What is Multi Factor or Strong Authentication?

An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance.

Using more than one factor is sometimes called strong authentication. However, the strength always depends on the secrecy under which the factors are kept and on how they are protected against any third-party challenge.

Authentication factors are used in a specific procedure for authenticating a person as an individual with definitively granted access rights. There are different factor types for authentication:
  • Human factors are inherently bound to the individual, for example biometrics ("Something you are").
  • Personal factors are otherwise mentally or physically allocated to the individual, for example learned code numbers ("Something you know").
  • Technical factors are bound to physical means, for example a pass, an ID card or a token ("Something you have").
Each type may be used independently to request access according to the given rules and procedures. Presenting a factor proves compliance with the access rules and therefore has to follow a specified procedure. Two-factor authentication requires compliance with a minimum of two factors.
Often a combination of methods is used, e.g., a bankcard and a PIN, in which case the term two-factor authentication (T-FA) or multi-factor authentication is used.

It should be remembered, however, that strong authentication and multi-factor authentication are fundamentally different processes. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves 'something you have' or 'something you are', it would not be considered multi-factor. The Federal Financial Institutions Examination Council issued supplemental guidance on this subject in August 2006, in which it clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication."
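
As an added example (not part of the original FAQ or of the FFIEC guidance), the category rule quoted above can be written as a policy check that counts distinct factor categories rather than the number of checks passed. The method names and result labels are assumptions made for illustration.

```python
from enum import Enum

class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"

# Assumed method names, mapped to the three factor types listed above.
METHOD_CATEGORY = {
    "password": Factor.KNOW, "pin": Factor.KNOW, "challenge_question": Factor.KNOW,
    "bankcard": Factor.HAVE, "smart_card": Factor.HAVE, "usb_token": Factor.HAVE,
    "fingerprint": Factor.ARE,
}

def classify(presented):
    """Classify one login attempt.

    presented: list of (method, verified) pairs, where verified is True only
    if that authenticator was actually checked and passed.
    """
    categories = set()
    passed = 0
    for method, verified in presented:
        if method not in METHOD_CATEGORY:
            # Fail closed: an unmapped method must not silently count.
            raise ValueError(f"unknown authentication method: {method!r}")
        if verified:
            passed += 1
            categories.add(METHOD_CATEGORY[method])
    if passed == 0:
        return "rejected"
    if len(categories) >= 2:
        return "multi-factor"
    if passed >= 2:
        # Several checks from one category: layered, but not multifactor.
        return "multi-step single-category"
    return "single-factor"

# Constructed sample attempts (not real data).
SAMPLES = {
    "bankcard + PIN": [("bankcard", True), ("pin", True)],
    "password + two challenge questions": [
        ("password", True), ("challenge_question", True), ("challenge_question", True)],
    "fingerprint failed, PIN ok": [("fingerprint", False), ("pin", True)],
    "smart card + fingerprint": [("smart_card", True), ("fingerprint", True)],
}

if __name__ == "__main__":
    for name, attempt in SAMPLES.items():
        print(f"{name}: {classify(attempt)}")
```

A factor that was presented but failed verification does not count toward the total, so a rejected fingerprint plus a correct PIN is still single-factor.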

The most common forms of the 'something you have' are smart cards and USB tokens. Differences between the smart card and USB token are diminishing; both technologies include a microcontroller, an OS, a security application, and a secured storage area. In both cases, vendors are beginning to add biometric readers on the devices, thereby providing multi-factor authentication. Users biometrically authenticate via their fingerprint to the smart card or token and then enter a PIN or password in order to open the credential vault.

For all biometric identifiers, the actual biometric image is not stored and checked against; a scanning algorithm extracts critical information from the image and stores the result as a string of data. Comparison is therefore made between two data strings, and if there is sufficient commonality a pass is achieved. It may be appreciated that the choice of how much data to match, and to what degree of accuracy, governs the accuracy/speed ratio of the biometric device.

Smart cards, like those used in the RAPTOR Program, are about the same size as a credit card. Vuance offers smart cards that perform both the function of a proximity card and network authentication. Users can authenticate into the building via proximity detection and then insert the card into their PC to produce RAPTOR network logon credentials. They can also serve as ID badges, commonly referred to as a flash pass.

Security does not happen without organizational embedding. This applies to structures as well as to individuals and their training and motivation. Users have natural problems retaining a single authentication factor like a password. It is not uncommon for users to be expected to remember dozens of unique passwords. T-FA where one factor is a password or PIN code does not eliminate this problem. One possible solution is to have the second factor be a biometric, instead of an entity that the user needs to memorize.

The information from this FAQ topic was quoted and paraphrased with some editorial additions from

Bibliographic details for "Two-factor authentication"






Latest page update: made by ToriConnell, Jul 19 2011, 11:36 AM EDT