
I'm sure you've all heard of two-factor/multi-factor authentication. Basically it comes down to these factors:

  • Knowledge - something you know (e.g. password, PIN, pattern)
  • Possession - something you have (e.g. mobile phone, credit card, key)
  • Existence - something you are (e.g. fingerprint)

My question is: Does a fourth factor of authentication exist?

A quick search on Google did not bring any interesting results other than a patent document that I didn't bother reading through. Could somewhere you are be considered a fourth factor?

rink.attendant.6
  • Technically "existence" is a subset of "possession". Sure, it's "embedded in your body", but still it's "something you have". Fingerprint? They can cut your finger: now _they_ have it. – o0'. Sep 25 '14 at 14:57
  • @Lohoris The terms are rather fuzzy to begin with - same goes for password, it is possession like anything else that can be copied - cf. [Rubber-hose cryptanalysis](http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis). – peterph Sep 25 '14 at 21:27
  • @Lohoris well, I'd argue one of the important characteristics of the "something you have" category is that you can leave it at home (or in a safe deposit box, with a trusted friend, etc.) when you don't need it. In that sense I wouldn't think of existence as a subset. – David Z Sep 25 '14 at 21:32
  • possible duplicate of [How many authentication factors are there?](http://security.stackexchange.com/questions/10434/how-many-authentication-factors-are-there) – Thomas Weller Sep 26 '14 at 08:45
  • @ThomasW. Since this question has far more complete answers, it would be better to close the other way round. – Gilles 'SO- stop being evil' Sep 26 '14 at 10:01
  • Old question, but I realised that a new factor has appeared! Something you are wearing. A notable example being Apple Pay on Apple Watch. If the watch is unlocked and the person continues to wear it, they can tap to pay. But if they take it off, the watch locks and they have to re-enter the PIN. – paj28 Oct 19 '19 at 16:09

6 Answers


As you noted, the main three are:

  • Something you know
  • Something you have
  • Something you are

I'd argue that there are others:

  • Something you can do, e.g. accurately reproducing a signature.
  • Something you exhibit, e.g. a particular personality trait, or even neurological behaviour that could be read by an fMRI. These are not strictly "are" features, as they're more fluid.
  • Someone you know, e.g. authentication by chain of trust.
  • Somewhere you are (or have access to), e.g. locking a session to an IP, or sending a confirmation pin to your address. This one is a bit tenuous in terms of being called an authentication factor, but it's still useful to note.
Polynomial
  • I was going to add the **somewhere** you are, but not just digital -physical. Similar to traits you exhibit, if you try authenticating twice, from two separate locations, an algorithm can quickly determine the *feasibility* of you being in both places -combined with others, this is a powerful authentication. – Matthew Peters Sep 23 '14 at 17:11
  • All of these are part of the first 3: *can do* is pretty much *know* or *have*, maybe *are*; *exhibit* is *have*; *someone* (relationship) is *know* or *have*, *somewhere* is *have*, maaaaybe *know*. – trysis Sep 23 '14 at 20:46
  • You seem to be confusing "authentication" with "authorization", and a few others. chain of trust is not a form of authentication, it is the mechanism to propagate identity by vouching for each other. The first two, as @trysis said, are part of the other factors. – AviD Sep 23 '14 at 20:57
  • I like 'Somewhere you are' in terms of physical point of sale such as gasoline pump and your propensity to visit that filling station. One might even add a temporal piece as in your timing pattern on visits a variation of the credit card alarm trigger for gas pump stolen card test followed by sneakers purchase. That suggests your activity relative to time and place might work too. +1 for out of the (boring and limited use) box thinking. – zedman9991 Sep 23 '14 at 21:10
  • @trysis: What you *know* could be leaked, what you *have* could be stolen, what you *can do* isn't imitated as easily. If you take one step further you could argue that there is only *have*, because on the Internet it doesn't matter if you entered what you *know* manually or got it by a device you *have*. – Christian Strempfer Sep 23 '14 at 22:13
  • Good point. Even what you *have* and what you *are* is muddled because what you *can prove you have* (which is what authentication is anyway) is limited by *the device you have*, and this device (or rather software on it) essentially *is* you on the Internet. Then, this is further limited by choices you made, money you have used, who your parents are, etc., so, in other words, *who you are* as a person. – trysis Sep 24 '14 at 03:02
  • Great example of "something you can do": http://www.funnyjunk.com/funny_pictures/688935/Korean/ – Almo Sep 24 '14 at 21:10
  • @AviD If a user logs in to my service by their associated Google account, wouldn't that be an example of the idea of authentication by chain of trust? I get that originally that would be a username/password, "Something you know", but for my site I wouldn't see that, I would just have Google's assertion that this person is who they say they are. – Blackhawk Sep 24 '14 at 21:29
  • If you're going to add who (trust), what (lots of them), how (something you can do) and where, you should probably complete the list with when (you can only do this during ___ time) and find a way to squeeze why in there (perhaps exercised by personality traits?) – corsiKa Sep 25 '14 at 21:44
  • @Blackhawk yes and no - Google is authenticating the user (e.g. via password, or whatever). *You* are not authenticating the user *at all* - you are only relying on Google's assertion. This is a perfect example of why I said that "chain of trust" is a method of sharing the assertion, and not an authentication factor. – AviD Sep 27 '14 at 23:21

Absolutely!

Somewhere you are is quite widely used in corporate IT. In many environments, if you are on an office network, you can login using only a password, but if you are out of the office you must use an additional factor, usually a token.

The current time is arguably another authentication factor, a classic example being a time delay safe. Office door passes are often valid only within particular times of day.

Contactability is sometimes viewed as another factor, e.g. receiving a letter at a known address (or an email, phone call) proves identity. Although usually this comes down to one of the factors you already mentioned, e.g. receiving a letter shows that you have the key to that address.

As you think more about this, you realise the distinction between factors is quite blurred - particularly between "something you know" and "something you have". If you write down a password, does that piece of paper become "something you have"? You mention a key is "something you have" - but if a locksmith knows the pattern, they can make a new key. So arguably a key is truly "something you know".

paj28
  • The time is not an authentication factor. It's still a security control, but it has nothing to do with authentication itself, as it doesn't provide evidence that something or someone is *authentic*. – Polynomial Sep 23 '14 at 15:57
  • @Polynomial, it depends; in an office the time is an authentication factor, as in normal office hours it can often be assumed that a non-member of staff will not be able to sit at a computer. But all bets are off outside of normal hours. – Ian Ringrose Sep 23 '14 at 18:38
  • To be fair to both of you, paj28 is correct in that the lines start to blur. YubiKey, for example, generates unique OTPs for 2nd-factor auth., part of which includes a date/time value and an incremental counter to prevent replay attacks. – IT Bear Sep 23 '14 at 23:58
  • @IanRingrose, I'd argue that your "somewhere you are" and "contactability" are linked, in that they both involve you being able to access a certain location (the office, or the address where the mail is delivered). From there, the "contactability" devolves to whatever factor that other location uses (for a letter posted to you, it's back to *possession* of your house key). In your example of corporate networks, that comes under Polynomial's chain of trust, in that someone else trusted you enough to allow you into the building, so again, it devolves back to whatever factor is used for that. – anaximander Sep 24 '14 at 11:50
  • @Polynomial if someone claimed to be George Washington, (today's) time would invalidate such a claim. – user2813274 Sep 25 '14 at 15:16
  • @user2813274 Except George Washington's account would be long closed and locked, and your example has nothing to do with time locks in this context. – Polynomial Sep 25 '14 at 15:35

Nope. There are three. All others mentioned here either:

  • can be reduced to one of the canonical three (e.g. "something you can do" is a personal feature, so classified as "something you are"; "someone you know" means you can present a proof of connection to someone - that's "something you have"!)
  • are not part of authentication, but authorization (time, network or physical location do not prove your identity, but can be used to allow you access or not). Classic example with office access only during office hours - during the night most of us don't lose our identity, we just are not allowed to access office (there are still some power users, who can access office 24/7 with the same auth as during the day, right?)
bartekmo
  • But can't the canonical three be reduced to 1. Your fingerprint is something you are, but I can cut off your finger and it becomes something I have. Your password is something you know but if you write it down and I steal it, it is something I have. – emory Sep 27 '14 at 14:11

While we assign authenticators into three common categories, it is important to keep in mind that these categories are somewhat loosely defined. Passwords are normally considered ‘what you know’ authenticators, but if you write one down and refer to the paper instead of memory does it become a ‘what you have’ factor? If a system authenticates using keyboard dynamics to monitor the rhythm and speed of your typing is that relying on ‘what you are’ or ‘what you know’? There can be some reasonable disagreement when deciding how to classify specific authenticators.

Location initially seems like it could be a fourth factor, but is it really? How does a system know your location? It likely relies on coordinates or address (either physical or IP) data provided by a device. Is that data then ‘what you know’ since someone else with that same data can duplicate that factor on their own device? Is it ‘what you have’ since the system relies on the trustworthiness of a device to provide legitimate data? We have to decide whether location is distinct enough to be considered its own independent factor category.

I do think it is important to make a distinction about what constitutes a factor since we use terms like “multi-factor authentication” to indicate the benefits of certain systems. Is it multi-factor if you log into a system with a password from an IP address that is associated with past logins? If we consider location a fourth factor then the answer is yes. However, I haven’t seen many people characterize this as a multi-factor authentication system.

In the paper CASA: Context-Aware Scalable Authentication the authors agree that location data can serve as a factor in the authentication process, but specifically define it as a “passive” factor. They distinguish between “passive” factors and “active” factors that require user interaction (e.g. passwords, fingerprint scans, etc.). This seems like a good way to separate out what are true authentication factors from other data that can be used to help make authentication decisions.

In my opinion location data shouldn’t be considered a fourth factor, but that doesn't prevent it from being useful during the authentication process.

PwdRsch
  • I would consider location as a distinct attribute if the mechanisms for verifying location are considered to be under the control of the agent responsible for authentication. If the door to a room is closed during a time when weight and motion sensors can confirm that there is only one person inside, and someone in the room does two actions, the fact that both actions were done within the room implies that anything which is known about the identity of the person doing the first is also true about the identity of the person doing the second, and vice versa. – supercat Sep 24 '14 at 17:39
  • Even if a random person off the street were asked to go into the room and perform both actions, the identity of the person doing the second action would be known to match that of the person who did the first. The person wouldn't really "know" anything or "have" anything. I suppose the fact that the person would appear to the sensors as one individual rather than two might constitute a "something he is", but it would seem a very weak one relative to the strength of assurances regarding the identity of the second actor. – supercat Sep 24 '14 at 17:44

Like everything else related to security, determining where you are requires trust. If you have to enter your PIN on the 10 key pad mounted on the door to the secure facility, how do you know the network connection from the data center to the door hasn't been diverted to a phony PIN pad mounted elsewhere? How do you know there isn't a proxy in place, manipulating the keys on behalf of someone else?

Or for a widely used example, consider that there are (many) apps available for iPhones that allow the user to specify a location of their choosing to Location Services. A simple use case could be for someone to pretend to be at work while they're actually on the golf course. However, you could falsify your location to qualify for otherwise restricted benefits: imagine an e-book with a geofence that allows it to be read only when inside a public library. And if you were relying on the phone to self-report location in order to remove the need for using a secure token, an attacker could use this to degrade the security to something more easily broken.

You can certainly add location to a security system, but you also have to consider measures to ensure it isn't being defeated.

John Deters
  • While this answer may be true, I don't really see how it answers the question of whether there exists a fourth class of authentication factors. Care to [edit] to elaborate on that part? – user Sep 26 '14 at 07:50
  • I was addressing his last question of "can I use *where* someone is as a fourth factor?" – John Deters Sep 29 '14 at 04:44
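Three of the answers above describe the same practical arrangement from different angles: paj28's corporate pattern (password alone on the office network during working hours, a token otherwise), PwdRsch's distinction between "active" factors and "passive" context such as location, and John Deters' warning that a location the client reports about itself can be set to anything. The following is an added worked example that puts those points into one policy function; it is not code from any of the answers. The authenticator catalogue, the trusted networks, the office hours and the login contexts at the bottom are all invented for the example.

```python
"""Step-up policy treating location and time as passive context (constructed example)."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Hypothetical authenticator catalogue. Each presented credential maps to one
# of the three canonical categories; the labels are invented for this example.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "hardware_token": "possession",
    "totp_app": "possession",
    "fingerprint": "inherence",
}

# Constructed corporate networks and working hours (assumptions, not the page's).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
OFFICE_HOURS = (time(8, 0), time(18, 0))


@dataclass
class LoginContext:
    presented: List[str]                            # authenticators the user completed
    source_ip: str                                  # address the server observed
    local_time: time                                # server clock, not the client's
    client_reported_location: Optional[str] = None  # e.g. GPS from a phone app


def distinct_factors(presented: List[str]) -> Set[str]:
    """Count categories, not credentials: password + PIN is still one factor."""
    return {FACTOR_CATEGORY[a] for a in presented if a in FACTOR_CATEGORY}


def on_trusted_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def in_office_hours(t: time) -> bool:
    start, end = OFFICE_HOURS
    return start <= t <= end


def factors_required(ctx: LoginContext) -> int:
    """Passive context (observed source network, time of day) adjusts how many
    active factors we demand; it never counts as a factor itself. The client's
    self-reported location is ignored on purpose: a client can claim any
    coordinates, so it must not be allowed to lower the requirement."""
    low_risk = on_trusted_network(ctx.source_ip) and in_office_hours(ctx.local_time)
    return 1 if low_risk else 2


def decide(ctx: LoginContext) -> Tuple[bool, str]:
    """Return (allowed, reason) for one login attempt."""
    have = distinct_factors(ctx.presented)
    need = factors_required(ctx)
    if not have:
        return False, "no recognised authenticator presented"
    if len(have) >= need:
        return True, f"{len(have)} factor(s) presented, {need} required"
    return False, f"step-up required: {need - len(have)} more factor category needed"


if __name__ == "__main__":
    cases = [
        LoginContext(["password"], "10.1.2.3", time(10, 0)),
        LoginContext(["password"], "203.0.113.7", time(10, 0)),
        LoginContext(["password", "pin"], "203.0.113.7", time(10, 0)),
        LoginContext(["password", "hardware_token"], "203.0.113.7", time(10, 0)),
        LoginContext(["password"], "10.1.2.3", time(23, 0)),
        LoginContext(["password"], "203.0.113.7", time(10, 0), "Inside HQ, floor 3"),
    ]
    for c in cases:
        print(c.presented, c.source_ip, c.local_time, "->", decide(c))
```

Two design choices carry the argument of the thread. First, `distinct_factors` counts categories rather than credentials, so a password plus a PIN from outside the office is still rejected as single-factor; that is what "multi-factor" has to mean if the term is to say anything. Second, the only location signal that can lower the requirement is the source address the server itself observed, and even that only reduces the count of active factors; the client's own claim of where it is (`client_reported_location`) is carried in the context but never consulted, so the spoofed-GPS case is handled by construction rather than by trying to detect the spoofing.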

The fourth factor would be something the individual does, (dynamic biometrics). Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.

Adam