Single-factor authentication (SFA), or one-factor authentication, means presenting a single credential to gain access to a system (e.g., a username and a password). Although this is the most common and well-known form of authentication, it offers weak protection, and in 2021 the Cybersecurity and Infrastructure Security Agency (CISA) added it to its list of Bad Practices.
The main weakness is that single-factor authentication provides just one barrier. An attacker who obtains the password, whether by phishing, guessing, or a breach of another site where it was reused, has everything needed to log in. Practices such as password reuse, sharing admin passwords, and relying on default or otherwise weak passwords make obtaining or guessing them that much easier.
Two-factor authentication (2FA) adds a second layer of protection to your access points. Instead of one authentication factor, 2FA requires two factors drawn from different categories among the three:
- Something you know (e.g., a password or PIN)
- Something you have (e.g., a security token, smart card, or authenticator app)
- Something you are (e.g., Touch ID or other biometric credentials)
Keep in mind that a username plus a password is still one factor: the username only identifies the account, and the password is the lone secret, a knowledge factor. Adding a second knowledge factor, such as a security question, does not make the login two-factor. To qualify as 2FA, the second method must come from one of the other two categories.
2FA is more secure because even if a user's password is stolen, the attacker must also produce the second factor, which is much less likely to happen. Not all second factors are equal, though: a code the user types, whether from an app or an SMS, can be captured and relayed by a real-time phishing page, whereas factors bound to the legitimate site, such as FIDO2 security keys and client certificates, resist that attack.
Three-factor authentication (3FA) requires credentials from all three categories: something you know, something you have, and something you are. Like 2FA, it is a more secure authentication process and adds a further layer of access protection to your accounts.
Multi-factor authentication (MFA) refers to any process that requires two or more factors of authentication. Two-factor and three-factor authentication are both considered multi-factor authentication.
Single Sign-On Authentication
Single sign-on (SSO) authentication lets users log in to multiple accounts and applications with one set of credentials. The most visible examples are the "Sign in with Google" and "Sign in with Facebook" buttons that let users create and sign in to other applications with their Google or Facebook account. The application (the relying party) hands authentication to a trusted identity provider such as Google; the provider verifies the user and returns a signed assertion, typically via SAML or OpenID Connect, which the application must validate before granting access.
SSO can improve security by simplifying username and password management for users, and it makes logging in faster and easier. It also reduces helpdesk time spent resetting forgotten passwords. Administrators can still centrally enforce requirements like MFA and password complexity, and access can be revoked in one place when a user leaves the organization. The flip side is that the identity provider account becomes a single point of compromise, so it needs the strongest protection of all.
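To make the relying-party side of SSO concrete, here is an added example (not code from the original article or from any identity provider) of the checks an application must run on the assertion it gets back before trusting the identity in it. It assumes a simplified ID token, a payload with OpenID Connect claim names plus an HMAC-SHA256 signature under a shared key, as a stand-in for the asymmetric signature a real provider uses; the issuer URL, client ID, user and nonce values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims are the ID-token fields the application must check; names follow OpenID Connect.
type claims struct {
	Iss   string `json:"iss"`   // who issued the token
	Sub   string `json:"sub"`   // the authenticated user
	Aud   string `json:"aud"`   // which application it was issued for
	Exp   int64  `json:"exp"`   // expiry, Unix seconds
	Nonce string `json:"nonce"` // value the application chose when it started the login
}

// issueToken stands in for the identity provider. It is constructed for this example
// and uses HMAC-SHA256 with a shared key; a real IdP signs with an asymmetric key and
// publishes the public half (JWKS) so that only it can mint tokens.
func issueToken(key []byte, c claims) string {
	body, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	payload := base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// relyingParty is what the application knows about its identity provider, obtained
// out of band at registration and never taken from the token itself.
type relyingParty struct {
	key      []byte
	issuer   string
	clientID string
}

// verify performs the checks a relying party must make before trusting the
// identity: signature first, then issuer, audience, expiry and nonce.
func (rp relyingParty) verify(token, expectedNonce string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", errors.New("malformed signature")
	}
	mac := hmac.New(sha256.New, rp.key)
	mac.Write([]byte(parts[0]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("signature does not verify")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", errors.New("malformed payload")
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", errors.New("malformed claims")
	}
	switch {
	case c.Iss != rp.issuer:
		return "", errors.New("issued by an untrusted provider")
	case c.Aud != rp.clientID:
		return "", errors.New("issued for a different application")
	case !now.Before(time.Unix(c.Exp, 0)):
		return "", errors.New("token expired")
	case c.Nonce != expectedNonce:
		return "", errors.New("nonce mismatch: token does not belong to this login attempt")
	}
	return c.Sub, nil
}

func main() {
	// Constructed demo values: shared key, issuer, client ID and a fixed clock.
	key := []byte("constructed shared secret")
	app := relyingParty{key: key, issuer: "https://idp.example", clientID: "app-123"}
	now := time.Unix(1700000000, 0)
	tok := issueToken(key, claims{Iss: "https://idp.example", Sub: "user-42", Aud: "app-123", Exp: now.Unix() + 300, Nonce: "n1"})
	fmt.Println(app.verify(tok, "n1", now))
	fmt.Println(app.verify(tok, "n1", now.Add(10*time.Minute)))
}
```

The audience check is the one most often skipped: a token the provider issued for a different application is still validly signed by the same provider, so without it any app registered with the IdP could log its users into yours.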
A one-time password (OTP) or one-time PIN (sometimes called a dynamic password) is an automatically generated code that is valid for one login session or transaction, and usually only for a short time window. OTPs are often used as the possession factor in MFA. For instance, a user starts to log in with their username and password, which triggers the application to send an OTP to their registered phone or email, or the user reads a time-based OTP (TOTP) from an authenticator app. The user then enters that code to complete the authentication and sign in to their account. Codes delivered by SMS are the weakest variant, since they can be diverted by SIM swapping, and any OTP the user types can be captured by a phishing page that forwards it to the real site immediately.
Passwordless authentication, as the name suggests, doesn't require a password or other knowledge-based factor. Typically, the user enters their ID and is then prompted to authenticate through a registered device or token, for example a FIDO2 passkey or security key. Passwordless authentication is often used in conjunction with SSO and MFA to improve the user experience, reduce IT administration and complexity, and strengthen security.
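The following added example (not code from the original article) ties the 2FA discussion above to the OTP mechanism: it implements HOTP (RFC 4226) and time-based TOTP (RFC 6238), the algorithm behind authenticator apps, and a login routine that requires both the password and a fresh, unused code. The account record, the SHA-256 password hash used in place of a slow KDF, and the fixed clock are assumptions for the example; the secret is the RFC test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation of the MAC, then reduction to `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totpStep is the RFC 6238 time counter with the usual 30-second step.
func totpStep(t time.Time) uint64 { return uint64(t.Unix()) / 30 }

// totp is HOTP keyed on the current time step; this is what the app displays.
func totp(secret []byte, t time.Time, digits int) string {
	return hotp(secret, totpStep(t), digits)
}

// account is a hypothetical user record constructed for this example.
type account struct {
	passwordHash [32]byte // SHA-256 stand-in; real systems use a slow, salted KDF (bcrypt, scrypt, Argon2)
	totpSecret   []byte   // shared with the authenticator app at enrolment
	lastStep     uint64   // highest time step already accepted: each code is usable once
}

func newAccount(password string, totpSecret []byte) *account {
	return &account{passwordHash: sha256.Sum256([]byte(password)), totpSecret: totpSecret}
}

// checkPassword is the knowledge factor.
func (a *account) checkPassword(password string) bool {
	h := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(h[:], a.passwordHash[:]) == 1
}

// checkCode is the possession factor. It tolerates one step of clock drift either
// way, and rejects any step at or below the last accepted one so that a code an
// attacker captured cannot be replayed after the user has already used it.
func (a *account) checkCode(code string, now time.Time) bool {
	cur := totpStep(now)
	for _, step := range []uint64{cur - 1, cur, cur + 1} {
		if step <= a.lastStep {
			continue
		}
		want := hotp(a.totpSecret, step, 6)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			a.lastStep = step
			return true
		}
	}
	return false
}

// login is the two-factor flow: the password gates the OTP check, and only a
// valid, unused code completes authentication.
func (a *account) login(password, code string, now time.Time) bool {
	if !a.checkPassword(password) {
		return false
	}
	return a.checkCode(code, now)
}

func main() {
	// Constructed demo values: the RFC 4226/6238 test secret and a fixed clock.
	secret := []byte("12345678901234567890")
	now := time.Unix(1111111111, 0)
	acct := newAccount("correct horse battery staple", secret)
	code := totp(secret, now, 6)
	fmt.Println("code:", code)
	fmt.Println("login:", acct.login("correct horse battery staple", code, now))
	fmt.Println("replay:", acct.login("correct horse battery staple", code, now))
}
```

With the RFC test secret, `hotp(secret, 0, 6)` is 755224 and the code at Unix time 59 is 287082, so the block can be checked against the published vectors. The replay guard is the part most home-grown implementations forget: without it, a code phished thirty seconds ago still works.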
Certificate-based authentication (CBA) uses a digital certificate to identify and authenticate a user, device, or machine. A digital certificate, also known as a public-key certificate, is an electronic document that binds a public key to its owner's identity and carries the digital signature of the certificate authority (CA) that issued it. The certificate itself is public; the holder authenticates by proving possession of the matching private key, for example by signing a challenge during the TLS handshake, and the verifier checks that the certificate chains to a trusted CA, is within its validity period, and has not been revoked. CBA is often used as part of a two-factor or multi-factor authentication process.
Biometric authentication relies on biometrics like fingerprints, retinal scans, and facial scans to confirm a user's identity. The system must first capture the biometric and store it, usually as a derived template rather than the raw image. When the user logs in, they present the biometric again and the system compares the new sample to the stored template. Because no two captures are identical, the comparison is a similarity score against a threshold rather than an exact match, so every system trades false accepts against false rejects. And unlike a password, a leaked biometric cannot be changed, which is why templates are best kept on the user's device (as Touch ID does) or under strong protection on the server.
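As an added example (not code from the original article), the Go program below shows both halves of CBA with the standard library: a hypothetical "Example Corp Client CA" issues a client certificate, the verifier checks that a presented certificate chains to that CA, is inside its validity period and is permitted for client authentication, and the holder proves possession of the private key by signing a server challenge. Revocation checking (CRL/OCSP) is omitted. The names, serial numbers and challenge string are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// template describes either the issuing CA or a client certificate that is
// restricted to client authentication.
func template(cn string, serial int64, now time.Time, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
		t.ExtKeyUsage = nil
		t.NotAfter = now.Add(365 * 24 * time.Hour)
	}
	return t
}

// issue signs tmpl with the signer's key; parent == nil makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// authenticate is the verifier's side of CBA: the presented certificate must chain
// to a trusted root, be inside its validity period and be marked for client
// authentication. The identity is read only from the verified Subject.
func authenticate(presented *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

// The certificate is public. What proves the presenter owns it is a signature with
// the matching private key over a fresh challenge (TLS does this in CertificateVerify).
func signChallenge(key *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	check(err)
	return sig
}

func verifyChallenge(cert *x509.Certificate, challenge, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	now := time.Now()
	caKey := newKey()
	caCert := issue(template("Example Corp Client CA", 1, now, true), nil, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	aliceKey := newKey()
	aliceCert := issue(template("alice", 2, now, false), caCert, &aliceKey.PublicKey, caKey)
	fmt.Println(authenticate(aliceCert, roots, now))
	// An impostor's self-signed "alice" certificate does not chain to the CA, and
	// without alice's private key the impostor cannot answer the challenge either.
	malloryKey := newKey()
	forged := issue(template("alice", 3, now, false), nil, &malloryKey.PublicKey, malloryKey)
	fmt.Println(authenticate(forged, roots, now))
	nonce := []byte("constructed server nonce")
	fmt.Println(verifyChallenge(aliceCert, nonce, signChallenge(malloryKey, nonce)))
}
```

Two points the block makes that stolen-certificate stories often miss: the Subject name is only trusted after `Verify` succeeds, never read straight off the presented certificate, and a certificate that chains correctly is still useless to an attacker who does not hold the private key, since the challenge signature fails.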