Is the use of digital certificates with passwords considered two-factor authentication?

BROWSE BY TAG Identity Management and Access Control,   Enterprise Identity and Access Management,   User Authentication Services,   Two-Factor and Multifactor Authentication Strategies,   Security Token and Smart Card Technology,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Is Identity Management as a Service (IDaaS) a good idea? How to log in to multiple servers with federated single sign-on (SSO) How to confirm the receipt of an email with security protocols Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Two-Factor and Multifactor Authentication Strategies Two-factor authentication, vigilance foil password theft Security on a budget: How to make the most of authentication tools Best Authentication Products Best Identity and Access Management Products Are 'strong authentication' methods strong enough for compliance? PCI compliance requirement 7: Restrict access PCI compliance requirement 9: Physical access Best practices: How to implement and maintain enterprise user roles Changing times for identity management RSA researcher Ari Juels: RFID tags may be easily hacked Security Token and Smart Card Technology First Data, RSA push tokenization for payment processing How to log in to multiple servers with federated single sign-on (SSO) Best Authentication Products Are 'strong authentication' methods strong enough for compliance? Risk management must include physical-logical security convergence RSA researcher Ari Juels: RFID tags may be easily hacked Portable security storage device could replace OTP devices Can you combine RFID tag technology with GPS to track stolen goods? Security token and smart card authentication Embedded smart card chips are open to hack attacks

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary AAA server  (SearchSecurity.com) authentication  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) federated identity management  (SearchSecurity.com) Kerberos  (SearchSecurity.com) password hardening  (SearchSecurity.com) typeprint analysis  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

The answer to that question depends on who you ask. Information security professionals and regulators have different views on this.

The traditional definition of two-factor authentication in information security textbooks revolves around three authentication factors: something you know, something you have and something you are. Something you know is a memorized secret credential, like a user ID and password. Something you have is an tangible object, like a one-time password (OTP) token or smart card that holds authentication credentials. Something you are represents a physical characteristic unique to yourself, like a fingerprint or face pattern, which can only be measured by a biometric device.

Two-factor authentication is a combination of any two of these factors. A digital certificate by itself wouldn't be considered the second factor in a two-factor system because the certificate itself isn't a factor. It isn't something the user knows or has. It's passive because it's sent behind the scenes when a user logs in.

If the certificate sits on a smart card or OTP token, then the token is the second factor in the system. The certificate just validates the device. It's not a true authentication credential by itself.

The definitions get blurry in a guidance issued by the Federal Financial Institutions Examination Council (FFIEC) in 2005. The FFIEC recommended that bank Web sites be protected while conducting transactions with two-factor authentication. The guidance used the traditional definition of two-factor authentication, but mentioned that the use of digital certificates was acceptable in some circumstances. Acceptable circumstances include a digital certificate on a USB token for authentication purposes and digital certificates used for mutual authentication in SSL on Web sites.

Either way, a digital certificate, alone or on a device, doesn't constitute two-factor authentication. It's the device holding the certificate that makes the authentication two-factor.

For more information: