single-factor authentication (SFA)

What is single-factor authentication (SFA)?

Single-factor authentication is a process for securing access to a given system, such as a network or website, that identifies the party requesting access through only one category of credentials.

The most common example of SFA is password-based authentication. Password security relies on the diligence of the system administrator or user who sets up the account. SFA best practices include creating a strong password policy and ensuring no one can guess or brute-force it.

Password-based security challenges and best practices

One of the main troubles with relying on just passwords for authentication is that most users either don't understand how to make strong and memorable passwords or underestimate the need for security. Extra rules that increase password complexity increase call volumes for password-related issues to help desks proportionately. This can result in IT and management letting password standards slip, and as a result, passwords of shorter length and complexity tend be chosen, such as simple seven-character words.

Malicious actors can easily crack shorter, less complex passwords in a matter of a few minutes, making them almost as ineffective as no password at all. Passwords need to also be less predictable to machines. A test of password entropy predicts how difficult a given password would be to crack through guessing, brute-force cracking, dictionary attacks or other common methods.

While passwords need more entropy to be less predictable, employers need to train employees to create passwords with entropy they can remember. Throwing several rules at employees often makes for passwords no one remembers. Users should be encouraged to create long but memorable passphrases. The addition of capitals, numbers and special characters greatly increases entropy due to the larger character set. Password meters can motivate users to create stronger passwords, especially those meters that show a live updated numerical rating.

Even stronger passwords can be cracked by brute-force, dictionary and rainbow table attacks -- for example, if an attacker captures the password database that resides on the protected computer. Administrators must do their part to protect passwords from dictionary attacks -- for example, by adding random characters to the hashes of password encryption to make them less vulnerable to dictionary-based attacks, a technique known as password salting.

With the speeds of central processing units today, brute-force attacks pose a real threat to passwords. Developments, such as massive parallel general-purpose graphics processing unit password cracking and rainbow tables, enable malicious hackers to produce more than 500 million passwords per second, even on lower-end gaming hardware. Depending on the software, rainbow tables can crack 14-character alphanumeric passwords in about 160 seconds. Rainbow tables do this by comparing the password database to a table of all possible encryption keys. This memory-intensive task is only possible because of the increasing amount of memory in computers.

Password threats continually become more advanced: Purpose-built field-programmable gate array cards offer 10 times the performance at a minuscule fraction of a graphics processing unit power draw. A password database doesn't stand a chance when it is a real target of interest against an attacker with extensive computing and technical resources.

Social engineering is another major threat to password-based authentication systems. To decrease its social engineering attack surface, an organization must train all users, from management to staff. Password strength means nothing if an attacker tricks a user into divulging their credentials. Even IT staff, if not properly trained, can be exploited with invalid password-related requests. All employees must be aware of phishing tactics, where false emails and forged websites are used to acquire sensitive information from an unwitting recipient. Other threats, such as Trojans, can also come in email messages. In short, passwords are one of the most easily stolen and broken types of authentication.

The bottom line is that password-based security can be adequate to protect systems that don't require high levels of security, but even in those cases, constraints should be enforced to make them reasonably stringent. Any system that needs high security requires stronger authentication methods.

Strong authentication vs. multifactor authentication

SFA isn't necessarily weak and doesn't always have to be password-based. Many biometric authentication methods, for example, are strong when properly implemented.

Multiple challenge-response questions can also ensure secure SFA when properly implemented. Biometrics can also ensure secure SFA if the right kinds and implementations are chosen. Retina scans, finger vein scans and voice recognition are strong candidates. Organizations must be doubly sure about the biometric scanner and its implementation when it is standalone SFA rather than a component of multifactor authentication (MFA).

Biometric verification systems may require a significant outlay for enterprise deployment. Depending on the degree of security required, it may be preferable to implement MFA.

What are authentication factors?

An authentication factor is an independent category of credential used to verify user identity. With MFA, each additional factor increases the assurance that an entity requesting access to some system is who or what they say they are and decreases the likelihood that an intruder can masquerade as them to gain access. The three most common categories of authentication factors are the knowledge factor, something you know; the possession factor, something you have; and the inherence factor, something you are.

Additional factors include the following:

• Location factors are where the user is at the time of login. The ubiquity of smartphones can help ease authentication burdens here: Most smartphones have Global Positioning System capabilities, enabling reasonable confirmation of the login location.
• Time factors monitor employee logins against work schedules -- for example, to prevent user hijack attacks. Another example is a bank customer: Some can't physically use their ATM card in North America and then again in China within a few hours. This additional factor could be used to confirm ATM transactions and prevent online bank fraud.

What are the levels of multifactor authentication?

The username-password combination is the most common form of SFA. More complex systems include two-factor authentication (2FA), three-factor authentication (3FA), four-factor authentication (4FA) and five-factor authentication (5FA).

A 2FA system strengthens security by requiring the user to provide dual means of identification from separate categories. Typically, one proof of identity is a physical token, such as an ID card, and the other is something memorized, such as a security code or password. The second factor helps to ensure that, even if an intruder steals a user password, they would also have to access the physical device to get into the user account.

3FA adds another factor for further difficulty in falsifying authentication. Typically, a biometric trait measurement is added for the inherence factor. The system verifies that the person logging in knows the password, has their ID card and that their fingerprint matches the stored record.

4FA ups the authentication ante by taking four unique factors of authentication. It starts to seem like Mission: Impossible-type gadgets are needed to break the security -- for example, a spy using a portable computing device to hack a password, while plugging in a cloned USB token, and finally the matching employee's eye for a retina scan.

A five-factor authentication system would use the three commonly used factors -- knowledge, possession and inherence -- plus location and time. In such a system, users have to reproduce something they know or remember, provide proof that they have some item with them, provide a biometric sample for matching and have their location verified -- all within allowed times before being granted access.

From that last scenario, it's easy to see how increasing the number of factors involved makes authentication more difficult to fake. That's why SFA has largely been abandoned and replaced with risk-appropriate levels of MFA.

Editor's note: This article was written in 2015. TechTarget editors revised it in 2023 to improve the reader experience.