Multi-Factor Authentication Primer

Author: Brian Rhodes, Published on Feb 04, 2013

Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting them to certain individuals. The technique of 'multi-factor authentication' is applied when the end-user is concerned about who actually can use access control credentials. In this note, we examine the concept and detail the ways many access control designers choose to use it.

Multi-Factor Authentication Defined

** ****** *****, *** ******* ***** **** **** **** *** credential **** ** ********* ** ***** ** **** ******. *******, the *********** **** ** '*******' ** * *** **** **** validate **** *****. **** ***** **** *** '*****-******' *******, **** than *** ********** **** ** ************** ********, *** ****** ** option ** **** **** *** **** ** ***** ****.

** * ***** **** ***** ****** ******** ********* *****, *********** scans, ** * ****** **** ** ***** ** ** '***********', two ** **** *********** ***** ** ******* *** *****, *** just ********* ********** ****** *** ********** *** *** **** ** present ** *** ****. *** ***** ***** ***** ** ******* of * ******* '***** ******' ****** ******:


*** ********** ************** '*******' ****** ** *** ** *** **** type, *** **** ** *******, ********, *** ********** ******* ***** of ***********. ***** '****** ******' *** ******** ***** **:

  • ********* *** **** ***: * **********/********** ******* **************** ** *** ****. ********* ** access ******* *****, *****, ** ***. **** ******** * ********** key, ********** **, ** ********.
  • ********* *** **** *****: ********* * **** ** ******** **** ******* ** *** user. ********* * *** ******, *** **** ******* '******** *********' or '**** * ****** ******** *****' *************.
  • ********* *** **** **: ********* ******** **** *** **** ** **** ** *******. Typically ************ ** **** ******, *** ***** ******** ******** ********* face ***********, **********, ******/**** *****, *** **** ****.
  • ******* ******* ******** *** ****: ***** ******* **********, ******* ***** ********** *** *** ******* for *** ****. **** ***** ** * ****** *****, ** even * ************ **** ****** ****** ***** ** ***********.

Different *****

*** ****** ****** ** ******* ******* **** ********* ** ** end-user's ******** ********. ***** ****** ********* ***** *** ******** *** of **** *********** *** ******* *** *******, ***** ****-******** ************* may ******* ***** ** ****. ** ****** *** ******* ***** tiers *****:

*** ******:**** ***** * *********** ** '********* *** **** ***' *** '********* ** *****', **** ** ****** ******* ****** **** *** ************ *** number. **** ** *** **** ***** *** ****, ** ************ finder ****** *** ** ** **** ****** ****** **** **** know * ****, ***** ** ***** **** ** *** ****.

******* *********** ********** ****** *** **** *********, ** ** **** common ** *** *********** ** ***** ************* ******* **** **'********* *** **** **' ** *** ****** **************.

***** ******: **** ******** ******** ** **** ****** ***** ** **********, three ******* *** ********. **** ***** **** ** * *********** of **********, *** *****, *** ****** ******* ***********, *** ****** significantly **** ****** ** ********* *** ****** **** ****** '****** factor' **************.


** * ****** ** **** **** *** **** ** *** this ***** ** **************, ** ** **** ** ******** **************, military, *** ******** ********** *** *** ********* *** ********** ***-*****.

**** ******: *** ******* ***** ** ************** ** ***** **** ** military *** ***** ********* *********, ***** ****** *********** *** **** in *********** **** *** ***** *******. ******* **** ******* ***** the **** **** *** ** *** **** ***** *********, ** typically ** *** ******** ****** *** ******** **** ** **** high *** ******** ******** ** *********.


Multi-Factor ************

**** ***** ****** '****** ******' ************** ** **** ******, *** multiple ******* *** ******** ******** ** ******* ************* ******* ** access *******. **** ***** ******** ********:

  • ATM ********: Not only are debit cards required to be swiped, but PIN numbers are required every time a cash transaction takes place at one of these machines.
  • ******: ********** **** ****** *****, *****, ** *** ***** ******* takes ********* ** ********* '********* *** ****' *** ********* '********* *** ****' ** ******* ****** **********.

**** ** ***** ** ******** ******, *********** **** * ***** role. **** ** ***** ** ******** ***********, ******** ******* *** required.

Single ****** ***** **** ******

* ******** ** ********** ****** ******* ******* *** '****** ******' authentication, *** **** ** ********** *** *** *********** ******** ** most ***-*****. *** ****** ********** **** ** **** ** **** to *** ******** ** *** ******, *** *** ****** ******** (ie: *******, *****) ** ****** ******* **** ******.

*** *********** *** ******* *** **** ****** '****** ******' **********. No ***** ************ ** *** ****** ** ******** **** *** key *** **** ******. ***** ********* ******** ** ****-**** ********** access ***********, ********** **** ***** ******* ** ******** '***** *****' of ******** *** **** ******** ** **********.

*** ***** *******, ***** ******** ******* ** ****** ******** ***** be ********** ******. ******* ******* ********** ***** ****** *** **** expensive, *** ****** ****** ************ ***** ** ******** *** ****** justified ******* ******** *************, ****** ****** ******* *** ******** ****** used.

Comments (19)

Kok Long Pang

10/17/13 08:16am

Access time can be uses as multi factor authentication. In some access, we need at least 2 persons (max 3 persons) to present themselves at specific time range to verify to unlock a door, for example 1pm to 2pm. Door remain locked if any of them does not present, or outside the specific time range.

Bob Lowden

IPVMU Certified | 04/17/14 01:59am

The picture accompanying the Two Factor discussion appears to illustrate a key problem of access. Potential for second person allowed access in tandum with first person's credentials.

Rukmini Wilson

04/17/14 02:51am

Curious Brian, when using a credit card in a brick & mortar store and the attendant checks your signature on the slip against the one on the card, is that considered a crude but effective Biometric? Or is it actually an altogether different form, i.e., Something you can do...

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Rukmini Wilson | 04/17/14 03:14am

Interesting question. Handwriting is considered a biometric, at least by some.

Indeed when (more like 'if' in my experience) the clerk checks your signature on the back of the card, it is at least a two-factor check: One - you have the card, and two - you 'are' the person who was issued the card (validated by same signature).

In any case, handwriting is a weak biometric, since it can easily be spoofed. The time it takes for a finite comparison limits the applications. Not only this, but it appears to dramatically change over time. The way I write something when I am warm and sober will certainly change if I am cold and drunk, so handwriting has disadvantages that other biometrics do not.

Rukmini Wilson

In reply to Brian Rhodes | 04/17/14 04:12am

handwriting is a weak biometric, since it can easily be spoofed.

Who knows one day they might make it so that the pricey pressure-sensitive signature pad performs a check, with a very lenient algorithm, against your onfile J. Hancock instead of the spoofable one on your card. After that its a breeze to implement a contextual scheme that uses your pending purchases to estimate your BAC level and compensate the signature validation algorithim accordingly...

Do these systems usually come with a 'entry under duress' panic button? Even for badges, like use the wrong side or something? :)

P.S. I don't know about you but I am a 'warm drunk'...

Brandon Sobotka

IPVMU Certified | 01/21/15 04:00pm

We use PIN and biometrics to access narcotics in our facility. Requiring the PIN to be entered first shortens the search time for the thumb print verification. Rather that searching through all of the thumb prints when presented, the PIN identifies the users and only looks for the users thumb print for verification.

Thumbnail usa shield

Luis Carmona

IPVMU Certified | In reply to Brandon Sobotka | 01/21/15 05:36pm

Ordering the way layers are presented (pin first to queue up fingerprint for verification) is a good point, Ed, and something I myself have not considered before. A good question on the ability of the biometric manufcaturer to ask them about their equipment.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Luis Carmona | 01/21/15 05:46pm

This is called 'verification mode' for many biometric readers.

Products like HID's bioClass fingerprint readers use it exclusively, where the card itself contains both the fingerprint template and credential data. The user scans a badge to load the credential into the reader, but the reader does not actually send any information to the access system unless the fingerprint scan matches the one downloaded from the card.

Thumbnail saks

Aaron Saks

In reply to Brandon Sobotka | 01/22/15 02:00pm

Not only does it speed up the database search, but the other factors are not active until the other credentials are valid.

For example, an Iris reader that I have worked with had a mode where the iris reader would not become active until the card or card + pin was entered AND matched.

This way, you don't have someone trying to "hack" the biometric part. You would have to match the card or card + pin first.

There was some movie where they "defeated" an iris or retnia reader by holding up a specially crafted jewel that was a "backdoor" into the database or something like that. Having the additional factors helps prevent or delay the defeat requiring more steps to be taken...

Val Tsyrklevich

01/22/15 02:28am

Why would you need anything else, when you use biometrics authentication? Nobody else has the same fingerprint. I think it should fully identify you.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Val Tsyrklevich | 01/22/15 03:04am

Good question! There are several reasons why biometric isn't always a good answer, even as part of a 'multi-factor' setup:

Time: Biometric readers often take time. Comparing even a quick fingerprint to multiple possible matches takes time. People standing outside a locked door usually aren't very patient when they are waiting, and other factors may be faster.

Location: Sticking a fingerprint reader outside may be okay during summer, but when the weather is cold and icy, you might face considerable resentment if you force people to take off gloves simply to get in the door. Realistically, major problems like door propping and tailgating creep up. There are other factors too, like dirty hands, iris scanners facing the sun, and so on.

Culture: Some people are just outright uncomfortable with biometric scanners. Some users object to 'machines reading their bodies'. We may disagree and think it's silly, but not everyone is okay with biometrics when other credential options are readily available.

Physiology: Also, not everyone is equally 'readable' by biometric readers. For example, user age can greatly affect how easily a fingerprint can be read. An iris scanner is an unpopular choice for the blind, and so on...

Thumbnail saks

Aaron Saks

In reply to Val Tsyrklevich | 01/22/15 01:50pm

No all biometrics are created equally. Fingerprint biometrics can be "easily" hacked. So, if you are able to create a "gummy" fingerprint (google it...) from a latent print, then you have access. This is why you need a second factor.

Another example would be forcing someone to put their finger on the scanner.

For fingerprint, having a system that detects a pulse ensures that it is a live finger, and not a copy or otherwise.

Having a PIN like Rukmini mentions allows for a panic or duress capability. Typing in a wrong or altered pin trips a silent alarm triggering a response without alerting the intruder immediately...

Paul Salvato

01/22/15 02:53am

I am thinking in low traffic areas such as gated community, where one must pass some form of id to enter the gates. Residents wouldnt mind the extra time to include some form of biometrics and fob to enter their residence.

Kim Mentzer

IPVMU Certified | 01/22/15 04:08am

At one point in my career I worked at a facility that had a security officer at the gate who would verify the photo on the the badge was you, then let you use a reader and PIN pad. 3 layers without biometics.

Thumbnail headshot

Daniel Gelinas

IPVMU Certified | 09/24/15 07:59pm

I know I wasn't able to make the live class, but plan to watch the webinar. I've done the class readings and I'm curious what people think of facial recognition as a biometric crediential. When I was at Security Systems News, I wrote a story and did a video interview on FST21 (now FST BM) and a building-wide installation they'd done at a senior housing facility in Lynn MA and the solution seemed to work extremely well and was a perfect fit for a elders who didn't need to remember to carry a credential or understand where to place there fob, etc...


However, I now work in systems sales, and I don't see facial recognition--or biometrics in general--taking off. Are others installing any kind of facial recognition?

Thanks!

Tim Hamilton

IPVMU Certified | 10/13/16 09:27pm

Online: Everything from social media, email, to web based banking takes advantage of usernames 'something you have' and passwords 'something you know' to protect online identities.

It's odd that you describe a username and password being multi-factor authentication. Most security certifications consider it to be single-factor, as both username and password are considered something you know. I don't think a username could be something I have, as it can't be taken from me (like an access card can be). I grabbed this from my CompTIA Security+ guide:

The most basic form of authentication is known as single factor authentication (SFA) because only one type of authentication is checked. SFA is most often implemented as the traditional username/password combination.

Thumbnail mmsaltz

Mike Saltzgiver

IPVMU Certified | 10/17/16 06:50pm

This is very helpful information!!

Thumbnail steve hannah ii

Stephen Hannah II

IPVMU Certified | 04/19/17 11:37pm

Would the "gait" authentication be read by a floor unit or is it measured by recorded video? This one baffles me.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Stephen Hannah II | 04/20/17 12:16am

I've not seen commercially widespread use of 'gait' biometrics.

However, there are several 'proofs of concept' models at tradeshows that have used (visual) camera arrays or arrays of TOF sensors (ie: like those in IP Time of Flight Camera, TOF Turnstile).

I do think the market is pretty long from adopting gait as a biometric, but several claim the 'unique signature' is there.

However, stick me in a weird pair of boots or after a weekend of yardwork, and I can easily see differences in my own gait. :)

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Backboxes for Video Surveillance Tutorial on Aug 15, 2018
Backboxes are a necessity in surveillance, whether for managing cable whips, recessing cameras, adding wireless radios. But it can be confusing to...
Camera Focusing Tutorial on Aug 09, 2018
A camera's focus is fundamental to quality imaging. Mistakes can cause important problems. In this guide, we explain focus issues and proper...
RealNetworks Free School Facial Recognition on Aug 03, 2018
The company that created RealPlayer is moving beyond media delivery and into the security space with a new facial recognition platform they have...
Installing Surveillance Cameras Into Synthetic Stucco (EIFS) Tutorial on Jul 30, 2018
Mounting cameras into synthetic stucco, commonly known as EIFS finishes, can be problematic If not properly planned, EIFS/stucco can be downright...
Door Swing Tutorial on Jul 24, 2018
The direction a door swings might seem minor, but it can greatly impact door hardware selection. There are four basic ways a door can swing, and...
Improved Security And Surveillance Bidding - 2018 MasterFormat Divisions Examined) on Jul 19, 2018
Navigating the world of system specifications and bidding work can be complex and confusing, but a standard format exists, and understanding it...
FST Fails on Jul 17, 2018
FST was one of the hottest startups of the decade, selected as the best new product at ISC West 2011 and backed with tens of millions in...
Installing Dome Cameras Indoors Guide on Jul 16, 2018
IPVM is producing the definitive series on installing surveillance cameras. This entry covers one of the most common scenarios - installing dome...
Belgium Bans Private Facial Surveillance on Jul 06, 2018
Belgium has effectively banned the use of facial recognition and other biometrics-based video analytics in surveillance cameras for private,...
GDPR For Access Control Guide on Jul 03, 2018
Electronic access control is common in businesses plus organizations are increasingly considering biometrics for access control. With GDPR coming...

Most Recent Industry Reports

Chinese OEM Avycon Gets ADI Push on Aug 15, 2018
Who is Avycon? An American company? A Korean company? A couple of guys relabelling Chinese products? The latter is the best explanation. While...
Backboxes for Video Surveillance Tutorial on Aug 15, 2018
Backboxes are a necessity in surveillance, whether for managing cable whips, recessing cameras, adding wireless radios. But it can be confusing to...
Genetec Stratocast / Comcast 'Motion Insights' Examined on Aug 15, 2018
Comcast recently announced "SmartOffice Motion Insights", an extension to their Genetec OEMed cloud video service (covered by IPVM here). This...
SimpliSafe Violating California, Florida, and Texas Licensing Laws on Aug 14, 2018
IPVM has verified that DIY security system provider SimpliSafe, founded in 2006 and acquired in June of 2018 at a billion dollar valuation, is...
Ban of Dahua and Hikvision Is Now US Gov Law on Aug 13, 2018
The US President has signed the 2019 NDAA into law, banning the use of Dahua and Hikvision (and their OEMs) for the US government, for US...
Cut Milestone Licensing Costs 80% By Using Hikvision and Dahua NVRs (Tested) on Aug 13, 2018
Enterprise VMS licensing can be quite expensive, with $200 or more per channel common, meaning a 100 camera system can cost $20,000 in VMS...
Nortek Sues SDS, Battle Over Unpaid Bill and Cancelled Lines on Aug 13, 2018
Nortek and SDS legal battle continues. As IPVM reported, SDS sued Nortek alleging bribery and antitrust violation. However, Wave fired back at SDS,...
Uniview Intrusion Analytics and VMD Tested on Aug 13, 2018
IPVM's IP Camera Analytics Shootout featuring Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision created some ill will with a Uniview distributor who...
ADT Employees Protest ADT CEO on Aug 10, 2018
So many ADT employees were so upset with ADT's CEO speech reported on by IPVM, that ADT's CEO was forced to send a mass email to employees to...
Axis / Avigilon Legal Battle Rises on Aug 09, 2018
In what is shaping up to be high-powered, will-not-back-down battle, Axis and Avigilon are squaring off in multiple legal contests. In 2017, IPVM...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact