The five authentication factors

I thought I had blogged about the five factors of authentication, either here or at jebredcal, but I guess I haven’t explicitly written a post just on this topic. (You’d expect an identity content marketing expert to do that.)

And I’m not going to do that today either (at least in any detail), because The Cybersecurity Man already did a good job at that (as have many others).

However, for those like me who get a little befuddled after authentication factor 3, I’m going to list all five authentication factors.

  • Something You Know. Think “password.” And no, passwords aren’t dead. But the use of your mother’s maiden name as an authentication factor is hopefully decreasing.
  • Something You Have. I’ve spent much of the last ten years working with this factor, primarily in the form of driver’s licenses. (Yes, MorphoTrak proposed driver’s license systems. No, they eventually stopped doing so. But obviously IDEMIA North America, the former MorphoTrust, has implemented a number of driver’s license systems.) But there are other examples, such as hardware or software tokens.
  • Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.
  • Something You Do. The Cybersecurity Man chose to explain this in a non-behavioral fashion, such as using swiping patterns to unlock a device. This is different from something such as gait recognition, which supposedly remains constant and is thus classified as behavioral biometrics.
  • Somewhere You Are. This is an emerging factor, as smartphones become more and more prevalent and locations are therefore easier to capture. Even then, however, precision isn’t always as good as we want it to be. For example, when you and a few hundred of your closest friends have illegally entered the U.S. Capitol, you can’t use geolocation alone to determine who exactly is in Speaker Pelosi’s office.

Now when these factors are combined via multi-factor authentication, there is a higher probability that the person is who they claim to be. If I enter the password “12345” AND I provide a picture of my driver’s license AND I provide a picture of my face AND I demonstrate the secret finger move AND I am within 25 feet of my documented address, then there is a pretty good likelihood that I am me, despite the fact that I used an extremely poor password.

I don’t know if anyone has come up with a sixth authentication factor yet. But I’m sure someone will if it hasn’t already been done. And then I’ll update to update this post in the same way I’ve been updating my Bredemarket 2021 goals.

Published by bredemarket

Marketing and writing services.

17 Comments

  1. Pingback: Communicating benefits (not features) to identity customers (Part 2 of 3) – Bredemarket
  2. Pingback: Has your firm provided your “spiky points of view” on the draft NISTIR 8334 yet? – John E. Bredehoft
  3. Pingback: The Pandora’s Box of the “passwords are dead” movement – Bredemarket
  4. Pingback: Biometric (and other) authentication CAN be spoofed…but it isn’t easy – Bredemarket
  5. Pingback: The difference between biometrics and biometrics – Bredemarket
  6. Pingback: Excerpt from “The difference between biometrics and biometrics” – John E. Bredehoft
  7. Pingback: Friction and emerging threats: two items to consider when implementing multifactor authentication – Bredemarket
  8. Pingback: Remember the newer factors of authentication – Bredemarket
  9. Pingback: The sixth factor of multi factor authentication (you heard it here first!) – Bredemarket
  10. Pingback: Testing My Sixth Authentication Factor on One Real and Two Imagined Corporate Office Visits – Bredemarket
  11. Pingback: Bredemarket’s Name for the Sixth Factor of Authentication – Bredemarket
  12. Pingback: The Difference Between Identity Factors and Identity Modalities – Bredemarket
  13. Pingback: Communicating How Your Firm Fights Synthetic Identities – Bredemarket
  14. Pingback: Converting Prospects For Your Firm’s “Something You Are” Solution – Bredemarket
  15. Pingback: Why Knowledge-Based Authentication Fails at Authentication – Bredemarket
  16. Pingback: When Rapid DNA Isn’t – Bredemarket
  17. Pingback: Defeating Synthetic Identity Fraud – Bredemarket

Leave a Comment