Ask the Expert

Is the use of digital certificates with passwords considered two-factor authentication?

Is the use of digital certificates with passwords considered two-factor authentication? If so, does the certificate need to reside on a token or smart card to be considered two-factor (i.e. something you physically have and something you know)?

    Requires Free Membership to View

The answer to that question depends on who you ask. Information security professionals and regulators have different views on this.

The traditional definition of two-factor authentication in information security textbooks revolves around three authentication factors: something you know, something you have and something you are. Something you know is a memorized secret credential, like a user ID and password. Something you have is an tangible object, like a one-time password (OTP) token or smart card that holds authentication credentials. Something you are represents a physical characteristic unique to yourself, like a fingerprint or face pattern, which can only be measured by a biometric device.

Two-factor authentication is a combination of any two of these factors. A digital certificate by itself wouldn't be considered the second factor in a two-factor system because the certificate itself isn't a factor. It isn't something the user knows or has. It's passive because it's sent behind the scenes when a user logs in.

If the certificate sits on a smart card or OTP token, then the token is the second factor in the system. The certificate just validates the device. It's not a true authentication credential by itself.

The definitions get blurry in a guidance issued by the Federal Financial Institutions Examination Council (FFIEC) in 2005. The FFIEC recommended that bank Web sites be protected while conducting transactions with two-factor authentication. The guidance used the traditional definition of two-factor authentication, but mentioned that the use of digital certificates was acceptable in some circumstances. Acceptable circumstances include a digital certificate on a USB token for authentication purposes and digital certificates used for mutual authentication in SSL on Web sites.

Either way, a digital certificate, alone or on a device, doesn't constitute two-factor authentication. It's the device holding the certificate that makes the authentication two-factor.

For more information:

  • Learn more about what constitutes as two-factor authentication.
  • In this learning guide, discover all of your authentication options.
  • This was first published in June 2007

    There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: