Overview
Multifactor authentication (MFA) requires users to present at least two different types of authentication evidence before access is granted. The security principle behind MFA is that each factor type has different attack vectors: a password can be phished, but a physical hardware token cannot be emailed to an attacker. Requiring proof from multiple categories simultaneously means an attacker who compromises one factor type (a password) still cannot authenticate without also compromising a different category of factor.
MFA specifically requires factors from two or more different categories. Using two passwords is two-step verification, not MFA. Using a password (something you know) plus a hardware token (something you have) is true MFA because both factors come from different categories.
The Four Authentication Factors
| Factor | Category Name | Examples |
|---|---|---|
| Something you know | Knowledge factor | Password, PIN, pattern, security question answer |
| Something you have | Possession factor | Smart card, USB security key, hardware token, software token, phone (SMS OTP) |
| Something you are | Inherence factor | Fingerprint, iris scan, voice recognition, facial recognition, retina scan |
| Somewhere you are | Location factor | IP address geolocation, GPS coordinates, cellular location, 802.11 access point triangulation |
Smart Cards
A smart card is a physical card containing an embedded microprocessor and cryptographic keys. Authentication with a smart card requires both physical possession of the card AND knowledge of a PIN. This combination means a stolen card is useless without the PIN, and a stolen PIN is useless without the card. Smart cards are used in government PIV (Personal Identity Verification) credentials and corporate CAC (Common Access Card) systems.
USB Security Keys
A USB security key (such as a YubiKey) is a small hardware device that plugs into a USB port. It stores cryptographic keys and certificates that never leave the device. Authentication involves physical presence (the key must be inserted) and may also require a tap or button press. USB security keys are phishing-resistant because the cryptographic operation is bound to the specific website's domain — a phishing site cannot trick the key into authenticating for the real site.
Hardware and Software Tokens
Tokens generate pseudo-random one-time passwords (OTPs) on a time-based or event-based algorithm. The token and the authentication server share a seed value; both independently generate the same code at the same time, allowing the server to verify the code without transmitting it.
- Hardware token: a physical device (RSA SecurID) that displays a numeric code, typically changing every 30 or 60 seconds. The code is valid for one use only during its validity window. Physical possession of the device is required.
- Software token: an application (Google Authenticator, Microsoft Authenticator) running on a smartphone that generates the same time-based codes as a hardware token. Requires access to the registered device. More convenient than hardware tokens but potentially less secure if the phone is compromised.
- SMS OTP: a one-time code sent via text message to the registered phone number. Weakest form of “something you have” because SMS can be intercepted via SIM-swapping attacks. Still significantly better than a password alone, but not recommended for high-security environments.
Biometrics (Something You Are)
Biometric authentication uses measurable physical characteristics: fingerprints, iris patterns, voice characteristics, facial geometry, or retinal blood vessel patterns. A critical exam concept about biometrics:
- Mathematical representation, not the biometric itself: biometric systems do NOT store an image of your fingerprint or iris. Instead, they capture the biometric during enrollment, convert it to a mathematical representation (a set of extracted feature points and measurements), and store only that mathematical model. During authentication, the same conversion is applied to the presented biometric and the result is compared to the stored model.
- Cannot be changed: unlike a password, a biometric cannot be changed if it is compromised. If an attacker obtains the mathematical representation of your fingerprint from a database breach, you cannot change your fingerprint. This is a fundamental limitation of biometric authentication as a single factor.
Biometric accuracy metrics:
- False Acceptance Rate (FAR): rate at which the system incorrectly accepts an unauthorized user (false positive). High FAR = low security.
- False Rejection Rate (FRR): rate at which the system incorrectly rejects a legitimate user (false negative). High FRR = poor usability.
- Crossover Error Rate (CER): the point at which FAR = FRR; used to compare biometric system accuracy. Lower CER = better system.
Location-Based Authentication (Somewhere You Are)
The location factor verifies that the authentication request originates from an expected geographic location. Several technologies provide location data:
- IP address geolocation: the originating IP address is mapped to an approximate geographic location. Limitations: VPNs and proxy servers can mask the real location; IPv6 addresses are less accurately mapped to locations. Imprecise but easy to implement.
- GPS: requires the authenticating device to report GPS coordinates. More accurate than IP-based location but requires device participation and can be spoofed by GPS spoofing software.
- Cellular network location: the device's cell tower connections provide approximate location. Less accurate than GPS but does not require GPS capability.
- 802.11 Wi-Fi triangulation: location determined by the access points visible to the device. Useful indoors where GPS signal is weak. Accuracy depends on AP density.
Location-based authentication is often used to detect anomalies (impossible travel) rather than as a primary authentication factor. It works well in combination with other factors but is not reliable as a standalone authentication mechanism due to the ease of location spoofing.