Websites and apps increasingly use layered authentication to promote security and privacy online. Layered authentication is an identity and access management process that uses two or more layers based on the so-called factors of authentication.
A user must present two or more factors to be granted access to a website or app and to prove the legitimacy of his or her identity. Implementations of layered authentication include two-factor authentication, multi-factor authentication, and two-step verification.
The Three Factors of User Authentication
Several factors are used in authenticating a user. They fall into three categories: knowledge factors, possession factors, and inherent factors. Collectively, these categories comprise the three types of authentication factors.
1. Knowledge Factors: Something You Know
Knowledge factors are the most common factors used in user authentication. Also called “Something You Know,” they include registered usernames, passwords, and personal identification numbers or PINs. Other examples of these factors include security questions, as well as personal data such as mobile number and physical address.
2. Possession Factors: Something You Have
Based on physical objects, possession factors are also called “Something You Have.” A key is a prime example of this factor. In digital communication, however, these factors include smart cards, device identities such as the MAC and IP address of a smartphone or desktop computer, token devices, and external hardware based on solid-state storage.
3. Inherent Factors: Something You Are
Inherent factors are those associated with the biological identity of a user. Also known as “Something You Are,” these factors usually include biometric data and thus utilize biometric methods such as fingerprints, voice recognition, retina and iris scans, and facial recognition.
Newer Factors of User Authentication
The location-based factor is a newer type of authentication factor. Also labeled “Somewhere You Are,” it works by taking into consideration the physical location of the user. Login or access attempts performed from a different location would either prompt an alert or result in access restriction.
Another factor is based on gestures, touches, or other types of input responses. Called “Something You Do,” it is based on the observed action of a user to verify his or her identity. Specific examples include hand gestures or pattern-based touch input.
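The layered check and the location-based behavior described above can be sketched as one access decision. This is an added example, not code from any particular product; the names `Evidence`, `CATEGORY`, and `decide`, and the sample locations, are hypothetical. It assumes each layer must come from a different factor category, which is the usual meaning of two-factor authentication.

```python
from dataclasses import dataclass

# Constructed mapping of authenticator kinds to the three categories above.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "smart_card": "possession", "token_device": "possession",
    "fingerprint": "inherent", "iris_scan": "inherent", "voice": "inherent",
}


@dataclass(frozen=True)
class Evidence:
    kind: str       # authenticator kind, a key of CATEGORY
    verified: bool  # outcome reported by that authenticator's verifier


def verified_categories(evidence):
    """Categories backed by at least one verified, known authenticator.

    Unknown kinds are ignored, so they can never satisfy a layer (fail closed).
    """
    return {CATEGORY[e.kind] for e in evidence if e.verified and e.kind in CATEGORY}


def decide(evidence, location, usual_locations, required=2, on_new_location="alert"):
    """Return 'deny', 'allow', 'alert' or 'restrict' for one login attempt.

    Assumption: each layer must come from a different category, so a
    password plus a PIN still counts as one layer.
    """
    if on_new_location not in ("alert", "restrict"):
        raise ValueError("on_new_location must be 'alert' or 'restrict'")
    if len(verified_categories(evidence)) < required:
        return "deny"
    if location not in usual_locations:
        # "Somewhere You Are": an unfamiliar location alerts or restricts.
        return on_new_location
    return "allow"


if __name__ == "__main__":
    # Constructed sample attempts.
    usual = {"Manila"}
    same_category = [Evidence("password", True), Evidence("pin", True)]
    two_factor = [Evidence("password", True), Evidence("token_device", True)]
    print(decide(same_category, "Manila", usual))
    print(decide(two_factor, "Manila", usual))
    print(decide(two_factor, "Berlin", usual, on_new_location="restrict"))
```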