Multi-Factor Authentication Primer

Author: Brian Rhodes, Published on Feb 04, 2013

Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting them to certain individuals. The technique of 'multi-factor authentication' is applied when the end-user is concerned about who actually can use access control credentials. In this note, we examine the concept and detail the ways many access control designers choose to use it.

Multi-Factor Authentication Defined

** ****** *****, *** ******* ***** **** **** **** *** credential **** ** ********* ** ***** ** **** ******. *******, the *********** **** ** '*******' ** * *** **** **** validate **** *****. **** ***** **** *** '*****-******' *******, **** than *** ********** **** ** ************** ********, *** ****** ** option ** **** **** *** **** ** ***** ****.

** * ***** **** ***** ****** ******** ********* *****, *********** scans, ** * ****** **** ** ***** ** ** '***********', two ** **** *********** ***** ** ******* *** *****, *** just ********* ********** ****** *** ********** *** *** **** ** present ** *** ****. *** ***** ***** ***** ** ******* of * ******* '***** ******' ****** ******:


*** ********** ************** '*******' ****** ** *** ** *** **** type, *** **** ** *******, ********, *** ********** ******* ***** of ***********. ***** '****** ******' *** ******** ***** **:

  • ********* *** **** ***: * **********/********** ******* **************** ** *** ****. ********* ** access ******* *****, *****, ** ***. **** ******** * ********** key, ********** **, ** ********.
  • ********* *** **** *****: ********* * **** ** ******** **** ******* ** *** user. ********* * *** ******, *** **** ******* '******** *********' or '**** * ****** ******** *****' *************.
  • ********* *** **** **: ********* ******** **** *** **** ** **** ** *******. Typically ************ ** **** ******, *** ***** ******** ******** ********* face ***********, **********, ******/**** *****, *** **** ****.
  • ******* ******* ******** *** ****: ***** ******* **********, ******* ***** ********** *** *** ******* for *** ****. **** ***** ** * ****** *****, ** even * ************ **** ****** ****** ***** ** ***********.

Different *****

*** ****** ****** ** ******* ******* **** ********* ** ** end-user's ******** ********. ***** ****** ********* ***** *** ******** *** of **** *********** *** ******* *** *******, ***** ****-******** ************* may ******* ***** ** ****. ** ****** *** ******* ***** tiers *****:

*** ******:**** ***** * *********** ** '********* *** **** ***' *** '********* ** *****', **** ** ****** ******* ****** **** *** ************ *** number. **** ** *** **** ***** *** ****, ** ************ finder ****** *** ** ** **** ****** ****** **** **** know * ****, ***** ** ***** **** ** *** ****.

******* *********** ********** ****** *** **** *********, ** ** **** common ** *** *********** ** ***** ************* ******* **** **'********* *** **** **' ** *** ****** **************.

***** ******: **** ******** ******** ** **** ****** ***** ** **********, three ******* *** ********. **** ***** **** ** * *********** of **********, *** *****, *** ****** ******* ***********, *** ****** significantly **** ****** ** ********* *** ****** **** ****** '****** factor' **************.


** * ****** ** **** **** *** **** ** *** this ***** ** **************, ** ** **** ** ******** **************, military, *** ******** ********** *** *** ********* *** ********** ***-*****.

**** ******: *** ******* ***** ** ************** ** ***** **** ** military *** ***** ********* *********, ***** ****** *********** *** **** in *********** **** *** ***** *******. ******* **** ******* ***** the **** **** *** ** *** **** ***** *********, ** typically ** *** ******** ****** *** ******** **** ** **** high *** ******** ******** ** *********.


Multi-Factor ************

**** ***** ****** '****** ******' ************** ** **** ******, *** multiple ******* *** ******** ******** ** ******* ************* ******* ** access *******. **** ***** ******** ********:

  • ATM ********: Not only are debit cards required to be swiped, but PIN numbers are required every time a cash transaction takes place at one of these machines.
  • ******: ********** **** ****** *****, *****, ** *** ***** ******* takes ********* ** ********* '********* *** ****' *** ********* '********* *** ****' ** ******* ****** **********.

**** ** ***** ** ******** ******, *********** **** * ***** role. **** ** ***** ** ******** ***********, ******** ******* *** required.

Single ****** ***** **** ******

* ******** ** ********** ****** ******* ******* *** '****** ******' authentication, *** **** ** ********** *** *** *********** ******** ** most ***-*****. *** ****** ********** **** ** **** ** **** to *** ******** ** *** ******, *** *** ****** ******** (ie: *******, *****) ** ****** ******* **** ******.

*** *********** *** ******* *** **** ****** '****** ******' **********. No ***** ************ ** *** ****** ** ******** **** *** key *** **** ******. ***** ********* ******** ** ****-**** ********** access ***********, ********** **** ***** ******* ** ******** '***** *****' of ******** *** **** ******** ** **********.

*** ***** *******, ***** ******** ******* ** ****** ******** ***** be ********** ******. ******* ******* ********** ***** ****** *** **** expensive, *** ****** ****** ************ ***** ** ******** *** ****** justified ******* ******** *************, ****** ****** ******* *** ******** ****** used.

Comments (19)

Kok Long Pang

10/17/13 08:16am

Access time can be uses as multi factor authentication. In some access, we need at least 2 persons (max 3 persons) to present themselves at specific time range to verify to unlock a door, for example 1pm to 2pm. Door remain locked if any of them does not present, or outside the specific time range.

Bob Lowden

IPVMU Certified | 04/17/14 01:59am

The picture accompanying the Two Factor discussion appears to illustrate a key problem of access. Potential for second person allowed access in tandum with first person's credentials.

Rukmini Wilson

04/17/14 02:51am

Curious Brian, when using a credit card in a brick & mortar store and the attendant checks your signature on the slip against the one on the card, is that considered a crude but effective Biometric? Or is it actually an altogether different form, i.e., Something you can do...

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Rukmini Wilson | 04/17/14 03:14am

Interesting question. Handwriting is considered a biometric, at least by some.

Indeed when (more like 'if' in my experience) the clerk checks your signature on the back of the card, it is at least a two-factor check: One - you have the card, and two - you 'are' the person who was issued the card (validated by same signature).

In any case, handwriting is a weak biometric, since it can easily be spoofed. The time it takes for a finite comparison limits the applications. Not only this, but it appears to dramatically change over time. The way I write something when I am warm and sober will certainly change if I am cold and drunk, so handwriting has disadvantages that other biometrics do not.

Rukmini Wilson

In reply to Brian Rhodes | 04/17/14 04:12am

handwriting is a weak biometric, since it can easily be spoofed.

Who knows one day they might make it so that the pricey pressure-sensitive signature pad performs a check, with a very lenient algorithm, against your onfile J. Hancock instead of the spoofable one on your card. After that its a breeze to implement a contextual scheme that uses your pending purchases to estimate your BAC level and compensate the signature validation algorithim accordingly...

Do these systems usually come with a 'entry under duress' panic button? Even for badges, like use the wrong side or something? :)

P.S. I don't know about you but I am a 'warm drunk'...

Brandon Sobotka

IPVMU Certified | 01/21/15 04:00pm

We use PIN and biometrics to access narcotics in our facility. Requiring the PIN to be entered first shortens the search time for the thumb print verification. Rather that searching through all of the thumb prints when presented, the PIN identifies the users and only looks for the users thumb print for verification.

Thumbnail usa shield

Luis Carmona

IPVMU Certified | In reply to Brandon Sobotka | 01/21/15 05:36pm

Ordering the way layers are presented (pin first to queue up fingerprint for verification) is a good point, Ed, and something I myself have not considered before. A good question on the ability of the biometric manufcaturer to ask them about their equipment.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Luis Carmona | 01/21/15 05:46pm

This is called 'verification mode' for many biometric readers.

Products like HID's bioClass fingerprint readers use it exclusively, where the card itself contains both the fingerprint template and credential data. The user scans a badge to load the credential into the reader, but the reader does not actually send any information to the access system unless the fingerprint scan matches the one downloaded from the card.

Thumbnail saks

Aaron Saks

In reply to Brandon Sobotka | 01/22/15 02:00pm

Not only does it speed up the database search, but the other factors are not active until the other credentials are valid.

For example, an Iris reader that I have worked with had a mode where the iris reader would not become active until the card or card + pin was entered AND matched.

This way, you don't have someone trying to "hack" the biometric part. You would have to match the card or card + pin first.

There was some movie where they "defeated" an iris or retnia reader by holding up a specially crafted jewel that was a "backdoor" into the database or something like that. Having the additional factors helps prevent or delay the defeat requiring more steps to be taken...

Val Tsyrklevich

01/22/15 02:28am

Why would you need anything else, when you use biometrics authentication? Nobody else has the same fingerprint. I think it should fully identify you.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Val Tsyrklevich | 01/22/15 03:04am

Good question! There are several reasons why biometric isn't always a good answer, even as part of a 'multi-factor' setup:

Time: Biometric readers often take time. Comparing even a quick fingerprint to multiple possible matches takes time. People standing outside a locked door usually aren't very patient when they are waiting, and other factors may be faster.

Location: Sticking a fingerprint reader outside may be okay during summer, but when the weather is cold and icy, you might face considerable resentment if you force people to take off gloves simply to get in the door. Realistically, major problems like door propping and tailgating creep up. There are other factors too, like dirty hands, iris scanners facing the sun, and so on.

Culture: Some people are just outright uncomfortable with biometric scanners. Some users object to 'machines reading their bodies'. We may disagree and think it's silly, but not everyone is okay with biometrics when other credential options are readily available.

Physiology: Also, not everyone is equally 'readable' by biometric readers. For example, user age can greatly affect how easily a fingerprint can be read. An iris scanner is an unpopular choice for the blind, and so on...

Thumbnail saks

Aaron Saks

In reply to Val Tsyrklevich | 01/22/15 01:50pm

No all biometrics are created equally. Fingerprint biometrics can be "easily" hacked. So, if you are able to create a "gummy" fingerprint (google it...) from a latent print, then you have access. This is why you need a second factor.

Another example would be forcing someone to put their finger on the scanner.

For fingerprint, having a system that detects a pulse ensures that it is a live finger, and not a copy or otherwise.

Having a PIN like Rukmini mentions allows for a panic or duress capability. Typing in a wrong or altered pin trips a silent alarm triggering a response without alerting the intruder immediately...

Paul Salvato

01/22/15 02:53am

I am thinking in low traffic areas such as gated community, where one must pass some form of id to enter the gates. Residents wouldnt mind the extra time to include some form of biometrics and fob to enter their residence.

Kim Mentzer

IPVMU Certified | 01/22/15 04:08am

At one point in my career I worked at a facility that had a security officer at the gate who would verify the photo on the the badge was you, then let you use a reader and PIN pad. 3 layers without biometics.

Thumbnail headshot

Daniel Gelinas

IPVMU Certified | 09/24/15 07:59pm

I know I wasn't able to make the live class, but plan to watch the webinar. I've done the class readings and I'm curious what people think of facial recognition as a biometric crediential. When I was at Security Systems News, I wrote a story and did a video interview on FST21 (now FST BM) and a building-wide installation they'd done at a senior housing facility in Lynn MA and the solution seemed to work extremely well and was a perfect fit for a elders who didn't need to remember to carry a credential or understand where to place there fob, etc...


However, I now work in systems sales, and I don't see facial recognition--or biometrics in general--taking off. Are others installing any kind of facial recognition?

Thanks!

Tim Hamilton

IPVMU Certified | 10/13/16 09:27pm

Online: Everything from social media, email, to web based banking takes advantage of usernames 'something you have' and passwords 'something you know' to protect online identities.

It's odd that you describe a username and password being multi-factor authentication. Most security certifications consider it to be single-factor, as both username and password are considered something you know. I don't think a username could be something I have, as it can't be taken from me (like an access card can be). I grabbed this from my CompTIA Security+ guide:

The most basic form of authentication is known as single factor authentication (SFA) because only one type of authentication is checked. SFA is most often implemented as the traditional username/password combination.

Thumbnail mmsaltz

Mike Saltzgiver

IPVMU Certified | 10/17/16 06:50pm

This is very helpful information!!

Thumbnail steve hannah ii

Stephen Hannah II

IPVMU Certified | 04/19/17 11:37pm

Would the "gait" authentication be read by a floor unit or is it measured by recorded video? This one baffles me.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Stephen Hannah II | 04/20/17 12:16am

I've not seen commercially widespread use of 'gait' biometrics.

However, there are several 'proofs of concept' models at tradeshows that have used (visual) camera arrays or arrays of TOF sensors (ie: like those in IP Time of Flight Camera, TOF Turnstile).

I do think the market is pretty long from adopting gait as a biometric, but several claim the 'unique signature' is there.

However, stick me in a weird pair of boots or after a weekend of yardwork, and I can easily see differences in my own gait. :)

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Favorite Access Control Manufacturers 2018 on Apr 26, 2018
150+ Integrators told IPVM "What is your favorite access control management software/system? Why? Unlike the 2016 access favorites where a group...
Favorite Biometrics 2018 on Apr 23, 2018
Biometrics are on the rise, or at least integrator opposition to them is declining, according to new IPVM integrator statistics.   Almost half of...
Dedicated Vs Converged Access Control Networks (Statistics) on Apr 20, 2018
Running one's access control system on a converged network, with one's computers and phones, can save money. On the other hand, hand, doing so can...
Worst Access Control 2018 on Apr 18, 2018
Three access control providers stood out as providing the most problems for integrators. In this report, we analyze the answers to: "In the...
Key Control For Access Control Tutorial on Apr 16, 2018
End users spend thousands on advanced systems to keep themselves secure, but regularly neglect one of the lest expensive yet most important aspects...
Alarm.com Business Market Expansion on Apr 13, 2018
Alarm.com has millions of subscribers, but the company has traditionally been mostly a residential/home focused offering.  ADC's new Smart Business...
Average Access Control Project Size 2018 on Apr 10, 2018
  The most common access control project size is 5 - 16 doors per project. This 2018 result mirrors previous statistics, most recently in 2016...
ISC West 2018 Access Control Rundown on Apr 06, 2018
For ISC West 2018, what is new and interesting in access control?  This rundown will bring you up to speed on the exhibitors, what they are...
VMS New Developments Spring 2018 (Avigilon, Exacqvision, Genetec, Hikvision, Milestone, Network Optix) on Apr 04, 2018
What's new with VMS software? In this report, we examine new features and releases for Spring 2018 to track different areas of potential...
Forced Door Alarms For Access Control Tutorial on Apr 04, 2018
One of the most important access control alarms is also often ignored. "Forced Door" provides a vital and even critical notification against...

Most Recent Industry Reports

Favorite Access Control Manufacturers 2018 on Apr 26, 2018
150+ Integrators told IPVM "What is your favorite access control management software/system? Why? Unlike the 2016 access favorites where a group...
Last Day Save $50 - May 2018 Camera Course on Apr 26, 2018
Today is the last day to save $50 on early registration. Register now (save $50) for the Spring 2018 Camera Course This is the only independent...
Hikvision DarkfighterX Vs Darkfighter PTZ Tested on Apr 26, 2018
Hikvision has focused on improving low-light performance for PTZs, an area that has traditionally been a problem, even more so than fixed cameras,...
Digifort VMS Profile on Apr 25, 2018
Digifort, a Brazilian company, has a strong presense in their home country. In a crowded and mature Enterprise VMS market, will they be able to...
Death Of A Dummy Camera Manufacturer on Apr 25, 2018
5 years ago, IPVM gathered insights from a dummy camera manufacturer, who was then the top selling dummy camera provider on Amazon and 3rd in all...
Hikvision Critical Cloud Vulnerability Disclosed on Apr 25, 2018
Security researchers Vangelis Stykas and George Lavdanis discovered a vulnerability in Hikvision's HikConnect cloud service that: just by...
The Yolo Bro And The Death of Journalism on Apr 24, 2018
There's an old quote: The job of the newspaper is to comfort the afflicted and afflict the comfortable Unfortunately, the opposite is more...
DMP Adds Ring Video Doorbell Integration on Apr 24, 2018
Video doorbells have become one of the hottest items for security systems. After several years with no doorbell, DMP has announced integration with...
Milestone 2017 Financials Examined on Apr 24, 2018
For ISC West 2018, Milestone released ... their financials, touting "strong revenue growth in 2017". However, there were discrepancies with the...
Chinese Manufacturer Kickstarter Campaign Huge Success (EverCam) on Apr 23, 2018
In a week, a Chinese manufacturer's expertly done Kickstarter campaign has received $1.4 million in pledges, an incredible amount for a video...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact