So yes, today we will take a look at what 2FA means in security. It's shorthand for "Two-factor Authentication".
Authentication Factors
During authentication, we make use of authentication factors. This could be just a password, or a thumbprint, or a codephrase. Something for the system to identify you by before allowing entry.
There are generally three types of authentication factors - Knowledge, Possession and Inherence.
Knowledge
This factor type is about what you know. It's something you memorize. In its most common form, it's a password, or a PIN number. If you've watched Mission Impossible: Fallout recently, there's this sequence where Tom Cruise's character, Ethan Hunt, supplies a phrase to a fellow agent.
"I am the storm."
Ethan Hunt: There's a storm coming.
Agent: And the warrior whispers back...
Ethan Hunt: I am the storm.
"There's a storm coming." and "I am the storm." are the passphrases and those serve as useful examples of Knowledge authentication factor types.
Possession
Possession isn't about exorcism in this context (heh heh) but it's something you have. Something you keep on your person such as a mobile phone or a security token. Using it, the system can send a one-time password which the user can then use for authentication.
A typical RSA token.
Other examples of a Possession authentication factor type are - ATM card, NRIC card and credit card. Again, things you keep on your person.
Inherence
Don't be intimidated by this term - it basically means what you are. Things that are part of you, that we use in authentication. Like thumbprints, retina scans, facial recognition, voice recognition and so on. Biometrics.
Eye scan.
There's even something that scans the inner lining of your ear. It sounds weird as heck, but we live in strange times. Hey, if it works...
An authentication system is made out of authentication factors. There may be multiple factors, but whether a system is Single-factor Authentication, Two-factor Authentication (2FA) or Three-factor Authentication (3FA), depends on the number of different authentication factor types. For example, a simple Login screen is Single-factor authentication, even though the user has to key in both a login id and a password.
Instagram login screen.
Examples of Single-factor Authentication
As previously stated, a typical login screen is Single-factor Authentication. So is any type of system that only uses one authentication factor type.
ActiveSG gantry.
Unlocking your mobile phone can be done via thumbprint scan (Inherence), facial recognition (Inherence) or a PIN (Knowledge). That's Single-factor Authentication.
Examples of Two-factor Authentication (2FA)
As mentioned previously, using your SingPass is 2FA. You key in your login id and password (Knowledge), then the system sends an OTP to your mobile phone (Possession) for you to continue the login process.
Automatic Teller Machine.
The gantries in Changi Airport (all terminals) are 2FA. First, you scan your passport (Possession) and then your thumbprint (Inherence).
Examples of Three-factor Authentication (3FA)
There are virtually no examples of 3FA on websites. Biometrics are all but impossible right now on browsers. (CAPTCHA doesn't count because while it does - kind of - verify that you're not a bot, it can't verify that you're you.) Therefore, we're limited to only two authentication factor types - Knowledge and Possession.
Hi-tech security.
However, advanced security systems might require an electronic pass, a biometric scan and a passcode. That would qualify as 3FA.
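To make the counting rule concrete, here is an added example (not from the original post) that scores a login flow by the number of distinct factor types on its weakest path. The credential names, the mapping table and the treatment of a login id as an identifier rather than a factor are assumptions made for illustration.

```python
from enum import Enum
from itertools import product


class Factor(Enum):
    KNOWLEDGE = "what you know"
    POSSESSION = "what you have"
    INHERENCE = "what you are"


# Assumed mapping of credential kinds to the three factor types.
# A login id identifies the user but proves nothing, so it maps to None.
CREDENTIAL_TYPE = {
    "login_id": None,
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "passport": Factor.POSSESSION,
    "electronic_pass": Factor.POSSESSION,
    "thumbprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def factor_count(flow):
    """flow is a list of steps; each step lists the credentials of which
    any ONE satisfies that step. Returns the number of distinct factor
    types guaranteed on every path through the flow (weakest path wins)."""
    weakest = None
    for path in product(*flow):
        types = {CREDENTIAL_TYPE[c] for c in path} - {None}
        if weakest is None or len(types) < weakest:
            weakest = len(types)
    return weakest or 0


# Flows modelled on the examples in this post (constructed for illustration).
LOGIN_SCREEN = [["login_id"], ["password"]]
PHONE_UNLOCK = [["thumbprint", "face", "pin"]]   # any one of three unlocks
SINGPASS = [["login_id"], ["password"], ["sms_otp"]]
CHANGI_GANTRY = [["passport"], ["thumbprint"]]
ADVANCED_SYSTEM = [["electronic_pass"], ["thumbprint"], ["pin"]]
# Constructed edge cases: two steps of the same type, and an OTP step
# that can be bypassed with a PIN, both collapse to a single factor.
PASSWORD_PLUS_PIN = [["password"], ["pin"]]
OTP_OR_PIN_FALLBACK = [["password"], ["sms_otp", "pin"]]
```

The last flow shows why fallback options matter: offering a PIN as an alternative to the OTP drops the whole login back to Single-factor Authentication.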