Traditionally, authentication mechanisms have been categorised by the type of factor they rely on:
1. Something you know (for example, a password or a PIN)
2. Something you have (for example, a mobile phone or a token)
3. Something you are (for example, a fingerprint or other biometric data)
Strictly speaking, MFA requires a user to authenticate with two or more factors of different types (e.g., something you know combined with something you have); 2FA is simply the common case of exactly two. In practice there is still some value in combining multiple credentials of the same type, as long as compromising one does not also compromise the other (two passwords stored in the same password manager do not qualify). Note that formal definitions such as NIST SP 800-63B only count distinct factor types as multi-factor.
Generally, combining multiple authentication factors results in a higher Level of Assurance (LoA) that the individual attempting to authenticate is actually the individual in question: even if one factor has been compromised, the chance that an attacker has also compromised an independent second factor is low. This only holds if the factors fail independently; a one-time code delivered to the same device on which the password is typed offers little extra protection against malware on that device. Authentication mechanisms can also be distinguished by whether they use the same channel through which the user accesses the application (in-band) or a separate channel dedicated to authentication (out-of-band).
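To make the "something you know plus something you have" combination concrete, here is an added example (not code from the original page) of a login check that requires both a salted password hash and a time-based one-time code. The TOTP part follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits), the password part uses PBKDF2-HMAC-SHA256, and both factors are evaluated before a decision is returned so a failed login does not reveal which factor was wrong. The user record layout, the `enroll` and `authenticate` helpers, and the clock-skew window of one step are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 600_000  # assumption: a reasonable 2024-era work factor


# --- factor 1: "something you know" (salted, stretched password hash) ---
def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, digest) for a password; a fresh random salt is used unless given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, expected, iterations=PBKDF2_ITERATIONS):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# --- factor 2: "something you have" (TOTP per RFC 6238, built on HOTP per RFC 4226) ---
def hotp(secret, counter, digits=6):
    """HOTP: truncate HMAC-SHA1(secret, counter) to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """TOTP: HOTP with the counter derived from Unix time `at` in `step`-second windows."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, window=1):
    """Accept the code for the current step and +/- `window` steps of clock skew."""
    if not (isinstance(code, str) and code.isdigit()):
        return False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step), code):
            return True
    return False


# --- combining the factors ---
def enroll(password, totp_secret):
    """Constructed user record: the server stores a salted hash and the TOTP seed."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def authenticate(user, password, code, now):
    """Both factors are checked unconditionally; failure of either rejects the login."""
    know_ok = verify_password(password, user["salt"], user["pw_hash"])
    have_ok = verify_totp(user["totp_secret"], code, now)
    return know_ok and have_ok


if __name__ == "__main__":
    # Constructed demo values; the seed is the RFC 6238 test-vector secret.
    seed = b"12345678901234567890"
    user = enroll("correct horse battery staple", seed)
    now = 59
    print(authenticate(user, "correct horse battery staple", totp(seed, now), now))  # True
    print(authenticate(user, "wrong password", totp(seed, now), now))               # False
    print(authenticate(user, "correct horse battery staple", "000000", now))        # False
```

Compromising the password database yields only salted hashes, and compromising the phone yields only the TOTP seed; neither alone passes `authenticate`, which is the independence property the paragraph above relies on. The skew window is deliberately small, since every extra accepted step multiplies an attacker's chance of guessing a six-digit code.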
The world of authentication uses many different (and sometimes contradictory) terms to describe authentication models. The following definitions are used here:
• Authentication is the process of verifying that a claimed identity is genuine and based on valid credentials.
• A credential is something the user has access to (either “has” or “knows”) that can be used in an authentication protocol. Before a credential can be used to authenticate the user, it must have previously been associated with, or bound to, that user.
• Identification is the process by which information about a person is gathered and used to provide some level of assurance that the person is who they claim to be.
• Identity proofing is the part of the registration process that verifies a customer’s identity before he/she is issued accounts and credentials.
• A Level of Assurance or LoA describes the degree of certainty that an individual is who he/she claims to be when presenting a digital credential. LoA is determined by the quality of the identity vetting, proofing and credentialing phase, and by the quality of the actual authentication process, including the quality/type of the authentication credential and the robustness of the authentication mechanism. LoA models typically define four levels, each with defined requirements for identity proofing and for the particulars of the authentication mechanism(s).
• Multi-factor authentication or MFA refers to the use of two or more credentials in the authentication of the user. Generally, the use of multiple factors/credentials results in a higher LoA about the user. Two-factor authentication (2FA) is the special case of MFA in which exactly two different credentials are used.
• Registration is the process by which the user is linked to his/her credential and identity record, and a corresponding credential is issued to the user.
• Other sensors in proximity to the user (e.g., wearables, smart watches, etc).