Methods of Authentication

Site: Saylor Academy
Course: CS406: Information Security
Book: Methods of Authentication
Printed by: Guest user
Date: Friday, July 19, 2024, 5:14 PM


This article names the three familiar authentication factors the ownership factor, the knowledge factor, and the inherence factor. These correspond to something you have, something you know, and something you are, respectively.

System Fundamentals For Cyber Security/Authentication/Methods of Authentication

The ways in which someone may be authenticated fall into three categories, known as the factors of authentication:

  • The ownership factor - Something the user has
  • The knowledge factor - Something the user knows
  • The inherence factor - Something the user is or does

Each authentication factor covers a range of elements used to authenticate or verify a person's identity prior to being granted access, approving a transaction request, signing a document or other product, granting authority to others, or establishing a chain of authority.

Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified.

Creative Commons License This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Ownership Factor

Security Token

A security token may be a physical device that an authorized user is given to ease authentication. It acts as an electronic key to access something. Examples include:

  • USB Devices
  • Key Fob
  • Smart Card
  • RFID Tokens

Software Token

In contrast to hardware tokens, where credentials are stored on a dedicated device, software tokens are stored on general-purpose devices such as mobile phones.

Knowledge Factor

A password is the most common form of authentication in use on computer systems. It is simply a word or string of characters known by the user that is used for authentication. Some passwords are formed from multiple words and may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.

Most organizations specify a password policy that sets requirements for the composition and usage of passwords, typically dictating minimum length, required characters (e.g. upper and lower case, numbers, and special characters), and prohibited elements (e.g. own name, D.O.B., address, telephone number). Some governments have national authentication frameworks that define requirements for user authentication to government services, including requirements for passwords.

Password Cracking

Attempting to crack passwords by trying as many possibilities as time and resources permit is known as a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.

Password strength is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Passwords easily discovered are termed weak or vulnerable; passwords very difficult or impossible to discover are considered strong. There are several programs available for password attack (or even auditing and recovery by systems personnel), some of which use password design vulnerabilities to increase efficiency. These programs are sometimes used by system administrators to detect weak passwords proposed by users.
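The following added example (not code from the article) shows the two defender-side uses of these ideas together: a policy check of the kind described in the password-policy paragraph above, run at the moment a user proposes a password, and an administrator's dictionary audit of stored hashes of the kind this paragraph mentions. The common-password list, the user profile, and the leet-substitution table are constructed for the example; a real audit would load a large wordlist, and the policy thresholds are assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a real "common passwords" wordlist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "welcome", "admin", "iloveyou"}

# Letter-for-symbol substitutions undone before the wordlist lookup,
# so that "p@ssw0rd" is recognised as "password".
_LEET = str.maketrans("@0135$", "aoiess")


def normalise(candidate: str) -> str:
    """Lower-case, drop trailing digits ("password123" -> "password"),
    then undo the leet substitutions."""
    return re.sub(r"\d+$", "", candidate.lower()).translate(_LEET)


def check_password(candidate: str, profile: Dict[str, str],
                   min_length: int = 12, min_classes: int = 3) -> List[str]:
    """Apply a composition policy. Returns the list of violation codes;
    an empty list means the candidate is accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append("too_short")

    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, candidate)) for c in classes) < min_classes:
        problems.append("character_classes")

    lowered = candidate.lower()
    # Prohibited elements: any fragment of 3+ characters taken from the
    # user's own name, date of birth, phone number, and so on.
    for label, value in profile.items():
        if any(len(part) >= 3 and part.lower() in lowered
               for part in re.split(r"\W+", value)):
            problems.append(f"profile:{label}")

    if lowered in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
        problems.append("common_password")
    return problems


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the form in which passwords are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def audit_hashes(stored: Dict[str, Tuple[bytes, bytes]],
                 wordlist=COMMON_PASSWORDS) -> List[str]:
    """Administrator-side dictionary audit: hash each wordlist entry with
    every user's salt and report accounts whose stored hash matches.
    Only usernames are returned, never the recovered password."""
    weak = []
    for user, (salt, digest) in stored.items():
        if any(hmac.compare_digest(hash_password(word, salt), digest)
               for word in wordlist):
            weak.append(user)
    return weak


if __name__ == "__main__":
    # Constructed user profile for the prohibited-elements check.
    profile = {"name": "Alice Jones", "dob": "1990-04-12", "phone": "555-0100"}
    for pw in ["P@ssw0rd123", "AliceJones2024!x", "Tq7#vLm2!xP9wR"]:
        print(pw, "->", check_password(pw, profile) or "accepted")
    salt = os.urandom(16)
    users = {"bob": (salt, hash_password("letmein", salt)),
             "carol": (salt, hash_password("Tq7#vLm2!xP9wR", salt))}
    print("accounts with a wordlist password:", audit_hashes(users))
```

The per-user salt is what makes the audit cost scale with the number of accounts: every wordlist entry has to be hashed again for each salt, which is exactly the property that slows an attacker down as well.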

Inherence Factor

The inherence factor generally relates to the use of biometric data or some form of visual or audio recognition.

Examples include:

  • Fingerprint scanners
  • Retinal pattern
  • DNA sequence
  • Voice recognition
  • Facial recognition

Multi-Factor Authentication

Multi-factor authentication is an approach to authentication which requires two or all of the three authentication factors. Multi-factor authentication can drastically reduce the chance that an attacker accesses a protected resource or account because the victim's password would no longer be enough to give the attacker access to that resource. A common example of this is single-use passwords used by many web services. A user can request a single-use password, which will be forwarded to the user's mobile phone or another device so the device is needed in order to obtain the password. This involves both the ownership and knowledge factors.
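The single-use-password flow described above, as an added example that is not part of the article: the server first checks the password (knowledge factor), then generates a random six-digit code, sends it to the phone registered for that account, and only completes the login when that code is presented before it expires (ownership factor). The `outbox` list stands in for an SMS gateway and the `now` parameter exists so the expiry can be exercised deterministically; both are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional, Tuple


class TwoFactorLogin:
    """Login flow combining a knowledge factor (password) with an ownership
    factor (single-use code delivered to the registered device)."""

    def __init__(self, code_ttl: int = 300):
        self.code_ttl = code_ttl
        # user -> (salt, password hash, phone number)
        self.users: Dict[str, Tuple[bytes, bytes, str]] = {}
        # user -> (pending code, expiry time)
        self.pending: Dict[str, Tuple[str, float]] = {}
        # Constructed stand-in for an SMS gateway: (phone, code) pairs.
        self.outbox: List[Tuple[str, str]] = []

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str, phone: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt), phone)

    def start_login(self, user: str, password: str,
                    now: Optional[float] = None) -> bool:
        """Step 1, knowledge factor. On success a fresh single-use code is
        generated and sent to the registered phone; nothing is sent when the
        password is wrong, so a password guess alone triggers no code."""
        now = time.time() if now is None else now
        record = self.users.get(user)
        if record is None:
            return False
        salt, stored, phone = record
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, not random.randint
        self.pending[user] = (code, now + self.code_ttl)
        self.outbox.append((phone, code))
        return True

    def finish_login(self, user: str, code: str,
                     now: Optional[float] = None) -> bool:
        """Step 2, ownership factor. The pending code is consumed on the first
        attempt whether or not it matches, so each code can be tried once and
        is rejected after `code_ttl` seconds."""
        now = time.time() if now is None else now
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if now > expires_at:
            return False
        return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    server = TwoFactorLogin()
    server.register("alice", "correct-horse-battery", "+1-555-0100")
    if server.start_login("alice", "correct-horse-battery"):
        phone, code = server.outbox[-1]          # what the phone would receive
        print(f"code sent to {phone}; login ok: {server.finish_login('alice', code)}")
```

Consuming the pending code on a wrong guess is a deliberate choice: with only a million possible codes, a verifier that allowed repeated attempts against the same code would let an attacker who already holds the password guess the second factor, which is exactly what this flow exists to prevent. A production service would add rate limiting on both steps as well.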