When browsing the Internet, you can find much contradictory information about authentication factors. Some argue that there are three authentication factors. There are also a few sources claiming that there are four or five authentication factors. But who is right? How many authentication factors are there?
How Many Authentication Factors Are There?
There are three authentication factors:
- Knowledge Factor (something you know)
- Possession Factor (something you have)
- Inherence Factor (something you are)
Any of these three factors can successfully verify the identity of a user if we assume that no attempt at spoofing was made. For example, although someone else may know your password, such a situation is already considered an anomaly. If we assume that you are the only person who knows your password, then this piece of evidence is enough to identify you.
Likewise, while a malicious actor may steal your phone or gain remote access to your phone, both of these situations are already examples of security incidents.
What is and what is not an authentication factor should be decided independently of possible compromise scenarios. In the end, anything can be broken, and then we end up with abstract situations in which a cut finger is no longer something you are but something you have.
More Than Three Factors?
Some experts argue that more than three factors of authentication exist and enumerate authentication factors such as the Location Factor (somewhere you are), the Time Factor (what time is it), and the Behavior Factor (something you do).
On the other hand, means such as time, location, and behavior are often said to be just security controls that increase security but should not be treated as authentication factors.
What Does NIST Say?
It is important to discuss theory. You must know the theory before you get to practice. On the downside, if you get too deep into theory, you risk falling into a trap of overthinking the meaning of words instead of choosing the most secure practical implementation that fits your needs.
Authentication factors are a loosely defined concept, and the theory surrounding this concept may change in the future. Since there is no single source that indisputably sets the standards and dispels all doubts, the next best thing you can do is trust an authority on the subject.
The National Institute of Standards and Technology (NIST) is a federal agency within the United States Department of Commerce. NIST releases official papers and guidelines concerning cybersecurity.
Section 4.3.1, Authenticators, of NIST Special Publication 800-63 emphasizes that the “classic paradigm for authentication systems identifies three factors” and later adds: “[…] other types of information, such as location data or device identity, may be used by an RP or verifier to evaluate the risk in a claimed identity, but they are not considered authentication factors.”
NIST releases new versions of their publications and delivers a list of errata. Still, it is not very likely that NIST will change their definition of authentication factor any time soon, so it is better to stick to the canonical definition of just three authentication factors and treat any other means simply as an additional security control.

Why Do Some People Claim There Are More Than Three Factors?
The discussion about the number of factors is heavily based on semantics.
Somewhere you are, what time is it, and something you do either boil down to one of the three classic factors or are security controls.
For a security control to qualify as a possible authentication factor, the control needs to allow the system to determine the identity of a user, that is, whether a person is who they say they are.
Somewhere You Are
One argument against location being an authentication factor is that you cannot determine somebody’s identity by only knowing that somebody tries to log in from a given location. Many users may stay in the same location. Even if there is no attempt at faking somebody’s location, Bob and Alice may both stay in the same room in the same office in the same city, but they are clearly two different people. As a result, the location itself is not sufficient to determine the user’s identity.
Conversely, you can successfully use any of the three classic authentication factors to determine the user’s identity. A malicious actor can still spoof these factors, but in a perfectly secure environment, these three factors can unambiguously identify the user.
To tell where the user is, a security system most often checks their IP address or their device’s MAC address.
An IP address is not an inherent part of a device. It is assigned to the device and may change later. As a result, an IP address is not a reliable means of validating device identity.
The MAC address can be successfully used to validate device identity. However, according to NIST, device identity should not be treated as an authentication factor.
What Time Is It
You cannot use the current time to identify a person. You can, however, use the current time as an access control.
For example, you may pre-define a set of rules that deny users who try to log in during off-hours. If work hours are defined as 9 AM – 5 PM and Bob tries to log in at 8 PM, Bob will be denied access.
The preceding example is a type of access control but not authentication.
Something You Do
When you unlock your phone by swiping the screen in a series of patterns, it is something you do. However, it can be reduced to something you know, even if these movements are only in your muscle memory. The same goes for picture passwords that require you to follow a series of movements on a picture. You know what movements you have to perform.
Something you do may also be based on machine learning. A security system assisted by AI analyzes the user’s behavior and tries to decide if the user is who they claim to be. Such analysis has a name: behavioral biometrics, which is just a slightly more nuanced form of something you are.
But again, how can a system identify a user by their behavior? Is it the user’s typing cadence? It is said that every person has their own, so it is clearly something you are. The same goes for mouse or touch screen movements or the use of keyboard shortcuts. Incidentally, typing on its own is not a good factor because the same person types differently when angry and when calm, which may confuse the system into believing this one user is two different people. However, when you combine the user’s typing speed, use of shortcuts, touch screen tap pressure, and gyroscope data, such a system may prove to be successful. All the same, even if behavioral biometrics could identify each user with 100% certainty, they are still just a variation of something you are.
Are the Three Classic Authentication Factors All We Need?
If implemented properly, controls such as location, time, and behavior can be a very useful addition to MFA. As a matter of fact, many Adaptive Authentication systems use these controls to decide the security risk involved with each user login and adjust authentication factors accordingly. For example, a risk-based authentication system may detect that the user logs in from an unusual geolocation or during off-hours and, for this reason, deny the user or require the user to go through the authentication process again, this time using more secure authentication factors.
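The distinction the article draws, both in the off-hours rule for Bob above and in this risk-based description, is easiest to see in code. The following is an added example written for this post; it is not Rublon's code and not NIST's. It assumes a hypothetical user record with a salted password hash (knowledge factor), a shared secret for a simplified one-time code (possession factor; a stand-in for real TOTP, not an implementation of RFC 6238), and a constructed "usual" office network prefix from the 203.0.113.0/24 documentation range. Time and location are evaluated only as security controls: they can escalate a login that the factors already authenticated, but they never substitute for a failed factor.

```python
"""Login decision that keeps the three authentication factors separate from
security controls (time, location). Added example, not Rublon's code.
All credentials, secrets and addresses below are constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool              # login accepted outright
    step_up_required: bool     # factors passed, but a control asks for stronger re-authentication
    factors_verified: tuple    # which canonical factors were satisfied
    controls_triggered: tuple  # which security controls flagged the attempt


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed (hypothetical) user record: PBKDF2 hash for the knowledge factor,
# a shared secret for the possession factor, and the office network prefix
# (TEST-NET-3 documentation range) used only by the location control.
_SALT = b"constructed-salt"
USER_DB = {
    "bob": {
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "otp_secret": b"constructed-otp-secret",
        "usual_prefixes": ("203.0.113.",),
    }
}
WORK_HOURS = (9, 17)  # 9 AM - 5 PM, as in the article's example


def authenticator_app_code(otp_secret: bytes, at_iso: str) -> str:
    """Simulates the code shown by an authenticator app: HMAC over a 30-second
    window, truncated to 6 digits. A simplified stand-in for real TOTP."""
    window = int(datetime.fromisoformat(at_iso).timestamp()) // 30
    digest = hmac.new(otp_secret, str(window).encode(), "sha256").digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def verify_knowledge(user: str, password: str) -> bool:
    rec = USER_DB.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw_hash"], _hash_password(password, _SALT))


def verify_possession(user: str, code: str, at_iso: str) -> bool:
    rec = USER_DB.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(code, authenticator_app_code(rec["otp_secret"], at_iso))


def evaluate_controls(user: str, source_ip: str, at_iso: str) -> tuple:
    """Security controls: they cannot identify the user, only raise the risk
    of an attempt that the factors have already authenticated."""
    triggered = []
    hour = datetime.fromisoformat(at_iso).hour
    if not (WORK_HOURS[0] <= hour < WORK_HOURS[1]):
        triggered.append("off_hours")
    prefixes = USER_DB.get(user, {}).get("usual_prefixes", ())
    if not any(source_ip.startswith(p) for p in prefixes):
        triggered.append("unusual_location")
    return tuple(triggered)


def decide_login(user: str, password: str, code: str, source_ip: str, at_iso: str) -> Decision:
    factors = []
    if verify_knowledge(user, password):
        factors.append("knowledge")
    if verify_possession(user, code, at_iso):
        factors.append("possession")
    controls = evaluate_controls(user, source_ip, at_iso)
    # Controls never substitute for a factor: a familiar location and a
    # sensible hour do not rescue a wrong password or a wrong code.
    if len(factors) < 2:
        return Decision(False, False, tuple(factors), controls)
    # Both factors passed; a triggered control escalates rather than identifies.
    if controls:
        return Decision(False, True, tuple(factors), controls)
    return Decision(True, False, tuple(factors), controls)


if __name__ == "__main__":
    at = "2024-01-15T20:00:00"  # Bob at 8 PM, from the office network
    code = authenticator_app_code(USER_DB["bob"]["otp_secret"], at)
    print(decide_login("bob", "correct horse battery staple", code, "203.0.113.7", at))
```

Note that the order of checks matters: both factors are verified before any control is consulted, so an off-hours or unusual-location signal can only produce a step-up request for a user the factors have already identified, and a clean signal cannot turn a failed password into an accepted login.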
Do Not Think Factors. Think Security.
At Rublon, we believe that security should be your number one concern. For this reason, location, time, and behavior should not replace any of the three canonical authentication factors. Use means such as location or behavior only as an additional step next to at least two of the three canonical authentication factors.
Every Rublon Mobile Push authentication request contains information about the location and time of the login. This information is a helpful security control for the user to decide if the request really comes from them. However, Mobile Push is the Possession Factor itself, and we do not replace the Possession Factor with just the location-time data. Instead, we use the location-time data in addition to the existing factor to make our users’ logins even more secure.