User Authentication Factors

There are four authentication factors:

  • Something one knows:

The concept here is that if the user knows a pre-determined secret, he or she must be the right person. The common type of secret is a password or a PIN, though other schemes like images and patterns are being explored. The conventional wisdom is that since it is a secret, no additional information about the likelihood of true identity is necessary or available. Security professionals usually disagree: for example, a system’s confidence in the provided password could certainly depend upon the location of its source - the likelihood of an imposter providing your password from your office is much lower than the likelihood of them providing it over the network.

  • Something one has:

The concept here is that if a user has a pre-configured item, he or she must be the right person. Examples include a smart card, ID badge, key or time-variant authentication code generator. The conventional wisdom is that anyone who has the token should have full access and that no other information is needed. Again, we disagree. As with the password example, the location of the token and the time since the session was last used can both affect the confidence a system should have in the corresponding authentication. More radical out-of-band information, such as the owner’s expected location based on scheduled appointments, could also provide insight.

  • Something one is:

The concept here is that the system compares measured features of the user to pre-recorded values, allowing access if there is a match. Commonly, physical features (retinal patterns, fingerprints, voice characteristics, facial geometry, DNA sequences, etc.) are the focus of such schemes. Identifying features are boiled down to numerical values called “biometrics” for comparison purposes. Biometric values are inherently varied, both because of changes in the feature itself and because of changes in the measurement environment. For example, facial biometrics can vary during a day due to acne appearance, facial hair growth, facial expressions, and ambient light variations. More drastic changes result when switching between eyeglasses and contact lenses or upon breaking one’s nose. Similar sets of issues exist for other physical features. Therefore, the decision approach used is to define a “closeness of match” metric and to set some cut-off value: above the cut-off value, the system accepts the identity, and below it, not. When setting the cut-off value, an administrator makes a trade-off between the False Acceptance Rate (FAR) and the False Rejection Rate (FRR): raising the cut-off lowers FAR but raises FRR, and lowering it does the reverse.

  • Something one can do:

The concept here is that the system compares measured user activity or patterns to pre-recorded “cog metrics” or “cognitive” values, allowing access if there is a match. The activity or pattern can be normal activity periods, the IP address of the access point, patterns of application usage, signature writing, key-press timing, the commands one uses, one’s footfall, one’s attire, one’s familiar faces, etc. In certain scenarios this factor may be considered a subset of (or overlapping with) “something one is” or “something one knows”.
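To make the FAR/FRR trade-off for the “something one is” cut-off concrete, here is an added example (not from the original text) that sweeps a cut-off over constructed match scores for genuine users and impostors, reports both error rates at each value, and picks the cut-off an administrator might choose under either an equal-error policy or a maximum-FAR policy. The score sets, the 0-to-1 scale and the cut-off grid are assumptions for illustration.

```python
"""FAR/FRR trade-off for a biometric "closeness of match" cut-off."""
from typing import List, Tuple

# Constructed similarity scores in [0, 1]; higher means a closer match.
# These are illustrative values, not real biometric measurements.
GENUINE = [0.92, 0.88, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.58, 0.52]
IMPOSTOR = [0.64, 0.59, 0.55, 0.48, 0.42, 0.40, 0.35, 0.30, 0.22, 0.15]

# Cut-off grid to evaluate: 0.00, 0.05, ..., 1.00 (an assumption).
CUTOFFS = [i / 20 for i in range(21)]


def far(impostor_scores: List[float], cutoff: float) -> float:
    """False Acceptance Rate: share of impostor attempts at or above the cut-off."""
    return sum(s >= cutoff for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores: List[float], cutoff: float) -> float:
    """False Rejection Rate: share of genuine attempts below the cut-off."""
    return sum(s < cutoff for s in genuine_scores) / len(genuine_scores)


def sweep(genuine: List[float], impostor: List[float],
          cutoffs: List[float]) -> List[Tuple[float, float, float]]:
    """Return (cutoff, FAR, FRR) for every candidate cut-off."""
    return [(c, far(impostor, c), frr(genuine, c)) for c in cutoffs]


def equal_error_cutoff(genuine: List[float], impostor: List[float],
                       cutoffs: List[float]) -> float:
    """Cut-off where FAR and FRR are closest (the equal-error operating point)."""
    return min(cutoffs, key=lambda c: abs(far(impostor, c) - frr(genuine, c)))


def cutoff_for_max_far(impostor: List[float], cutoffs: List[float],
                       max_far: float) -> float:
    """Lowest cut-off whose FAR does not exceed a policy ceiling.

    Picking the lowest such cut-off keeps FRR as small as the FAR ceiling allows.
    """
    return min(c for c in cutoffs if far(impostor, c) <= max_far)


if __name__ == "__main__":
    for c, a, r in sweep(GENUINE, IMPOSTOR, CUTOFFS):
        print(f"cutoff={c:.2f}  FAR={a:.2f}  FRR={r:.2f}")
    print("equal-error cutoff:", equal_error_cutoff(GENUINE, IMPOSTOR, CUTOFFS))
    print("cutoff for FAR<=0:", cutoff_for_max_far(IMPOSTOR, CUTOFFS, 0.0))
```

With these scores the equal-error point is at 0.60 (FAR 0.10, FRR 0.20), while a zero-FAR policy forces the cut-off up to 0.65 and the FRR up to 0.30, which is exactly the trade-off the administrator is making.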