What Are the Three Authentication Factors? – Rublon (2024)

Last updated on March 28th, 2024

The concept of an authentication factor is essential to understanding Multi-Factor Authentication (sometimes spelled Multifactor Authentication). But do not fret. There are only three authentication factors, and this article will walk you through all of them.

An authentication factor is a category of evidence that a person has to present to prove they are who they say they are.

The three authentication factors are:

  • Knowledge Factor – something you know, e.g., password
  • Possession Factor – something you have, e.g., mobile phone
  • Inherence Factor – something you are, e.g., fingerprint

Knowledge Factor

When you log in to an application, a security system asks you to provide your username and password. A password is an example of something you know: information you already knew before authentication took place is all you need to get past the Knowledge Factor.

Passwords come with a set of issues. Since a password is essentially just a sequence of letters, numbers, and special characters, a malicious actor can easily steal, crack, or guess your password. Low security of passwords is the main reason why you need more than the Knowledge Factor.

Passwords are not the only authentication method based on something you know. Another example of the Knowledge Factor is a security question. Some systems allow users to set up one or more security questions. Security questions ask you questions you previously set up yourself. From your dog’s name to your favorite color, security questions request answers other people can either easily find out about or deduce from a conversation through skillful manipulation (social engineering).

A Personal Identification Number (PIN) is another example of a factor based on something you know. When you want to pay with your credit card or withdraw money from an ATM, the credit card terminal or a computer inside the ATM asks you for your PIN. Naturally, a PIN alone is not enough. You also must have a physical card. Such a combination is already an example of Multi-Factor Authentication (MFA).

Authentication based on something you know is a nice relic of the bygone days when authentication security was solely based on a string of characters. But times have changed, and modern authentication requires modern means.

During Multi-Factor Authentication, the user has to also provide the second factor, and sometimes even the third factor to prove their identity. The other two factors of authentication are the Possession Factor and the Inherence Factor.

Possession Factor

The Possession Factor requires a user to provide evidence of their possession of a physical item such as:

  • SIM Card
  • Mobile Phone
  • Smart Card
  • Hardware OTP Token
  • FIDO2 Security Key

With the advent of modern technology, it became much easier to implement the Possession Factor. Nowadays, it is much easier to use multiple authentication methods that are much more secure than a username and password.

The Possession Factor checks if a user has a piece of hardware, making it much harder to crack than the Knowledge Factor. A malicious actor can conduct a successful swapping attack, gain remote access to a piece of hardware, or even steal that piece of hardware. Still, doing any of these is incomparably more difficult than running a simple brute force attack.

While SIM cards are much less secure than they seem, the fact a user possesses a SIM card can be successfully used in the SMS Passcode authentication method.

A user’s mobile phone (smartphone) can be used as a powerful authentication device after the user installs an authenticator app, e.g., Rublon Authenticator.

A credit card combined with a Personal Identification Number (PIN) is a type of Multi-Factor Authentication based on something you have and something you know.

Hardware OTP tokens may cost you money, but they generate a one-time password that you can use as a second factor of authentication.

Finally, FIDO2 standard security keys, such as WebAuthn/U2F Security Keys, are cryptographically strong security tokens that constitute the Possession Factor. A security key that supports biometrics combines what you have with what you are to deliver top security and resistance to most attacks. Breaking such keys requires the attacker to gain physical access to a security key and take it apart to tamper with it.

Inherence Factor

The Inherence Factor is often said to be the strongest of all authentication factors. The Inherence Factor asks the user to confirm their identity by presenting evidence inherent to their unique features. Biometrics such as a fingerprint scan, retina pattern scan, or facial recognition are all examples of the Inherence Factor. Some security keys such as YubiKey Bio use fingerprinting, combining the Possession Factor with the Inherence Factor.

What Are the Risks Associated With Authentication Factors?

Multi-Factor Authentication improves user security and ensures secure access. A good MFA solution gives administrators the power to manage access control. For example, Rublon does that using Access Policies.

Each of the three authentication factors comes with a unique set of risks. One thing you have to remember is that factors of authentication are broad categories that encompass many authentication methods. As a result, a security risk may apply to one authentication method but not another. We wrote an article on the risks associated with each authentication method if you need a more in-depth look at the topic. What follows is a short summary of the risks associated with factors of authentication.

Knowledge Authentication Factor Risks

The knowledge authentication factor comes with all risks associated with using a username and password. Your password or PIN can be guessed, broken, stolen, or shoulder surfed. A user who wants to access data may have a keylogger installed on their computer.

Possession Authentication Factor Risks

The possession authentication factor is entirely based on a physical device. If a malicious actor gains access to your device, the factor is as good as broken. In the modern-day world, when all communication happens over a network, the malicious actor does not even have to steal your device. They can use social engineering to convince you to give them remote access to your device. Sometimes, the malicious actor does not even have to access your phone in any way. Some authentication methods are vulnerable to MITM attacks, which allow hackers to steal a user’s identity by eavesdropping on the communication between the user and the security system. A strong authentication method based on the possession factor makes the job of compromising your device much harder for the attacker. Mobile Push is one example of such a strong authentication method. WebAuthn/U2F Security Keys are known for their high resistance to MITM attacks as well.

Inherence Authentication Factor Risks

The inherence authentication factor allows users to authenticate using their biometric features. Latent fingerprint and photo manipulation are only two of many ways to cheat a biometric system. Modern biometric systems use liveness detection, which allows the system to spot most attempts at spoofing biometric methods of authentication.

The biggest disadvantage of biometrics is that a biometric that was spoofed once cannot be safely reused. While you can change your password or buy a new phone, you cannot get a new retinal pattern.

Use All Three Authentication Factors With Rublon

Rublon allows for modern Multi-Factor Authentication (MFA) using two authentication factors (Two-Factor Authentication) or three authentication factors (Three-Factor Authentication). Three-Factor Authentication is possible in at least two scenarios:

  1. Password + Mobile Push + Fingerprinting
  2. Password + YubiKey Bio or another WebAuthn/U2F Security Key that supports biometrics

In the first scenario, the user installs the Rublon Authenticator mobile app on their Android or iOS smartphone and enables fingerprint scanning (FaceID is also possible for iOS devices). Then, when logging into an application, the user first provides their password (Knowledge Factor), and then receives a Mobile Push authentication request to their phone (Possession Factor). Before the user can accept the authentication request, however, they have to scan their fingerprint to unlock the Mobile Push mobile app (Inherence Factor). This scenario covers all three authentication factors and proves to be a very secure type of Three-Factor Authentication.

In the second scenario, the user provides their password and then plugs in their biometric WebAuthn/U2F Security Key. The YubiKey Bio key is a separate device that constitutes the Possession Factor but also requires fingerprint authentication, which is the Inherence Factor. This scenario covers all three authentication factors and proves to be the most secure out of all authentication methods. On the downside, WebAuthn/U2F Security Keys can be expensive, which leads customers to most often opt for the first scenario instead.
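The difference between counting methods and counting factors, as an added example that is not Rublon's code: it audits login events for sessions that used several methods but fewer distinct factors than policy requires. The method identifiers, the log format and the sample events are constructed for illustration.

```python
import json
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"

# Method -> factor(s) it proves. Identifiers are hypothetical labels for the
# methods the article names; a biometric security key proves two factors.
METHOD_FACTORS = {
    "password": {Factor.KNOWLEDGE},
    "pin": {Factor.KNOWLEDGE},
    "security_question": {Factor.KNOWLEDGE},
    "payment_card": {Factor.POSSESSION},
    "sms_passcode": {Factor.POSSESSION},
    "mobile_push": {Factor.POSSESSION},
    "hardware_otp": {Factor.POSSESSION},
    "security_key": {Factor.POSSESSION},
    "fingerprint": {Factor.INHERENCE},
    "biometric_security_key": {Factor.POSSESSION, Factor.INHERENCE},
}

def distinct_factors(methods):
    """Union of the factors proven; unknown methods prove nothing (fail closed)."""
    proven = set()
    for method in methods:
        proven |= METHOD_FACTORS.get(method, set())
    return proven

def audit(log_lines, required=2):
    """Return (user, factor_count) for every login below the required count."""
    findings = []
    for line in log_lines:
        event = json.loads(line)
        count = len(distinct_factors(event["methods"]))
        if count < required:
            findings.append((event["user"], count))
    return findings

# Constructed sample events, not real logs.
SAMPLE_LOG = [
    '{"user": "alice", "methods": ["password", "security_question"]}',
    '{"user": "bob", "methods": ["payment_card", "pin"]}',
    '{"user": "carol", "methods": ["password", "mobile_push", "fingerprint"]}',
    '{"user": "dave", "methods": ["password", "biometric_security_key"]}',
    '{"user": "erin", "methods": ["password", "carrier_pigeon"]}',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, required=2))
```

Alice used two methods but both are knowledge-based, so her login counts as single-factor; carol and dave correspond to the two Three-Factor Authentication scenarios above.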

Along with the preceding two most secure scenarios, Rublon allows you to authenticate using a plethora of other authentication methods.

To protect your cloud apps, VPNs, and RDP with Multi-Factor Authentication, start Rublon’s 30-Day Free Trial.


FAQs

What Are the Three Authentication Factors?

Three-Factor Authentication (3FA) is a type of authentication that confirms a user's identity using three distinct authentication factors: something you know, something you have, and something you are.

What are the three common factors used for authentication?

The three authentication factors are something you know, something you have, and something you are.

What is three-factor authentication?

Three-factor authentication (3FA) is the use of identity-confirming credentials from three separate categories of authentication factors -- typically, the knowledge, possession and inherence categories.

What are the 3 credentials used in multifactor authentication?

Three Main Types of MFA Authentication Methods
  • Things you know (knowledge), such as a password or PIN.
  • Things you have (possession), such as a badge or smartphone.
  • Things you are (inherence), such as a biometric like fingerprints or voice recognition.

Can you define three types of user authentication?

The first is knowledge-based authentication, which uses a password or PIN code that only the identified user would know. The second is property-based authentication, which uses an access card, key, key fob, or authorized device unique to the individual. The third type of authentication is biologically based.

What are the 3 types of authentication methods and what is included in each?

The Three Types of Authentication. There are three basic types of authentication. Knowledge-based — Something like a password or PIN code that only the identified user would know. Property-based — This means the user possesses an access card, key, key fob or authorized device unique to them.

What are the factors of authentication?

Today, many organizations use multiple authentication factors to control access to secure data systems and applications. The five main authentication factor categories are knowledge factors, possession factors, inherence factors, location factors, and behavior factors.

What is the most popular authentication method?

1. Password-based authentication. Also known as knowledge-based authentication, password-based authentication relies on a username and password or PIN. This is the most common authentication method; anyone who has logged in to a computer knows how to use a password.

What is the strongest form of authentication?

Physical security key

A physical authentication key is one of the strongest ways to implement multifactor authentication. A private key, stored on a physical device, is used to authenticate a user, such as a USB device that a user plugs into their computer while logging in.

What is the most common authentication method?

Username/password authentication

Username and password are the most common form of authentication. This is where a user enters their username and password into a login form, and if the credentials match what is stored in the database, the user is granted access.

Article information

Author: Geoffrey Lueilwitz
