Multi-Factor Authentication Primer

Author: Brian Rhodes, Published on Feb 04, 2013

Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting them to certain individuals. The technique of 'multi-factor authentication' is applied when the end-user is concerned about who actually can use access control credentials. In this note, we examine the concept and detail the ways many access control designers choose to use it.

Multi-Factor Authentication Defined

** ****** *****, *** ******* ***** **** **** **** *** credential **** ** ********* ** ***** ** **** ******. *******, the *********** **** ** '*******' ** * *** **** **** validate **** *****. **** ***** **** *** '*****-******' *******, **** than *** ********** **** ** ************** ********, *** ****** ** option ** **** **** *** **** ** ***** ****.

** * ***** **** ***** ****** ******** ********* *****, *********** scans, ** * ****** **** ** ***** ** ** '***********', two ** **** *********** ***** ** ******* *** *****, *** just ********* ********** ****** *** ********** *** *** **** ** present ** *** ****. *** ***** ***** ***** ** ******* of * ******* '***** ******' ****** ******:


*** ********** ************** '*******' ****** ** *** ** *** **** type, *** **** ** *******, ********, *** ********** ******* ***** of ***********. ***** '****** ******' *** ******** ***** **:

  • ********* *** **** ***: * **********/********** ******* **************** ** *** ****. ********* ** access ******* *****, *****, ** ***. **** ******** * ********** key, ********** **, ** ********.
  • ********* *** **** *****: ********* * **** ** ******** **** ******* ** *** user. ********* * *** ******, *** **** ******* '******** *********' or '**** * ****** ******** *****' *************.
  • ********* *** **** **: ********* ******** **** *** **** ** **** ** *******. Typically ************ ** **** ******, *** ***** ******** ******** ********* face ***********, **********, ******/**** *****, *** **** ****.
  • ******* ******* ******** *** ****: ***** ******* **********, ******* ***** ********** *** *** ******* for *** ****. **** ***** ** * ****** *****, ** even * ************ **** ****** ****** ***** ** ***********.

Different *****

*** ****** ****** ** ******* ******* **** ********* ** ** end-user's ******** ********. ***** ****** ********* ***** *** ******** *** of **** *********** *** ******* *** *******, ***** ****-******** ************* may ******* ***** ** ****. ** ****** *** ******* ***** tiers *****:

*** ******:**** ***** * *********** ** '********* *** **** ***' *** '********* ** *****', **** ** ****** ******* ****** **** *** ************ *** number. **** ** *** **** ***** *** ****, ** ************ finder ****** *** ** ** **** ****** ****** **** **** know * ****, ***** ** ***** **** ** *** ****.

******* *********** ********** ****** *** **** *********, ** ** **** common ** *** *********** ** ***** ************* ******* **** **'********* *** **** **' ** *** ****** **************.

***** ******: **** ******** ******** ** **** ****** ***** ** **********, three ******* *** ********. **** ***** **** ** * *********** of **********, *** *****, *** ****** ******* ***********, *** ****** significantly **** ****** ** ********* *** ****** **** ****** '****** factor' **************.


** * ****** ** **** **** *** **** ** *** this ***** ** **************, ** ** **** ** ******** **************, military, *** ******** ********** *** *** ********* *** ********** ***-*****.

**** ******: *** ******* ***** ** ************** ** ***** **** ** military *** ***** ********* *********, ***** ****** *********** *** **** in *********** **** *** ***** *******. ******* **** ******* ***** the **** **** *** ** *** **** ***** *********, ** typically ** *** ******** ****** *** ******** **** ** **** high *** ******** ******** ** *********.


Multi-Factor ************

**** ***** ****** '****** ******' ************** ** **** ******, *** multiple ******* *** ******** ******** ** ******* ************* ******* ** access *******. **** ***** ******** ********:

  • ATM ********: Not only are debit cards required to be swiped, but PIN numbers are required every time a cash transaction takes place at one of these machines.
  • ******: ********** **** ****** *****, *****, ** *** ***** ******* takes ********* ** ********* '********* *** ****' *** ********* '********* *** ****' ** ******* ****** **********.

**** ** ***** ** ******** ******, *********** **** * ***** role. **** ** ***** ** ******** ***********, ******** ******* *** required.

Single ****** ***** **** ******

* ******** ** ********** ****** ******* ******* *** '****** ******' authentication, *** **** ** ********** *** *** *********** ******** ** most ***-*****. *** ****** ********** **** ** **** ** **** to *** ******** ** *** ******, *** *** ****** ******** (ie: *******, *****) ** ****** ******* **** ******.

*** *********** *** ******* *** **** ****** '****** ******' **********. No ***** ************ ** *** ****** ** ******** **** *** key *** **** ******. ***** ********* ******** ** ****-**** ********** access ***********, ********** **** ***** ******* ** ******** '***** *****' of ******** *** **** ******** ** **********.

*** ***** *******, ***** ******** ******* ** ****** ******** ***** be ********** ******. ******* ******* ********** ***** ****** *** **** expensive, *** ****** ****** ************ ***** ** ******** *** ****** justified ******* ******** *************, ****** ****** ******* *** ******** ****** used.

Comments (19)

Kok Long Pang

10/17/13 08:16am

Access time can be uses as multi factor authentication. In some access, we need at least 2 persons (max 3 persons) to present themselves at specific time range to verify to unlock a door, for example 1pm to 2pm. Door remain locked if any of them does not present, or outside the specific time range.

Bob Lowden

IPVMU Certified | 04/17/14 01:59am

The picture accompanying the Two Factor discussion appears to illustrate a key problem of access. Potential for second person allowed access in tandum with first person's credentials.

Rukmini Wilson

04/17/14 02:51am

Curious Brian, when using a credit card in a brick & mortar store and the attendant checks your signature on the slip against the one on the card, is that considered a crude but effective Biometric? Or is it actually an altogether different form, i.e., Something you can do...

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Rukmini Wilson | 04/17/14 03:14am

Interesting question. Handwriting is considered a biometric, at least by some.

Indeed when (more like 'if' in my experience) the clerk checks your signature on the back of the card, it is at least a two-factor check: One - you have the card, and two - you 'are' the person who was issued the card (validated by same signature).

In any case, handwriting is a weak biometric, since it can easily be spoofed. The time it takes for a finite comparison limits the applications. Not only this, but it appears to dramatically change over time. The way I write something when I am warm and sober will certainly change if I am cold and drunk, so handwriting has disadvantages that other biometrics do not.

Rukmini Wilson

In reply to Brian Rhodes | 04/17/14 04:12am

handwriting is a weak biometric, since it can easily be spoofed.

Who knows one day they might make it so that the pricey pressure-sensitive signature pad performs a check, with a very lenient algorithm, against your onfile J. Hancock instead of the spoofable one on your card. After that its a breeze to implement a contextual scheme that uses your pending purchases to estimate your BAC level and compensate the signature validation algorithim accordingly...

Do these systems usually come with a 'entry under duress' panic button? Even for badges, like use the wrong side or something? :)

P.S. I don't know about you but I am a 'warm drunk'...

Brandon Sobotka

IPVMU Certified | 01/21/15 04:00pm

We use PIN and biometrics to access narcotics in our facility. Requiring the PIN to be entered first shortens the search time for the thumb print verification. Rather that searching through all of the thumb prints when presented, the PIN identifies the users and only looks for the users thumb print for verification.

Thumbnail usa shield

Luis Carmona

IPVMU Certified | In reply to Brandon Sobotka | 01/21/15 05:36pm

Ordering the way layers are presented (pin first to queue up fingerprint for verification) is a good point, Ed, and something I myself have not considered before. A good question on the ability of the biometric manufcaturer to ask them about their equipment.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Luis Carmona | 01/21/15 05:46pm

This is called 'verification mode' for many biometric readers.

Products like HID's bioClass fingerprint readers use it exclusively, where the card itself contains both the fingerprint template and credential data. The user scans a badge to load the credential into the reader, but the reader does not actually send any information to the access system unless the fingerprint scan matches the one downloaded from the card.

Thumbnail saks

Aaron Saks

In reply to Brandon Sobotka | 01/22/15 02:00pm

Not only does it speed up the database search, but the other factors are not active until the other credentials are valid.

For example, an Iris reader that I have worked with had a mode where the iris reader would not become active until the card or card + pin was entered AND matched.

This way, you don't have someone trying to "hack" the biometric part. You would have to match the card or card + pin first.

There was some movie where they "defeated" an iris or retnia reader by holding up a specially crafted jewel that was a "backdoor" into the database or something like that. Having the additional factors helps prevent or delay the defeat requiring more steps to be taken...

Val Tsyrklevich

01/22/15 02:28am

Why would you need anything else, when you use biometrics authentication? Nobody else has the same fingerprint. I think it should fully identify you.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Val Tsyrklevich | 01/22/15 03:04am

Good question! There are several reasons why biometric isn't always a good answer, even as part of a 'multi-factor' setup:

Time: Biometric readers often take time. Comparing even a quick fingerprint to multiple possible matches takes time. People standing outside a locked door usually aren't very patient when they are waiting, and other factors may be faster.

Location: Sticking a fingerprint reader outside may be okay during summer, but when the weather is cold and icy, you might face considerable resentment if you force people to take off gloves simply to get in the door. Realistically, major problems like door propping and tailgating creep up. There are other factors too, like dirty hands, iris scanners facing the sun, and so on.

Culture: Some people are just outright uncomfortable with biometric scanners. Some users object to 'machines reading their bodies'. We may disagree and think it's silly, but not everyone is okay with biometrics when other credential options are readily available.

Physiology: Also, not everyone is equally 'readable' by biometric readers. For example, user age can greatly affect how easily a fingerprint can be read. An iris scanner is an unpopular choice for the blind, and so on...

Thumbnail saks

Aaron Saks

In reply to Val Tsyrklevich | 01/22/15 01:50pm

No all biometrics are created equally. Fingerprint biometrics can be "easily" hacked. So, if you are able to create a "gummy" fingerprint (google it...) from a latent print, then you have access. This is why you need a second factor.

Another example would be forcing someone to put their finger on the scanner.

For fingerprint, having a system that detects a pulse ensures that it is a live finger, and not a copy or otherwise.

Having a PIN like Rukmini mentions allows for a panic or duress capability. Typing in a wrong or altered pin trips a silent alarm triggering a response without alerting the intruder immediately...

Paul Salvato

01/22/15 02:53am

I am thinking in low traffic areas such as gated community, where one must pass some form of id to enter the gates. Residents wouldnt mind the extra time to include some form of biometrics and fob to enter their residence.

Kim Mentzer

IPVMU Certified | 01/22/15 04:08am

At one point in my career I worked at a facility that had a security officer at the gate who would verify the photo on the the badge was you, then let you use a reader and PIN pad. 3 layers without biometics.

Thumbnail headshot

Daniel Gelinas

IPVMU Certified | 09/24/15 07:59pm

I know I wasn't able to make the live class, but plan to watch the webinar. I've done the class readings and I'm curious what people think of facial recognition as a biometric crediential. When I was at Security Systems News, I wrote a story and did a video interview on FST21 (now FST BM) and a building-wide installation they'd done at a senior housing facility in Lynn MA and the solution seemed to work extremely well and was a perfect fit for a elders who didn't need to remember to carry a credential or understand where to place there fob, etc...


However, I now work in systems sales, and I don't see facial recognition--or biometrics in general--taking off. Are others installing any kind of facial recognition?

Thanks!

Tim Hamilton

IPVMU Certified | 10/13/16 09:27pm

Online: Everything from social media, email, to web based banking takes advantage of usernames 'something you have' and passwords 'something you know' to protect online identities.

It's odd that you describe a username and password being multi-factor authentication. Most security certifications consider it to be single-factor, as both username and password are considered something you know. I don't think a username could be something I have, as it can't be taken from me (like an access card can be). I grabbed this from my CompTIA Security+ guide:

The most basic form of authentication is known as single factor authentication (SFA) because only one type of authentication is checked. SFA is most often implemented as the traditional username/password combination.

Thumbnail mmsaltz

Mike Saltzgiver

IPVMU Certified | 10/17/16 06:50pm

This is very helpful information!!

Thumbnail steve hannah ii

Stephen Hannah II

IPVMU Certified | 04/19/17 11:37pm

Would the "gait" authentication be read by a floor unit or is it measured by recorded video? This one baffles me.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Stephen Hannah II | 04/20/17 12:16am

I've not seen commercially widespread use of 'gait' biometrics.

However, there are several 'proofs of concept' models at tradeshows that have used (visual) camera arrays or arrays of TOF sensors (ie: like those in IP Time of Flight Camera, TOF Turnstile).

I do think the market is pretty long from adopting gait as a biometric, but several claim the 'unique signature' is there.

However, stick me in a weird pair of boots or after a weekend of yardwork, and I can easily see differences in my own gait. :)

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Axis Releases First New Access Controller In 5 Years (A1601) on Jun 15, 2018
It has been 5 years since Axis 2013 entry in the physical access control market, with the A1001 (IPVM test). Now, Axis has released its second...
Access Control - Time & Attendance, Mustering and Mantraps Guide on Jun 13, 2018
Electronic access offers features that traditional mechanical locks cannot. While these features may not be as fundamental as keeping doors secure,...
ReconaSense - The AI / Access Control / Analytics / IoT / Video Company Profile on Jun 12, 2018
One company's ISC West booth stood out for displaying a light-up tower of buzzwords. The company, ReconaSense, pledged to be 'making sense of it...
Introducing Effective PPF (ePPF) - Improving Video Surveillance Designs on Jun 11, 2018
Pixel density (PPF / PPM) is the best metric the industry has to define and project video quality. It allows simple communication of estimated...
The Benefits of An Access Control Test Door on Jun 08, 2018
Security system dealers can benefit from having their own access control test door both for demonstrations and training. Inside, we explain the...
H.265 / HEVC Codec Tutorial on Jun 07, 2018
H.265 support has improved significantly in 2018, with H.265 camera/VMS compatibility increased compared to only a year ago, and more manufacturers...
Princeton Identity Access 200 Iris Scanners Examined on Jun 05, 2018
Iris recently registered a big jump as a preferred biometric in our Favorite Biometrics survey, but access-ready options can be difficult to...
Keypads For Access Control Tutorial on May 31, 2018
Keypad readers present huge risks to even the best access systems. If deployed improperly, keypads let people through locked doors almost as if...
Ambitious Mobile Access Startup: Openpath on May 24, 2018
This team sold their last startup for hundreds of millions of dollars, now they have started Openpath to become a rare access control small...
Installing Box Cameras Indoors Tutorial on May 22, 2018
This tutorial starts our physical installation for video surveillance series, starting with Box Cameras, one of the oldest and most basic types....

Most Recent Industry Reports

IPVM Vulnerability Scanner Released on Jun 18, 2018
IPVM is proud to announce video surveillance's first and only cybersecurity vulnerability scanner. This tool allows quickly and simply...
Hikvision Corrects False Cybersecurity Announcement on Jun 18, 2018
Hikvision has corrected a false cybersecurity announcement that claimed a British government-sponsored program endorsed the cybersecurity of...
July 2018 IP Networking Course on Jun 16, 2018
The last chance to save $50 on registration is this Thursday, June 21st. Register now and save. This is the only networking course designed...
The Dumb Ones: PSA's Bozeman On Cybersecurity on Jun 15, 2018
The smart ones are the hundred people who flew to Denver and spent $500+ on a 1.5-day conference featuring Dahua as a 'cyber responsible partner',...
Amazon Ring Launches $10 Monthly Professional Alarm Monitoring on Jun 15, 2018
Amazon's Ring has announced an alarm system with 24/7 professional alarm monitoring for $10 per month, a fraction of the $30+ per month traditional...
Axis Releases First New Access Controller In 5 Years (A1601) on Jun 15, 2018
It has been 5 years since Axis 2013 entry in the physical access control market, with the A1001 (IPVM test). Now, Axis has released its second...
Hikvision 12MP Fisheye Camera Tested (DS-2CD63C2F-IV) on Jun 14, 2018
Hikvision's DS-2CD63C2F-IV is their flagship panoramic camera, with a 12MP imager, 15m integrated IR, smart codec, and more. We tested the 63C2 in...
Four Major Outdoor Camera Install Problems on Jun 14, 2018
Over 140 integrators told us the top four camera installation mistakes that lead to unexpected problems and failures. Their comments often...
Security Sales Course Summer 2018 on Jun 14, 2018
Based on member's interest, IPVM is offering a security sales course this summer. Register Now - IPVM Security Sales Course Summer...
China Public Video Surveillance Guide: From Skynet to Sharp Eyes on Jun 14, 2018
China is expanding its video surveillance network to achieve “100%” nationwide coverage by 2020, including facial recognition capabilities and a...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact