Traditionally, authentication mechanisms have been categorised as either:
1. Something you know (for example, a password or a PIN)
2. Something you have (for example, a mobile phone or a token)
3. Something you are (for example, a fingerprint or other biometric data)

In theory, MFA goes beyond 2FA by requiring a user to authenticate via two or more authentication factors (e.g., a “something you know” combined with a “something you have”). In practice, however, there is still value in multiple factors of the same type, as long as compromising one factor does not mean compromising the other.

Generally, combining multiple authentication factors results in a higher Level of Assurance (LoA) that the individual attempting to authenticate is actually the individual in question: even if one of the factors has been compromised, the chances of the other factor also being compromised are low. Authentication mechanisms can also be distinguished by whether they use the same channel through which the user accesses the application, or a separate channel dedicated to authentication.

Authentication Vocabulary

The world of authentication has many different (and sometimes contradictory) terms to describe authentication models. Here is a guideline:
• Authentication is the process of verifying that a claimed identity is genuine and based on valid credentials.
• A credential is something the user has access to (either “has” or “knows”) that can be used in an authentication protocol. Before a credential can be used to authenticate the user, it must have previously been associated or bound to that user.
• Identification is the process by which information about a person is gathered and used to provide some level of assurance that the person is who they claim to be.
• Identity proofing is a part of the registration process that verifies a customer’s identity before he/she is issued accounts and credentials.
• A Level of Assurance or LoA describes the degree of certainty that an individual is who he/she claims to be when presented with a digital credential. LoA is determined by the quality of the identity vetting, proofing and credentialing phase, and by the quality of the actual authentication process, including the quality/type of the authentication credential and the robustness of the authentication mechanism. LoA models typically define about four different categories, each with defined requirements for identity proofing and the particulars of the authentication mechanism(s).
• Multi-factor authentication or MFA refers to the use of two or more credentials in the authentication of the user. Generally, the use of multiple factors/credentials results in a higher LoA about the user. Two-factor authentication (2FA) is an example of MFA where two different credentials are used.
• Registration is the process by which the user is linked to his/her credential and identity record, and a corresponding credential is issued to the user.

Authentication Signals

Contextual authentication presumes the (in theory) passive collection of a variety of different signals about users and their context. These authentication signals might include their location (both physical and network), their computing environment and the resources they are trying to access.
Signals can be collected by:
• The web pages where they authenticate.
• The mobile devices used for MFA.
• Other network hardware.
• The application (or gateways in front of it).
• Other sensors in proximity to the user (e.g., wearables, smart watches, etc.).

Once collected and aggregated, the risk and policy infrastructure can analyse these signals to look for anomalous patterns that might indicate an attack or fraudulent behavior. This analysis can be:
• Contextual, comparing a given signal value to a prescribed list of allowed or disallowed values (e.g., not allowing sign-on for any IP address coming from Uzbekistan).
• Behavioral, comparing a given signal value to the expected value based on a previously established pattern (e.g., an employee often travels to Uzbekistan on legitimate business, and therefore is allowed to sign on with MFA, whereas any other employee is prohibited from signing on from Uzbekistan).
• Correlative, comparing a given signal value to a different collected signal value and looking for inconsistencies between the two (e.g., according to the laptop IP, an employee is in the United States, but according to their mobile phone, this employee is in Canada).
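As an added illustration (not code from the original article), the following small Python policy engine applies the three kinds of analysis above to constructed sign-on signals. The country blocklist, the per-user travel history, the signal names and the decision ordering are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed policy data (assumptions for this example, not from the article).
DISALLOWED_COUNTRIES = {"UZ"}                        # contextual deny-list
USER_TRAVEL_PATTERN = {"alice": {"US", "UZ"},        # behavioral baseline per user
                       "bob": {"US"}}

@dataclass
class SignOn:
    user: str
    laptop_country: str   # geolocated from the IP of the web session
    phone_country: str    # reported by the MFA mobile device
    mfa_passed: bool      # whether the second factor was completed

def contextual_check(s):
    """Compare a signal to a prescribed list of disallowed values."""
    return "country_blocklisted" if s.laptop_country in DISALLOWED_COUNTRIES else None

def behavioral_check(s):
    """Compare a signal to the user's previously established pattern."""
    known = USER_TRAVEL_PATTERN.get(s.user, set())
    return None if s.laptop_country in known else "country_unusual_for_user"

def correlative_check(s):
    """Compare two independently collected signals for inconsistency."""
    return "device_location_mismatch" if s.laptop_country != s.phone_country else None

def evaluate(s):
    """Return (decision, findings). A blocklisted country is tolerated only when it
    matches the user's established travel pattern and MFA succeeded, mirroring the
    travelling-employee case; a location mismatch between devices is always denied."""
    findings = [f for f in (contextual_check(s), behavioral_check(s), correlative_check(s)) if f]
    if "device_location_mismatch" in findings:
        return "deny", findings
    if "country_blocklisted" in findings:
        if "country_unusual_for_user" not in findings and s.mfa_passed:
            return "allow", findings
        return "deny", findings
    if "country_unusual_for_user" in findings:
        return "step_up", findings          # unusual but not forbidden: require MFA
    return "allow", findings

if __name__ == "__main__":
    print(evaluate(SignOn("alice", "UZ", "UZ", True)))   # known traveller: allow
    print(evaluate(SignOn("bob", "US", "CA", True)))     # laptop vs phone mismatch: deny
```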
