Multi-factor authentication

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Wireless friend (talk | contribs) at 07:46, 12 May 2009 (new lemma). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
Multi-factor authentication is an extension of two-factor authentication. The common requirement to protect physical or functional access is not met when simple procedures allow authenticity to be transferred between members of staff or users, or when authenticated access to a room or a work position is maintained even though the requesting user has left the room with the door open, or has left the work position with the application not terminated or the account not closed.

Factorised authentication

Authentication with several factors is a common approach. An independent factor is understood as a type of information requested from the user, together with the response, distinct per group or per individual, that the user provides in return.

When the authentication information of one factor is not independent of another factor, that factor does not improve security; it merely eases handling and in most cases reduces the security level.

Two factor authentication

Two factor authentication applies two independent authentication factors. See main article on Two factor authentication.

Three factor authentication

A general problem with two factor authentication is that it does not significantly increase security. Answering a screen request with user name (factor 1) and password (factor 2) provides some authentication, but does not protect against the following typical risks:

  • the first factor, the user name, is known to other persons as long as it is logically connected to the way the user is addressed by voice
  • the second factor, the password, may be easily guessed by hacking because it is short and/or bound to common vocabulary
  • the second factor, the password, is known to several users after the original owner has passed it on to these individuals
  • the second factor, the password, is unintentionally disclosed through visual or optical observation of the keyboard
  • typed password sequences are optically recorded
  • typed password sequences are electronically sniffed

This list may be extended to take account of reports on threat variations [1][2][3][4]. Whether all these reports are authentic is beside the point; even traces of success are sufficient reason to start striving for improvement.

The only remedy is additional factors that raise the effort needed to break through security fences, provided these factors are independent.

Pseudo-stochastic codes

One-time passwords are a very well supported improvement. These passwords are numeric or alphanumeric codes, generated by a code generator according to pseudo-stochastic algorithms. As long as the algorithm is kept secret and the code is strong, this is a secure added value for authentication. However, reading the code from the generator and keying it in at a work position is a tedious procedure. And when the code-generating device is lost, the security problem may recur as with other password generation.

Location aware authentication

When authenticity is kept valid only until the user leaves the location where access was granted, an offence against the authentication procedure will generally require cooperation in any fraud attempt. The only remaining option for a party threatening the registered user is then to use physical force to make this user present where authenticity is required.

Sufficient solutions are offered by RFID technology, where the readability of a wireless tag fades out as soon as the user leaves the range of the respective reader. However, this RFID approach does not discriminate between adjacent work positions when long range readers are used. Hence the user may be limited in mobility at the work position. Additional freedom may be gained with RTLS technology, where the distance limit between the work position and the user, or their relative position, is assessed during the session at the work position.

References