Talk:Two-factor authentication

This article is not intended to advertise specific products, but is intended to educate the reader on the different categories of two-factor authentication and what makes them different from each other. If your product introduces a new type of TFA, such as a "bio-electric doo-duh token' then you may describe it here in simple terms, but if you are simply trying to advertise your specific product or its features, and your product type has already been discussed within the article, please don't add anything else. For example, this page already has a section called "USB token". That section is intended to help people understand what a USB token IS, not why your specific company's USB token is the best! Again, if you can add something about a different type of TFA, feel free, but don't advertise specific products within these sections!

This article is about two-factor, or multi-factor authentication. Individuals and companies who are searching for those terms are likely doing so in order to comply with regulatory guidelines such as FFIEC, PCI, FACTA, etc. Adding other authentication methods, even for "information" purposes, only confuses and misleads. If you wish to write about behavior-based authentication, picture tokens, or "knock-knock, who's there" authentication methods, do so on another Wikipedia page please. Lets keep this page about true "multi-factor" or "two-factor" authentication methods please.

Please cease attempting to merge virtual tokens with the "soft" token category. The two technologies are fundamentally different. Soft tokens typcally emulate a token device by deploying software to the end user. Virtual tokens do not deploy software to the end user.

The word "Virtual" *means* "software emulation"; so what makes you think it's something different? 208.69.177.139 (talk) 04:07, 12 April 2012 (UTC)[reply]

The section on Virtual Tokens appears to be blurb for a security company. No technical information is given on how these systems work, and indeed the company's own website is very cagy about it, other than talking about "patent-pending technology". In security terms, this is equivalent to snake-oil until demonstrated otherwise. A Google search produces little or no useful information. This section should either be removed or complemented with references to an actual technical description. — Preceding unsigned comment added by Knytpic (talk • contribs) 16:32, 10 April 2012 (UTC)[reply]

A common example of T-FA is a bank card (credit card, debit card);

My credit card doesn't require the second form of authentication so it's just "something you have"

Credit cards do utilize T-FA. The second factor is your signature, which is rudimentary biometric authentication. (of course, it's not like anybody checks signatures any more...)

the article also shows another example of T-FA:

>> IBM's new ThinkPad, which includes a fingerprint reader that signs users into all their passwords.

>Fingerprint is something you are. Unless it also requires a password or a token, (and I don't think it does) then this is not T-FA, it's O-FA.

reference: http://www.schneier.com/crypto-gram-0205.html Your fingerprint is not always something that YOU are, it may be something that someone else can be. Please see the section titled "Fun with Fingerprint Readers".

Some people claim that various biometrics are 'something that you are' seperate from keys/tokens which are 'something that you have'. Though some measures are more difficult to alter/copy/steal, it is not overly difficult to obtain a finger from someone else. They may be unhappy if you cut it off, but that does not make it impossible.

I Agree - the Thinkpad is clearly a case on O-FA and as a result I think it should be removed. Perhaps in general we should clearly list in these examples which TWO factors are shown in this example ... ie for SecureID - the 2 factors are something you have (the Token) and something you know (a password which is also required)

"Something you do" is not a factor supported by the FFIEC, the PCI data security standards, the U.S. Dept of Commerce, HIPPA, or any other regulatory guidelines currently governing online commerce. Let's keep the article focused on relavent facts pertinent to the interested readers please.

Research is ongoing into a fourth authentication factor, "Something you do". This method of authentication works by identifying a common activity pattern or specific personal nuances of a user. Examples include identifying computing users by the way they type or move the mouse, and cellular mobile phone users by their waking/sleeping activity cycles.

Sounds a bit like Biopassword. But wouldn't that still be inclusive of biometric? Typing, mouse movement and waking/sleeping cycles are all biologically-based. B.K. 16:02, 20 October 2006 (UTC)[reply]

That's exactly how this has been classified in my involvement with biometrics. "something you do" is the same as "something you are", because you 'are' the entity that 'does' whatever it is you are measuring. I would as soon consider things along the lines of "where you are" (geolocation) or "when you are" (time based access)...but these are actually parameters that can be used to determine authorization, not necessarily Authentication. No, I disagree that there even is a 4th factor; I haven't heard anyone smart enough to come up with one yet. - jglide 20:20, 31 January 2007 (UTC)

Note: federal regulators have repeatedly rejected "something you do" as a legitimate second factor. The FFIEC and the FDIC have clarified repeatedly that there are only THREE authentication factors they consider acceptable for multi-factor authentication (something you know, have, and are). Unfortunately, some security vendors whose products fail to meet the regulatory definition of multi-factor authentication have been promoting their user profiling and other "something you know" products as valid MFA products. Such approaches are fine, in and of themselves, but they do NOT satisfy regulators when they are reviewed in terms of MFA compliance. Just FYI...

My bank (CIC, a French bank) is using a password calendar in addition to my regular password. Basically, the password calendar comes a paper sheet (send by postal mail) where each day is associated to a particular password (the calendar is user-specific).

This is a case of the "something you have" sort of authentication, although it can be considered to be a hybrid form of that and the "something you know" form. In reality, this is merely a form of S/Key, which is a well-established and relatively old form of rotating password.

Is this "password calendar" the same as a transaction authentication number list? Tell me more. --68.0.124.33 (talk) 18:27, 2 November 2009 (UTC)[reply]

This article is riddled with ads. I suggest we link to one vendor for each medium; USB, CD, biometric, one link to a provider for standard security tokens.

I think the vendor information solutions are helpful - they are to me. However we need to keep an eye on the blurring of lines where a vendor solution defines a technology....such as mobile phones and CAT which is not a standard pe se, it's a vendor product. B.K. 16:04, 20 October 2006 (UTC)[reply]

The article 'Strong Authentication' redirected to 'Two-Factor' for me recently. I'm not really complaining, but I do think this is a narrow position. Multi-factor is a bit more robust in the description. There is no "Three Factor" article or redirect that I can find, however biometrics (commonly considered 'the third factor' or assumed to mean three-factor authentication) are discussed frequently in this article.

Wouldn't it make more sense to use Strong Authentication as the article name, with the various two and three factor article names pointing to it, and have a discussion about factors, what constitutes a factor, and various descriptions of 'two' and 'three' factor solutions?

I'm willing to put forth some, maybe most, of the effort to do this; I'd guess 90% of this is simply some structure and article linking, the content of the page would remain intact. Thoughts?

- jglide 22:38, 21 January 2007 (UTC)

Why don't we rename "Two-factor authentication" into "Multi-factor authentication" (MFA)? Strong Authentication can be considered as synonymous to MFA, while 2FA and 3FA are examples of implementation of MFA. I can take it a stab at this, I have 6 years experience in this industry.

- cbrehaut 16:23, 23 April 2007 (PST)

T-FA is a popular and mature commercial information encryption technology. If we rename it M-FA, we need to propose such kind of solutions are acceptalbe to all. OTP came to us in 1980' and PKI came in 1990', T-FA is kind of solution based on PKI technology. We have been developing our security technology level and hope to make strong authentication up to M-FA. As I know, there is kind of interactive ePass solution, which based on T-FA but stronger. Since there is another press key on the USB Token, which is designed against things like Trojan Horse. You can check it and hope the actual M-FA come true with your helps. —Preceding unsigned comment added by FTsafe (talk • contribs) 04:10, 1 February 2008 (UTC)[reply]

I agree with renaming the article to Multi-factor authentication and explaining Two-factor authentication as a special case of it (there does not need to be many existing implementations as suggested above by User:FTsafe) but I do not agree that there is a commonly respected definition of the term Strong authentication. It is not always used in the sense of Multi-factor authentication and this should be explained in the article. --pabouk (talk) 13:22, 1 February 2008 (UTC)[reply]

--- Strong authentication should not be used when describing two-factor or multi-factor authentication for the simple reason that they are two different things. Using a login ID, a password, an answer to a challenge question, and a secret image may be considered 'strong authentication', but it does NOT meet the regulatory definition of two-factor or multi-factor because only 1 factor is being used (all something the user 'knows'). The use of the term 'strong authentication' has caused many US banks, credit union, and financial services considerable grief over the past year due to the fact that these organizations needed to implement MFA to comply with federal regulatory MFA guidelines, but their managers were tricked into purchasing 'strong authentication' products instead because certain unscrupulous vendors convinced their managers that 'strong' and 'multi-factor' meant the same thing. BearingPoint reported in a study that 94% of US banks have adopted non-compliant 'strong authentication' products instead of regulatory-recommended 'multi-factor' authentication products as a result of this confusion. —Preceding unsigned comment added by 70.190.16.168 (talk) 23:08, 17 June 2009 (UTC)[reply]

This page has now been re-written by an expert.

I am planning to make a page on Wikipedia for my company which I assume is safe to do as a lot of large companies have their own Wiki Pages, but my question is weather or not I am allowed to add to a page like this and mention my company with a link to the Wiki page for the company? According to the rules you shouldnt do this if you own the page or are representing it, any suggestions? —Preceding unsigned comment added by ArjunDave (talk • contribs) 10:31, 6 November 2009 (UTC)[reply]

Take your time to create it within your user space. Make sure you have a fair amount of references from news articles and perhaps a few peer-reviewed papers. If your only reference is the company's web page, I can guarantee that it will be swiftly deleted. Keep in mind that there is almost nothing to be gained by your company having a wiki page. However, there may be something to lose. If the page becomes, in your opinion, bias against the company, then conflict-of-interest guidelines may prevent you from "correcting" it. Skippydo (talk) 17:04, 20 November 2009 (UTC)[reply]

Would the Blizzard Authenticator for the popular game World of Warcraft qualify as a significant thing? 67.161.80.124 (talk) 09:49, 19 February 2010 (UTC)[reply]

I'd say yes. It's a soft token, a perfectly viable and legitimate second factor.Amicaveritas (talk) 22:47, 7 December 2010 (UTC)[reply]

I find the wireless tokens section very hard to follow. It seems like some of the sentences are missing some words? —Preceding unsigned comment added by 79.53.13.204 (talk) 20:41, 16 February 2011 (UTC)[reply]

	An image used in this article, File:SWsecuritycredential.jpg, has been nominated for speedy deletion at Wikimedia Commons for the following reason: Copyright violations What should I do?
	Speedy deletions at commons tend to take longer than they do on Wikipedia, so there is no rush to respond. If you feel the deletion can be contested then please do so (commons:COM:SPEEDY has further information). Otherwise consider finding a replacement image before deletion occurs. This notification is provided by a Bot --CommonsNotificationBot (talk) 08:45, 16 June 2011 (UTC)[reply]

Currently a search on Wikipedia for this doesn't return ANY auth-related articles. Would it be sensible to create another redirect and a short mention of it in the article for now, pending a longer article if this discussion shows it's needed?

This is a vendor article and not suitable for a reference I guess but it's a good backgrounder: http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/ Infojunkie23 (talk) 16:52, 28 June 2011 (UTC)[reply]

There's quite a lot of stuff in here that is overly verbose, as well as some factually incorrect and outdated things, and it's all screaming out for some pictures - using multiple sentences to describe things like "PPP" when a small photo would do it 10x better is crazy.

Also - there's a fair amount of stuff missing - especially things that "vendors" would not want to see - like vulnerabilities and attack vectors etc. Sure - some of this is covered, but it's woefully inadequte.

If visitors to this page are looking to learn about the relative strengths of all these different things, they're plain out of luck right now... — Preceding unsigned comment added by 120.151.160.158 (talk) 12:51, 23 January 2012 (UTC)[reply]

Virtual tokens are not "soft" tokens. Please cease attempting to merge virtual tokens with the "soft" token category. The two technologies are fundamentally different. Soft tokens typcally emulate a token device by deploying software to the end user. Virtual tokens do not deploy software to the end user. — Preceding unsigned comment added by 70.190.0.52 (talk) 00:51, 9 February 2012 (UTC)[reply]

Hi, I do not really agree that biometrics is a authentication method. It is more an identification method. It checks who you are : it is not sufficient to provide real authentication but has to be followed by a "what you know" - for instance - process. — Preceding unsigned comment added by 193.54.194.17 (talk) 13:07, 2 March 2012 (UTC)[reply]

'Perfect Paper Passwords' are neither a one-time pad, nor a 'something you have'. They are a 'something you know' with some protection against re-play attacks. It is basically asking for certain characters from password that is always the same (akin to saying 'third, fourth, last character'). The fact that the password is printed on a grid on a plastic card does not change this.

If it was a true one-time pad then the grid would be used once only, and a new card used for each authentication.

Mauls (talk) 14:19, 9 March 2012 (UTC)[reply]

Someone should probably find the relevant facts from these (as well as other non-USA standards) and mention them in the article: PCI DSS, NCUA, FACTA, NIST 800-63, HIPAA/HITECH, CJIS, Sarbanes-Oxley, and FFIEC. 208.69.177.139 (talk) 04:03, 12 April 2012 (UTC)[reply]