I have run into it again. Another organization that thinks two user identifiers and passwords constitutes two-factor authentication and meets PCI DSS requirement 8.3. With all of the documentation available on the Internet, you would think this topic would be covered cold. However, there seems to still be confusion regarding what constitutes one-, two- and three-factor authentication, so I thought I would take this time to explain these concepts.
Let us talk about the definitions of the three factors of authentication.
- One-factor authentication – this is “something a user knows.” The most recognized type of one-factor authentication method is the password.
- Two-factor authentication – in addition to the first factor, the second factor is “something a user has.” Examples of something a user has are a fob that generates a pre-determined code, a signed digital certificate or even a biometric such as a fingerprint. The most recognized form of two-factor authentication is the ubiquitous RSA SecurID fob.
- Three-factor authentication – in addition to the previous two factors, the third factor is “something a user is.” Examples of a third factor are all biometric such as the user’s voice, hand configuration, a fingerprint, a retina scan or similar. The most recognized form of three-factor authentication is usually the retina scan.
The important thing to notice about the aforementioned definitions is that no where do they mention using two passwords or passphrases, two fingerprints or two retina scans. Such use of two of the same factors is considered multi-factor authentication and is not related to any of the aforementioned definitions. So those of you that are using two different user identifiers and passwords are not using two-factor authentication, you are using multi-factor authentication. The PCI DSS is very specific in requirement 8.3 and requires two-factor authentication or better. So multi-factor is not acceptable.
Another thing to mention is that security purists will argue that using a biometric for a second factor violates the rules of the third factor. However, other security practitioners say that something a user has or they are can be either something like a token or a biometric. Their logic is that a user has a fingerprint or a retina, so it qualifies as either factor. The key is to only use a particular biometric once. So if you use a fingerprint for your second factor, you cannot use a fingerprint for the third factor.
Finally, while obvious, a lot of people miss this point. One-factor is less secure than two-factor which is less secure than three-factor authentication. However, if users properly construct their passwords or passphrases and other logon restrictions are in place, one-factor authentication can be fairly effective against security breaches, possibly in the 90% range. Two factor authentication typically raises the effectiveness to probably around 97 or 98%. And three-factor authentication likely takes things to a six sigma level of effectiveness. Note that even with three-factor authentication you only get to 99.9999% effectiveness. As I have repeatedly pointed out, security is not perfect.
A lot of people do not realize the fact that they use two-factor authentication regularly. In order to use an ATM you need a card (something you have) and a four digit personal identification number or PIN (something you know). Another example that is common these days is in order to enter secure facilities, an authorized user is required to use their HID access card and enter a PIN into a keypad before a door will open. Something to note is that it does not matter the order in which the factors are used. In the case of the ATM and entry examples, you swipe your card (something you have) first and then enter your PIN (something you know).
Just because the second factor is something a user has, does not mean that the user must know they have it. A prime example is in the case of a digital certificate. A lot of organizations issue a digital certificate with their VPN software to provide two-factor authentication. Most users are unaware that they need a digital certificate to make the VPN work. The digital certificate is usually tied to the user or the computer and is installed as part of the installation of the VPN software. The only way a user ever becomes aware of the digital certificate is if it is ever corrupted or becomes out dated resulting in an error when they try to connect to the VPN.
Another important point is that in instances where all you use is your HID access card, you are using one-factor authentication. The definitions for the factors were established for ease of learning and memory. However, using any of the factors alone is one-factor authentication. Using each type of factor in conjunction with another, results in two- and three-factor authentication. As such, you can use different combinations of all of the factors to decrease the likelihood of a compromise. For example, in a lot of spy movies, there is an ultra-secure room where to gain entry, you need for example an ID card, a PIN, a retina scan and you need to say your passphrase. This is not an example of four-factor authentication; this is three-factor authentication with the use of two biometric factors (i.e., multi-factor).
Finally, there is a risk in using biometric factors that most people do not like to talk about but is important to consider. People suffer accidents all of the time. Fingers get cut or even removed. Hands get broken or maimed. Eyes become damaged. People lose their voices. As a result, if you are looking to use biometrics for authentication, make sure you plan for such incidents.
Hopefully you now understand the various factors of authentication and understand how they are used.
Retina scans are extremely rare today, having been almost completely replaced by iris scans. Furthermore, they were never the “most recognized” biometric. That has always been the fingerprint – in use, by far, more than any other biometric. Virtually ever laptop has a fingerprint sensor.
Retina scanning is not as rare as you think. While it has been replaced in some locations, in very, very high security installations, the retina scan is still king as it cannot be faked out by a well made contact lens with a fake iris.
Those fingerprint scanners that you see ala Lenovo ThinkPads are not something I would particularly want to trust. The full print scanners are much more accurate than the swipe variety. We have seen instances where the swipe version can be easily faked out and you can gain access.
Is there any reason to believe one category of factor is more secure than the other. For example, “what is know” is more secure than “what you have”.
If I change the authentication protocol from password to “what you have” does it make is less safe?
Biometric factors are going to be more secure than a password or a fob. However, the risk with biometrics is that someone loses the biometric such as a finger, eye or their voice. You can replace a fob or reset a password, but biometrics are not replaceable. As a result, when using biometrics you need to plan for the loss of the biometric.
The other consideration with biometrics is that not everyone has two eyes, all their fingers or can speak. As a result, you need to allow for multiple biometrics so that you have alternatives.
Please allow me to clear this up. From Wikipedia:
“On October 12, 2005, the Federal Financial Institutions Examination Council’s (FFIEC) issued guidance for financial institutions recommending financial institutions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services. The FFIEC identified three authentication factors as:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint)”
With this preface, allow me to make a few observations:
1) PCIGuru refers to retina scans as three-factor, which is inaccurate. It is one-factor using a biometric.
2) A username and password constitute one-factor authentication, but is considered two-STEP.
3) A biometric scan of two retinas and 20 fingers and toes is ONE-factor, 22-steps. Get it now? ;c)
4) True 3-factor authentication necessitates combining all three of the aforementioned factors in the authentication process. our company offers such a method through interacting with a biometric image on a mobile device.
I would be open to shedding more light on the subject if you would care to contact me.
Mike Hill
Director
Avimir Limited
What is it about this post? I keep re-reading it and I do not get where you all keep coming up these supposed errors. However, all of the comments on this post go to my original reason for writing it which is, even within the security profession, there is a misunderstanding of the factors of authentication.
I do NOT refer to a retina scan by itself as an example of three factor authentication. Go back and re-read the post, it’s NOT there. What is there is the statement, “… in addition to the previous two factors, the third factor is …” and then I use some examples, one of which is the retina.
Your point number two of retina AND fingerprints is an example of two-factor authentication, not one-factor. Remember fingerprints and retinas are two different things (i.e., factors) even though they are both in the same class of factors (i.e., biometrics). Just because biometrics are commonly associated with the third factor does not mean that they can only be used as the third factor.
And your point number three – DUH! Again, re-read the post – PLEASE!
I do not mind having people correct me when I am wrong, but there is nothing wrong with this post. Re-read it. It is correct. Yes, you have developed a new factor that can be used. Hurray for you and your company. However, promoting it by trying to correct someone who has done nothing to justify correction proves … Well, I will let the other readers fill in what it proves.
Can digital signature be accepted as “something you have” in PA-DSS compliance?
I do not see why not. A digital signature resolves into a certificate which is like any other certificate. We accept certificates as “something you have.”
when having multiple instances of factoring it can be broken down simply like the author states. but, i do not see the mistake the others have identified in their comments. He resonably communicated the idea of one factor two factor and three factor forms of security.
You seem to be confused about multi-factor authentication. You state that:
“Such use of two of the same factors is considered multi-factor authentication and is not related to any of the aforementioned definitions.”
I can not find a single source to agree with you. Two items from the same category is still single-factor and does not change the definition from single-factor to two-factor. Every other source I have seen refers to “multi-factor” as item(s) from two or more categories. So you could be required to enter a password and a pin and insert a card and a token and you would have two-factor authentication.
I don’t want to say that you an overbearing idiot or anything like that, but I would suggest that, if you express exasperation at the knowledge limits of others, you should not add to that yourself.
Welcome to part of the problem with security. You say, “poe – tay – toe” and I say “pa – ta – toe” problem in security. When I went started implementing SecurID an eternity ago, the guy from SecurID referred to two-factor authentication as two-factor and anything using the same factors as multi-factor authentication and that stuck with me. Over the years, most of the security people I have run across have referred to it similarly. However, over the last 8 to 10 years, I have seen that change with multi-factor coming to mean that multiple factors are being used. However, I still think the bulk of security professionals would say my definitions still work.
I completely disagree with you defense and agree with Zorg, you are confused and ostensibly part of the problem. Multi-factor auth is an auth requiring multiple factors. It’s simple English. If I live in a multi-cat house, there is more than one cat, not multiple instances of the same cat.
Additionally you’ve got “one-factor”, “three-factor”, and “three-factor”, mixed up with the factors. There are currently three widely accepted factors of Authentication. Something you know, something you have, and something you are. You correctly identify the most recognized instances of these factors as passwords, security tokens, and fingerprints. But using only a fingerprint would be “one-factor” are you are actually using only one factor.
It’s really scary that you claim to be an expert but don’t know even this basic terminology. Something that you started the article by admitting has been expounded on the Internet in detail for years. You really need to read up on the subject (may I suggest Wikipedia given the elementary nature of the mistakes) or do some proof-reading before publishing an article you claim to be authoritative. It’s embarrassing to you and the security community as a whole.
I went back and re-read my post and I am confused as to where I even implied that using only a fingerprint is something other than one-factor authentication.
Security professionals I know do NOT recognize multi-factor authentication, (for example, two user identifiers with two password, different or otherwise, on different but interconnected systems, using a thumb and index finger at different authentication points, using the right iris and then the left iris at different authentication points) as meeting the concept of two-factor authentication.
And since you brought up the point of proofing your work. ‘Additionally you’ve got “one-factor”, “three-factor”, and “three-factor”’. I know you meant “two-factor” for the first instance of “three-factor” but it points to your rush to condemn those of us trying to make the world a more secure place.
Not quite as far as the definitions. If there are three factors a user can be identified by:
1. Something the user knows.
2. Something the user has.
3. Something the user is.
Then dual or two factor authentication is a combination of any two of these factors (as opposed to two factor authentication being the same as the second factor listed). For example, a biometric scan and a password is two factor authentication. You sort of say the same in the third paragraph.
Fingerprint scanners and voice recognition are likely the most commonly deployed type of biometric authentication methods.
Multi-factor authentication is a synonym, it only means two or more factors of authentication (not multiple uses of the same factor).
I’ve never before seen the metrics (percentages) you reference in paragraph 4.
For a small company that purchased and hosts in their own network a vendor PA-DSS certified software, what types of two-factor authentication solutions do you recommend to allow customer reps from the vendor to remote assist the company when issues arise? Thanks.
rpa