September 25 2012

Defining multifactor authentication

I was recently having a discussion about the definition of multifactor authentication and what actually constitutes one-, two- or three-factor authentication. There seems to be confusion around these definitions, so I am posting some industry-accepted definitions for all to see or reference. Authentication methodologies involve three basic “factors”:

  1. Something the user knows (e.g. password, personal identification number, personally identifiable information)
  2. Something the user has (e.g. smartcard, security token, telephone, signed digital certificate)
  3. Something the user is (e.g. fingerprint, voice, retinal pattern, DNA)

According to the Federal Financial Institutions Examination Council’s Authentication in an Internet Banking Environment, August 15, 2006, two-factor authentication (aka multifactor authentication) is described as:

“By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category would not constitute multifactor authentication.”

Therefore, two-factor (aka multifactor) authentication is a combination of any two of these factors. For example, a fingerprint scan and a password is two-factor authentication; a password and a signed computer digital certificate is two-factor authentication. However, if you use a password, a signed computer digital certificate, a PIN and a number generated from your RSA SecurID token, you are still using two-factor authentication, because those identifiers come from only two of the three categories listed above (the password and PIN are both something you know; the certificate and the token code are both something you have).
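To make the counting rule concrete, here is an added Python example (not from the original post) that maps each verified authentication method to one of the three factor categories and counts distinct categories rather than credentials; the method names and the mapping table are assumptions built from the examples above.

```python
from enum import Enum


class Factor(Enum):
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


# Assumed mapping of authentication methods to factor categories, built from the
# examples in the post. Method names are illustrative, not any product's API.
METHOD_FACTOR = {
    "password": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "security_question": Factor.KNOWS,
    "smartcard": Factor.HAS,
    "hardware_token_code": Factor.HAS,   # e.g. a number from an RSA SecurID token
    "device_certificate": Factor.HAS,    # signed digital certificate on the machine
    "sms_code": Factor.HAS,              # proves possession of the telephone
    "fingerprint": Factor.IS,
    "voice": Factor.IS,
    "retina": Factor.IS,
}


def factors_used(methods):
    """Return the distinct factor categories covered by the verified methods.

    An unmapped method name raises, so a misconfigured policy fails closed
    instead of silently counting an unknown method as an extra factor.
    """
    categories = set()
    for m in methods:
        if m not in METHOD_FACTOR:
            raise ValueError(f"unmapped authentication method: {m!r}")
        categories.add(METHOD_FACTOR[m])
    return categories


def count_factors(methods):
    """Number of categories represented, which is what 'n-factor' means."""
    return len(factors_used(methods))


def is_multifactor(methods):
    """True only when two or more of the three categories are represented."""
    return count_factors(methods) >= 2
```

Four credentials from two categories (password, certificate, PIN, token code) still count as two factors, and three "something you know" credentials count as one.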

There is a great article here ( which discusses this in detail, and it is also worth checking out the PCI Security Standards Council Quick Reference Guide, especially section 8.3 (, FFIEC’s Authentication Guidance whitepaper ( and Australia’s DSD security advice article (