FB pixel

Explainer: Multi-factor authentication

Explainer: Multi-factor authentication

Multi-factor authentication (MFA) is a layer of security that ensures a person provides two or more pieces of information to complete an authentication check that grants further access to a digital service or application. With the mass popularization of online services that cover deeply personal and vital data such as identity and banking, MFA has become a necessary protection against third-party intruders and malicious actors. Important recent developments supporting MFA adoption include the passage of regulations like the European Union’s Payment Services Directive (PSD2) in 2018, and the emergence of the FIDO Alliance. MFA typically encompasses three factors: knowledge, possession, and inherence.

Knowledge factors rely on what the user knows. Passwords or passcode only the user would know, or answers to questions about personal history are common knowledge factors used in authentication. Variants on passwords include passphrases, formed from multiple words, and personal identification numbers (PIN), typically shorter and purely numerical.

Possession factors provide security by granting access with something only the user has. This method is commonly found as tokens that are disconnected, connected or software. A disconnected token has no connection directly to the main device and usually has a built-in screen that displays a randomly generating password that is input in by the user, like RSA’s SecurID. A connected token directly links to the main device to transmit data to unlock access, very similar to the traditional lock and key. USB tokens, card readers and wireless tags are common examples. Software tokens are stored on a general-purpose device, such as a smartphone and computer, that authorizes access to the main device and can be duplicated.

Inherence factors are data that only the user possesses, or biometrics. Face, fingerprint, and voice biometrics are often deployed as inherence factors. Biometrics in MFA are growing in prevalence with the mass adoption of smartphones and laptops that can be used as data capture devices.

PSD2 was implemented as a means of updating the EU’s digital payments system, protecting customer security and fostering competition. One major change is the requirement for strong customer authentication for all digital transactions, which would necessitate the use of at least two or more forms of MFA. Effectively, any business with a digital footprint operating in the EU now must comply with PSD2 via MFA.

The FIDO Alliance is an industry body launched in 2013 with members including PayPal, Apple, Google, Amazon, American Express, Meta, and Microsoft that aims to promote “authentication standards to help reduce the world’s over-reliance on passwords.”  The FIDO protocol works by registering a user’s device (say, a smartphone) which creates a connected pair of a private and public key. The private key held on the device is authenticated by providing MFA, including biometric data such as a fingerprint and voice, or knowledge and possession factors, which will signal to the public key to grant access.

Click here for more explainers on concepts in biometrics.

Article Topics

 |   |   |   |   |   |   | 

Latest Biometrics News


Biometrics cutting the line of in-person payments innovations: Mastercard

Mastercard sees biometrics for in-store payments as a part of a broader shift towards seamless interactions of all kinds, as…


New South Wales’ government is investing millions in digital identity

New South Wales’ decentralized digital identity program is getting a cash infusion from the Premier Chris Minns’ government, which has…


Innovatrics cuts fingerprint error rate by 20%, upgrades SmartFace platform

Innovatrics has reported its best-yet scores in NIST’s fingerprint biometrics testing, and added a new feature to its facial recognition…


Canadian cruise terminal gets Pangiam face biometrics for ID verification

The Vancouver Fraser Port Authority and U.S. Customs and Border Protection (CBP) have joined forces to implement face biometrics for…


Atlantic Council stresses importance of DPI, data for stronger digital economies

The Atlantic Council has highlighted the importance of digital identity and digital public infrastructure (DPI) in birthing and growing strong,…


Sri Lanka extends bid deadline for national digital ID project

The Government of Sri Lanka has extended the deadline for the submission of bids for the procurement of a Master…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events