What is MFA?


  • Multi Factor Authentication
  • Something you know
  • Something you carry
  • Something unique about you
  • Reliable method to vouch for your identity.

MFA or 2FA denote methods to gain access to a website, a database, or even a room or your car. Authentication is verification that you are allowed in. Older cars need a key. Most doors need a key, but a modern cell phone machine is a useful illustration of the evolving science of authentication.

Authentication, though, does more that just allow you in the door. Modern authentication also identifies who, that is name, rank and social security number, is coming through the door.

With a door that is opened by a key, or a car that is driven with the key, we have a basic level of security that reduces theft and unwanted visits. But these days, authentication goes hand in hand with authority. Think of for example, a valet key for an expensive sports car, the valet can drive the car, but cannot open the trunk.

Two Factor – 2FA – Authentication

2FA often uses a cell phone to verify that a username and password combination is not being abused. Something you know is the username and password. Something you carry is your cell phone. Cell phones protected with fingerprint scanners or facial recognition make this in practice the gold standard, three factor authentication.

Authentication at NCIS

My favorite television show is NCIS with Leroy Gibbs. But, while generally well written, it gets authentication all wrong. In many episodes, the retina scan to enter the ‘Coms’ room is a feature of the show. But in practice, this would be combined with a keypad. Something unique about you (your retina) PLUS something you know (a unique numeric code)

This is done so that the bad guys don’t steal your eyeball to gain access to the ‘Coms’ room. There was another episode with eyeballs, but I don’t think it was related to retinal scans.

Another flawed authentication premise

In another episode, a Navy conscript has his hand taken to gain secure access to a military facility. This is also flawed, as, properly implemented, access would require at least two factors. The fingerprint scanner would be combined with a keypad. Something you know.

Something unique about you

Fingerprints and retinal scans are two ways to satisfy a third authentication identity factor, but there are more methods. Facial recognition, as we’ve mentioned, has become widely accepted for cell phone screen unlocking. Other devices implemented are palm scanning and voice recognition. We widely recognize friends and neighbors in other ways too, such as a unique gait, their body language, body type, the way they cock their head. All these things may someday be used to create a more robust third method of authentication

Four or Five factors of authentication

Occasionally we may hear that there are more dimensions or factors, but this misleading claim obfuscates the suitable attainment of best practices in the care and preservation of data and property. There are three factors.

Authentication and Authorization

In the design of database access and application flow, especially in the arena of MVC structured development efforts, authentication is often mixed and matched with the word authorization, but they are really different but related components of valid and effective design. As vernacular, we call this vouch and sway.

VOUCH

Vouch is authentication. If you’ve been vouched for, it is now certain that you are Homer Simpson, Drill Instructor, selective service number 123-456-789.

SWAY

But, and this is an entirely different, but still related topic, does Homer Simpson, ssn 123-456-789 have the privilege to enter this door? This is what we call sway, and the orthodox name for this is authorization.

So Very Sorry

OK, we promised to explain two factor and multi factor authentication, and then we got into a television show, and then we added authorization and proper design. But the truth is that it is all important, related, and exciting. If you are confused, then start by reading and understanding the first two paragraphs on this page. Over and over again. Paragraph one – paragraph two – paragraph one, paragraph two, repeat. And remember. There are three factors, or dimensions to modern authorization. And two is better than one, but three is the best.