This content is part of the Essential Guide: Advances in access governance strategy and technology

What knowledge factors qualify for true two-factor authentication?

Can two-factor authentication be applied to a mobile device that's used as a 2FA factor? Michael Cobb explores the different knowledge factors and uses for mobile devices.

We have a group of users who will be accessing HTTPS applications from their smartphones and tablets. We will require them to use standard usernames and passwords, but we also want to incorporate two-factor authentication (2FA). If we require the user to enroll their employee-owned device into our proposed 2FA system -- Duo -- and the user installs the Duo security app, is this really 2FA?

The user will be accessing the application from the same device they will use to confirm their identity. When the Duo security app sends the allow access request, or if the user enters in a six-digit passcode, this information originates from the same device that will access the application we are trying to protect. If the employee device ends up lost or stolen, is this process still 2FA, and how so?

The proposed authentication system does provide two-factor authentication (2FA), and I will explain why.

Authentication, which is the process of confirming the identity of someone and ensuring they are who they say they are, is a vital element of access control, and is the key to who can do what on a device or network. The ways in which someone can be authenticated fall into three categories based on what are known as factors of authentication:

  1. Knowledge factors, or something you know: a password, PIN or personal knowledge question, such as the name of a pet.
  2. Ownership factors, or something you have: this could be an ID card, a hardware or software token, or a phone, for example.
  3. Inherence factors, or biometrics: these are personal attributes, such as fingerprints and face and voice recognition. This also includes behavioral biometrics, such as keystroke dynamics.

If you're not sure who someone is, you can't safely assign them access to data or services, and you can't log and audit what they do -- a key activity in keeping systems and data secure.

Knowledge factors, like passwords and personal knowledge questions, have been used to identify people for thousands of years, but static, knowledge-based authentication is struggling to keep systems and information safe now that we live in a very connected world in which we log into multiple systems and accounts every day and publish our daily lives online.

The famous cartoon caption by Peter Steiner, which states "On the internet, nobody knows you're a dog," probably doesn't hold true anymore. The internet now makes it very easy to profile someone and uncover facts about them that could comprise their knowledge factors.

There are also plenty of tools and techniques for quickly cracking passwords, and only those that are long and complex can still qualify as sufficiently robust knowledge factors that can be used to authenticate someone. However, people just can't remember long complex passwords, and particularly not the number needed to access the myriad accounts most users have.

These shortcomings are why many online services now require two methods to verify a user's identity: a username and password, combined with a biometric identifier, such as a fingerprint, or an ownership factor, most often a phone or hardware token.

To prove ownership of a device, the device either generates a time-limited code or one is sent by the authentication server -- in this instance, Duo -- to the user's device. Although it's often referred to as a passcode, it is not being used as a knowledge factor, but as a means of proving possession of the device registered to the username. Although a user may have entered the correct username and password, if they're not in possession of their device to receive or generate the correct code, then authentication will fail, as the ownership factor hasn't been proven.

If a user loses their registered device, there is obviously a risk of data theft, but any malicious user who finds it won't be able to use it to access services that require two-factor, even though they can prove they are in possession of the device, as they won't know the correct password, and the knowledge factor will fail authentication. There should be processes in place to enable a user to easily notify network administrators that a registered device has been lost or stolen so that any attempts to use it can be blocked, and sensitive information can be remotely wiped.

Next Steps

Find out more about how hackers can bypass 2FA

Learn about the difference between mobile remote wipe and selective wipe

Read more on multifactor authentication products in this Buyer's Guide

This was last published in October 2017

Dig Deeper on Identity and access management