The Accredited Standards Committee X9 develops American National Standards for the financial services industry. One of these standards, ANS X9.49, Secure Remote Access Mutual Authentication, is undergoing its mandatory 5-year review now. In a recent X9 meeting when we discussed updating this standard, we had an interesting discussion about exactly what “multi-factor authentication” is. Everyone agreed on the two following points:
It’s not really defined in any standard
The generally accepted definition and its interpretation are really the result of vendors’ marketing efforts rather than anything substantial
Many books, articles, etc., describe three “factors of authentication”, roughly defined as:
Something that you know, like a password
Something that you have, like a token of some sort
Something that you are, like a biometric
There’s clearly some fuzziness here because of the way these are defined. One type of biometric is a behavioral biometric, which measures how you do something, such as how you type on a keyboard or write with a pen. Within this framework, you could argue that a password is just a behavioral biometric that tests whether or not you can remember a particular string. You could even argue that proving possession of a cryptographic key, as you do in X.509 authentication, is just a behavioral biometric that tests whether or not you can flip a coin and get a particular series of heads and tails, although you probably wouldn’t get many people to agree with you at this point.
Multi-factor authentication is usually assumed to be a technique that uses more than one of these factors. It’s often claimed that multi-factor authentication is inherently more secure than single-factor authentication, but if you look at the history of this claim, it actually came from a vendor that wanted to make their multi-factor authentication product sound better than competitors’ products.
Is there any substance to this claim?
Let’s compare two authentication schemes:
Scheme A, which requires a username/password plus a biometric
Scheme B, which requires two different username/password combinations
Which one is more secure, and why? Is there any reason to say that one is inherently more secure than the other? It’s easy to force people to use reasonably strong passwords, but essentially impossible to get the same level of security from a biometric: a biometric matcher has a nonzero false-accept rate that puts a ceiling on its strength, and a biometric that has been captured can’t be changed the way a password can. So does using a biometric just because it’s a different authentication factor really add anything? Or does it actually give a weaker authentication scheme overall?
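To make the comparison concrete, here is an added example (not from the original post, and not X9 text) that models an online attacker’s success probability against Scheme A and Scheme B. Every number in it is a hypothetical assumption chosen for illustration: a policy-enforced 30-bit password, a biometric matcher with a false-accept rate of 1e-4 per presentation, a weak 12-bit second password, and a per-factor lockout after 10 attempts. The model also assumes each factor is verified separately with its own lockout counter, so the per-factor success probabilities multiply, and it includes a `reuse_prob` knob for the failure mode where the two passwords in Scheme B are not actually independent.

```python
"""Attacker success model for Scheme A (password + biometric) versus Scheme B
(two passwords). Added example, not part of the original post or any X9 text.
All parameters below are hypothetical assumptions chosen for illustration."""
import math


def password_success(entropy_bits: float, guesses: int) -> float:
    """Probability that `guesses` online attempts hit a secret whose effective
    (guessing) entropy is `entropy_bits`, assuming a uniform secret and an
    attacker who tries distinct candidates."""
    return min(1.0, guesses / 2.0 ** entropy_bits)


def biometric_success(far: float, presentations: int) -> float:
    """Probability that at least one of `presentations` impostor presentations
    is falsely accepted by a matcher with false-accept rate `far` per attempt."""
    return 1.0 - (1.0 - far) ** presentations


def scheme_a_success(pw_bits: float, far: float, budget: int) -> float:
    """Scheme A: one password plus one biometric. Assumes each factor is
    verified separately with its own lockout after `budget` attempts, so the
    two success probabilities simply multiply."""
    return password_success(pw_bits, budget) * biometric_success(far, budget)


def scheme_b_success(pw1_bits: float, pw2_bits: float, budget: int,
                     reuse_prob: float = 0.0) -> float:
    """Scheme B: two passwords, same per-factor lockout. `reuse_prob` models
    the failure mode where the user picked the same string twice; when that
    happens, cracking the first password also yields the second."""
    p1 = password_success(pw1_bits, budget)
    p2 = password_success(pw2_bits, budget)
    return p1 * (reuse_prob + (1.0 - reuse_prob) * p2)


def equivalent_bits(p: float) -> float:
    """Express a per-attempt success probability as 'bits of security'."""
    return -math.log2(p)


def compare(budget: int = 10) -> dict:
    """Run the comparison for several hypothetical configurations."""
    # Hypothetical parameters: a policy-enforced 30-bit password, a biometric
    # matcher with FAR 1e-4 (about 13.3 bits per attempt), and a weak 12-bit
    # second password. None of these come from the post or the standard.
    far = 1e-4
    return {
        "A: 30-bit pw + biometric (FAR 1e-4)": scheme_a_success(30, far, budget),
        "B: two independent 30-bit pws": scheme_b_success(30, 30, budget),
        "B: 30-bit + 12-bit pw": scheme_b_success(30, 12, budget),
        "B: two 30-bit pws, always reused": scheme_b_success(30, 30, budget, 1.0),
    }


if __name__ == "__main__":
    print(f"biometric FAR 1e-4 is worth about {equivalent_bits(1e-4):.1f} bits per attempt")
    for name, p in compare().items():
        print(f"{name:40s} P(attacker succeeds within budget) = {p:.3e}")
```

Under these assumptions two independent 30-bit passwords beat password-plus-biometric by several orders of magnitude, while a 30-bit password paired with a 12-bit one loses to it, and full password reuse collapses Scheme B to a single factor. The factor type never enters the arithmetic; only the per-factor strength and the independence of the factors do, which is the point of the comparison.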
Nobody at the X9 meeting was convinced that authentication using two or more authentication factors is actually any more secure than authentication using two or more independent means of authentication that happen to be the same factor, so the updated standard will probably reflect this. I’m looking forward to seeing the comments on this when the document gets voted on.