Earlier this month we asked if this would be the year that two-factor authentication (2FA) would be taken seriously.
Since then further areas have also emerged in the authentication arena to prove that there is more than something you have and something you know, meaning that there is more than just 2FA. Talking with Validsoft, that focuses on card not present financial fraud, it became obvious that authentication can be taken as far as you want it.
Validsoft CEO Patrick Carroll told me about four-factor authentication (4FA), which comprises something you know, something you have, who you are and where you are. In terms of determining where a customer is for reducing ATM fraud, Carroll said that the fourth factor is deployed afterwards and the third factor is deployed to use voice recognition to authenticate the user.
Carroll said: “You can turn a negative customer experience into a positive one as the bank is looking after you, but at the moment they cannot detect fraud and cannot resolve it. There can be many transactions before the bank wakes up to the activity, they can use an active resolution or simply call the cardholder.”
Talking about 4FA, Carroll said that typically 2FA is strong enough but it is about how many factors you bring together and what rules there are on what is used.
Dave Abraham, CEO of Signify, said that 4FA is niche at the moment and may not be something that a company would put in explicitly. “It is one of the things that it may do. Firstly, say where do you normally come in from using geolocation and that could combine with a hosted service to show that not only do they normally come in from somewhere else, but five minutes ago they authenticated in San Francisco,” he said.
“So there are ways that it can be used as a very first stage of authentication, but moving to more mobile authentication to generate a number or coming in from this place, we need to step this up to decide.”
Asked if he thought 4FA was overkill on authentication. Abraham admitted that, as it is so often unutilised because 2FA is enough. It is a combination of the four options, such as password plus biometric, and if you combine the two options you get the strength of both factors.
He said: “One of the common things with biometric authentication is that it is often implemented as a single factor, so you can take away the password at the login point. The reality is that users are resistant to two factors so for most applications, going to three is too much of a pain for a user and more costly.
“For highly secure needs like data centres and banks, you may have two people with two or three factors so there is always more security, but with 3FA it would be overkill for logging on to a desktop. It is about applying the right level for what you need.”
Jim Fulton, vice president of marketing at DigitalPersona, said that he shared the scepticism about complication with authentication, but that he did believe that it will evolve in the future.
“I tend to see multi-factor authentication heading in the direction of allowing policies like ‘require N factors from the following M types of credentials'. Geolocating might not be a factor, but could be used to select which policy to enforce based on where someone is or whether they are connected to the physically-secured corporate network,” he said.
“For example, we've already had people ask for the ability to express policies such as ‘if your machine is connected to the corporate network (or your assigned subnet), then require one credential (such as password or fingerprint or face), but if your machine is out in the world, require two or more credentials'.”
Asked about the take-up of multiple-factor by businesses, Fulton said that to go beyond two factors, you have to look at usability. Typing in a password is a relatively active action, as you have to go out of your way to do it, while facial recognition can potentially be relatively passive. Fingerprints, particularly with the placement-style sensors that you touch instead of swipe, are in the middle.
Other aspects, such as what network your machine is connected to, what geolocation you are in and whether or not you supplied a credential to another system, such as an electronic door lock, will potentially play a role as even more passive techniques that will be examined when people authenticate.
“All of this will be important as businesses look to raise the assurance they have about the people who are accessing information. In essence to be able to know, for sure, who does what,” said Fulton.
The fact is that there is more to user authentication than a username and password and more than a one-time password should you want to use other technology. It really comes down to what you are trying to secure and what you are trying to keep out. Could I imagine myself using all four authentication methods in one instance? Admittedly not, but it would still be nice to see more B2C rollout of stronger authentication technology.