Multi-factor Authentication – SY0-601 CompTIA Security+ : 2.4

We use many different factors during the authentication process. In this video, you’ll learn about the AAA framework, multi-factor authentication factors, and multi-factor authentication attributes.




We’re all familiar with the process of authenticating into a system. Usually you use a username, a password, and perhaps some other type of authentication factor to gain access. This is often described with what we call the AAA framework: authentication, authorization, and accounting. The process starts with identification, where you claim an identity. This is commonly a username that you provide during the login process, and that username associates an account with you as an individual.

It’s one thing to say that you are who you say you are, but you also have to prove it during the authentication process. This is commonly done with some type of authentication factor, such as a password, a biometric factor, or one of the many other authentication factors we’ll discuss in this video. Once you’ve proven that you are who you say you are, we need to determine what you have access to. This authorization process may allow you access to a particular file share, or it may allow you to print to a particular printer.

The last A in the AAA framework is accounting. This is keeping a record of who authenticated, when they did so, and what resources they used. There are a number of different ways to provide this authentication process. Some are in the cloud, and some are on premises.

Cloud-based authentication often involves a third party that manages the platform. The service is provided by a cloud service provider, and we simply use it as part of the authentication process. This is usually a centralized platform in the cloud that can be accessed from anywhere in the world, and it often includes an API integration so that our applications can authenticate against the same centralized database.

There might also be the ability to add on additional options in the cloud that we can turn on and off as we need them. An on-premises, or on-prem, authentication system is one that runs in our own data center. This requires our own internal staff to monitor and configure everything associated with the authentication system. And if there are users outside of our network who still need to authenticate through our internal system, we need to make sure there are processes in place for them to do so.

When we authenticate into a system, there is a set of factors that we use. The three factors are something you know, something you have, and something you are. We can add attributes to those factors: somewhere you are, something you can do, something you exhibit, and someone you know. An authentication factor compares a characteristic that is directly tied to an individual against what the system has recorded for that individual. An authentication attribute is a bit more fluid. It may not be directly associated with an individual, but we can combine it with other authentication factors to help prove someone’s identity.

The authentication factor of something you know is something that’s in your brain, and only you know this particular value. One of the most common things we know is a password, and we commonly use a username and password to gain access to a system. But we could also use a personal identification number, or PIN, similar to the number you use at an automated teller machine. This is not usually written down anywhere; it’s also in your brain, and something that you know.

On many mobile phones, you also have the option to use a particular pattern that you’ve memorized. This is very similar to a memorized password, but instead you’ve memorized a pattern on the screen, and you reproduce that pattern to gain access to your phone. Another authentication factor is something you have. This is usually a device or some type of object that you carry with you. A smart card, for example, is a card that we keep with us. It is sometimes also used as a photo identification, and it integrates with other devices by sliding it into a smart card reader. Smart cards are usually used in conjunction with a personal identification number, so that you’re using not only something you have, but combining it with something you know.

Another form of something you have is a USB security token, which typically holds a certificate together with its private key, and that key can’t be copied off the token. You have to present the token to gain access to the system. Since you are the only one who has this token, and that key isn’t on any other device, it’s assumed to be something you have with you. If you’ve ever carried a hardware token that displays a new one-time code every 30 seconds or so, then you’re familiar with something you have. Those codes are not random: each one is derived from a secret shared with the authentication server, using the current time or a counter as the input, so the server can compute the same code and check it. There are also software-based versions that can be loaded on a mobile phone, and in both cases it’s something you have.
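To make the one-time-code token concrete, here is an added example (not code from the original page or from any vendor’s token) that implements the HOTP and TOTP algorithms from RFC 4226 and RFC 6238 with only the Python standard library. It shows both sides of the exchange: the token computing a code from the shared secret and the current time step, and the server verifying it with a small window for clock drift and a replay check so the same code is not accepted twice. The `secret_from_base32` helper and the replay-tracking `last_counter` parameter are this example’s own naming choices; the 20-byte secret `12345678901234567890` is the test secret from the RFCs, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are usually provisioned with a base32 secret; decode it,
    tolerating the missing '=' padding and spaces that QR/URI payloads often drop."""
    s = encoded.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)

def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then 'dynamic truncation'
    picks 4 bytes at an offset taken from the last nibble of the MAC."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: TOTP is HOTP with the counter set to floor(unix_time / step).
    This is what the token (hardware or phone app) displays."""
    return hotp(secret, int(for_time) // step, digits, algorithm)

def verify_totp(secret: bytes, candidate: str, for_time: float, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server side. Accepts a code from the current step or +/- `window` steps to
    tolerate clock drift, but never a step at or below `last_counter` (the step of
    the last accepted code), which stops an intercepted code from being replayed.
    Returns the matched counter to store as the new last_counter, or None."""
    counter = int(for_time) // step
    matched = None
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue  # already used (or older than a used code): treat as replay
        # compare_digest keeps the comparison constant-time per candidate
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            matched = c
    return matched

if __name__ == "__main__":
    # Demo with the RFC test secret (constructed input, not a real credential).
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = time.time()
    code = totp(secret, now)
    print("token shows:", code)
    print("server accepts:", verify_totp(secret, code, now) is not None)
```

The verification loop deliberately does not return early on a match so that the number of HMAC computations does not depend on which step matched. In a real deployment the `last_counter` value is stored per user alongside the secret, and the secret itself should be kept in a secrets store or HSM, since anyone holding it can generate valid codes.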

Another common factor of something you have is your phone itself. It’s common to send an SMS or text message to your phone, and if you have your phone you can type that code back during the authentication process. Keep in mind that SMS is the weakest of these options, since the message can be intercepted or redirected by an attacker who takes over your phone number. The third authentication factor is something you are, a biometric factor such as a fingerprint, an iris scan, or a voice print. This usually works by taking a mathematical representation, or template, of some part of your body, such as a fingerprint, and storing that template. The next time you put your finger on the biometric reader, it performs the same calculation and compares the result to what was stored previously.

These biometric factors of something you are are tied to a specific individual. It would be very unusual for someone to change their fingerprint or their retina, so we can associate these features with an individual for effectively their entire lifetime. That permanence also means a biometric can’t be reissued the way a password can if a copy of it is stolen. And although biometric factors are very good at authenticating an individual, they’re not foolproof, and they should usually be used with other authentication factors as well.

One of the authentication attributes that doesn’t necessarily identify a specific individual but can help with the authentication process is somewhere you are. This adds a signal based on where you happen to be geographically. For example, authentication may be allowed if you are in the United States, but if you’re outside the United States the authentication process would fail. We can sometimes use the source IPv4 address to estimate where a person is, although this is imprecise and may give us incorrect information about which country the person is in.

This is a bit more difficult with IPv6, where the geolocation data is less complete. But this can still give us useful information to help decide whether a user is authenticated or not. Another way to gather a person’s location is through GPS, or through triangulation with wireless networks in the area. This is also not a perfect way to determine where someone is, and there are ways to get around or even spoof GPS coordinates and source addresses (a VPN or proxy makes the user appear wherever its exit point is), but it can help in the authentication process to allow or disallow access to the network.
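The "somewhere you are" check described above, as an added example that is not part of the original page: a source address is mapped to a country by longest-prefix match over a geolocation table, and the result feeds a policy decision. The prefix table here is constructed for the example from documentation address ranges with made-up country assignments (a real deployment would load a geolocation database, which is itself only approximate). The `step_up` outcome for addresses with no location data is this example’s design choice, reflecting that location is an attribute to combine with other factors rather than a factor on its own; the function and table names are likewise this example’s own.

```python
import ipaddress

# Constructed lookup table for this example only: documentation prefixes
# (RFC 5737 / RFC 3849) with made-up country codes. Entries may overlap; the
# most specific (longest) prefix wins, as in real allocation data.
GEO_PREFIXES = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.128/25"), "CA"),  # carve-out inside the /24 above
    (ipaddress.ip_network("2001:db8:1::/48"), "US"),
]

def lookup_country(ip_str: str):
    """Return the country for an address via longest-prefix match, or None when
    the table has no covering prefix (common for IPv6 and new allocations)."""
    addr = ipaddress.ip_address(ip_str)
    # Proxies and dual-stack listeners often hand us IPv4 addresses in
    # IPv4-mapped IPv6 form (::ffff:a.b.c.d); unwrap them before matching.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    best = None
    for net, country in GEO_PREFIXES:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country)
    return best[1] if best else None

def location_decision(ip_str: str, allowed_countries=frozenset({"US"})):
    """Policy for the 'somewhere you are' attribute. Returns (decision, reason):
    'allow'   - address geolocates to an allowed country
    'deny'    - address geolocates to a country outside the allow list
    'step_up' - no location data: don't guess, require another factor instead"""
    try:
        country = lookup_country(ip_str)
    except ValueError:
        return ("deny", "unparseable source address")
    if country is None:
        return ("step_up", "no location data; require an additional factor")
    if country in allowed_countries:
        return ("allow", country)
    return ("deny", country)

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.200", "::ffff:203.0.113.7", "2001:db8:2::1"):
        print(ip, "->", location_decision(ip))
```

Because the source address can be chosen by the client (VPN exit, proxy, or a compromised host in the allowed country), a geolocation match should raise confidence, never replace the password or token check; the `step_up` branch exists so that missing data degrades to asking for more proof rather than silently allowing or denying.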

Another attribute that can be used for authentication is something you can do, your personal way of doing things. A good example is your signature. The way you write your signature is very specific to you, and it’s difficult for someone else to replicate. These attributes may seem very similar to biometrics, but a biometric measures a physical characteristic that is very specific to an individual, whereas something you can do is a much broader description of a behavior.

Another set of attributes is something you exhibit, a characteristic you show without trying to. For example, the way that you walk is distinctive, and someone can perform a gait analysis to compare the way you walk with the way someone else walks. Another attribute you exhibit might be the way you type: you might type at a particular speed, or there might be a particular timing between keystrokes that is characteristic of you. And sometimes it’s not what you know, but who you know. The attribute of someone you know can give you a bit more credibility when you’re trying to authenticate to a system. We use someone you know in cryptography when we build a web of trust, where one person digitally signs another person’s key to vouch that it really belongs to them.