PhoneFactor Blog

What does "two-factor" really mean?

Posted July 16, 2007 by Steve

There are a lot of commentators in the security space who get the concept of two-factor authentication slightly wrong. I just ran across one of those cases elsewhere in the blogosphere: ATMIA addresses PIN authentication at ATMs. ATMIA is the ATM Industry Association.

Two-factor authentication requires something from two out of three of the following categories:

  • Something you know – a username and password, a PIN, etc.
  • Something you have – a physical device, token, or similar
  • Something you are – a fingerprint, a retinal scan, etc.

Having more than one thing from a particular category may make the system slightly more secure, but it doesn’t count as an extra "factor." That’s why, for example, username and password count together as one factor, not as two.

The "something you have" must, in particular, be very difficult to duplicate. A piece of paper in your wallet can be photocopied without your knowledge, which dramatically weakens its security as a second factor. The same problems pop up on banking websites that use browser cookies as the second factor – an attacker with access to the computer can make a copy of the cookie, rendering it useless as a second factor.

Now, with that in mind, here’s a quote from the linked article:

The PIN is part of a two-factor authentication system — the magnetic-stripe or chip contains unique account data, while the PIN is unique to the customer. If a customer’s ATM card is stolen but the PIN remains unknown to the fraudster, no fraudulent cash withdrawal can take place, ATMIA says.

Do you spot the problem? The flaw here is that the ATMIA conveniently forgets that it’s pretty easy to duplicate the information in the magnetic stripe on a card. This has been done before by thieves using glue-on mag stripe readers attached to ATMs.

In these cases, the "something you have" behaves more like "something you know," which effectively reduces the system to one factor.
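The counting rule above, written out as a small Python model. This is an added example, not PhoneFactor's code; the credential names and the "copyable" flag are assumptions used to encode the post's argument that copyable possession data degrades to "something you know".

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


@dataclass(frozen=True)
class Credential:
    name: str
    factor: Factor
    # For HAVE credentials only: can an attacker copy it without taking it
    # away from you (photocopied paper, skimmed mag stripe, copied cookie)?
    copyable: bool = False


def effective_factor(cred: Credential) -> Factor:
    # A "something you have" that is just copyable static data behaves like
    # a secret the attacker can learn, i.e. like "something you know".
    if cred.factor is Factor.HAVE and cred.copyable:
        return Factor.KNOW
    return cred.factor


def count_factors(creds) -> int:
    # Several credentials from one category still count as one factor,
    # which is why username + password is one factor, not two.
    return len({effective_factor(c) for c in creds})


def is_two_factor(creds) -> bool:
    return count_factors(creds) >= 2


# Constructed sample credentials mirroring the post's examples.
PIN = Credential("PIN", Factor.KNOW)
PASSWORD = Credential("password", Factor.KNOW)
USERNAME = Credential("username", Factor.KNOW)
MAG_STRIPE_CARD = Credential("mag-stripe ATM card", Factor.HAVE, copyable=True)
BROWSER_COOKIE = Credential("browser cookie", Factor.HAVE, copyable=True)
MOBILE_PHONE = Credential("mobile phone", Factor.HAVE, copyable=False)
FINGERPRINT = Credential("fingerprint", Factor.ARE)

if __name__ == "__main__":
    for label, creds in {"ATM": [MAG_STRIPE_CARD, PIN],
                         "bank site": [USERNAME, PASSWORD, BROWSER_COOKIE],
                         "phone": [PASSWORD, MOBILE_PHONE]}.items():
        print(f"{label}: {count_factors(creds)} factor(s)")
```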

So remember, if what you want is a two-factor authentication system, make sure to pick one with a device that is very difficult for a thief to duplicate. Maybe a device that huge corporations have spent billions of dollars on to prevent duplication. Say, for example, a mobile phone!

-Steve
