Multi-factor Authentication – CompTIA Security+ SY0-401: 5.2

If you want to secure your authentication process, then you’ll probably implement some form of multi-factor authentication. In this video, you’ll learn how to secure your authentication by using something you are, something you have, something you know, somewhere you are, and something you do.



When we’re authenticating to a resource we may be using multiple factors of authentication. We categorize these factors as something you are, something you have, something you know, somewhere you are, and something you do. These might be very expensive methods of authenticating, perhaps using separate hardware tokens, or they might be something less expensive, like an application that runs on a smartphone.

Something you are generally refers to something like biometric authentication, so we would be using a fingerprint or a voiceprint or an iris to really identify that you are the person you say you are. The process of capturing these biometrics at enrollment is not taking an actual picture of your fingerprint; it’s making a mathematical model of your fingerprint or your voiceprint or whatever you’re using, so that later on it can compare a new fingerprint, using that exact same mathematical model, to see if the two things match.

These types of things are difficult to change. It’s not often that we would change out a fingerprint, and our voice tends to be exactly the same day after day, week after week. But these processes are still not foolproof. We want to be able to consider using these in very specific instances and perhaps combining them with other factors of authentication as well.

An authentication type I use often is something I have. This means that you have something with you that will help identify you as an individual. This may be something like a smart card. This is something you might slide into, or hold close to, a particular resource reader, and it may then also require you to input a PIN, so that somebody couldn’t simply steal your card and gain access. The PIN adds an additional layer of security to your smart card.

Another piece is a USB token. There is a certificate on the USB device that you must insert, and that certificate would then also require something like a PIN to gain access. Or there might be software tokens or hardware tokens, where you are presented with a pseudo-random number, so you not only have to provide your username and your password, but you also have to put in whatever number happens to be displayed on this particular token.

Another way to do this is with our telephones. Once we put in our username and password, the system may send us a text message, and we then have to repeat back into the system what was listed in that text message. This is just another way to help prove who we are based on something we might have with us.

A very common and very inexpensive factor of authentication is something you know. This would be something that you’ve got in your brain. It’s in your head. A password is a very good example of something you know. It’s a secret phrase or secret word or string of characters put together.

Another example of something you know is a PIN. That stands for personal identification number, and it’s usually associated with an ATM card or a smart card or some other device, so that you’re combining both that device and the special personal identification number to help link those things together.

A third piece of something we might know may be a pattern. This is something you see on Android devices, for instance, where you can lock the screen and then unlock it, if you happen to know the right pattern to move your finger around on the screen. This is a little bit different than knowing a word or a pass phrase or a set of numbers. You have to now remember what that particular pattern was, and then repeat that every time you want to authenticate.
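The token and password paragraphs above describe combining something you know (a password or PIN) with something you have (a token showing a pseudo-random number). The following is an added example, not code from the video or from CompTIA, of how a server-side check of those two factors can look. The one-time code is generated with the HOTP/TOTP construction (RFC 4226 and RFC 6238), which is the algorithm most software tokens use; the user record, the PBKDF2 parameters and the clock-drift window are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumed cost parameter for this example


def make_user(password: str, token_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 hash of the password ("something you
    know") and the shared secret provisioned into the token ("something you have").
    A real deployment stores this in a database, never in a module-level dict."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "token_secret": token_secret,
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step,
    which is what a software token on a phone displays."""
    return hotp(secret, unix_time // step, digits)


def check_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_token_code(user: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current time step plus/minus `window` steps so a token whose clock
    drifted slightly still works; `window` is an assumed tolerance, not an RFC value."""
    step_now = unix_time // 30
    for step in range(step_now - window, step_now + window + 1):
        if hmac.compare_digest(hotp(user["token_secret"], step), code):
            return True
    return False


def authenticate(user: dict, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Both factors are always evaluated (bitwise &, not short-circuit `and`), so the
    response time does not reveal which factor failed, and a single boolean is returned."""
    if unix_time is None:
        unix_time = int(time.time())
    password_ok = check_password(user, password)
    code_ok = check_token_code(user, code, unix_time)
    return password_ok & code_ok


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 test secret and a throwaway password.
    user = make_user("correct horse battery", b"12345678901234567890")
    now = int(time.time())
    print("token shows:", totp(user["token_secret"], now))
    print("login ok:", authenticate(user, "correct horse battery", totp(user["token_secret"], now), now))
```

The point the video makes about the smart card applies here too: stealing the token alone is not enough, because the password check still fails, and guessing the password alone is not enough, because the six-digit code changes every 30 seconds.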

A relatively new method of authentication is something like somewhere you happen to be. This is all based on your location whenever you’re trying to authenticate. This would check to see what geography you happen to be in and then allow or disallow access based on that information. One way to do this might be with your IP address. In many cases, at least with IPv4, we can identify what country an IP address was originally assigned to.

So if we know that you’re logging in from an IP address that’s located in the United States, we might allow you to continue the authentication process. But if the login is coming from an IP address that was registered to China, we might automatically restrict any logins from those IP addresses.

These days you can combine this with additional services, like the location services on our mobile devices. This would give you some very specific geolocation information, and you can then provide that information up to the authentication mechanism, so it knows that you’re standing at the front door of where you should be when you’re trying to authenticate into the building.
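The country-based allow/restrict decision described above, as an added example that is not part of the video: a longest-prefix lookup of the source IP address against a country table, followed by the policy the video sketches (United States continues, everything else is restricted). The table here is constructed from RFC 5737 documentation prefixes purely for illustration; those prefixes are not assigned to any country, and a real deployment would load a registry- or vendor-supplied IP-to-country database. The non-routable list is also an assumption of the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed IP-to-country table (documentation prefixes, not real allocations).
# A more specific prefix wins, as it would in a real allocation database.
IP_TO_COUNTRY: List[Tuple[ipaddress._BaseNetwork, str]] = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.128/25"), "US"),
]

# Countries from which a login may continue; everything else is restricted.
ALLOWED_COUNTRIES = {"US"}

# Address space that never carries a geography: private, loopback and link-local
# ranges. A login seen from one of these came through an internal network or a
# proxy, so the check must not be applied to it (assumed list for the example).
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def country_for(ip: str) -> Optional[str]:
    """Longest-prefix match of `ip` against the table; None when unknown."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress._BaseNetwork, str]] = None
    for net, country in IP_TO_COUNTRY:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country)
    return best[1] if best else None


def location_decision(ip: str) -> str:
    """Return 'allow', 'deny' or 'not-routable' for a login from `ip`.
    Unknown geography fails closed: an address the table cannot place is denied
    rather than waved through, because IPv6 and freshly reassigned IPv4 space
    are exactly where a country lookup is least reliable."""
    addr = ipaddress.ip_address(ip)
    if any(addr.version == net.version and addr in net for net in NON_ROUTABLE):
        return "not-routable"
    country = country_for(ip)
    if country in ALLOWED_COUNTRIES:
        return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed sample of login source addresses.
    for sample in ["192.0.2.10", "198.51.100.5", "198.51.100.200", "203.0.113.1", "10.1.2.3", "2001:db8::1"]:
        print(f"{sample:>16}  country={country_for(sample)!s:<5} decision={location_decision(sample)}")
```

Treat this as one signal, not a verdict on its own: the video's caveat that country mapping works "at least with IPv4" is visible in the code, where an IPv6 source simply has no entry and is denied, and a legitimate traveller would hit the same restriction. The decision is better used to require an extra factor than to hard-fail the login.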

The last factor of authentication that we’ll look at is something you do. This is your own personal way of doing things. Everybody has a certain way of signing their name. That is certainly something we do that’s very unique to us. Handwriting analysis is a common way to do this, since everybody has a different style or technique of signing their name.

This might also be something like a pattern of typing. Whenever you type in your password, there is often a very similar structure to how you type it, and that rhythm might identify you as a specific individual. This is very similar to biometrics, which is something you are. In this particular case we’re taking it a little bit further and defining it as something you do.
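The typing-pattern idea above, as an added example that is not from the video: a minimal keystroke-rhythm profile built from the intervals between key presses while the user types a fixed passphrase. It also shows the earlier point about biometrics, namely that what gets stored is a mathematical model (per-position mean and spread), not the raw samples. The enrollment data, the standard-deviation floor and the acceptance threshold are all constructed for the example; production keystroke dynamics use more features and far more samples.

```python
import statistics
from typing import Dict, List, Sequence

# Constructed enrollment data: four recordings of the same user typing the same
# six-character passphrase, each given as the five inter-key intervals in ms.
ENROLL_SAMPLES: List[List[float]] = [
    [120, 95, 210, 130, 88],
    [125, 100, 205, 128, 90],
    [118, 92, 215, 135, 85],
    [122, 98, 208, 131, 91],
]

MIN_STDEV_MS = 5.0   # floor so a very consistent typist does not get an unusable model
THRESHOLD = 2.0      # accept if the mean |z-score| across positions is at most this


def build_profile(samples: Sequence[Sequence[float]]) -> Dict[str, List[float]]:
    """Per-position mean and standard deviation of the inter-key intervals.
    This is the stored template; the raw samples can be discarded afterwards."""
    n = len(samples[0])
    if any(len(s) != n for s in samples) or len(samples) < 2:
        raise ValueError("need at least two samples of equal length")
    means = [statistics.mean(s[i] for s in samples) for i in range(n)]
    stdevs = [max(statistics.stdev(s[i] for s in samples), MIN_STDEV_MS) for i in range(n)]
    return {"means": means, "stdevs": stdevs}


def rhythm_distance(profile: Dict[str, List[float]], sample: Sequence[float]) -> float:
    """Mean absolute z-score of a new sample against the profile (0 = identical rhythm)."""
    return sum(abs(v - m) / sd
               for v, m, sd in zip(sample, profile["means"], profile["stdevs"])) / len(sample)


def matches_rhythm(profile: Dict[str, List[float]], sample: Sequence[float],
                   threshold: float = THRESHOLD) -> bool:
    """True when the sample's rhythm is close enough to the enrolled template.
    A sample of the wrong length (different passphrase) can never match."""
    if len(sample) != len(profile["means"]):
        return False
    return rhythm_distance(profile, sample) <= threshold


if __name__ == "__main__":
    profile = build_profile(ENROLL_SAMPLES)
    genuine = [121, 97, 211, 129, 89]       # constructed: same user, same rhythm
    impostor = [300, 250, 400, 320, 260]    # constructed: correct password, slow unfamiliar typing
    print("genuine :", round(rhythm_distance(profile, genuine), 3), matches_rhythm(profile, genuine))
    print("impostor:", round(rhythm_distance(profile, impostor), 3), matches_rhythm(profile, impostor))
```

The impostor case is the one that matters for defenders: the correct password was entered, so the something-you-know factor passed, and only the rhythm check catches the difference. Because typing rhythm varies with keyboard, fatigue and mood, the threshold has to be tuned against real false-reject rates, which is why this factor is used alongside others rather than on its own.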