The Move Toward Multi-Factor Authentication
Like the man who wears both a belt and suspenders, the owners of Web sites and applications protected by multifactor authentication are looking to reduce the possibility of accidental exposure. Multifactor authentication combines two or more different security methods for authenticating a user's identity.
The first method of multifactor authentication usually requires a "what-you-know" response from the person seeking access. This is typically a password, but it can also be the answer to a challenging question such as, "What is your mother's maiden name?" This technique is known as knowledge-based multifactor authentication.
The second multifactor authentication method is usually based on something a user has in his or her possession. This object is usually a physical device, such as a smart card with a built-in chip or a hardware token that generates one-use-only passwords. Other personally possessed items could be biometric assets, such as a fingerprint or the eye's iris.
How Multifactor Authentication Works
Multifactor authentication, as the name indicates, uses multiple factors to confirm a user’s identity when they request access to an online account, application, or website. It differs from simply entering a password to gain access to a resource: you have to answer two or more questions, which may or may not include entering a one-time password (OTP) that is sent to another of the user’s accounts or to the user’s smartphone, which is linked to the account being accessed.
Any authentication method that asks for a combination of two or more factors is multifactor authentication. However, a method that uses only two factors is often referred to as two-factor authentication. Multifactor authentication aims to provide greater assurance that a user is who they claim to be by asking for identification in multiple ways. This should lower the threat of unauthorized personnel gaining access to critical personal or business data. Authentication factors are typically classified in the following three ways:
- Something you know: PIN, password, or answer to the multifactor authentication security question.
- Something you are: facial recognition, fingerprint, or retinal scan.
- Something you have: OTP, trusted device, smart card, badge, or token.
Some common examples of multifactor authentication methods are:
- SMS text
- Push-to-approve notifications
- Automatically generated one-time passwords (OTPs)
- Software token or soft token
- Hardware token or hard token
Banks Lead the Charge for Multifactor Authentication
Multifactor authentication's fundamental goal is to enhance security by making it more difficult for fraudsters to obtain system access. Attack-proof security is a concern shared by many businesses, yet due to the large amounts of money they handle, banks and other financial institutions are at the forefront of the drive toward multifactor authentication. In the United States, the APACS (Association of Payment and Clearing Systems), the FDIC (Federal Deposit Insurance Corp.) and a variety of other banking organizations have all urged banks to begin offering multifactor authentication.
Many banks also view multifactor authentication as a way of enhancing customer confidence. A study conducted earlier this year by Javelin Strategy & Research revealed that 67 percent of consumers in the United States do not bank online for fear of having their identity stolen. Fifty-three percent of those surveyed would like to see banks offer identity-protection software, and 33 percent would like their bank to offer biometrics. The study shows that banks stand to realize a gain of $8.3 billion per year through customer adoption and increased loyalty by making identity-protection software available to their customers.
Many retailers would also like to see increased adoption of multifactor authentication for Web-based sales. Unfortunately, few American Web shoppers have the smart cards, hardware tokens, or biometric readers required for such transactions. European shoppers, on the other hand, are ahead of their American counterparts on the multifactor authentication adoption curve. Multifactor authentication use is on the upswing in Europe, with a growing number of retailers adopting some form of the technology.
Europeans may be more accepting of multifactor authentication due to their experience with the related technology when shopping in brick-and-mortar stores. Until relatively recently, European retail shops didn't have easy access to cheap data lines for online verification of credit card transactions. This forced European retailers to pressure financial institutions to adopt some type of offline multifactor authentication solution, such as a device that a retail clerk could use to scan a smart card-generated code, then compare it with the PIN entered by the consumer. Given this track record, it was more natural for Europeans to adopt multifactor authentication for consumer Web applications as well.
In the U.S., many online bankers and retailers continue to hope that they will be able to perform multifactor authentication without issuing consumers extra hardware or software, such as by using monitoring systems to observe customer behavior and detect any anomalies. Most of these organizations want to focus on their core business and would prefer not to involve themselves in the cost and complexity of technology support. This mindset has slowed the deployment of multifactor authentication in the United States, except perhaps for certain niche applications, such as high-end investing and corporate cash management.
Still, the prejudice against multifactor authentication may ease in the years ahead, as credit card issuers and financial regulators press their business partners to tighten security with multifactor authentication. In a 2007 study, financial industry research firm The TowerGroup Inc. reported that online banking is becoming the most powerful tool retail banks have ever deployed, outpacing everything from ATMs to call centers, and is increasing in use at an annual rate of 27 percent. With online shopping growth also skyrocketing, it seems inevitable that more banks and retailers will eventually embrace enhanced security technologies, with multifactor authentication standing at the front of the line of potential solutions.
Readers interested in seeing multifactor authentication in action need to look no further than PayPal.