Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > Is the use of digital certificates with passwords considered two-factor authentication?
Ask The Security Expert: Questions & Answers
EMAIL THIS

Is the use of digital certificates with passwords considered two-factor authentication?

Joel Dubin EXPERT RESPONSE FROM: Joel Dubin

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 30 April 2007
Is the use of digital certificates with passwords considered two-factor authentication? If so, does the certificate need to reside on a token or smart card to be considered two-factor (i.e. something you physically have and something you know)?

>
EXPERT RESPONSE
The answer to that question depends on who you ask. Information security professionals and regulators have different views on this.

The traditional definition of two-factor authentication in information security textbooks revolves around three authentication factors: something you know, something you have and something you are. Something you know is a memorized secret credential, like a user ID and password. Something you have is an tangible object, like a one-time password (OTP) token or smart card that holds authentication credentials. Something you are represents a physical characteristic unique to yourself, like a fingerprint or face pattern, which can only be measured by a biometric device.

Two-factor authentication is a combination of any two of these factors. A digital certificate by itself wouldn't be considered the second factor in a two-factor system because the certificate itself isn't a factor. It isn't something the user knows or has. It's passive because it's sent behind the scenes when a user logs in.

If the certificate sits on a smart card or OTP token, then the token is the second factor in the system. The certificate just validates the device. It's not a true authentication credential by itself.

The definitions get blurry in a guidance issued by the Federal Financial Institutions Examination Council (FFIEC) in 2005. The FFIEC recommended that bank Web sites be protected while conducting transactions with two-factor authentication. The guidance used the traditional definition of two-factor authentication, but mentioned that the use of digital certificates was acceptable in some circumstances. Acceptable circumstances include a digital certificate on a USB token for authentication purposes and digital certificates used for mutual authentication in SSL on Web sites.

Either way, a digital certificate, alone or on a device, doesn't constitute two-factor authentication. It's the device holding the certificate that makes the authentication two-factor.

For more information:

  • Learn more about what constitutes as two-factor authentication.
  • In this SearchSecurity.com learning guide, discover all of your authentication options.


    • Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Identity Management and Access Control
    What are the pre-requisites for implementing single sign-on (SSO) in an organization?
    To what exactly would a request for biometric data from an insurance provider pertain?
    Is it possible to support users to have their own IDs with root privilege so they aren't sharing a root password?
    What is the purpose of RFID identification?
    CardSpace vs. user IDs and passwords
    Biometrics vs. biostatistics
    What are the dangers of using radio frequency identification (RFID) tags?
    What are the risks of connecting a Web service to an external system via SSL?
    What should an internal support model for identity management look like?
    How are biometric signatures more than a fingerprint scanner?

    Two-Factor and Multifactor Authentication Strategy
    Quiz: The new school of enterprise authentication
    The steps of privileged account management implementation
    The New School of Enterprise Authentication
    Trends in enterprise identity and access management
    Address Authentication and Transaction Validation Protocols to Stem Identity Theft
    Understanding multifactor authentication features in IAM suites
    SaaS Offering Handles SSO
    Identity Management Suites Enable Integration, Interoperability
    Product review: Secure Computing SafeWord 2008
    Keystroke recognition aids online authentication at credit union

    Tokens and Smart Cards
    Product review: Secure Computing SafeWord 2008
    Video: Changes ahead for MIT Kerberos Consortium
    Kerberos: Authentication with some drawbacks
    What are the dangers of using radio frequency identification (RFID) tags?
    How to prevent hack attacks against smart card systems.
    Smart card deployment: How to know if it's smart for your enterprise
    Can tokenization of credit card numbers satisfy PCI requirements?
    Is there a way to bridge physical and logical security without using smart cards or biometrics?
    Preparing for integrated physical and logical access control: The common authenticator
    Are one-time password tokens susceptible to man-in-the-middle attacks?

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    AAA server  (SearchSecurity.com)
    authentication  (SearchSecurity.com)
    authentication, authorization, and accounting  (SearchSecurity.com)
    federated identity management  (SearchSecurity.com)
    Kerberos  (SearchSecurity.com)
    password hardening  (SearchSecurity.com)
    typeprint analysis  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    Targeted Security Channel Tips for Resellers, Integrators and Consultants
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts