N-Factor Authentication

This post is going to talk about N-Factor Authentication. It is commonly represented in the form of Two-Factor Authentication, but more factors can be required, resulting in greater security. The main purpose is to stress the importance of out-of-band transmission when using N-Factor Authentication. It does not matter how many factors are used to authenticate the identity of a person if every factor is transmitted over the same channel; if a hacker can compromise the channel, the number of factors does not matter.

Authentication is the process of verifying that someone is who they say they are. It requires identifying the user and proving that identity. In computer systems, authentication credentials generally consist of a username (who you are) and a password (what you know), with the username being the identifying factor and the password being the authenticating factor. Two-Factor Authentication, sometimes abbreviated as 2FA, is the requirement of a second authenticating factor. The second factor could be a fingerprint of the user's device or software stack, or a secure token (what you have), or it could be some biometric input such as a fingerprint, palm, facial, or iris scan (what you are).

N-Factor Authentication, from here on abbreviated as NFA, tries to ensure a user is who they say they are by asking for things they believe only that user can produce. One common strategy is to send confirmation text messages, because it is assumed that only the correct user will have the user’s phone. Other types use physical tokens such as smart cards because it is again assumed that only the correct user will have the user’s token.

The above two examples are great examples of NFA because the authenticating factors are sent out-of-band. Text messages don’t travel over the same communication channel as your internet connection, and the tokens are generally encrypted and sent over different protocols as well. A hacker would need to compromise both bands if he intended to forge (or, more simply, steal and retransmit) the authenticating factors. Some not-so-good examples do exist, though.
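The text-message flow described above, as an added example (not code from the original post): the server issues a fresh one-time code, hands it to a separate delivery channel, and stores only an HMAC of it. The code is single-use, expires, and has an attempt limit, so a code captured on the web band and retransmitted after the legitimate user has already used it is rejected. The class and function names, and the stub standing in for an SMS gateway, are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed validity window for a delivered code
MAX_ATTEMPTS = 5         # assumed guess budget before the challenge is discarded


@dataclass
class Challenge:
    code_hash: bytes     # only a keyed hash of the code is kept server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class OutOfBandVerifier:
    """Second-factor step whose secret leaves the server by a channel other than the login session."""

    def __init__(self, send_oob, clock=time.time):
        self._send_oob = send_oob        # delivery hook, e.g. an SMS gateway (stubbed in demo())
        self._clock = clock              # injectable clock so expiry can be tested
        self._server_key = secrets.token_bytes(32)
        self._pending = {}               # session_id -> Challenge

    def _hash(self, session_id, code):
        msg = f"{session_id}:{code}".encode()
        return hmac.new(self._server_key, msg, hashlib.sha256).digest()

    def start(self, session_id, destination):
        """Generate a code, remember its hash, and push the code out over the second band only."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session_id] = Challenge(
            code_hash=self._hash(session_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._send_oob(destination, code)

    def verify(self, session_id, submitted):
        """Check a code typed into the login session. Returns True once, then never again for that challenge."""
        ch = self._pending.get(session_id)
        if ch is None:
            return False                 # no live challenge: unknown session or code already consumed
        if self._clock() > ch.expires_at or ch.attempts_left <= 0:
            del self._pending[session_id]
            return False                 # expired or guess budget exhausted
        ch.attempts_left -= 1
        ok = hmac.compare_digest(self._hash(session_id, str(submitted)), ch.code_hash)
        if ok:
            del self._pending[session_id]   # single use: a replayed code finds no challenge
        return ok


def demo():
    """Constructed walk-through: legitimate use succeeds, a replay of the same code fails."""
    delivered = []   # stands in for the SMS channel; a real system would call a gateway here
    verifier = OutOfBandVerifier(send_oob=lambda dest, code: delivered.append((dest, code)))
    verifier.start("session-1", "+1-555-0100")        # constructed destination
    _, code = delivered[-1]
    first_use = verifier.verify("session-1", code)
    replay = verifier.verify("session-1", code)
    return first_use, replay


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The keyed hash means a dump of the pending-challenge table does not reveal live codes, and `hmac.compare_digest` keeps the comparison constant-time. The injectable clock exists so that expiry can be exercised deterministically rather than by sleeping.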

It used to be common practice for banks to ask for a username, a password, and other information (what you know) such as the user’s favorite sports team, favorite animal, or a family name. That is a bad example of NFA. To begin with, stealing what a user knows is typically easier than stealing what they have or what they are. But most importantly, all the authenticating factors are sent in-band over the same TCP/IP connection. If that connection is compromised, the NFA is useless, and worse yet, the NFA still appears to work, providing a false sense of security.

The point is simple: NFA is only good if the authenticating factors are sent out-of-band. They should also include other types of data – not just what the user knows, but what he has, what he is, or what he can otherwise uniquely produce. NFA systems that ask for only one type of authentication and that transmit all that data in-band are a waste of money at best and a hazard at worst.