Authentication is the process of determining whether someone or something is, in fact, who or what it says it is. The number of factors required for users to prove their identities often depends on the sensitivity of the data and digital resources involved.
For example, online retail stores often only require users to provide one piece of verifiable information, such as a password, to access their online accounts. You might not want others to know what you purchased on a particular site, but sensitive information is not at risk. However, financial institutions handle much more sensitive data, such as account balances and payments, so they often require users to provide at least two pieces of verifiable information to access their online accounts.
The number of factors required for each authentication method is reflected in its name:
Single-factor Authentication (SFA): Requires users to provide one verifiable credential to access online resources.
Two-factor Authentication (2FA): Requires users to provide two verifiable credentials to access online resources.
Multi-factor Authentication (MFA): Requires users to provide at least two verifiable credentials to access online resources.
If one factor is compromised, others are unlikely to be, so there’s greater security in requiring users to authenticate themselves using additional factors. The goal is to appropriately balance the security needed to protect online resources with the user experience and make the overall authentication experience as painless as possible.
Verifiable information falls into three different categories:
Knowledge factors: Things that you know.
Possession factors: Things that you have.
Inherence factors: Things that you are.
To learn more about the most common types of verifiable information used and the pros and cons of each, see Authentication.
With SFA, users are only required to provide one piece of verifiable information to authenticate. This information might be anything from a knowledge factor, such as a password, to a biometric factor, such as a fingerprint.
Note that SFA is not necessarily less secure than 2FA or MFA. SFA refers to the number of factors used -- in this case, one -- to authenticate, and not to the type of authentication used. Passwords are the most common type of SFA used and are often compromised or forgotten. However, fingerprints are another type of SFA and are considered one of the most secure methods available because they’re difficult to fake.
Also note that SFA and single sign-on (SSO) are not the same thing. SFA refers to the number of pieces of verifiable information required to authenticate, while SSO is an authentication process that allows users to sign on to their applications and services with one set of credentials.
SFA requires users to provide one piece of verifiable information to authenticate.
Users provide the required information, which could be a password, a PIN, or fingerprints.
The online resource compares the information provided with the authentication information it has stored in the system.
If the authentication information provided matches the information in the system, users are granted access. If it doesn’t match, users are denied access.
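The three SFA steps above, worked through for the most common knowledge factor, a password. This is an added example, not Ping Identity's code or API. It assumes an in-memory user store (a plain dictionary) standing in for the system's credential database, and it shows the two details the comparison step hides: the system stores a salted PBKDF2 hash rather than the password, and the match is checked in constant time so that timing does not leak whether a username exists or how many bytes of the hash matched.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor; raise it as hardware gets faster (assumed value for the example).
ITERATIONS = 200_000

# Dummy record used for unknown usernames so the code path costs the same
# whether or not the user exists (constructed, never matches a real hash).
_DUMMY = {"salt": b"\x00" * 16, "hash": b"\x00" * 32}


def enroll(store: dict, username: str, password: str) -> None:
    """Step 0 (enrollment): keep only a per-user random salt and the
    PBKDF2-HMAC-SHA256 hash derived from the password, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    store[username] = {"salt": salt, "hash": digest}


def authenticate_sfa(store: dict, username: str, password: str) -> bool:
    """Steps 1-3: take the single factor the user provided, re-derive the hash
    with the stored salt, and compare it to the stored hash in constant time.
    Returns True (access granted) only when the hashes match."""
    record = store.get(username)
    known = record is not None
    if not known:
        record = _DUMMY  # still do the full derivation for unknown users
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], ITERATIONS
    )
    # hmac.compare_digest does not short-circuit on the first differing byte.
    match = hmac.compare_digest(candidate, record["hash"])
    return known and match


if __name__ == "__main__":
    users = {}
    enroll(users, "alice", "correct horse battery staple")  # constructed sample credential
    print(authenticate_sfa(users, "alice", "correct horse battery staple"))  # grants access
    print(authenticate_sfa(users, "alice", "wrong password"))                # denies access
    print(authenticate_sfa(users, "mallory", "anything"))                    # denies access
```

The same three steps apply to a PIN or a fingerprint template; only the comparison changes (a biometric match is a similarity score against a threshold rather than an exact hash comparison).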
With 2FA, users are required to provide two pieces of verifiable information to authenticate. 2FA was designed to add an additional layer of security to sensitive information. Primary credentials and passwords are often forgotten or compromised, so 2FA can be used to help ensure that sensitive information is secure.
The two pieces of verifiable information requested must be from different categories. For example, sign-on processes might require that users provide their usernames and passwords (something they know), and a fingerprint (something they are) to access their systems and applications. Or, sign-on processes might require that users provide their usernames and passwords (something they know), and proof that their smartphone is in their possession (something they have).
2FA requires users to provide two pieces of verifiable information to authenticate. The verifiable information requested must be from different authentication categories.
With multi-factor authentication, users are required to provide more than one piece of verifiable information to authenticate. MFA was designed to add additional layers of security to sensitive information.
Note that 2FA is also considered MFA because more than one credential is required to sign on. But MFA often involves more than two credentials.
As with 2FA, the pieces of verifiable information requested must be from different categories. Sign-on processes might require that users provide their usernames and passwords (something they know), but also require either something they have, such as a fob or smartphone, or something they are, such as a fingerprint or retina scan.
MFA works the same way as 2FA, but users are required to provide a minimum of two pieces of verifiable information to authenticate. Both of these diagrams show examples of MFA.
As you can see, there are a wide variety of ways users can be authenticated, and the methods used depend on the sensitivity of the information being accessed.
At first, it might seem like a good idea to protect all of your digital resources with the most secure methods available, such as facial recognition or fingerprints. However, those methods require users to have recognition technologies available, which can be expensive. On the other hand, if you’re not protecting sensitive information, you might consider using SFA with a password or PIN, or 2FA with a mobile phone if most of your users have them. Although these methods might not provide the highest level of security, they are easier and less expensive to implement. The trick is finding the appropriate balance between security and the user experience.