Multi-factor Authentication

From MgmtWiki
Revision as of 11:09, 31 July 2018 by Tom (talk | contribs) (The Solutions)

Jump to: navigation, search

Full Name and Scope

Originally known as Two-factor Authentication, this concept covers a wide range of technologies designed primarily for strong assurance as to the either the real-world identity, or at least a persistent identity, for purposes of establishing the authorization from an individual to a online resource of some type.


As a part of authorizing a Subject to access a digital resource the Web Site hosting that resource will need to acquire a set of Claims that apply to the Subject for the duration of the access. While this Authorization process can begin with the Authentication of the Subject with something as simple as a statement from the Subject, additional steps may be necessary including using other Authentication factors. Standards like NIST SP 800-63 address this need as a part of the Authentication process by requiring the additional factors prior to attempting access. Most commercial Web Sites use a hybrid approach where Authentication is minimal and additional factors are address as needed to avoid early drop off by Consumers of their resources.

The Problems

Originally a distinction was made between Authentication (the process of determining who you are) and Authorization (the process of determine what you can access).

The Solutions

A broad range approach to multi-factor Authentication will need to address processes that occur during Authentication as well as processes that occur later during the Authorization step. This distinction becomes blurred, especially in Sites with different requirements for different resources.

As originally conceived, MFA was primarily a means to increase the assurance of an authentication being accurate. The technique of having multiple factors is in the process of changing into one that is used by Authorization services to determine if users have specific Attributes or Proof of Possession of some secret supplied by the Resource owner.


  1. W3C Credential Management Level 1 describes an imperative API enabling a website to request a user’s credentials from a user agent, and to help the user agent correctly store user credentials for future use.
  2. U2F
  3. Web Authentication: An API for accessing Public Key Credentials Level 1 defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.
  4. WebAuth an effort is to define a simple challenge-response authentication mechanism for PKI (X509) roll-outs, with a standardized token format for transporting the claim and a standard API for website developers to request for that authentication token, to overcome a set of issues present with client certificate authentication in the web context.