I was recently having a discussion about the definition of multifactor authentication and what actually constitutes one, two or three factor authentication. There seems to be confusion around these definitions, so I am posting some industry accepted definitions for all to see or reference. Authentication methodologies involve three basic “factors”:
- Something the user knows (e.g. password, personal identification number, personally identifiable information)
- Something the user has (e.g. smartcard, security token, telephone, signed digital certificate)
- Something the user is (e.g. fingerprint, voice, retinal pattern, DNA)
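To make the definition concrete, here is an added example (my own code, not from any of the references above) that classifies presented credential types by factor and counts only distinct factors, so that a password plus a PIN is still single-factor while a password plus a phone-delivered code is two-factor. The credential names in the mapping are my own labels; only the three categories come from the definitions.

```python
from enum import Enum


class Factor(Enum):
    """The three basic authentication factors."""
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Constructed mapping of credential types to the factor each one represents.
# The credential labels are assumptions for this example; add your own as needed.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "smartcard": Factor.POSSESSION,
    "security_token": Factor.POSSESSION,
    "phone_otp": Factor.POSSESSION,
    "client_certificate": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
    "retina": Factor.INHERENCE,
}


def distinct_factors(credentials):
    """Return the set of distinct factors covered by the presented credential types.

    An unclassified credential type raises rather than silently counting as a
    factor, so a misconfigured policy fails closed.
    """
    factors = set()
    for cred in credentials:
        if cred not in CREDENTIAL_FACTOR:
            raise ValueError(f"unclassified credential type: {cred!r}")
        factors.add(CREDENTIAL_FACTOR[cred])
    return factors


def factor_count(credentials):
    """Number of distinct factors; two credentials of the same kind count once."""
    return len(distinct_factors(credentials))


def meets_requirement(credentials, required_factors=2):
    """True only if the credentials span at least `required_factors` categories."""
    return factor_count(credentials) >= required_factors
```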
There is a great article here (http://pciguru.wordpress.com/2010/05/01/one-two-and-three-factor-authentication/) which discusses this in detail, and it is also worth checking out the PCI Security Standards Council Quick Reference Guide, especially section 8.3 (https://www.pcisecuritystandards.org/documents/pci_ssc_quick_guide.pdf), FFIEC’s Authentication Guidance whitepaper (http://www.ffiec.gov/pdf/authentication_guidance.pdf) and Australia’s DSD security advice article (http://www.dsd.gov.au/publications/csocprotect/multi_factor_authentication.htm).