Three Factors of Authentication and Multifactor Authentication

If you’re studying for one of the security certifications like CISSP, SSCP, or Security+ it’s important to understand the different factors of authentication, and how they can be intertwined as multifactor authentication.  These are commonly known as something you know (such as a password), something you have (such as a smart card), and something you are (using biometrics.  A basic understanding of these topics can help you correctly answer many different questions on authentication on any of these certification exams.

A previous post  covered identification, authentication, and authorization.  As a reminder, identification occurs when a user (or any subject) claims an identity. Authentication occurs when the user provides proof of the identity, such as with a password. Authorization grants access to resources based on the user’s proven identity.


Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide


Something You Know

The something you know factor includes passwords and personal identification numbers (PINs). This is considered the weakest form of authentication because users often use weak passwords, give them out, or write their passwords down.

A strong password is complex and includes at least eight characters. Complex means that the password uses a mixture of upper case, lower case, numbers, and special characters. Some documentation indicates using three of the four character types is enough, while other documentation states that a complex password has four character types. The key is that more character types results in a more complex password that is harder to crack. However, the bigger point is that many users create passwords with only a single character type.

Troy Hunt did a great analysis of passwords that were stolen from Sony’s web sites and published on the Internet. He found that half used only a single character type and only 1 percent used any non-alphanumeric characters. Some of the top passwords were very simple: seinfeld, password, winner, 123456, purple, sweeps, contest, princess, maggie, and abc123. More than 64 percent of the passwords were found in common password-cracking dictionaries. Additionally, when users had accounts on two separate Sony sites, over 92 percent of them used the same password.

Password policies are often used to ensure that users create strong passwords and change them often.  Some common password policy settings are:

  • Maximum password age. Requires users to change their password.
  • Minimum length. Ensures passwords have a minimum number of characters.
  • History. Remembers specific number of past passwords (such as last 5, or last 24 passwords). Prevents users from reusing the same passwords.
  • Minimum password page. Prevents users from changing their password right away. Used with the password history to prevent users from changing their password multiple times to circumvent the password history.

Looking for quality Practice Test Questions for the SY0-301 Security+ exam?
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions


Something You Have

Smart cards and token, or fobs are common examples within the something you have factor of authentication. A smart card is a credit card sized card that holds key information about the user. Smart cards have certificates embedded in them using TLS and provide very strong authentication. This blog covers the differences between smart cards, a common access card (CAC), and a personal identity verification (PIV) card.

A fob (sometimes called a token) has an LED display that shows a number that changes regularly, such as every 60 seconds. This number is synchronized with a server. When users log into a website, they enter the number shown on the display to verify they have the token. This factor is often combined with another factor to provide multifactor authentication.


Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide


Something You Are

The something you are factor uses biometrics to prove a user’s identity. Fingerprints are very commonly used for authentication, but there are many other examples. Biometrics are often divided into two categories: physical biometrics and behavioral biometrics.

  • Physical biometrics are based on physical traits of an individual. It includes fingerprints, thumbprints, handprints, palms retina scanners, and iris scanners.
  • Behavioral biometrics is based on behavioral traits of an individual. It includes voice recognition, signature geometry, and key strokes on a keyboard.

Biometrics systems are susceptible to false readings. These are commonly known as:

  • Type 1 error. False Reject Rate (FRR). This occurs when a biometric system incorrectly rejects an authorized user.
  • Type 2 error. False Accept Rate (FAR). This occurs when a biometric system incorrectly identifies an unauthorized user as an authorized user.

Most biometric systems allow you to adjust the sensitivity of the system. For example, you can adjust it to minimize false rejections (FRR errors) but this will result in an increase in the false acceptances (FAR errors). The overall accuracy of a biometric system is identified with the crossover error rate (CER), where the FAR and FRR are equal. A biometric system with a lower CER is more accurate than one with a higher CER.


Looking for practice test questions to test your readiness for Security+?
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions


Multifactor Authentication

Multifactor authentication combines two or three of the factors. Two common examples are:

  • A user has a smart card and also uses a personal identification number (PIN)
  • A user  has a token and also enters a username and password

It’s important to realize that multiple authentication and multifactor authentication are not the same thing. For example, if a user enters a pin (in the something you know factor), and a password (also in the something you know factor), this is not multifactor authentication.