Multi-Factor Authentication Primer

Author: Brian Rhodes, Published on Feb 04, 2013

Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting them to certain individuals. The technique of 'multi-factor authentication' is applied when the end-user is concerned about who actually can use access control credentials. In this note, we examine the concept and detail the ways many access control designers choose to use it.

Multi-Factor Authentication Defined

** ****** *****, *** ******* ***** **** **** **** *** credential **** ** ********* ** ***** ** **** ******. *******, the *********** **** ** '*******' ** * *** **** **** validate **** *****. **** ***** **** *** '*****-******' *******, **** than *** ********** **** ** ************** ********, *** ****** ** option ** **** **** *** **** ** ***** ****.

** * ***** **** ***** ****** ******** ********* *****, *********** scans, ** * ****** **** ** ***** ** ** '***********', two ** **** *********** ***** ** ******* *** *****, *** just ********* ********** ****** *** ********** *** *** **** ** present ** *** ****. *** ***** ***** ***** ** ******* of * ******* '***** ******' ****** ******:


*** ********** ************** '*******' ****** ** *** ** *** **** type, *** **** ** *******, ********, *** ********** ******* ***** of ***********. ***** '****** ******' *** ******** ***** **:

  • ********* *** **** ***: * **********/********** ******* **************** ** *** ****. ********* ** access ******* *****, *****, ** ***. **** ******** * ********** key, ********** **, ** ********.
  • ********* *** **** *****: ********* * **** ** ******** **** ******* ** *** user. ********* * *** ******, *** **** ******* '******** *********' or '**** * ****** ******** *****' *************.
  • ********* *** **** **: ********* ******** **** *** **** ** **** ** *******. Typically ************ ** **** ******, *** ***** ******** ******** ********* face ***********, **********, ******/**** *****, *** **** ****.
  • ******* ******* ******** *** ****: ***** ******* **********, ******* ***** ********** *** *** ******* for *** ****. **** ***** ** * ****** *****, ** even * ************ **** ****** ****** ***** ** ***********.

Different *****

*** ****** ****** ** ******* ******* **** ********* ** ** end-user's ******** ********. ***** ****** ********* ***** *** ******** *** of **** *********** *** ******* *** *******, ***** ****-******** ************* may ******* ***** ** ****. ** ****** *** ******* ***** tiers *****:

*** ******:**** ***** * *********** ** '********* *** **** ***' *** '********* ** *****', **** ** ****** ******* ****** **** *** ************ *** number. **** ** *** **** ***** *** ****, ** ************ finder ****** *** ** ** **** ****** ****** **** **** know * ****, ***** ** ***** **** ** *** ****.

******* *********** ********** ****** *** **** *********, ** ** **** common ** *** *********** ** ***** ************* ******* **** **'********* *** **** **' ** *** ****** **************.

***** ******: **** ******** ******** ** **** ****** ***** ** **********, three ******* *** ********. **** ***** **** ** * *********** of **********, *** *****, *** ****** ******* ***********, *** ****** significantly **** ****** ** ********* *** ****** **** ****** '****** factor' **************.


** * ****** ** **** **** *** **** ** *** this ***** ** **************, ** ** **** ** ******** **************, military, *** ******** ********** *** *** ********* *** ********** ***-*****.

**** ******: *** ******* ***** ** ************** ** ***** **** ** military *** ***** ********* *********, ***** ****** *********** *** **** in *********** **** *** ***** *******. ******* **** ******* ***** the **** **** *** ** *** **** ***** *********, ** typically ** *** ******** ****** *** ******** **** ** **** high *** ******** ******** ** *********.


Multi-Factor ************

**** ***** ****** '****** ******' ************** ** **** ******, *** multiple ******* *** ******** ******** ** ******* ************* ******* ** access *******. **** ***** ******** ********:

  • ATM ********: Not only are debit cards required to be swiped, but PIN numbers are required every time a cash transaction takes place at one of these machines.
  • ******: ********** **** ****** *****, *****, ** *** ***** ******* takes ********* ** ********* '********* *** ****' *** ********* '********* *** ****' ** ******* ****** **********.

**** ** ***** ** ******** ******, *********** **** * ***** role. **** ** ***** ** ******** ***********, ******** ******* *** required.

Single ****** ***** **** ******

* ******** ** ********** ****** ******* ******* *** '****** ******' authentication, *** **** ** ********** *** *** *********** ******** ** most ***-*****. *** ****** ********** **** ** **** ** **** to *** ******** ** *** ******, *** *** ****** ******** (ie: *******, *****) ** ****** ******* **** ******.

*** *********** *** ******* *** **** ****** '****** ******' **********. No ***** ************ ** *** ****** ** ******** **** *** key *** **** ******. ***** ********* ******** ** ****-**** ********** access ***********, ********** **** ***** ******* ** ******** '***** *****' of ******** *** **** ******** ** **********.

*** ***** *******, ***** ******** ******* ** ****** ******** ***** be ********** ******. ******* ******* ********** ***** ****** *** **** expensive, *** ****** ****** ************ ***** ** ******** *** ****** justified ******* ******** *************, ****** ****** ******* *** ******** ****** used.

Comments (19)

Access time can be used as multi-factor authentication. In some access, we need at least 2 persons (max 3 persons) to present themselves at a specific time range to verify to unlock a door, for example 1pm to 2pm. The door remains locked if any of them is not present, or outside the specific time range.

The picture accompanying the Two Factor discussion appears to illustrate a key problem of access. Potential for second person allowed access in tandem with first person's credentials.

Curious Brian, when using a credit card in a brick & mortar store and the attendant checks your signature on the slip against the one on the card, is that considered a crude but effective Biometric? Or is it actually an altogether different form, i.e., Something you can do...

Interesting question. Handwriting is considered a biometric, at least by some.

Indeed when (more like 'if' in my experience) the clerk checks your signature on the back of the card, it is at least a two-factor check: One - you have the card, and two - you 'are' the person who was issued the card (validated by same signature).

In any case, handwriting is a weak biometric, since it can easily be spoofed. The time it takes for a finite comparison limits the applications. Not only this, but it appears to dramatically change over time. The way I write something when I am warm and sober will certainly change if I am cold and drunk, so handwriting has disadvantages that other biometrics do not.

handwriting is a weak biometric, since it can easily be spoofed.

Who knows, one day they might make it so that the pricey pressure-sensitive signature pad performs a check, with a very lenient algorithm, against your on-file J. Hancock instead of the spoofable one on your card. After that it's a breeze to implement a contextual scheme that uses your pending purchases to estimate your BAC level and compensate the signature validation algorithm accordingly...

Do these systems usually come with an 'entry under duress' panic button? Even for badges, like use the wrong side or something? :)

P.S. I don't know about you but I am a 'warm drunk'...

We use PIN and biometrics to access narcotics in our facility. Requiring the PIN to be entered first shortens the search time for the thumb print verification. Rather than searching through all of the thumb prints when presented, the PIN identifies the user and only looks for the user's thumb print for verification.

Ordering the way layers are presented (pin first to queue up fingerprint for verification) is a good point, Ed, and something I myself have not considered before. A good question on the ability of the biometric manufacturer to ask them about their equipment.

This is called 'verification mode' for many biometric readers.

Products like HID's bioClass fingerprint readers use it exclusively, where the card itself contains both the fingerprint template and credential data. The user scans a badge to load the credential into the reader, but the reader does not actually send any information to the access system unless the fingerprint scan matches the one downloaded from the card.

Not only does it speed up the database search, but the other factors are not active until the other credentials are valid.

For example, an Iris reader that I have worked with had a mode where the iris reader would not become active until the card or card + pin was entered AND matched.

This way, you don't have someone trying to "hack" the biometric part. You would have to match the card or card + pin first.

There was some movie where they "defeated" an iris or retina reader by holding up a specially crafted jewel that was a "backdoor" into the database or something like that. Having the additional factors helps prevent or delay the defeat requiring more steps to be taken...

Why would you need anything else, when you use biometrics authentication? Nobody else has the same fingerprint. I think it should fully identify you.

Good question! There are several reasons why biometric isn't always a good answer, even as part of a 'multi-factor' setup:

Time: Biometric readers often take time. Comparing even a quick fingerprint to multiple possible matches takes time. People standing outside a locked door usually aren't very patient when they are waiting, and other factors may be faster.

Location: Sticking a fingerprint reader outside may be okay during summer, but when the weather is cold and icy, you might face considerable resentment if you force people to take off gloves simply to get in the door. Realistically, major problems like door propping and tailgating creep up. There are other factors too, like dirty hands, iris scanners facing the sun, and so on.

Culture: Some people are just outright uncomfortable with biometric scanners. Some users object to 'machines reading their bodies'. We may disagree and think it's silly, but not everyone is okay with biometrics when other credential options are readily available.

Physiology: Also, not everyone is equally 'readable' by biometric readers. For example, user age can greatly affect how easily a fingerprint can be read. An iris scanner is an unpopular choice for the blind, and so on...

Not all biometrics are created equally. Fingerprint biometrics can be "easily" hacked. So, if you are able to create a "gummy" fingerprint (google it...) from a latent print, then you have access. This is why you need a second factor.

Another example would be forcing someone to put their finger on the scanner.

For fingerprint, having a system that detects a pulse ensures that it is a live finger, and not a copy or otherwise.

Having a PIN like Rukmini mentions allows for a panic or duress capability. Typing in a wrong or altered pin trips a silent alarm triggering a response without alerting the intruder immediately...
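The PIN-first 'verification mode' and duress PIN described in the comments above, as an added Python example that is not from the article, any commenter, or any vendor's reader. The class names, the toy `similarity` matcher, the threshold, and the enrollments are constructed assumptions; it contrasts a 1:N biometric search with a 1:1 check that stays inactive until card and PIN match.

```python
import hmac
from dataclasses import dataclass

MATCH_THRESHOLD = 0.9  # assumed similarity cut-off for the toy matcher

@dataclass(frozen=True)
class Enrollment:
    card_id: str
    pin: str          # constructed; a real panel would not keep PINs in clear
    duress_pin: str   # altered PIN that still opens the door but raises an alarm
    template: tuple   # constructed stand-in for a fingerprint template

def similarity(scan, template):
    """Toy matcher: fraction of positions that agree (not a real algorithm)."""
    return sum(a == b for a, b in zip(scan, template)) / len(template)

class Reader:
    def __init__(self, enrollments):
        self.by_card = {e.card_id: e for e in enrollments}
        self.comparisons = 0      # biometric comparisons performed so far
        self.silent_alarms = []   # card ids that used a duress PIN

    def identify(self, scan):
        """1:N search: biometric alone, compared against every enrolled user."""
        best_id, best = None, 0.0
        for e in self.by_card.values():
            self.comparisons += 1
            score = similarity(scan, e.template)
            if score > best:
                best_id, best = e.card_id, score
        return best_id if best >= MATCH_THRESHOLD else None

    def verify(self, card_id, pin, scan):
        """1:1 check: the biometric stage stays inactive until card + PIN match."""
        e = self.by_card.get(card_id)
        if e is None:
            return "deny"
        normal = hmac.compare_digest(pin, e.pin)
        duress = hmac.compare_digest(pin, e.duress_pin)
        if not (normal or duress):
            return "deny"              # scanner never consulted
        self.comparisons += 1          # exactly one template comparison
        if similarity(scan, e.template) < MATCH_THRESHOLD:
            return "deny"
        if duress:
            self.silent_alarms.append(card_id)  # door opens, alarm raised quietly
        return "grant"

# Constructed sample enrollments
USERS = [
    Enrollment("C100", "1234", "1235", (1, 4, 2, 8, 5, 7, 3, 9, 6, 0)),
    Enrollment("C200", "4321", "4322", (9, 9, 1, 0, 2, 2, 7, 5, 5, 3)),
    Enrollment("C300", "2468", "2469", (0, 1, 0, 1, 6, 6, 8, 8, 4, 4)),
]
```

The `comparisons` counter makes the search-time difference visible: `identify` costs one comparison per enrolled user, while `verify` costs at most one and none at all when the card or PIN is wrong.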

I am thinking in low traffic areas such as a gated community, where one must pass some form of id to enter the gates. Residents wouldn't mind the extra time to include some form of biometrics and fob to enter their residence.

At one point in my career I worked at a facility that had a security officer at the gate who would verify the photo on the badge was you, then let you use a reader and PIN pad. 3 layers without biometrics.

I know I wasn't able to make the live class, but plan to watch the webinar. I've done the class readings and I'm curious what people think of facial recognition as a biometric credential. When I was at Security Systems News, I wrote a story and did a video interview on FST21 (now FST BM) and a building-wide installation they'd done at a senior housing facility in Lynn MA and the solution seemed to work extremely well and was a perfect fit for elders who didn't need to remember to carry a credential or understand where to place their fob, etc...


However, I now work in systems sales, and I don't see facial recognition--or biometrics in general--taking off. Are others installing any kind of facial recognition?

Thanks!

Online: Everything from social media, email, to web based banking takes advantage of usernames 'something you have' and passwords 'something you know' to protect online identities.

It's odd that you describe a username and password being multi-factor authentication. Most security certifications consider it to be single-factor, as both username and password are considered something you know. I don't think a username could be something I have, as it can't be taken from me (like an access card can be). I grabbed this from my CompTIA Security+ guide:

The most basic form of authentication is known as single factor authentication (SFA) because only one type of authentication is checked. SFA is most often implemented as the traditional username/password combination.

This is very helpful information!!

Would the "gait" authentication be read by a floor unit or is it measured by recorded video? This one baffles me.

I've not seen commercially widespread use of 'gait' biometrics.

However, there are several 'proofs of concept' models at tradeshows that have used (visual) camera arrays or arrays of TOF sensors (ie: like those in IP Time of Flight Camera, TOF Turnstile).

I do think the market is pretty long from adopting gait as a biometric, but several claim the 'unique signature' is there.

However, stick me in a weird pair of boots or after a weekend of yardwork, and I can easily see differences in my own gait. :)
