CHAPTER 9
Two-Factor Authentication
What would life be like if there were no imposters, no charlatans, and no thieves? Sorry, that rhetorical
question does not provide any security. Neither does putting on a set of rose-colored glasses and
believing that we are secure just because we've implemented substantial security measures. We will
always be susceptible to trickery and carelessness. The weakest link, even with upright associates, is
always a person taking shortcuts. Social engineering, and inattention to our computer security code of
conduct (don't write down your password, don't share your password, use complex passwords, and
change your password periodically), give thieves entrance to our most secure systems.
So, we are looking for further constraints on identity that can assure us that the person sitting at the
keyboard is who they claim to be. Many things are being done in computer security to attempt to
achieve this, such as the following:
- Requiring a second password or PIN code.
- Assuring there is a person at the computer instead of an automated program by having the person
  type in a word shown as a distorted graphic that a program cannot easily read, called a CAPTCHA,
  which stands for Completely Automated Public Turing test to tell Computers and Humans Apart
  (named in part after Alan Turing, the father of computer science and artificial intelligence).
- Requiring the user to answer personal questions, like giving the name of their first pet.
- Having a biometric scanner, like fingerprint, retina, or facial recognition.
- Having a secure ID token that keeps a code synchronized with the server to provide a one-time
  password, entered along with a PIN code.
- Out-of-band communication to a separate account or device, e.g., pass codes sent to your e-mail,
  pager, or cell phone.
Several of these measures can be counted toward two-factor authentication, and by combining them
you can even achieve three-factor authentication. The factors are:
1. What you know (a password or PIN)
2. Who you are (a human, as checked by a CAPTCHA, or a biometric)
3. What you have (a secure ID token or cell phone)
A second password or additional PIN is sometimes counted as two-factor authentication, but it is not:
it is still just (1), what you know. A second factor has to come from a different category than the first.
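As an added example (not code from this chapter), here is the token-plus-PIN scheme from the list above in working form: the token and the server derive the same one-time code from a shared secret and the clock, and the server accepts a login only when the PIN (what you know) and the code (what you have) both check out. It uses the RFC 4226 HOTP and RFC 6238 TOTP algorithms that such tokens commonly implement; the demo secret is the published test key from those RFCs, and the OtpVerifier class, its PIN hashing and its drift window are assumptions of this example, not anything the chapter specifies.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the reference test key from RFC 4226 / RFC 6238
# (ASCII "12345678901234567890"). A real token carries a random per-device key
# that is provisioned to both the token and the server and never shown again.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code, the RFC 6238 default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the
    epoch. This is what the token displays; the server computes the same value
    from its own clock, which is the 'synchronization' the chapter refers to."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server side of the scheme (assumed design for this example): checks the
    PIN (what you know) and the one-time code (what you have), tolerates a
    little clock drift, and refuses to accept the same code twice."""

    def __init__(self, secret: bytes, pin: str, window: int = 1):
        self.secret = secret
        # Hypothetical PIN storage for the demo: a salted SHA-256 stands in for
        # whatever password-hashing scheme the application already uses.
        self.pin_salt = b"demo-salt"
        self.pin_hash = hashlib.sha256(self.pin_salt + pin.encode()).digest()
        self.window = window        # accept codes up to +/- window steps away
        self.last_counter = -1      # highest time-step counter already spent

    def _pin_matches(self, pin: str) -> bool:
        candidate = hashlib.sha256(self.pin_salt + pin.encode()).digest()
        return hmac.compare_digest(candidate, self.pin_hash)

    def verify(self, pin: str, code: str, unix_time: int) -> bool:
        """True only if both factors check out and the code has not been replayed."""
        pin_ok = self._pin_matches(pin)
        now = unix_time // TIME_STEP
        matched = None
        # Search the drift window with constant-time comparisons, and do the
        # search even when the PIN failed, so a wrong PIN and a wrong code cost
        # the attacker the same and neither failure is distinguishable by timing.
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                matched = counter
                break
        if not pin_ok or matched is None:
            return False
        if matched <= self.last_counter:
            return False            # replay: this step's code was already spent
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Token side and server side agree on the code for a given moment.
    t = 59
    shown = totp(DEMO_SECRET, t)
    server = OtpVerifier(DEMO_SECRET, pin="1234")
    print("token shows", shown, "-> accepted:", server.verify("1234", shown, t))
    print("same code again -> accepted:", server.verify("1234", shown, t))
```

Two points worth noticing. The drift window is what makes a clock-synchronized token usable in practice, but every step of window you allow widens the set of codes an attacker can guess, so keep it small. The replay check is not optional: without `last_counter`, a code shoulder-surfed or phished from the user is good for the rest of its time step, which defeats the purpose of a one-time password.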