Crypto FAQ: What is Multi-Factor Authentication (MFA) and how does it work?

Multi-Factor Authentication (MFA) is an information security technology that requires multiple methods of confirmation, drawn from independent categories of credentials, in order to verify a user's identity for a login or other secure transaction. MFA combines two or more independent credentials: what the user knows (e.g., a password); what the user possesses (e.g., a mobile phone or email account); and what the user is (e.g., biometric verification of a fingerprint).

In the context of security in general, and cybersecurity in particular, authentication is the act of confirming the truth of an attribute of a single piece of data (a datum) claimed true by an entity. There are several levels of authentication:
  • Single-Factor Authentication (SFA), where you need to provide at least one kind of credential, typically something that you know (see below), to authenticate;
  • Two-Factor Authentication (2FA), where you need to provide two out of the three kinds of credentials to authenticate;
  • Three-Factor Authentication (3FA), where you need to provide all three kinds of credentials to authenticate.
The three kinds of credentials used to authenticate are listed below:

  • Something that you know, such as a password, a Personal Identification Number (PIN), or a geometric pattern.
  • Something that you have, such as an ATM card, credit card, mobile phone, or fob.
  • Something that you are, such as a biometric id (e.g., fingerprint, voiceprint, iris scan).
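The two-factor case above, as an added example that is not part of the original FAQ: a login check that combines "something you know" (a password, stored only as a salted PBKDF2 hash) with "something you have" (a one-time code from an authenticator app, computed per RFC 6238 TOTP over RFC 4226 HOTP). It uses only the Python standard library; the names UserRecord, enroll and authenticate are hypothetical, and the seed in the demo is the RFC 6238 test-vector seed rather than a real secret. The verifier accepts one time step of clock drift either side but refuses any step at or before the last accepted one, so a captured code cannot be replayed.

```python
"""Added example (not from the FAQ): password + TOTP two-factor check.
Standard library only; UserRecord/enroll/authenticate are hypothetical names."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


@dataclass
class UserRecord:
    """What the server stores: never the password, only a salted hash, plus the
    shared TOTP seed and the last accepted time step (the replay guard)."""
    salt: bytes
    password_hash: bytes
    totp_seed: bytes
    last_counter: int = -1


def enroll(password: str, totp_seed: bytes) -> UserRecord:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return UserRecord(salt=salt, password_hash=digest, totp_seed=totp_seed)


def verify_password(record: UserRecord, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record.salt, PBKDF2_ITERATIONS)
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate, record.password_hash)


def hotp(seed: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // step)


def verify_totp(record: UserRecord, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (clock drift), but
    never a step at or before the last accepted one (blocks code replay)."""
    if not (code.isascii() and code.isdigit() and len(code) == TOTP_DIGITS):
        return False
    current = unix_time // TOTP_STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter > record.last_counter and hmac.compare_digest(hotp(record.totp_seed, counter), code):
            record.last_counter = counter
            return True
    return False


def authenticate(record: UserRecord, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Both factors must pass. The TOTP check is skipped when the password fails,
    so a wrong password does not consume a still-valid code."""
    now = int(time.time()) if unix_time is None else unix_time
    if not verify_password(record, password):
        return False
    return verify_totp(record, code, now)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test-vector seed, not a real secret
    user = enroll("correct horse battery staple", seed)
    t = 1111111109  # RFC 6238 test time; the 6-digit code for it is 081804
    print(authenticate(user, "correct horse battery staple", totp(seed, t), t))  # True
    print(authenticate(user, "correct horse battery staple", totp(seed, t), t))  # False: replayed code
    print(authenticate(user, "wrong password", totp(seed, t + 30), t + 30))      # False: first factor failed
```

The password hash and the TOTP seed are different kinds of secret: the hash can be published without letting anyone log in, but the seed must be protected like a key, because anyone holding it can generate valid codes.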
In the context of distributed computer systems, popularly referred to as Cloud-based computing environments, zero-knowledge privacy refers to client-server relationships where a server or service is incapable of viewing a client’s “plain-text data” (i.e., unencrypted data), even in those circumstances where the server persistently stores an encrypted version of the client’s plain-text data.

Theory vs. Practice: The theoretical basis for the soundness of zero-knowledge privacy algorithms lies in rigorous cryptographic methods for zero-knowledge proofs. Practical applications of zero-knowledge privacy include secure file synchronization and sharing and secure email systems. In the case of secure file synchronization and sharing systems, the client seeks to securely store plain-text data on a server so that the data can be shared and data updates synchronized across multiple distributed devices (e.g., desktop, notebook, tablet, smart phone). As long as the client encrypts its plain-text data before uploading it via a secure communication protocol (e.g., IPS/TLS), it is relatively straightforward to implement zero-knowledge privacy between the client and the data server. (Note that even though many file synchronization and sharing vendors claim “end-to-end encryption” of data, they fall short of zero-knowledge privacy because they don’t ensure that client data is encrypted before it is uploaded to their servers.)
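The single-client case described in the two paragraphs above, as an added example that is not part of the original FAQ and not any vendor's code: the client derives its keys from a passphrase the server never receives, encrypts and authenticates each file before upload, and the server stores and serves opaque blobs only. A second device with the same passphrase downloads and decrypts. To keep the example dependency-free it uses encrypt-then-MAC with an HMAC-SHA256 counter-mode keystream from the Python standard library; a deployed system would use an AEAD such as AES-GCM or ChaCha20-Poly1305 from a vetted library instead. SyncServer, client_encrypt and the other names are hypothetical, and the sample note is constructed.

```python
"""Added example (not from the FAQ or any product): client-side encryption
before upload, so the sync server never holds plaintext or a key.
Cipher: encrypt-then-MAC, HMAC-SHA256 counter-mode keystream (stdlib-only
illustration; use a vetted AEAD in production). All names hypothetical."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

PBKDF2_ITERATIONS = 200_000


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """64 bytes of key material from the passphrase, split into separate
    encryption and MAC keys (one key is never used for both purposes)."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode PRF stream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(passphrase: str, plaintext: bytes) -> Dict[str, bytes]:
    salt = secrets.token_bytes(16)   # fresh per blob, so every file gets its own keys
    nonce = secrets.token_bytes(16)  # fresh per blob, so the keystream never repeats
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    # the tag covers every field the server could alter
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def client_decrypt(passphrase: str, blob: Dict[str, bytes]) -> bytes:
    enc_key, mac_key = derive_keys(passphrase, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    # check the tag before touching the ciphertext: a mismatch means tampering or a wrong passphrase
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed")
    stream = keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))


class SyncServer:
    """Hypothetical sync service. It only ever receives ciphertext blobs, so a
    breach of or insider access to this store yields no plaintext."""

    def __init__(self) -> None:
        self.store: Dict[str, Dict[str, bytes]] = {}

    def upload(self, path: str, blob: Dict[str, bytes]) -> None:
        self.store[path] = blob

    def download(self, path: str) -> Dict[str, bytes]:
        return self.store[path]

    def holds_plaintext(self, path: str, probe: bytes) -> bool:
        """What someone with full server access can check: whether the stored
        bytes contain a known plaintext fragment. With proper encryption they do not."""
        return probe in self.store[path]["ciphertext"]


def sync_roundtrip(passphrase: str, plaintext: bytes, server: SyncServer, path: str = "notes.txt") -> bytes:
    """Device A encrypts and uploads; device B downloads and decrypts with the same
    passphrase. Returns the bytes device B recovers."""
    server.upload(path, client_encrypt(passphrase, plaintext))
    return client_decrypt(passphrase, server.download(path))


if __name__ == "__main__":
    srv = SyncServer()
    note = b"constructed sample: quarterly numbers"  # constructed sample data
    print(sync_roundtrip("device passphrase", note, srv) == note)  # True
    print(srv.holds_plaintext("notes.txt", b"quarterly"))          # False
```

The property to check against a vendor's "end-to-end encryption" claim is exactly the one SyncServer illustrates: if the key, or a passphrase that can be turned into the key, ever reaches the service, the service can read the data regardless of how it is transported or stored.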

Note that the difficulty of implementing zero-knowledge privacy is significantly increased when the client seeks to securely share data with a third party. Although it is relatively well understood how to resolve this problem using recursive design techniques, a further discussion of theoretical and practical solutions to the third-party sharing problem is outside the scope of this FAQ. (Contact us if you seek further information about this advanced topic.)
A secure file server is incapable of viewing plaintext data; therefore, the data may never be compromised through mismanagement, prying eyes, or external bodies looking to gain access. See Zero-Knowledge Proof Standard.

CRYPTOGRAPHY WORKS and Cryptographyworks.com are trademarks of PivotPoint Technology Corporation. All other product and service names mentioned are the trademarks of their respective companies.