The differences between single and multi-factor authentication

The differences between single and multi-factor authentication

Single or multi-factor? This is a question that, in our experience, gets asked quite frequently when planning an access control system. One might say that the more factors, the more security, the better... but is this really true? In certain cases, where security takes precedence, the answer is straightforward. In other cases, not so much.

This blogpost will examine these questions, primarily from a biometric standpoint, but we will also look at other solutions. This information is important for anyone who is planning access control for all, but the highest security places, where the highest possible security requirements override any other consideration.

First, we must clarify, that for the purposes of this post, multi-factor authentication means two entirely different factors (e.g. an ID number/PIN code combination is considered as single factor authentication). The reason for this is that if one can obtain e.g. a password, then one will most likely be able to obtain the user ID as well with roughly the same amount of effort - or, as a better example, one, who can obtain a particular fingerprint from a person will be able to obtain all the other prints as well with the same method, due to the nature of the factor. Thus, requiring two fingerprints from the same person does not add to the security level and can not be counted as multiple factors. Also, in single factor authentication, the starting point is biometry here, because neither possession nor knowledge based methods can really compete with it.

Single factor authentication

The biggest advantage of single factor authentication is its simplicity. It is always easier to perform one action for identification rather than many. This also means that this method is easy, does not require too much user cooperation and it is fast. Our experience shows that people tend to move towards the path of least resistance even in the field of security, so if presented with multiple options, they will (with the exception of security-conscious people) choose the easiest and fastest way. The only difference can be observed is when a person is interested in the security (e.g. online banking services) for his/her own sake, tougher security methods might be chosen to better protect the valuables. With convenient solutions, however, comes low security. A single factor - whatever it may be - is always easier to acquire for a malicious person than multiple factors, and the possibility of passing a security measure with an obtained factor is inversely proportional to the number of factors required. Using single factor authentication can be suggested at places, where high security levels are less important than good throughput performance, ease of use or relatively small required user cooperation.

Multi-factor authentication

Multi-factor authentication is, in contrast, when several factors are required to perform a successful identification. The most widespread methods are RFID+Password, RFID/Password+Biometry (which is also called as 1:1 verification) or multiple biometric factors. The number of possible combinations is rather high. Multi-factor authentication can give higher security levels with individually lower quality methods (e.g. a simple password and biometry is always stronger than a very hard to guess password and this is), as people with malicious intents have to take that extra mile to obtain all information and/or samples before attempting to spoof the system. If we consider this further, the level of security is determined by how difficult it is to obtain the hardest-to-obtain factor. This means that if, for example, a system uses a PIN code and a vein pattern, both have to be acquired for a successful identification. Alone, neither is enough to produce a successful identification, so that is why the hardest factor determines the overall security (of course, only from this standpoint - if the IT background or the devices themselves are vulnerable, that will adversely affect the whole system, but that is another question). And, as you might have suspected, there is a tradeoff between security and throughput - the higher the number of the factors that are required, the slower will it be to pass through an access point with the particular configuration. Also, it will require more user cooperation, which means that aside from the cases where the individual voluntarily starts to use multiple factors for his/her own benefit, companies will have to force users into multi-factor authentication. So use multi-factor authentication where security is more important than throughput (or user experience, for that matter).

A special case of multi-factor authentication is when two or more biometric features are used to perform identification. Here, the lines that separate the pros and cons of single- and multi-factor authentication start to get blurred. There are features, that can be checked within the same process, at the same time (e.g. fingerprints and finger veins - or palm veins - depending on the configuration), which gives the process speed akin to single factor authentication while retaining the security level of multi-factor authentication. Extending this idea, if a biometric factor needs cooperation, and during that a different factor can be examined with little to no further cooperation (e.g. palm veins and face recognition together), identification will be almost as convenient as with their single factor counterparts. Note, that this case might be considered a single factor method by some, as the multiple factors are from the same general type (biometric, that is). This is really on the edges of both realms, drawing the positive aspects from both while trying to mitigate the negative ones.