Editing Authentication (section)

=== Authentication factors ===
[[File:US Navy 050308-N-2385R-029 Master-at-Arms Seaman Carly Farmer checks an identification card (ID) before allowing a driver to enter the gate at U.S. Fleet Activities Sasebo, Japan.jpg|thumb|A military police officer checks a driver's identification card before allowing her to enter a military base.]]
The ways in which someone may be authenticated fall into three categories, based on what is known as the factors of authentication: something the user knows, something the user has, and something the user is. Each authentication factor covers a range of elements used to authenticate or verify a person's identity before being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority.

Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified.<ref>{{Cite web |url=http://www.ffiec.gov/pdf/authentication_guidance.pdf |title=Authentication in an Internet Banking Environment |author=Federal Financial Institutions Examination Council |year=2008 |access-date=2009-12-31 |url-status = live|archive-url=https://web.archive.org/web/20100505203410/http://www.ffiec.gov/pdf/authentication_guidance.pdf |archive-date=2010-05-05 }}</ref><ref>{{Cite journal |last=Lee |first=Robert D |date=Winter 2007 |title=Authentication in Internet Banking: A Lesson in Risk Management |url=https://www.fdic.gov/bank-examinations/authentication-internet-banking-lesson-risk-management |journal=Supervisory Insights |publisher=[[Federal Deposit Insurance Corporation]] |pages=42}}</ref> The three factors (classes) and some of the elements of each factor are:

# Knowledge: Something the user knows (e.g., a password, [[partial password]], [[pass phrase|passphrase]], [[personal identification number]] (PIN), [[challenge–response]] (the user must answer a question or pattern), [[security question]]).<ref name=":2">{{Cite journal |last1=Wang |first1=Chen |last2=Wang |first2=Yan |last3=Chen |first3=Yingying |last4=Liu |first4=Hongbo |last5=Liu |first5=Jian |date=April 2020 |title=User authentication on mobile devices: Approaches, threats and trends |url=https://linkinghub.elsevier.com/retrieve/pii/S1389128618312799 |journal=Computer Networks |language=en |volume=170 |pages=107118 |doi=10.1016/j.comnet.2020.107118}}</ref>
# Ownership: Something the user has (e.g., wrist band, [[ID card]], [[security token]], [[Microchip implant (human)|implanted device]], cell phone with a built-in [[hardware token]], [[software token]], or cell phone holding a [[software token]]).<ref name=":2" /> 
# Inherence: Something the user is or does (e.g., fingerprint, [[Retinal scan|retinal pattern]], [[DNA]] sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other [[biometric]] identifiers).<ref name=":2" /> Historically, fingerprints have been used as the most authoritative method of authentication, but court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability.<ref>{{cite book |last1=Moenssens |first1=Andre A. |url=https://www.ojp.gov/pdffiles1/nij/225333.pdf |title=The Fingerprint Sourcebook |last2=Meagher |first2=Stephen B. |date=2014 |publisher=CreateSpace Independent Publishing Platform |isbn=9781500674151 |location=United States |language=en-us |chapter=13 |access-date=3 November 2022 |archive-url=https://web.archive.org/web/20220522184117/https://www.ojp.gov/pdffiles1/nij/225333.pdf |archive-date=22 May 2022 |url-status=live}}</ref> Outside of the legal system as well, fingerprints are easily [[spoofing attack|spoof]]able, with [[British Telecom]]'s top computer security official noting that "few" fingerprint readers have not already been tricked by one spoof or another.<ref>[https://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated ''The Register'', UK; Dan Goodin; 30 March 2008; ''Get your German Interior Minister's fingerprint, here''. Compared to other solutions, "It's basically like leaving the password to your computer everywhere you go, without you being able to control it anymore", one of the hackers comments.] {{webarchive|url=https://web.archive.org/web/20170810131615/https://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated|date=10 August 2017}}</ref> Hybrid or two-tiered authentication methods offer a compelling{{According to whom|date=December 2016}} solution, such as private keys encrypted by fingerprint inside of a USB device.

==== Single-factor authentication ====
As the weakest level of authentication, only a single component from one of the three categories of factors is used to authenticate an individual's identity. The use of only one factor does not offer much protection from misuse or malicious intrusion. This type of authentication is not recommended for financial or personally relevant transactions that warrant a higher level of security.<ref name="Turner-DigitalAuthentication-Basics">{{cite web |last1=Turner |first1=Dawn M. |date=2 August 2017 |title=Digital Authentication: The Basics |url=http://www.cryptomathic.com/news-events/blog/digital-authentication-the-basics |url-status=live |archive-url=https://web.archive.org/web/20160814214552/http://www.cryptomathic.com/news-events/blog/digital-authentication-the-basics |archive-date=14 August 2016 |access-date=9 August 2016 |publisher=Cryptomathic}}</ref>

==== Multi-factor authentication ====
{{Main|Multi-factor authentication}}

Multi-factor authentication involves two or more authentication factors (something you know, something you have, or something you are). Two-factor authentication is a special case of multi-factor authentication involving exactly two factors.<ref name="Turner-DigitalAuthentication-Basics" />

For example, using a bank card (something the user has) along with a PIN (something the user knows) provides two-factor authentication. Business networks may require users to provide a password (knowledge factor) and a pseudorandom number from a security token (ownership factor). Access to a very-high-security system might require a [[mantrap (access control)|mantrap]] screening of height, weight, facial, and fingerprint checks (several inherence factor elements) plus a PIN and a day code (knowledge factor elements),<ref>{{Cite book |last1=Ali |first1=Saqib |title=Cyber Security for Cyber Physical Systems |last2=Al Balushi |first2=Taiseera |last3=Nadir |first3=Zia |last4=Khadeer Hussain |first4=Omar |publisher=[[Springer Nature]] |year=2018 |isbn=978-3-319-75879-4 |series=Studies in Computational Intelligence |language=en |chapter=ICS/SCADA System Security for CPS |doi=10.1007/978-3-319-75880-0 |eissn=1860-9503 |issn=1860-949X}}</ref> but this is still a two-factor authentication.