Multi Factor Authentication: An idea whose time has come. Again.

Multi Factor Authentication (MFA) is a current topic of discussion, but the term, and the idea behind it, has been in use for a long time. According to Jim Reno (2013), MFA in some form has existed for centuries. Reno uses the example of a Centurion at the entrance to the Roman Senate, who might require both a spoken password and a look at the Senator's ring before allowing entry.

For decades, both information technology and information security personnel spoke of Two Factor Authentication (2FA): authentication that combines two distinct factors, such as "something you know" and "something you have," as in Reno's Roman Centurion example above. If you can speak the correct password and are able to show the Senator's ring, then you may pass.

But what about a third factor for admittance to the Roman Senate? Perhaps a thief stole the Senator's ring and also discovered the password to be spoken at the door. A third factor, "something you are," provides an extra layer of security should the other two be compromised. If a robed gentleman claiming to be Senator Cassius did not match the known description of Cassius, then further investigation is needed and entry is barred.

In today's online and mobile world, it is often the case that a "description" of a customer is assessed against a known profile. Is the customer using an unfamiliar platform to access the resource, a different machine, or one located in a different geographic area and time zone? Such characteristics extend beyond identification of a user to the user's behavior. Risk-based analysis (Reno, 2013) takes into account inconsistencies such as unusual spending, unusual velocity of activity, or physical movement that is impossible (for example, a user logon originating in Chicago moments after a logon from Los Angeles).
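The "impossible travel" check described above is easy to state and worth seeing as working detection logic. The following is an added example written for this article; it is not Reno's code or any product's implementation. It assumes each login event has already been geolocated to a latitude and longitude (for instance from a GeoIP lookup, which is outside the scope of the example), uses a constructed sample of login events, and treats the 900 km/h speed ceiling and the 50 km minimum-distance floor as assumed tuning values, not standards.

```python
"""Impossible-travel detection over geolocated login events (added example)."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

EARTH_RADIUS_KM = 6371.0
# Assumed tuning values: roughly airliner speed, and a floor that ignores
# GeoIP jitter within one metro area (two logins 10 km apart a second apart
# are noise, not travel).
MAX_PLAUSIBLE_KMH = 900.0
MIN_DISTANCE_KM = 50.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime      # timezone-aware timestamp of the successful logon
    lat: float
    lon: float
    label: str        # human-readable location, for the alert text only


@dataclass(frozen=True)
class Alert:
    user: str
    from_label: str
    to_label: str
    km: float
    kmh: float        # math.inf when the two logins share a timestamp


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH,
                             min_km=MIN_DISTANCE_KM):
    """Flag consecutive logins by the same user that imply travel faster
    than max_kmh. Events are grouped per user and sorted by time, so the
    order they arrive in (e.g. out-of-order log shipping) does not matter."""
    by_user: dict[str, list[Login]] = {}
    for ev in logins:
        by_user.setdefault(ev.user, []).append(ev)

    alerts: list[Alert] = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue  # same place for our purposes; skip before dividing
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Identical timestamps with a real distance between them are the
            # most impossible case of all; treat as infinite speed.
            kmh = math.inf if hours == 0 else km / hours
            if kmh > max_kmh:
                alerts.append(Alert(user, prev.label, cur.label, km, kmh))
    return alerts


# Constructed sample data (not real logs). Alice matches the article's
# scenario: Los Angeles, then Chicago five minutes later. Bob takes four
# hours from London to Paris, which is plausible by train and must not alert.
T0 = datetime(2016, 6, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login("alice", T0 + timedelta(minutes=5), 41.8781, -87.6298, "Chicago"),
    Login("alice", T0, 34.0522, -118.2437, "Los Angeles"),   # arrives out of order
    Login("bob", T0 - timedelta(hours=1), 51.5074, -0.1278, "London"),
    Login("bob", T0 + timedelta(hours=3), 48.8566, 2.3522, "Paris"),
    Login("bob", T0 + timedelta(hours=3, minutes=30), 48.8566, 2.3522, "Paris"),
]

if __name__ == "__main__":
    for a in detect_impossible_travel(SAMPLE_LOGINS):
        print(f"{a.user}: {a.from_label} -> {a.to_label}, "
              f"{a.km:.0f} km at {a.kmh:.0f} km/h")
```

In a real deployment the interesting design question is what the alert feeds: a risk engine that steps up to an additional factor for that session is usually more useful than a hard block, since corporate VPN exits and mobile carrier NAT routinely geolocate a single user to two cities in quick succession.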

A model discussed by Sharma and Lenka (2015) takes MFA a step further with Quantum Key Distribution (QKD). In their model, the communications and authentication traffic between a user and the resource (an online banking application, in their case) is protected by QKD-derived keys, so that trust between the bank and the user rests on two or more authentication factors coupled with redundant encryption. The authors argue that this theoretical model thwarts a number of attacks affecting the traditional MFA model, ranging from eavesdropping and theft of authentication credentials to impersonation (Sharma and Lenka, 2015).

It comes as no surprise, then, that one of the changes in the latest release of the PCI DSS, v3.2, is a shift by the Payment Card Industry Security Standards Council (PCI SSC) away from "two-factor" terminology to MFA. In PCI DSS v3.2, the SSC defines MFA as "two or more factors" of authentication, replacing language in previous versions of the standard that referred simply to two-factor authentication (Johnson, 2016). This change from 2FA to MFA represents more than semantics. By phrasing the requirement as MFA, the standard encourages organizations that assess against and seek to comply with the PCI DSS to adopt MFA using both traditional and emerging technologies, while existing two-factor deployments remain compliant. The updated wording also acknowledges a landscape in which physical tokens, certificates, and biometric readers are complemented by out-of-band, multi-channel, and risk-based identification and authentication mechanisms, reflecting the changing anti-fraud measures for both online and mobile environments.

References

Johnson, L. (2016). Preparing for PCI DSS 3.2: What to Expect in 2016. PCI Security Standards Council, retrieved from http://blog.pcisecuritystandards.org/preparing-for-pci-dss-32.

Reno, J. (2013). Multifactor authentication: Its time has come. Technology Innovation Management Review, 3(8), 51-58.

Sharma, A., & Lenka, S. K. (2015). Analysis of QKD multifactor authentication in online banking systems. Bulletin of the Polish Academy of Sciences Technical Sciences, 63(2), 545-548.