How two-factor authentication and layered authentication differ

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

BROWSE BY TAG Identity Management and Access Control,   Security Token and Smart Card Technology,   User Authentication Services,   Enterprise Identity and Access Management,   Biometric Technology,   Enterprise Single Sign-On (SSO),   Expert Archive: Identity Management and Access Control,   Infosec-Related Regs,   FFIEC,   Compliance,   FFIEC Regulations and Guidelines,   Security Audit, Compliance and Standards,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Does password sharing in international branches violate SOX? What are best practices for secure password distribution after a data breach? Is it possible to encrypt CDs and DVDs as well as SD cards? Security Token and Smart Card Technology Risk management must include physical-logical security convergence RSA researcher Ari Juels: RFID tags may be easily hacked Portable security storage device could replace OTP devices Can you combine RFID tag technology with GPS to track stolen goods? Security token and smart card authentication Hackers can target embedded smart card chips What should an enterprise look for in a password token and a vendor? Are smart cards insecure if Mifare Classic RFID encryption is cracked? What are good features to look for in access control software? Secure Computing SafeWord 2008 product review Biometric Technology Biometrics project studies ways to combat bank fraud Apple iPhone app could boost two-factor Vein-reading biometrics popping up in health care, financials Exploring authentication methods: How to develop secure systems Pre-boot biometric user authentication tools and strategies To what exactly would a request for biometric data from an insurance provider pertain? Keystroke recognition aids online authentication at credit union What are the possible benefits of microchip implants and RFID tags for employees? Biometrics vs. biostatistics How are biometric signatures more than a fingerprint scanner? Biometric Technology Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary authentication server  (SearchSecurity.com) Chameleon Card  (SearchSecurity.com) key chain  (SearchSecurity.com) key fob  (SearchSecurity.com) key string  (SearchSecurity.com) national identity card  (SearchSecurity.com) security token  (SearchSecurity.com) smart card  (SearchSecurity.com) tokenization  (SearchSecurity.com) two-factor authentication  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Two-factor authentication uses, as the name implies, two factors to authenticate a user. Layered authentication uses multiple systems to authenticate a user -- some of which aren't traditional methods of authentication. Let's look at each and then compare.

There are three factors in the world of authentication: something you know, something you have and something you are. Something you know is a user ID and password. Something you have is something you might carry, such as smart cards and one-time password (OTP) tokens. Something you are is a physical characteristic , such as a fingerprint, a picture of a face or the tone of a voice. These are biometrics systems. Using any two of these together creates a two-factor authentication system. A user ID and password with an OTP token is a two-factor system. Another example would be a smart card and a PIN number, or a user ID and password with a fingerprint scanner.

Layered systems are a bit trickier. They often work behind the scenes, are invisible to the user, and gather a footprint of the user's habits, such as PC settings and network configurations, to build a unique profile of the user. PassMark, for example, uses a unique digital stamp chosen by the user when they first log on. Once the stamp is chosen, it is displayed back to them during subsequent logins. The idea behind this is if their unique stamp, or PassMark, isn't displayed, they might be logging on to a phishing or other malicious site.

Cyota also uses the layered approach, but as more of an anti-fraud detection system than a true authentication system. Like PassMark, it fingerprints a user's habits, but also checks for malicious and phishing sites and performs additional user verification tests if they find irregularities. For example, someone who normally logs on at the same time every day from the same PC in Cincinnati, but then logs on in the middle of the night from Kiev, gets a red flag for that extra check. These systems can be effective and do provide an extra level of protection, like two-factor authentication, but they aren't two-factor systems. In reality, they don't authenticate the user, but rather their PC. They function like two-factor systems, but are fraud fighters more than authenticators.

This issue became hot last October when the Federal Financial Institutions Examination Council (FFIEC) released its guidance recommending two-factor authentication for all Internet banking. The FFIEC lumped two-factor and layered systems together and claimed that both could adequately comply with their directive. However, it's important to remember that they aren't the same. They may provide the same protection, but they're deployed differently. Study them carefully to determine which meshes better with your systems before choosing an implementation to meet the FFIEC guidance.