Multifactor Authentication – CompTIA Security+ SY0-701 – 4.6

A username and password can be enhanced through the use of multifactor authentication. In this video, you’ll learn about something you know, something you have, something you are, and somewhere you are.


When you log into a website, it’s very common to use a username and password. There might be a mobile app that provides a pseudo-random code, or it may take into account your GPS location. We refer to these different types of login parameters as authentication factors, and some very common authentication factors are something you know, something you have, something you are, and somewhere you are. Although these are very popular authentication factors, there are others you could use as well.

Something you know is probably one of the most popular authentication factors because this includes the password that you’ve memorized. Obviously, your password is made up of a string of characters or a particular phrase, and it’s something that’s only known to you. Another good example of something you know is a personal identification number. If you put your card into an ATM, you’re commonly asked to provide a four-digit PIN. This personal identification number isn’t written down anywhere, so it clearly would be something that only you know.

And you might have a mobile phone or a tablet that uses some type of pattern to be able to unlock that system. This is also referred to as something you know since you’re the only one who knows the specific pattern that allows you access to that device.

Another type of authentication factor is something you have. For example, you might have an ID, and that ID is part of a smart card. That smart card can be inserted into a device, and usually it’s used in conjunction with the personal identification number to provide multiple types of authentication.

Another good example of something you have is a USB security key. The security key holds a certificate that is specific to you. So if you plug in that key, it’s assumed to be you, because you’re the only one with that USB device. You might also have a hardware device that creates a seemingly randomized set of numbers, and those same numbers are also generated on the server. So when you log in with the username and password, you might also be asked to input the number that happens to be on your hardware token at that moment.

There are also software tokens available that you can use on your mobile phone so that you don’t have to carry around yet another device. Carrying your phone with you is also something you have, and it’s not uncommon to use SMS or text messages to send a code to your phone that you can use during the login process.

A type of authentication factor that is very personal is something you are. This is commonly used with biometric authentication where you’re using a fingerprint, a voiceprint, or something else that is specific to you as a person. This works by storing a mathematical representation of the biometric. So a picture of your fingerprint itself is not being stored and compared. It’s actually a mathematical representation of your fingerprint.

This is also a very difficult type of authentication factor to change or modify since it’s very difficult to change something like a voiceprint or a fingerprint. And usually this type of authentication factor is used in conjunction with other factors at the same time, especially since we’ve seen situations where biometrics can be circumvented. So you may want to include this something you are along with one of the other authentication factors as well.

Our mobile devices are very good at determining our location, and we can use that location information as an authentication factor we call somewhere you are. For example, if a login is attempted from a country that’s different than where you were 10 minutes ago, the system may not allow that login to occur because it’s checking on somewhere you are.

We can also get an idea of where someone might be based on their IP address. This is not a perfect representation of where someone might be, and it becomes much more difficult when we start having much larger addresses, such as the ones found with IP version 6. And of course, we could use multiple types of location services to determine where someone might be. We could query their IP address and combine that with GPS coordinates to help understand where a person may physically be located. Once that geolocation process is complete, it can all be used as another authentication factor to allow you to log into the system.