Talk:Multi-factor authentication

Wiki Education Foundation-supported course assignment
This article was the subject of a Wiki Education Foundation-supported course assignment, between 25 August 2020 and 10 December 2020. Further details are available on the course page. Student editor(s): Apple1223. Peer reviewers: Kzw53, Muc6.

Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT (talk) 04:35, 17 January 2022 (UTC)

Merge two-factor authentication into multi-factor authentication
The article for two-factor authentication describes all three authentication categories in detail. When I'm looking at the article for multi-factor authentication, what I'm really looking for is the information in two-factor authentication. "Two factor" simply refers to using two out of three, nothing more, thus the articles should be merged. Anongork (talk) 20:23, 1 October 2012 (UTC)
 * Agree. I understand that the two are different, but the difference can be explained in the MFA page.  They are sufficiently similar that much of the same content applies to both, and writing two pages about them is redundant. Andrew (talk) 15:49, 27 November 2012 (UTC)
 * Strongly agree. This is a textbook case of concepts best treated together (like left handed and right handed). Besides the two-/multi- issue, "two-factor authentication" is a much more common term than "two-step verification." Check these searches of Ars Technica articles: 49 hits for "two-step verification" v. 671 for "two-factor authentication".—Neil 21:30, 6 February 2014 (UTC)
 * Note. The following relevant discussion took place on Talk:Two-step verification. I've adding a notice directing further comments here. —Neil 23:44, 28 February 2014 (UTC)
 * This page should not really exist, and the "Two factor authentication" stub certainly should not redirect here (it should got to "multi factor authentication" instead). "Two step" is the promotional name google gave to their solution. 2FA is what the industry call this, not "two step". — Preceding unsigned comment added by 120.151.160.158 (talk) 00:33, 9 November 2013 (UTC)
 * Agree. This page reads more like an ad for Google; one would think that Google invented this technology and that all others listed in the bulleted list came after. I daresay none of those listed use "Two-step verification", but rather "Two-Factor Authentication". If anything, Google should be a bullet on a page listing Two-Factor Authentications.Alphaman (talk) 21:28, 3 January 2014 (UTC)
 * Disagree. It appears that all those entities in the list given claim that they are using "Two-step verification". So there is definitely a place for this article in Wikipedia. It was definitely not intended as an advertisement for Google. If it sounds that way, could it be edited to make it look more neutral? Krishnachandranvn (talk) 01:31, 10 February 2014 (UTC)
 * Agree (partially). "Two factor authentication" stub certainly should not redirect here.  However two-step verification is not the same thing as -- or even a googleism for -- two factor authentication.  Two-step authentication simply involves "two steps", even if both of these are the same factor.  For example, entering a PIN and using a software token constitutes two-step authentication but not two-factor authentication.  173.228.119.252 (talk) 21:36, 18 February 2014 (UTC)
 *  Strongly disgree. It should be easily intelligible, that a timely sequential process as with two dependent subsequent steps is different from a modally twofold process with two logically independent and different and liberately used factors in one context.Wireless friend (talk) 09:50, 25 May 2014 (UTC)Wireless friend (talk) 23:37, 19 July 2014 (UTC)
 * Akward. Two hands from two persons are much different from two hands of one person. Logic is more complicated than just counting.Wireless friend (talk) 23:41, 19 July 2014 (UTC)
 * Agree - They are the same. Look at the words. One-Factor. Two-Factor, Multi-Factor. If someone wishes to put up pages that describe how the FFIEC, or other US Institutions, defines factors and MFA or TFA that is fine, and I encourage them to proceed. But in the real world, the MFA and TFA are the same. — Preceding unsigned comment added by Jwilleke (talk • contribs) 09:02, 26 October 2014 (UTC)

✅ After extensive discussion over a long period and a general census to proceed, I have completed the merge. ~Kvng (talk) 17:06, 19 July 2016 (UTC)

merge
I suggest merging the "strong authentication" and "two-factor authentication" articles into the "multi-factor authentication" article. These three things are similar enough that one article can cover all three things, and also clearly point out the subtle but important differences between them. I would also support merging all three into an article titled "authentication factor". --68.0.124.33 (talk) 18:21, 2 November 2009 (UTC)

--208.67.168.71 (talk) 14:25, 7 July 2011 (UTC) Northox: I believe it should all be merged in Strong Authentication since Multi-Factor Authentication (which include Two-Factor Authentication) is the technique used to implement Strong Authentication requirements.

✅ After extensive discussion over a long period and a general census to proceed, I have completed the merge. ~Kvng (talk) 17:06, 19 July 2016 (UTC)

Multi-factor authentication is not synonymous with two-factor authentication
Multi-factor authentication can use more than two factors. It can use all the three factors (knowledge, possession, body properties). MFA is a more general term than TFA. --pabouk (talk) 09:03, 3 November 2009 (UTC)

I too want to be on record that Multi-factor authentication is not synonymous with two-factor authentication as MFA is more general than TFA. Wikiold1 (talk) 04:20, 31 December 2009 (UTC)

I agree. Still, I thing that articles should be merged. 82.117.194.34 (talk) 13:34, 22 January 2010 (UTC)

No, they aren't synonymous, but 2FA is a subset of MFA. There is nothing in the 2FA page that isn't also in the MFA page, you can't describe MFA without describing 2FA in the process, and there is nothing about MFA that makes it more difficult or complicated to explain than 2FA. No matter how you write the articles, a 2FA article will be completely redundant. I agree that these pages should be merged. Pavon (talk) 22:04, 19 November 2014 (UTC)

TFA is not the same as MFA
From a risk and security perspective, Two factor is not the same as multi-factor. Two factor is just username and password which, from a security perspective, is not a high enough level and can be easily cracked. Multi factor is usually 3 items such as username, password and pin code or biometric. —Preceding unsigned comment added by 151.151.109.12 (talk) 18:29, 6 May 2010 (UTC)
 * Everything you said depends on circumstance or is just simply wrong. -- 14:32, 26 May 2010 (UTC) —Preceding unsigned comment added by 194.107.24.10 (talk)
 * Just simply wrong. "Username" is not a factor.  Username and password is single factor authentication. RandyFranklinSmith (talk) 20:48, 14 July 2010 (UTC)
 * Quite right. The username is the identification -- the claim to the identity. The (secret) password is the additional input to the authentication process, used to prove that the identification is correct. And as to the security level of that, it depends entirely on the complexity of the password, and the degree to which it is independent of the identity (and perhaps a few things more). But I also think the article should not mention 'something the user knows' in the context of username, as this simply adds to the confusion between the identification and the factors used to decide if the identification is correct. Athulin (talk) 08:51, 30 July 2010 (UTC)


 * TFA is username/password and something else --- the username/password is considered 1 factor.
 * I would like to just put it out there that the word for a username/password combination is called a credential pair, or credentials. But 'credentials' is not always plural. I have a (single) pair of pants. I have a (single) pair of credentials. I have many (pairs of) pants. I have many (pairs of) credentials. I hope this clears things up. 216.36.158.42 (talk) 21:10, 7 October 2018 (UTC)

--208.67.168.71 (talk) 14:40, 7 July 2011 (UTC)


 * Northox: Not it's not. Factors can only be three things: "something you known"/password/pin/passphrase, "something you have"/token, "something you are"/biometric. A username is not a factor. It a public identifier. Using only a password is One-Factor Authentication. While using a password a Token and a PIN to unlock the token is: something you have and two times something you known. Some people consider this as being Three-Factor Authentication but it's not, if we refer to the intent of the factors: "From a security perspective, the idea is to use evidences which have separate range of attack vectors (e.g. logical, physical) leading to more complex attack scenario and consequently, lower risk.". I personally like to refer to this has Type 112 authentication in regard with NCSC-TG-017 types (two times type 1 (something known) and one type 2 (something you have))


 * In the real world, 2FA is part of MFA. In fact there are no "standards" that in general cover implementations of MFA. Further, the Factors are NOT as specific as spelled out in the article. MFA could involve a username/password, and a pin and verification of an image. ONLY in the world of FAS are they specifically spelled out and if someone wishes to do pages on FAS standard NCSC-TG-017, then that would be fine. In the rest of the world, 2FA and MFA is not so precise. — Preceding unsigned comment added by Jwilleke (talk • contribs) 08:37, 26 October 2014 (UTC)


 * One's user name is a type of identification, a claim as to one's identity, that this is me.
 * Authentication is a demonstration of the truth of that claim, and may take a number of forms ("factors"), each of which involves providing some sort of evidence that, in the normal course of events, only the person with the claimed identity would be able to provide. One type of factor used for authentication is the password. Another is a finger print, another is the ability to type in a code that has been sent to a mobile phone that can be reached through a number stored in the application's database and that should be in the user's possession, another is a PIV card, another is one's fingerprint. A password alone is a form of single-factor authentication. "Multi" means "more than one". Any authentication paradigm that involves more than one authentication factor is a form of multi-factor authentication. Two is more than one; two-factor authentication is a subset of multi-factor authentication. Largoplazo (talk) 21:23, 7 October 2018 (UTC)

No 'theory' or 'model' of n-factor authentication?
It seems to me that someone must have formulated a model and requirements somewhere -- on the lines of database normalization rules, say. If that has been done, it should be pretty clear that two-factor authentication is just a special case of multi-factor authentication, and it would probably help a lot in clearing up mistakes such as thinking that the identity is a factor, and not what is to be proved.

Such a model should probably have one main input (the identity to be proved), the different 'factors' that are used in that proof as additional inputs, and one output (TRUE/FALSE) indicating if the authentication was successful or not. There must be additional requirements -- taking the inspiration from database normalization, it seems pretty clear that the 'factors' should be independent of each other and the identity (and perhaps also 'the world at large') if the authentication should be any good. In that kind of model a two-factor authentication is a process that needs two 'factors' as additional input for the decision.

And such a model should probably also help clarify some smart-card based authentication models. For instance, the model where user enters an identity, and then inserts a smart card, which, in turn, requires a PIN code to generate the additional 'factor', is obviously single factor authentication, as the decision if the stated identity is correct is based on one single factor. The PIN code is not used in that decision at all but another, unrelated, one -- it's more of a 1+1 situation.

But surely something like this must have been done?Athulin (talk) 08:51, 30 July 2010 (UTC)


 * Out-of-Band solutions are at least two-factor and much more secure because of the multitude of systems that must be compromised in order to gain access...but all of these conversations would be moot if the customer Access Point was secure in the first place. Which will require customer education and certain controls the bank needs to have on customer APs that access their core network; such as DNS restriction, approved A-V programs, and patch updating. — Preceding unsigned comment added by 76.25.253.214 (talk) 17:39, 12 July 2011 (UTC)

"True" multifactor on the internet: isn't this a distinction without a difference?
Most of the examples given for "something the user is" and "something the user has" are facts the bank can't directly verify over an internet connection. When I log into my bank's website using a card number and password, the bank doesn't know that I "have" the card, just that I know the card number (in fact, many times I don't have the card: I have the number memorized, making it no different from a username). Even for fingerprints, the bank wouldn't really know that I had that fingerprint. They would only know that I had some input device that was capable of producing the same sequence of bits that scanning my fingerprint produces, which is not at all difficult, if you know what sequence of bits to copy. I can see how this works if the bank controls all the hardware, but in the context of online banking, how is n-factor authentication better than having n different passwords of equivalent length & entropy? AFAICT they're not any more resistant to phishing or packet-sniffing. (More resistant to being written on a sticky note, sure, but very few hackers actually do home visits.) A major downside I can think of is that card numbers are more of a hassle to change if compromised, and fingerprints are not only (reasonably) impossible to change, but must be reused between different service providers. I think it would help the article if someone could explain why multifactor is harder to compromise. Is it just that typically, real-world passwords are not as long/random? Or is there something else? --24.87.152.127 (talk) 01:41, 6 November 2012 (UTC)
 * I like this point a lot. You're exactly right in respect to bankcard numbers. I don't know about chip&pin but the old style, simple swipe cards are just a magnetic track that is read by a machine to speed up transaction times. What's important is the information, not the method. It seems to me that most of the sites/services I visit that employ MFA are using TOTP secret keys and the magic is in the key itself. It's basically a password that the site/service has generated for me that I'm supposed to re-provide to them each time. The only real difference is that I have to waste time plugging it into an algorithm first with another variable (current unix time) to get the shared output for the given time interval (usually every 30 seconds). But really I should have just been able to give them the pre-shared secret in the first place and that would be the end of it. Or as you allude to, simply have more unique passwords. Because I'm saving the secret key for MFA and my password in a password manager/database anyway. At the end of the day it's written down in something I have, encrypted with something I know. 216.36.158.42 (talk) 21:18, 7 October 2018 (UTC)

Two-factor vs two-step
I'd just like to point out that true two-factor authentication requires both factors simultaneously. By comparison, Google's "2-step" authentication requires each factor in sequence and thus is less secure. This is because an attacker gets feedback regarding the correctness of the first factor before having to provide the second. In true two-factor authentication the attacker gets no feedback until both factors have been supplied correctly. The weakest of all is asking for two factors but only requiring one, i.e. "Provide your password OR your ID card".

In terms of security, they rank as follows from most secure to least secure: --JHP (talk) 13:38, 19 April 2013 (UTC)
 * 1) Two-factor authentication
 * 2) Two-step authentication
 * 3) Single-factor authentication
 * 4) Either/Or authentication

Re: "Social Network Factor" - Please do not add unapproved factors to this article
"Social Network Factor" is not a factor recognized or approved by the FFIEC or any regulatory body. There are three factors approved by the FFIEC and only these three factors are defined in CJIS, FFIEC, HIPAA, and other regulatory guidelines. These three factors are "Something the user knows", "Something the user is", and "Something the user has". Adding other possible factors, such as "someone the user knows", simply confuses individuals who are reading this article in order to comply with regulatory requirements. You might just as easily make up factors such as "Something the user does", "Something the user smells", or "Someplace the user visits". While they may possibly work as authentication factors, they are not approved by the regulatory agencies whose compliance the reader may be attempting to satisfy. — Preceding unsigned comment added by 70.162.149.36 (talk) 15:32, 16 July 2013 (UTC)

This page is titled "Multifactor Authentication" and it describes and discusses the 3 authentication factors identified with Homeland Security Presidential Directive 12 (HSPD-12), the FFIEC's numerous publications, CJIS guidelines, and publications of other government entities. These 3 factors are specifically identified by these agencies, who are tasked with auditing private industry for adherence to these 3 factors. Permitting the addition of spurious "other" factors to be added to this page only confuses readers wishing to learn about the 3 approved authentication factors. While there may be other forms of authentication, such as "someone the user knows", "someplace the user visits", or "something the user smells", these other forms of authentication have not been approved or recognized by the regulatory agencies, whose compliance the reader must satisfy. A vendor or lab promoting these other factors will not help a bank or hospital who must satisfy federal regulators who wish to see compliance within the 3 approved authentication factors. If you wish to talk about other authentication factors, you should do so on another Wikipedia page not related to "Multifactor authentication". — Preceding unsigned comment added by 70.162.149.36 (talk) 00:35, 17 July 2013 (UTC)

Additional from the article's background header: "The U.S. Federal Financial Institutions Examination Council issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors."  — Preceding unsigned comment added by 70.162.149.36 (talk) 00:40, 17 July 2013 (UTC) Why do you think that just because a authentication factor is not approved by some government agency it would not be relevant?  Not everyone is reading the article in regards to "comply with regulatory requirements." Feel free to add a section regrading  regulatory requirements but do not suppress the information because is does not  "comply with regulatory requirements."-jim 18:58, 27 July 2016 (UTC)  — Preceding unsigned comment added by Jwilleke (talk • contribs)

Dead Link Replacement
Reference 10 is a dead link. It should be replaced by a link to http://www.dhs.gov/homeland-security-presidential-directive-12. I do not know how to edit the link. Would someone please fix it?—Gggustafson (talk) 16:06, 8 October 2013 (UTC)

Reference 4 (Biometrics for Identification and Authentication - Advice on Product Selection) is a dead link, there doesn't seem to be another source for the PDF. — Preceding unsigned comment added by 193.26.252.253 (talk) 13:08, 5 July 2016 (UTC)

Examples
Evan Hahn has compiled the most extensive list of sites that offer TFA or MFA that I have seen. It is located here: http://evanhahn.com/tape/two-factor-auth-list/ — Preceding unsigned comment added by 50.113.51.131 (talk) 20:23, 10 December 2013 (UTC)

The SMRTe reference does not provide much information, neither within Wikipedia nor from the Web page referenced (at least nothing that is available without first registering). Could someone please either add more information or remove that part? Right now, it does not have more than advertising value. MarcelW (talk) 10:06, 2 February 2017 (UTC)

Under construction
There is no need to report what is missing on this page as long as under construction. Thank you.Wireless friend (talk) 08:07, 12 May 2009 (UTC)

On compromised smartphones
Under the SMS section, should there be a discussion about what happens if the user's smartphone is compromised (hacked)? E.g., I rely on two 2-factor authentication services. Both use SMS tokens. If my smartphone was compromised, I assume the attacker could perform keylogging when I enter my password (e.g. through the browser), then log in at a later time while hiding the SMS token it received. If this attack is done through a trojan I assume it could affect users in bulk. Would e.g. Google's current security scheme be able to prevent this scenario? Bjornte (talk) 07:59, 19 March 2014 (UTC)

Knowledge and Possession confusion - chapter missing
There's a big confusion in what is knowledge and what is possession. In my opinion, everything that can get easily copied is knowledge. It doesn't matter if this is a 5-character password or a 10-page long certificate. Length shouldn't matter, so both are knowledge. The same applies to soft-tokens and all that related stuff. Even smartcards, as long as you can read the content, are knowledge. And for RSA tokens (and similar) they are knowledge if you know the seed value and the used algorithm. If we compare that to the traditional possession factor, a physical key to a lock, we can also copy it when we know the specifications of the holes etc, so my argument about knowledge has to be taken carefully. I think the difference is that we are mainly talking about IT systems and anything there that can be copied by software is knowledge, no matter how sophisticated the software has to be. Anything that requires some hardware (TPM, HSM, Smartcard that doesn't reveal keys, etc.) is possession. I don't like that companies tell us they have 2FA when they just use some softtokens or certificates - that's no 2FA for me. Can we add some chapter about this confusion, different opinions or whatever to this article? --193.134.254.26 (talk) 09:07, 17 April 2014 (UTC)
 * Agree on Concept, Disagree on Recommendation -- I see where you're going with this, and I too think it's an important discussion point. The way I understand it is that something you know is never written down or recorded in another way. Something you have, such as a pre-shared-secret or seed or certificate or whatever you might call it/use at the time is cumbersome to remember and is thus recorded digitally. This means it becomes something you have. To expand on your point, I'll provide an example  that demonstrates the confusion. I don't know about most people, but I use a password manager with randomly generated passwords. I don't know these passwords, so the database is something I have. But the master password to open the database is something I know, that is not written down anywhere in plain text. So are all my other passwords something I know, or something I have? Well....both....and neither at the same time. The passwords are something I "have" by proxy of something I know. But the passwords are not "known" or "had" on their own. The password database itself is an example of multi-factor authentication. It requires the encrypted file from my digital storage and the decryption key that is in my head. I just don't think it's in the scope of the wiki article to go over this distinction. Perhaps the wording could use adjustment by someone more skilled in writing than myself, but I don't think a new chapter or section is appropriate. --216.36.158.42 (talk) 21:42, 7 October 2018 (UTC)

Suggested merge?
Was the merge approved or not? The Two factor authentication article says in the lede that it's also called 2FA, but 2FA redirects to Multi-factor authentication.Timtempleton (talk) 19:00, 9 March 2015 (UTC)


 * I have fixed that redirect (and a bunch of others). It doesn't look like the merge discussion was ever completed. I will try to restart it. ~Kvng (talk) 14:29, 8 July 2015 (UTC)

✅ After extensive discussion over a long period and a general census to proceed, I have completed the merge. ~Kvng (talk) 17:06, 19 July 2016 (UTC)

Merge again
Reading through the talk pages there seems to be general appreciation that Two-factor authentication is an instance of Multi-factor authentication and there was consensus to merge the two in the past. The merge appears have been undone in April 2014 for reasons unknown. I think coverage would be improved if the two articles were merged. I believe, despite the fact that the overall topic could be technically best described as Multi-factor authentication, the methods are most widely known as Two-factor authentication so that might be the best title for the merged article. ~Kvng (talk) 14:42, 8 July 2015 (UTC)


 * I strongly disagree with merging. Both articles are relevant. However, we definitely need to improve the content. The article on two factor authentication reads more like an advertisement for one company than a stub. I suggest we all contribute with valuable sources to their improvement and make sure that they both make sense. ScienceGuard (talk) 07:04, 20 July 2015 (UTC)
 * do you have an explanation for why both articles are "separately relevant"? Is there a fundamental different between 2-factor, 3-factor, 4-factor and n-factor authentication? No one is proposing deleting any content. The proposal is to move all content to a single article. Readers will still quickly find this information when searching for "Two-factor authentication" or "Multi-factor authentication". ~Kvng (talk) 14:33, 20 July 2015 (UTC)


 * Everything should be merged to multi-factor (this article) which is the industry standard term. Two-factor is a form of multi-factor, should we have separate articles for every form (1 factor, 2 factor, 3 factor, n factor)... no. — Preceding unsigned comment added by 159.53.78.141 (talk) 20:12, 13 July 2016 (UTC)

✅ After extensive discussion over a long period and a general census to proceed, I have completed the merge. ~Kvng (talk) 17:06, 19 July 2016 (UTC)

Merge
I would be for merging the articles. Two-factor and multi-factor are used very interchangeably in IT security today. It makes sense to consolidate these. Some of the information on the "two-factor" page is inaccurate and is much better represented on the "multi-factor" page so I would suggest a review of which content from the "two-factor" page makes sense to include in the merged article. — Preceding unsigned comment added by Khade72 (talk • contribs) 22:10, 30 July 2015 (UTC)

✅ After extensive discussion over a long period and a general census to proceed, I have completed the merge. ~Kvng (talk) 17:06, 19 July 2016 (UTC)

External links modified
Hello fellow Wikipedians,

I have just added archive links to 1 one external link on Multi-factor authentication. Please take a moment to review my edit. If necessary, add after the link to keep me from modifying it. Alternatively, you can add to keep me off the page altogether. I made the following changes:
 * Added archive https://web.archive.org/20120916062033/http://hspd12.usda.gov:80/about.html to http://hspd12.usda.gov/about.html

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

Cheers.—cyberbot II  Talk to my owner :Online 01:37, 28 January 2016 (UTC)

Edit war
Hi and  - I've stumbled across this article, and notice the ongoing edit war. It would be easier and less disruptive to openly discuss what's going on. As I see it, the "blog" source being used by 120.151 is written/hosted by the subject in question (Bruce Schneier) and really should not be used to back up a claim (see WP:RS and WP:SELFPUBLISH for more). -- samtar talk or stalk 13:13, 1 May 2016 (UTC)


 * Wikipedia rules state this is acceptable when the party in question is a reliable expert in the subject matter, as is Bruce here. — Preceding unsigned comment added by 120.151.160.158 (talk) 14:19, 1 May 2016 (UTC)

Obsolescence Warring
Bruce Schneier talks extensively about the failure of MFA/2FA in his online "blogs", at conferences during webcasts, and in his books: https://www.google.com.au/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=schneier+books+

His books are for sale - I can't link to the text in them because it's on paper.

Wikipedia has multiple Exceptions for accepting these online blogposts from experts like Bruce - see some here:
 * See: https://en.wikipedia.org/wiki/Wikipedia:Identifying_reliable_sources#Self-published_sources_.28online_and_paper.29


 * Some news outlets host interactive columns they call "blogs", and these may be acceptable as sources if the writers are professional journalists or professionals in the field on which they write


 * Self-published material may sometimes be acceptable when its author is an established expert whose work in the relevant field has been published by reliable third-party publications. — Preceding unsigned comment added by 120.151.160.158 (talk) 13:16, 1 May 2016 (UTC)


 * The site you are referencing is definitely not a "news outlet". Please provide some evidence that this person is "an established expert whose work in the relevant field has been published by reliable third-party publications." Additionally, I do not refute the fact this person is a subject expert IP, however I think better sources exist - providing one will help solve this dispute and get us all back on track to improving the article --  samtar talk or stalk 13:19, 1 May 2016 (UTC)


 * Could you both refrain from editing whilst discussing this? You're both either over or just at the Three Revert Rule -- samtar talk or stalk 13:22, 1 May 2016 (UTC)


 * There is a difference between a failure of a technology and it's alleged 'obsolescence'. Nowhere in the blog article does it state that the technology is 'obsolete'. I also notice that instead of waiting for a consensus, you have continued to edit war and ignore warnings. Please find a more reliable source that actually unambiguously states that the technology is 'obsolete' before you make any further edits. Thank-you David.moreno72 (talk) 13:28, 1 May 2016 (UTC)


 * I will add more references. I notice that, even when I added references in the edit summary, the "revert" actions have occurred almost immediately.  It's pretty clear that nobody is reading the references!
 * Obsolete is the correct word. MFA used to work bak in the 80's.  Today it has "Failed".  That's the dictionary meaning of the term #1 "out of date"  *and* #2 "replaced with something new" (i.e. transaction signing) — Preceding unsigned comment added by 120.151.160.158 (talk) 13:46, 1 May 2016 (UTC)
 * You keep using the same reference, and yes I have read it. Nowhere in it does it state that the technology is 'obsolete'. A reference needs to unambiguously back up the claims made in the edit, that is, it is not inferred or interpreted. If you want to make the claim that the technology is 'obsolete', the actual word 'obsolete' needs to be in the reference. David.moreno72 (talk) 14:01, 1 May 2016 (UTC)


 * OK Guys - if you still don't like anything, let me know here and I'll fix it. — Preceding unsigned comment added by 120.151.160.158 (talk) 14:09, 1 May 2016 (UTC)
 * No, you can't edit the article yet. Cite the reliable source here and quote where it says that it is obsolete. David.moreno72 (talk) 14:12, 1 May 2016 (UTC)


 * Here's one reference to Obsolete: http://www.tripwire.com/state-of-security/security-awareness/are-these-4-security-technologies-on-the-verge-of-becoming-obsolete/  let me know if you need that in the actual article as well as the others. (I'll get some more as well just in case - although it seems a little bit petty to quibble over the use of the word when all the citations convey that *meaning* even if many don't use that exact word)  — Preceding unsigned comment added by 120.151.160.158 (talk) 14:14, 1 May 2016 (UTC)


 * There's some good discussion going on here, but 120.151 your constant reverting is probably going to get you blocked (see this report) - I would recommend not editing the article again until a consensus is met -- samtar talk or stalk 14:27, 1 May 2016 (UTC)


 * The article does NOT state that Multi-factor authentication is obsolete whatsoever. A reference needs to state that 'Multi-factor authentication is obsolete'.Not 'convey' the meaning, which can be easily misinterpreted, as in what you are doing. Please see WP:SYNTHESIS David.moreno72 (talk) 14:31, 1 May 2016 (UTC)


 * We can use a Bruce Schneier source for the statement that Bruce Schneier thinks that something is obsolete, but it's nowhere near strong enough to put that adjective in the opening sentence of the article. Reeling out WP:SYN lists of security breaches and obsolescence quotes isn't any better - it's trivial to find lists of examples where credit card PINs, text passwords, cash money and handwritten signatures are all compromisable and described by a few serious writers as "obsolete", but we would not (yet) open the Coin article with "A coin is an obsolete piece of hard material..." --McGeddon (talk) 14:25, 1 May 2016 (UTC)


 * If you don't like the word - what else should go there instead? "Obsolete" seems most appropriate on account of the fact it's 30+ years old - that's even older than the web itself! ... but if you prefer something else - I'm all ears.  (p.s. inflation is so rampant in many countries, that coins literally are obsolete by the way) — Preceding unsigned comment added by 120.151.160.158 (talk) 14:27, 1 May 2016 (UTC)


 * I don't think it necessarily needs one snappy adjective, but the lede section could definitely use some expansion to better summarise the rest of the article, per MOS:LEAD. Briefly summarising the "security" section as part of that - both the benefits and remaining vulnerabilities - would be fine. --McGeddon (talk) 14:33, 1 May 2016 (UTC)

Note on article history
For some reason, the merge of Two-factor authentication with this article was not done well back in 2015, and all 1,148 edits to the Two-factor authentication article were deleted and not restored. To ensure all content within this article (Multi-factor authentication) is appropriately attributed, I have now restored the history of the Two-factor authentication article; should you wish to see this information it can be found in the history of the Two-factor authentication redirect. fish &amp;karate 09:33, 16 November 2017 (UTC)

Definition of Two-step verification
The intro to this article contradicts itself about the definition of two-step verification. It says the second "step" must not be something you "have" or "are". But then it says a code from your phone (something you "have") is two-step verification. Also the source doesn't support the claim that the second factor must not be something you "have" or "are".

The body of the article also alternates between two-step verification and two-factor authentication, as if they are synonyms.

I think it would be best to edit the intro to say that they are largely regarded as synonyms, but different organizations have differing definitions for two-step verification. Or define it the way the Life Hacker article does. And then edit the body of the article to always say two-factor authentication. Bugefun (talk) 06:20, 25 January 2018 (UTC)


 * We should use consistent terminology in the article so I support changing two-step to two-factor. As to whether two-step and two-factor are actually two different things as Lifehacker claims, I think we need to find other sources before coming to conclusion on that. ~Kvng (talk) 16:02, 27 January 2018 (UTC)


 * I think this is trivial. Unless you present, and the authenticating agent reads, your multiple factors simultaneously, then you are presenting them, and they are being processed, in steps. If I have a chip card, either I have to insert it into the chip reader before the system will even talk to me and let me enter my password, or else, after I've entered my password, it will ask me to insert my chip card. Either way, it's multiple steps. The important circumstance is that more than one authentication factor is required. The singularity or seriality in time of their presentation seems beside the point. Largoplazo (talk) 21:08, 8 October 2018 (UTC)


 * My preference is to be in deference to the source and establishment on this page, of the distinction between two step and two factor: I think we should keep the distinction. Perhaps many people have read this page, and okayed the distinction without voicing that. Also the somewhat authoritative voice of the source should be recognised. I suggest that it's a good idea to state from the onset (as Bugefun suggested), that the terms are largely regarded as synonymous, but that different organisations have different definitions for these two terms. But I don't think we should fiddle with the distinction that flows in the article between these two terms.


 * I disagree with Largoplazo saying that the distinction is trivial. According to JHP elsewhere on this talk page, the distinction is important.


 * In regard to Bugefun's alleged contradiction, I suspect that the word 'only' is missing from the description/definition of knowledge factors: it probably should be "...something only they have..." The code generated on the phone is not something that they only have because the provider can also generate that code. The distinction with the OTP described earlier under two-factor authentication, is that the OTP is presumably something that only the user has. Perhaps the provider can only confirm the correct OTP but cannot generate the correct OTP (perhaps using asymmetric cryptography)?


 * You may think that the distinction is trivial, but myself I'm not a security expert and perhaps you are not either. Perhaps we should defer to the counsel of experts in this field?

MarkJFernandes (talk) 15:20, 30 May 2020 (UTC)

A users identity
This article reads "a method of confirming a user's claimed identity" but this is wrong. Authentication ensures that a user is the same that has previous been authorized is in fact the one logging in. It may or may not be whatever identity the user claims to be, it is merely the same as has been previously been authorized. The process of identifying a user is a problem in itself, and something neither two-factor authentication or multi-factor authentication solves. You can use 2FA or MFA together with a subsystem that does identification, but it is not a system that does identification by itself. Jeblad (talk) 16:06, 25 December 2018 (UTC)
 * For all practical purposes, "identity" means "whatever identification the user was first registered with". In other words, "claimed identity", as it says. It may not matter whether the system knows that the person registering as "iamagoodboy" is Steven Prometheus Hogglesworth, U.S. Social Security Number 999-99-9999, six-foot-two, eyes of blue. It matters that, on subsequent visits, the system is confident that the person authenticating with the factors iamagoodboy supplied upon registration is iamagoodboy.
 * In cases where it does matter, measures are taken at the time of registration of authentication factors to definitely associate the identity with the person behind the identity: registration in person with photo ID, response to a verification email sent to a definitely associated email address. For example, when I register for annual employee benefits enrollment, the health insurer that my company uses knows who I am at the time of online registration because I sign in with my name and Social Security number, which they know, and I am able to respond from my work email address to a verification request they send to my work email address, all of which they know because my employer gave them that information. From that point on, authentication does confirm my real identity. Largoplazo (talk) 20:49, 25 December 2018 (UTC)
 * Yes, and all of this seems to be covered in the Authentication lead so I have linked to that and removed "identity". Another option I considered was to use a piped link to Claims-based identity, i.e. claimed identity but that would arguably be more WP:ASTONISHING. ~Kvng (talk) 21:32, 28 December 2018 (UTC)
 * Seems to be better now, but I have not checked the whole text. Generally identification is not authentication which is not authorization, even if they all fit nicely together. Authentication does not imply identification, but given identification you may get tokens for authentication. Likewise with authorization. Jeblad (talk) 10:46, 16 January 2019 (UTC)

Correction needed
I would like to update this sentence: "Two-step verification or two-step authentication is a method of confirming a user's claimed identity by utilizing something they know (password) and a second factor other than something they have or something they are" with this sentence: "Two-step verification or two-step authentication is a method of confirming a user's claimed identity by utilizing something they know (password) and a second factor like something they have or something they are" because the factors are distinct. Liglin (talk) 12:58, 26 April 2019 (UTC)


 * My two cents: delete the paragraph in question since it does not properly distinguish between "two-step verification" and "two-step authentication." The latter is correctly defined earlier in the introduction. I've never heard a satisfactory explanation for the former. The citation at the end of that paragraph does not help much. Tom Scavo (talk) 17:22, 26 April 2019 (UTC)


 * 👎 I generally disagree with the correction, as the suggested change modifies the logic to what is probably not what was intended. What was probably intended was that the second factor has to be both not something they (only) have and not something they are. The word 'only' appears to be missing, which I'm commenting about elsewhere on this talk page in this same edit. The suggested change equates two step to be the same as two factor, which does not seem appropriate at all. Regarding the deletion suggestion, I think Tom Scavo probably meant to contrast two step with two factor... he probably made a typo.

MarkJFernandes (talk) 15:20, 30 May 2020 (UTC)

Time should be listed somewhere as an authentication factor
According to my understanding time is frequently used as a factor in multi-factor authentication. I do not see this in the article and I'm not entirely sure where it should be added. IIRC a security expert told me time was one of the factors beyond the typically-mentioned three.

AFAIK time can be used in 2 ways: 1. Common use in multi-factor authentication (e.g., Apple, Google) where the user looks at when a request was made as one of multiple factors in deciding whether to grant it. (Most users don't think about this until they see a request when it shouldn't have been made.) 2. Use in "Time-based authentication", see https://en.wikipedia.org/wiki/Time-based_authentication#:~:text=Time%2Dbased%20authentication%20is%20a,combination%20of%20objects%20is%20required.

Paultparker (talk) 17:22, 16 July 2020 (UTC)
 * Time-based authentication is mentioned twice in the article, with a link to another article that goes into a detailed example of it. Time is not itself the authentication factor, it's the determinant behind which factor will be displayed to the user and expected within a very brief window by the service to which the user is authenticating their identity.
 * However, there is a time-based authentication article, and this article should link to it. Largoplazo (talk) 00:40, 17 July 2020 (UTC)
 * The mention that I just linked was tied to the discussion of one-time passwords. Coverage should also be added for time-based generation of authentication codes. Largoplazo (talk) 00:44, 17 July 2020 (UTC)

minor copy-edit suggestion
The opening of the first section after the lead reads: " ... when someone tries to log into a mobile app or web account, and asks for proof the person's identity."

Multi problems here (specifically, two.) First, the ending clearly should be "... proof of the ..." Second, it isn't clear who is asking for the proof. The shorter edit would be "and is asked for", while the more elaborate version would be: " ... and the authentication system asks for..." (or similar).

(Some people say that I'm a pedant. I reply that I'm just a copy-editor with too much time on my hands.) Wayne 00:58, 26 September 2020 (UTC)


 * You're right, and that paragraph had problems from the outset anyway, as it gave the impression that MFA covers only mobile apps and web applications, as though it wasn't much older than the both of them. I substantially rewrote it. Largoplazo (talk) 03:25, 26 September 2020 (UTC)

man is born as he is. Faith in real time. — Preceding unsigned comment added by 93.183.169.165 (talk) 02:26, 23 October 2021 (UTC)

Lead section rewrite
This rewrite] of the lead section is more confusing than the older version. It conflicts with the article body by restricting the factors to three. It uses an informal tone ("for short"), and addresses the reader (see WP:YOU. It is not an improvement to the article. MrOllie (talk) 23:06, 8 November 2022 (UTC)

What an embarassment
We are the most popular web site in the western world that does not support multi-factor authentication without special request. I think that is notable, so I included it in the article. T`swift`rocks (talk) 03:03, 17 February 2023 (UTC)


 * And I have deleted it from the lead, which is meant to summarise the main text. If you believe reference to this should be in the article, then it should be at an appropriate part of the main text. Sbishop (talk) 10:35, 17 February 2023 (UTC)

Wiki Education assignment: Cybersecurity Policy
— Assignment last updated by MrLavoie (talk) 00:46, 20 February 2024 (UTC)