Explanation: Multi-factor authentication | Biometric update
Multi-Factor Authentication (MFA) is a layer of security that requires a person to provide at least two pieces of information before an authentication check grants access to a digital service or application. With the massive popularization of online services that handle deeply personal and vital data, such as identity and banking services, MFA has become a necessary protection against third-party intruders and malicious actors. Important recent developments supporting the adoption of MFA include regulations such as the European Union’s Payment Services Directive (PSD2) in 2018 and the emergence of the FIDO Alliance. MFA generally draws on three kinds of factors: knowledge, possession and inherence.
Knowledge factors are based on what the user knows. Passwords or passcodes that only the user would know, or answers to personal history questions, are common knowledge factors used in authentication. Variants of passwords include passphrases, made up of several words, and personal identification numbers (PINs), which are usually shorter and purely numeric.
Possession factors are based on something that only the user has. They usually take the form of disconnected, connected, or software tokens. A disconnected token has no direct connection to the main device and usually has a built-in screen that displays a randomly generated password, which the user then types in; RSA’s SecurID is a well-known example. A connected token is linked directly to the main device and transmits data to unlock access, much like a traditional lock and key. Common examples are USB tokens, card readers, and wireless beacons. Software tokens are stored on a general-purpose device, such as a smartphone or a computer, which grants access to the main device; unlike hardware tokens, they can be duplicated.
Inherence factors are based on something the user is, that is, biometric data. Biometrics of the face, fingerprints and voice are often used as inherence factors. Biometrics in MFA is becoming more prevalent with the massive adoption of smartphones and laptops that can serve as capture devices.
PSD2 was implemented as a means to update the EU’s digital payment system, protect customers and promote competition. A major change is the requirement for strong customer authentication for all digital transactions, which requires the use of at least two of the factors described above. Indeed, any company with a digital footprint operating in the EU must now comply with PSD2 through MFA.
The FIDO Alliance is an industry body launched in 2013 with members including PayPal, Apple, Google, Amazon, American Express, Meta and Microsoft that aims to promote “authentication standards to help reduce the world’s over-reliance on passwords”. The FIDO protocol works by registering a user’s device (for example, a smartphone), which creates a linked pair of a private key and a public key. The private key stays on the device and is released only once the user has presented an MFA factor to it, such as biometric data (a fingerprint or the voice) or a knowledge or possession factor; the service then uses the registered public key to confirm that the response came from that device and grants access.