4.6 Multifactor Authentication

Multifactor Authentication (MFA)

A security method that requires users to present multiple forms of identification when logging in. Common types include:

• Something you know (like a password)

• Something you have (like a smartphone app that generates a code)

• Something you are (like a fingerprint or face scan)

• Somewhere you are (like your GPS location)

^ These are called authentication factors.

Something You Know

An authentication factor based on knowledge only the user should have. Common examples include:

• Passwords that are memorized and kept secret

• PINs (Personal Identification Numbers), like the ones used at ATMs

• Unlock patterns used on smartphones or tablets

Something You Have

An authentication factor based on physical items the user possesses. Examples include:

• Smart cards with embedded IDs that are used along with a PIN

• USB security keys containing personal certificates that verify identity

• Hardware tokens that generate time-based codes matched by the server

• Software tokens on mobile phones that produce login codes

• Mobile phones themselves, often used to receive SMS codes for verification

Something You Are

A personal authentication factor based on biometrics, such as fingerprints or voiceprints.

• Instead of storing actual images, systems save a mathematical representation of these traits for comparison.

• Biometrics are hard to change

• Because biometrics can sometimes be bypassed, they are often combined with other factors like passwords or tokens to increase security.

Somewhere You Are

An authentication factor that uses a user’s location to verify identity.

• For example, a login from a country different than where the user was minutes earlier might be blocked.

• IP addresses also help estimate location, though IPv6 addresses are more complex and less precise for geolocation than IPv4

• Combining GPS, IP data, and other location services improves accuracy