Talk:Two-factor authentication

Removed product advertising
This article is not intended to advertise specific products, but is intended to educate the reader on the different categories of two-factor authentication and what makes them different from each other. If your product introduces a new type of TFA, such as a "bio-electric doo-duh token", then you may describe it here in simple terms, but if you are simply trying to advertise your specific product or its features, and your product type has already been discussed within the article, please don't add anything else. For example, this page already has a section called "USB token". That section is intended to help people understand what a USB token IS, not why your specific company's USB token is the best! Again, if you can add something about a different type of TFA, feel free, but don't advertise specific products within these sections! — Preceding unsigned comment added by 70.190.0.52 (talk • contribs) 00:12, 6 March 2012‎

Who are you? ^^^
I thought all "talk" stuff gets signed, or if not, auto-signed? Who are all these people changing stuff without saying who they are?

The article is still a mess. It's got the briefest mention of the topic, then spends the majority of the rest of the article discussing just one implementation of it (maybe these anonymous people have erased what else used to be there?)

Where are all the facts? The standards using it? The hacks that work against it? Alternatives that can be used to protect people instead of it? We may as well write articles about smoking and drugs, and put no health sources into them as well next...

120.151.160.158 (talk) 13:36, 28 July 2015 (UTC)

Removed "other" authentication methods
This article is about two-factor, or multi-factor authentication. Individuals and companies who are searching for those terms are likely doing so in order to comply with regulatory guidelines such as FFIEC, PCI, FACTA, etc. Adding other authentication methods, even for "information" purposes, only confuses and misleads. If you wish to write about behavior-based authentication, picture tokens, or "knock-knock, who's there" authentication methods, do so on another Wikipedia page please. Lets keep this page about true "multi-factor" or "two-factor" authentication methods please.

Virtual tokens are not "soft" tokens
Please cease attempting to merge virtual tokens with the "soft" token category. The two technologies are fundamentally different. Soft tokens typically emulate a token device by deploying software to the end user. Virtual tokens do not deploy software to the end user.
 * The word "Virtual" *means* "software emulation"; so what makes you think it's something different? 208.69.177.139 (talk) 04:07, 12 April 2012 (UTC)

Virtual tokens are not adequately explained
The section on Virtual Tokens appears to be a blurb for a security company. No technical information is given on how these systems work, and indeed the company's own website is very cagey about it, other than talking about "patent-pending technology". In security terms, this is equivalent to snake-oil until demonstrated otherwise. A Google search produces little or no useful information. This section should either be removed or complemented with references to an actual technical description. — Preceding unsigned comment added by Knytpic (talk • contribs) 16:32, 10 April 2012 (UTC)

credit card and signature
My credit card doesn't require the second form of authentication so it's just "something you have"
 * A common example of T-FA is a bank card (credit card, debit card);
 * Credit cards do utilize T-FA. The second factor is your signature, which is rudimentary biometric authentication.  (of course, it's not like anybody checks signatures any more...)

another one-factor issue
the article also shows another example of T-FA:

>> IBM's new ThinkPad, which includes a fingerprint reader that signs users into all their passwords.

>Fingerprint is something you are. Unless it also requires a password or a token, (and I don't think it does) then this is not T-FA, it's O-FA.

reference: http://www.schneier.com/crypto-gram-0205.html Your fingerprint is not always something that YOU are, it may be something that someone else can be. Please see the section titled "Fun with Fingerprint Readers".

Some people claim that various biometrics are 'something that you are', separate from keys/tokens which are 'something that you have'. Though some measures are more difficult to alter/copy/steal, it is not overly difficult to obtain a finger from someone else. They may be unhappy if you cut it off, but that does not make it impossible.

I agree - the ThinkPad is clearly a case of O-FA and as a result I think it should be removed. Perhaps in general we should clearly list in these examples which TWO factors are shown in this example ... i.e. for SecurID - the 2 factors are something you have (the token) and something you know (a password which is also required)

"Something you do" is not an approved factor
"Something you do" is not a factor supported by the FFIEC, the PCI data security standards, the U.S. Dept of Commerce, HIPAA, or any other regulatory guidelines currently governing online commerce. Let's keep the article focused on relevant facts pertinent to the interested readers please. Just because it is not approved by some Government Entity, does not imply it is not useful or valid. -jim 18:44, 27 July 2016 (UTC) — Preceding unsigned comment added by Jwilleke (talk • contribs)

an additional authentication factor
Research is ongoing into a fourth authentication factor, "Something you do". This method of authentication works by identifying a common activity pattern or specific personal nuances of a user. Examples include identifying computing users by the way they type or move the mouse, and cellular mobile phone users by their waking/sleeping activity cycles.

Sounds a bit like Biopassword. But wouldn't that still be inclusive of biometric? Typing, mouse movement and waking/sleeping cycles are all biologically-based. B.K. 16:02, 20 October 2006 (UTC)

That's exactly how this has been classified in my involvement with biometrics. "something you do" is the same as "something you are", because you 'are' the entity that 'does' whatever it is you are measuring. I would as soon consider things along the lines of "where you are" (geolocation) or "when you are" (time based access)...but these are actually parameters that can be used to determine authorization, not necessarily Authentication. No, I disagree that there even is a 4th factor; I haven't heard anyone smart enough to come up with one yet. - jglide 20:20, 31 January 2007 (UTC)

Note: federal regulators have repeatedly rejected "something you do" as a legitimate second factor. The FFIEC and the FDIC have clarified repeatedly that there are only THREE authentication factors they consider acceptable for multi-factor authentication (something you know, have, and are). Unfortunately, some security vendors whose products fail to meet the regulatory definition of multi-factor authentication have been promoting their user profiling and other "something you know" products as valid MFA products. Such approaches are fine, in and of themselves, but they do NOT satisfy regulators when they are reviewed in terms of MFA compliance. Just FYI...

other factor: password calendar?
My bank (CIC, a French bank) is using a password calendar in addition to my regular password. Basically, the password calendar comes as a paper sheet (sent by postal mail) where each day is associated with a particular password (the calendar is user-specific).

This is a case of the "something you have" sort of authentication, although it can be considered to be a hybrid form of that and the "something you know" form. In reality, this is merely a form of S/Key, which is a well-established and relatively old form of rotating password.


 * Is this "password calendar" the same as a transaction authentication number list? Tell me more. --68.0.124.33 (talk) 18:27, 2 November 2009 (UTC)
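The S/Key comparison made above can be shown concretely. The following is an added example, not code from the original discussion or from any bank: it builds a hash chain the way S/Key does (the user's sheet holds the chain, the server holds only the last link) and shows why each value works once, why a replayed value is rejected, and what happens when the sheet is used up. The hash function, seed and chain length are constructed for the demo; real S/Key uses MD4/MD5 over a seed and passphrase.

```python
import hashlib
import hmac


def hash_step(value: bytes) -> bytes:
    """One link of the chain (SHA-256 here; an assumption, not the S/Key original)."""
    return hashlib.sha256(value).digest()


def build_chain(seed: bytes, length: int) -> list:
    """chain[0] = seed, chain[i] = H(chain[i-1]).

    The user keeps the whole list (the 'calendar' sheet) and presents it from
    the end backwards; the server is given only chain[length]."""
    chain = [seed]
    for _ in range(length):
        chain.append(hash_step(chain[-1]))
    return chain


class SKeyVerifier:
    """Server side: stores one hash value and accepts only its pre-image."""

    def __init__(self, anchor: bytes, length: int):
        self.stored = anchor
        self.remaining = length

    def verify(self, presented: bytes) -> bool:
        if self.remaining == 0:
            return False  # chain exhausted; a new sheet must be issued
        if not hmac.compare_digest(hash_step(presented), self.stored):
            return False  # wrong value, or a replay of an already-used one
        # Accepting the pre-image moves the anchor one link back, so the
        # value just used can never be accepted again.
        self.stored = presented
        self.remaining -= 1
        return True


def demo() -> list:
    """Walk a constructed three-entry sheet through a server."""
    seed = b"constructed seed - not a real secret"
    length = 3
    chain = build_chain(seed, length)
    server = SKeyVerifier(chain[length], length)
    return [
        server.verify(chain[2]),  # day 1: accepted
        server.verify(chain[2]),  # same value again: replay, rejected
        server.verify(chain[1]),  # day 2: accepted
        server.verify(chain[0]),  # day 3: accepted, sheet now used up
        server.verify(chain[0]),  # nothing left on the sheet: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

Because the server only ever stores a hash of the next acceptable value, a copy of the server's database does not reveal the user's remaining entries; the per-day password on a printed calendar is equivalent to one link of such a chain.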

Getting rid of ads
This article is riddled with ads. I suggest we link to one vendor for each medium; USB, CD, biometric, one link to a provider for standard security tokens.

I think the vendor information solutions are helpful - they are to me. However we need to keep an eye on the blurring of lines where a vendor solution defines a technology....such as mobile phones and CAT which is not a standard per se, it's a vendor product. B.K. 16:04, 20 October 2006 (UTC)

Why "Two Factor" and not "Multi-factor" or even "Strong" Authentication
The article 'Strong Authentication' redirected to 'Two-Factor' for me recently. I'm not really complaining, but I do think this is a narrow position. Multi-factor is a bit more robust in the description. There is no "Three Factor" article or redirect that I can find, however biometrics (commonly considered 'the third factor' or assumed to mean three-factor authentication) are discussed frequently in this article.

Wouldn't it make more sense to use Strong Authentication as the article name, with the various two and three factor article names pointing to it, and have a discussion about factors, what constitutes a factor, and various descriptions of 'two' and 'three' factor solutions?

I'm willing to put forth some, maybe most, of the effort to do this; I'd guess 90% of this is simply some structure and article linking, the content of the page would remain intact. Thoughts?

- jglide 22:38, 21 January 2007 (UTC)

Why don't we rename "Two-factor authentication" into "Multi-factor authentication" (MFA)? Strong Authentication can be considered as synonymous to MFA, while 2FA and 3FA are examples of implementation of MFA. I can take a stab at this, I have 6 years experience in this industry.

- cbrehaut 16:23, 23 April 2007 (PST)

T-FA is a popular and mature commercial information encryption technology. If we rename it M-FA, we need to propose such kinds of solutions that are acceptable to all. OTP came to us in the 1980s and PKI came in the 1990s; T-FA is a kind of solution based on PKI technology. We have been developing our security technology level and hope to make strong authentication up to M-FA. As I know, there is a kind of interactive ePass solution, which is based on T-FA but stronger, since there is another press key on the USB Token, which is designed against things like Trojan Horses. You can check it and hope the actual M-FA comes true with your help. —Preceding unsigned comment added by FTsafe (talk • contribs) 04:10, 1 February 2008 (UTC)

I agree with renaming the article to Multi-factor authentication and explaining Two-factor authentication as a special case of it (there does not need to be many existing implementations as suggested above by User:FTsafe) but I do not agree that there is a commonly respected definition of the term Strong authentication. It is not always used in the sense of Multi-factor authentication and this should be explained in the article. --pabouk (talk) 13:22, 1 February 2008 (UTC)

--- Strong authentication should not be used when describing two-factor or multi-factor authentication for the simple reason that they are two different things. Using a login ID, a password, an answer to a challenge question, and a secret image may be considered 'strong authentication', but it does NOT meet the regulatory definition of two-factor or multi-factor because only 1 factor is being used (all something the user 'knows'). The use of the term 'strong authentication' has caused many US banks, credit unions, and financial services considerable grief over the past year due to the fact that these organizations needed to implement MFA to comply with federal regulatory MFA guidelines, but their managers were tricked into purchasing 'strong authentication' products instead because certain unscrupulous vendors convinced their managers that 'strong' and 'multi-factor' meant the same thing. BearingPoint reported in a study that 94% of US banks have adopted non-compliant 'strong authentication' products instead of regulatory-recommended 'multi-factor' authentication products as a result of this confusion. —Preceding unsigned comment added by 70.190.16.168 (talk) 23:08, 17 June 2009 (UTC)

in need of attention from an expert on the subject
This page has now been re-written by an expert.

Question - Conflict of Interest
I am planning to make a page on Wikipedia for my company which I assume is safe to do as a lot of large companies have their own Wiki Pages, but my question is whether or not I am allowed to add to a page like this and mention my company with a link to the Wiki page for the company? According to the rules you shouldn't do this if you own the page or are representing it, any suggestions? —Preceding unsigned comment added by ArjunDave (talk • contribs) 10:31, 6 November 2009 (UTC)


 * Take your time to create it within your user space. Make sure you have a fair amount of references from news articles and perhaps a few peer-reviewed papers. If your only reference is the company's web page, I can guarantee that it will be swiftly deleted. Keep in mind that there is almost nothing to be gained by your company having a wiki page. However, there may be something to lose. If the page becomes, in your opinion, biased against the company, then conflict-of-interest guidelines may prevent you from "correcting" it. Skippydo (talk) 17:04, 20 November 2009 (UTC)

Market Acceptance
Would the Blizzard Authenticator for the popular game World of Warcraft qualify as a significant thing? 67.161.80.124 (talk) 09:49, 19 February 2010 (UTC)

I'd say yes. It's a soft token, a perfectly viable and legitimate second factor. Amicaveritas (talk) 22:47, 7 December 2010 (UTC)

Wireless Tokens
I find the wireless tokens section very hard to follow. It seems like some of the sentences are missing some words? —Preceding unsigned comment added by 79.53.13.204 (talk) 20:41, 16 February 2011 (UTC)

One-and-a-half factor
Currently a search on Wikipedia for this doesn't return ANY auth-related articles. Would it be sensible to create another redirect and a short mention of it in the article for now, pending a longer article if this discussion shows it's needed?

This is a vendor article and not suitable for a reference I guess but it's a good backgrounder: http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/ Infojunkie23 (talk) 16:52, 28 June 2011 (UTC)

Big and Messy still
There's quite a lot of stuff in here that is overly verbose, as well as some factually incorrect and outdated things, and it's all screaming out for some pictures - using multiple sentences to describe things like "PPP" when a small photo would do it 10x better is crazy.

Also - there's a fair amount of stuff missing - especially things that "vendors" would not want to see - like vulnerabilities and attack vectors etc. Sure - some of this is covered, but it's woefully inadequate.

If visitors to this page are looking to learn about the relative strengths of all these different things, they're plain out of luck right now... 208.69.177.139 (talk) 04:07, 12 April 2012 (UTC)

Biometrics and authentication.
Hi, I do not really agree that biometrics is an authentication method. It is more an identification method. It checks who you are: it is not sufficient to provide real authentication but has to be followed by a "what you know" - for instance - process. — Preceding unsigned comment added by 193.54.194.17 (talk) 13:07, 2 March 2012 (UTC)

One time pads
'Perfect Paper Passwords' are neither a one-time pad, nor a 'something you have'. They are a 'something you know' with some protection against replay attacks. It is basically asking for certain characters from a password that is always the same (akin to saying 'third, fourth, last character'). The fact that the password is printed on a grid on a plastic card does not change this.

If it was a true one-time pad then the grid would be used once only, and a new card used for each authentication.

Mauls (talk) 14:19, 9 March 2012 (UTC)

Regulatory Compliance mentions
Someone should probably find the relevant facts from these (as well as other non-USA standards) and mention them in the article: PCI DSS, NCUA, FACTA, NIST 800-63, HIPAA/HITECH, CJIS, Sarbanes-Oxley, and FFIEC. 208.69.177.139 (talk) 04:03, 12 April 2012 (UTC)

Smartcards at Banks
In the Smartcards section there is the following sentence on problems of Chip Authentication Program: "The technology offers some support against transaction alteration by facilitating Transaction Data Signing, where information from the transaction is included in the calculation of the one-time password, but it does not prevent man-in-the-middle attacks or man-in-the-browser attacks because a fraudster who is in control of the user's Internet or is redirecting the user to the legitimate website via a hostile proxy may alter the transaction data "in-line" before it arrives at the web-server for processing, resulting in an otherwise valid transaction signature being generated for fraudulent data."

The Bank I'm Client to uses the ChipTAN procedure. They use a nonce, the destination account number and the amount of money as additional manual inputs. The only thing that is not getting signed is the destination Bank. In my opinion this definitely prevents man-in-whereever attacks opposing to the statement in the sentence. However, since I may be wrong, I wanted to put this to discussion before giving a reader of the article a false impression of security. Furthermore, I'm not sure if the CAP (Chip Authentication Program) is something completely different from the ChipTAN program. If this is the case, one may make that clear instead. — Preceding unsigned comment added by 137.226.116.42 (talk) 09:33, 27 April 2012 (UTC)
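The disagreement above turns on one question: which transaction fields are covered by the signature. The following is an added example, not code from the article, from CAP/ChipTAN or from any bank, and its scheme is constructed: the "card" computes an 8-digit TAN as a truncated HMAC over a nonce, destination account and amount (the inputs the commenter says are keyed in), and the server recomputes it over the transaction it actually received. Fields inside the signed set cannot be changed in transit without the check failing; the destination bank, which the commenter notes is not keyed in, is outside that set and so is not protected by it. The key, account numbers and amounts are all constructed.

```python
import hmac
import hashlib

# Constructed demo key; a real card derives TANs from its own chip key material.
CARD_KEY = b"constructed-card-key-for-demo-only"


def transaction_tan(key: bytes, nonce: str, dest_account: str, amount: str) -> str:
    """What the card computes from the values the user keys in.

    Constructed scheme: HMAC-SHA256 over the signed fields, truncated to 8 digits.
    Note what is NOT an input: the destination bank."""
    signed = "|".join((nonce, dest_account, amount)).encode()
    mac = hmac.new(key, signed, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class BankServer:
    """Verifier: issues one-time nonces and recomputes the TAN over the
    transaction as received, so any signed field altered in transit fails."""

    def __init__(self, key: bytes):
        self.key = key
        self.open_nonces = set()

    def issue_nonce(self, nonce: str) -> str:
        self.open_nonces.add(nonce)
        return nonce

    def submit(self, nonce: str, dest_account: str, dest_bank: str,
               amount: str, tan: str) -> bool:
        if nonce not in self.open_nonces:
            return False  # unknown nonce, or one that was already used
        expected = transaction_tan(self.key, nonce, dest_account, amount)
        if not hmac.compare_digest(expected, tan):
            return False  # a signed field differs from what the user keyed in
        self.open_nonces.discard(nonce)  # each nonce authorises exactly one transaction
        return True


def scenarios() -> dict:
    """Constructed transactions: what the user keyed in versus what the server got."""
    server = BankServer(CARD_KEY)
    out = {}

    # Honest submission, then the same message a second time.
    n1 = server.issue_nonce("N-0001")
    tan1 = transaction_tan(CARD_KEY, n1, "DE00123", "100.00")
    out["honest"] = server.submit(n1, "DE00123", "BANKA", "100.00", tan1)
    out["replay"] = server.submit(n1, "DE00123", "BANKA", "100.00", tan1)

    # Fresh nonce; the user keyed in account DE00123 and amount 100.00 again.
    n2 = server.issue_nonce("N-0002")
    tan2 = transaction_tan(CARD_KEY, n2, "DE00123", "100.00")
    out["altered_amount"] = server.submit(n2, "DE00123", "BANKA", "9999.00", tan2)
    out["altered_account"] = server.submit(n2, "DE00999", "BANKA", "100.00", tan2)
    # Only the unsigned field differs: the TAN still verifies.
    out["altered_bank_only"] = server.submit(n2, "DE00123", "BANKB", "100.00", tan2)
    return out


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:20s} accepted={accepted}")
```

The design lesson is the one both sides of the discussion are circling: transaction signing protects exactly the fields the user sees on the reader's display and keys in, and nothing else, so an evaluation of a given scheme should start by listing those fields.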

The part about "USB tokens" is a bit subjective and doesn't cover the whole picture
The "USB token" section basically says that USB tokens are not secure and not recommended; this section doesn't feel very indifferent. As can be seen from these pages http://en.wikipedia.org/wiki/Security_token, http://en.wikipedia.org/wiki/One-time_password, USB tokens like the Swekey and the Yubico YubiKey don't store users' credentials but instead provide a one-time password to authenticate, thus eliminating the risk of credentials being copied. Such solutions require low cost and low complexity to implement. I think we should include this point in the "USB tokens" section.

-Hahaglo (talk) 09:26, 14 August 2012 (UTC)

Examples
I would like to add some well known examples, such as Facebook and Gmail. Do you think this warrants its own section at the bottom of the page? It would help people who are new to computer security understand what TFA is all about. Andrewman327 (talk) 23:01, 18 October 2012 (UTC)

Outdated Thinking
I am a strong believer in the underlying concept of multi-factor authentication. But I think the DEFINITION of multi-factor authentication needs to be rephrased.

Traditionally a password was considered something you "know" because people speak of "remembering" passwords. However, in today's world, if you remember your passwords, you are either Rain Man, or you are using the same or similar password for all your accounts, which is not secure. Everyone needs to REMEMBER very few passwords: one to unlock their device, and another to unlock their secure password repository (like a software password safe). All their other passwords should be unique, highly random, sufficiently long strings of letters, digits, etc.

Thus, for anyone with a normal memory, strong, unique passwords are not known.

A factor should be anything that used alone, cannot grant access to the thing being protected. My list of OTPs is useless without my password, and vice-versa. These are two factors. Maybe mutual-exclusivity, or something like it should be part of the definition. Like the guys who sat in bunkers to launch nuclear missiles during the Cold War. Two keys at opposite ends of the room had to be turned simultaneously to prevent any one-person from launching a missile.

Multi-factor authentication is about not putting all your eggs in one basket. It's a little bit like Separation of Duties, but instead of making collusion necessary in order to commit a crime, Multi-factor authentication requires involvement of two or more distinct sources of information (that a thief would have to acquire separately).

So in order to gain access, you'd need two things that would have to be stolen separately. To me, that is two-factor authentication. --GlenPeterson (talk) 20:51, 30 January 2013 (UTC)

Merged from Talk:Two factor authentication
It seems to me that this should be merged with Two-step verification, as the current articles are both describing the exact same thing: the use of two factors specifically stated to be of different classes to authenticate.

IF there is a reason to keep both pages separate, then there should be a clear distinction made in the body between the two pages.

Some possible differences between two-step verification and two-factor authentication:

1. Two-factor authentication requires that both factors be entered at the same time. In the case of authentication failure, the user is left not knowing which factor failed (higher security). In contrast, two-step authentication implies a chronological order where each factor is entered in sequence. Since the user cannot proceed to the second factor until the first factor is verified, the user knows exactly which factor does not authenticate in the case of failure. This gives malicious users more information and a specific point of attack. In other words, two-step verification is slightly less secure because it is a sequential system instead of a simultaneous system like two-factor authentication.

AND / OR

2. Two-step verification, as the name implies, only requires two steps, not necessarily two (different kinds of) factors, whereas two-factor authentication requires two (different kinds of) factors. In other words, a two-step verification system might require two passcodes, which are both of the same class (knowledge factors), whereas two-factor authentication might require a passcode and a biometric scan, which are of different classes (knowledge and inherence factors)

There may be other possible differences.
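Both distinctions proposed above can be made concrete. The following is an added example, not code from the article or from any of the editors: it implements a knowledge factor (salted PBKDF2 password hash) and a possession factor (an RFC 4226 HOTP token), then shows a verifier that checks both factors together and answers only accepted/rejected, beside a sequential two-step verifier whose reply names the step that failed, and a helper that checks that two factors really are of different classes. The account, password and token secret are constructed; the HOTP algorithm is the real RFC 4226 one.

```python
import hmac
import hashlib
import struct

# Factor classes as used in the discussion above.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


def distinct_classes(factors) -> bool:
    """True only if no two factors share a class: two passcodes are one class,
    a passcode plus a token or a biometric are two."""
    classes = [cls for _, cls in factors]
    return len(set(classes)) == len(classes)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % 10 ** digits
    return f"{code:0{digits}d}"


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Constructed account record holding one factor of each class."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = b"constructed-salt"
        self.pw_hash = password_hash(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0  # server-side HOTP counter

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(password_hash(password, self.salt), self.pw_hash)

    def _otp_ok(self, code: str) -> bool:
        return hmac.compare_digest(hotp(self.token_secret, self.counter), code)

    def verify_two_factor(self, password: str, code: str) -> bool:
        """Both factors are presented together and both are evaluated before
        answering (no short-circuit), so the caller learns only accept/reject."""
        pw_ok = self._password_ok(password)
        otp_ok = self._otp_ok(code)
        if pw_ok and otp_ok:
            self.counter += 1  # consume the one-time code only on full success
            return True
        return False

    def verify_two_step(self, password: str, code: str) -> str:
        """Sequential variant: the response identifies which step failed,
        which is the extra information point 1 above objects to."""
        if not self._password_ok(password):
            return "rejected at step 1 (password)"
        if not self._otp_ok(code):
            return "rejected at step 2 (one-time code)"
        self.counter += 1
        return "accepted"


if __name__ == "__main__":
    # RFC 4226 test vector secret (ASCII "12345678901234567890"); counter 0 -> 755224
    acct = Account("correct horse battery", b"12345678901234567890")
    print(acct.verify_two_factor("correct horse battery", hotp(acct.token_secret, 0)))
    print(distinct_classes([("password", KNOWLEDGE), ("hotp token", POSSESSION)]))
```

Evaluating both factors before answering, and returning the same value whichever one was wrong, is what makes the simultaneous form give away less than the sequential one; the `distinct_classes` check is the second proposed distinction, that two steps of the same class are not two factors.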

Fingerprints
Given how easy it is to fake fingerprints, is it really wise to keep that bit? — Preceding unsigned comment added by Igalic (talk • contribs) 14:18, 27 December 2014 (UTC)

Suggested merge
There's a discussion on the Multi-factor authentication talk page about merging that article with this one. I think they should be merged, especially since this article says two factor authentication is also called 2FA, but 2FA redirects to Multi-factor authentication. Timtempleton (talk) 18:57, 9 March 2015 (UTC)

Requested move 24 May 2015

 * The following is a closed discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review. No further edits should be made to this section. 

The result of the move request was: page moved. Calidum T|C 00:21, 31 May 2015 (UTC)

Two factor authentication → Two-factor authentication – This is a compound modifier and should include a hyphen per WP:HYPHEN. In fact, the text of the article already uses the hyphenated form. This will also be consistent with Multi-factor authentication, where the sources predominantly include the hyphen. kennethaw88 • talk 01:45, 24 May 2015 (UTC)
 * Speedy and obvious support - someone could probably just move this. Red Slash 12:51, 24 May 2015 (UTC)
 * Support, correct spelling 76.120.162.73 (talk) 16:31, 25 May 2015 (UTC)


 * The above discussion is preserved as an archive of a requested move. Please do not modify it. Subsequent comments should be made in a new section on this talk page or in a move review. No further edits should be made to this section.

Two-factor authentication effectiveness
The statement in this article that "Two-factor authentication is ineffective against modern attacks" is not correct. The source referenced is referring specifically to workarounds attackers have used to bypass bank security and other specific scenarios. This statement is way too broad and highly inaccurate as two-factor authentication for things like email accounts and other online credentials has proven very effective at stopping things like phishing. — Preceding unsigned comment added by Khade72 (talk • contribs) 22:07, 30 July 2015 (UTC)


 * It's actually wildly wrong, I mean you could stomp it down with reality (by pointing out that an ATM card, for example, isn't a security factor precisely because any idiot can copy it and that the issue is banks don't actually care about your security) - but it's wikipedia; why have truth when you can cite things people who don't know what they're talking about said on their blog right? --Streaky (talk) 02:20, 16 September 2015 (UTC)

This article is completely wrong in some regards
Most important, it seems to confuse two-factor authentication with two-step authentication. Sending a code to a phone via sms is NOT a two-factor authentication. — Preceding unsigned comment added by 217.196.113.30 (talk) 11:26, 1 September 2015 (UTC)