Three-factor authentication: Something you know, something you have, something you are

Last updated: 16 May 2018

Authentication technology is really not all that different to the way you would think about securing a building – some tools and techniques are more secure than others and having a number of different mechanisms in place generally increases security. At its most basic level, security is about what you know, adding something you have and completing the identity picture with something you are, making it virtually impossible to beat the system.

Passwords are the original and most widely used authentication technique, but also the easiest to crack. It would be like securing your front door with nothing else but a simple code typed into a keypad. Not only might it be easily guessed based upon some basic information about you, but over time you will have given it out to a number of people who in turn may have shared it with others. If this technique were used for a house or building, I doubt it would make anyone inside feel secure.

To add an extra layer of security, you can add a second factor: something that the user ‘has’ or ‘possesses’ – like a key to a front door. Tokens have already been around for quite some time in the corporate world and now many retail banks have introduced them as an extra element of security for online banking. Unlike the keypad security of our first example, if the key to your house got stolen, the chances are you are going to notice it very quickly – and probably change your lock. However, IT tokens are smarter than keys in the way that they give you a different access code each time you log in, as if the key and lock change their shape each time you want to get into your front door, thus making it harder for intruders to gain access.

If your house is full of valuables that need bullet-proof protection, having the first two security mechanisms in place might not be enough, however. It is at this point that adding a third factor can provide significant authentication strength by relying on something that the user ‘is’. This means something about their person that cannot be changed, such as fingerprints, facial features or eyes, which can be used as a factor of identity verification.

While for the average house three-factor authentication may be excessive, for many organisations it is becoming a necessity. One thing to remember, however, is that ease of use is key and any IT security solution is only as strong as its weakest link. While it is in the end-user’s best interest to keep their data secure, many take time to adapt to new technologies. HSBC, for example, recently received complaints for introducing tokens for its online banking customers, who resent the extra complexity.

Even with technology becoming increasingly sophisticated, at its core security remains very simple. For the best protection, it’s just a case of 1, 2, 3:

  1. Something you know
  2. Something you have
  3. Something you are
