Domain 4 · 4.6 Identity & Access Management

4.6.4 Multifactor Authentication

Biometrics, tokens, security keys.

10 min

Multifactor authentication (MFA) is a security mechanism that requires a user to provide two or more distinct categories of credentials to verify their identity.

The Five Factors of Authentication Authenticating a user relies on different categories of "factors." Using two items from the same category (e.g., a password and a PIN) is still single-factor authentication. - Something You Know (Knowledge): The most common factor, including passwords, PINs, or answers to security questions. These are easily compromised if written down or shared. - Something You Have (Possession): Physical items such as smart cards, hardware tokens, USB security keys (like YubiKeys), or mobile devices receiving an OTP (One-Time Password) via SMS or app. - Something You Are (Inherence): Biological traits or biometrics. Examples include fingerprint scanners, facial recognition, iris patterns, and retina scans. - Something You Do (Behavior): Actions unique to the individual, such as keystroke dynamics (typing speed/rhythm), gait analysis (walking style), or signature transitions. - Somewhere You Are (Location): Restricting access based on geofencing or IP address geolocation.

Biometric Performance Metrics Biometrics must balance security with user accessibility. - False Acceptance Rate (FAR): The "Type II" error where the system incorrectly grants access to an unauthorized user. This is a security failure. - False Rejection Rate (FRR): The "Type I" error where the system denies a legitimate user. This is a functional/usability failure. - Crossover Error Rate (CER): The point where FAR and FRR are equal. A lower CER indicates a more accurate and higher-performing biometric system.

Centralized vs. Decentralized Authentication - Centralized Authentication: User credentials and policies are stored in a single unified database (e.g., Active Directory). This facilitates Single Sign-On (SSO), where one set of credentials allows access to multiple resources across the enterprise. - Decentralized Authentication: Each host or resource maintains its own local database of users and passwords. This is difficult to scale and manage as the organization grows.

Quick recall - Entropy: Refers to the randomness and complexity of a secret; higher entropy makes credentials harder to guess or brute-force. - FIDO2/WebAuthn: Open standards for passwordless authentication using public-key cryptography and hardware security keys. - Time-based One-Time Password (TOTP): An OTP that expires after a short window (e.g., 30–60 seconds). - Security Posture: The overall security status of an organization’s systems, including its MFA implementation and access controls.