Four-factor authentication (4FA) is the use of four types of identity-confirming credentials, typically categorized as knowledge, possession, inherence and location factors.
Four-factor authentication is a newer security paradigm than two-factor or three-factor authentication. Four factor systems are sometimes used in businesses and government agencies that require extremely high security. Higher levels of multifactor authentication categories make it increasingly unlikely that an attacker can fake or steal all elements involved.
- Knowledge factors include all things a user must know in order to log in, such as a user name and password or personal identification number (PIN).
- Possession factors include anything a user must have in their possession to log in, such as a one- time password token (OTP token) or a smartphone with an OTP app.
- Inherence factors include biometric user data that are confirmed for login, such as iris scans, fingerprint scans and voice recognition.
User location is sometimes considered a fourth factor for authentication. The ubiquity of smartphones can help ease the burden: Most smartphones have a GPS device, enabling reasonable surety confirmation of the login location. Lower surety measures might be the MAC address of the login point or physical presence verification through cards, for example.
Sometimes time is considered a fourth or fifth factor. Verification of employee IDs against work schedules, for example, can prevent some kinds of user hijacking attacks. An American bank customer can't physically use his ATM card at home and then in Russia within 15 minutes. Because time could be used as a distinct confirming category, it may eventually be considered a separate factor, which could make five-factor authentication (5FA) a possibility.
The use of at least one element of each of the four factor categories is considered four-factor authentication. The application of four authentication elements out of two or three categories counts as two- or three-factor authentication, respectively.
The reliability of authentication depends not only on the number of factors involved but also on how they are implemented. Options selected for authentication rules greatly affect the security of each factor. Lax rules and implementations result in weaker security.
Care must be taken, on the other hand, not to overburden users with difficult authentication routines, not only out of consideration for users but for security as well. Throughout IT history, users have always found ways of subverting rules for easier logins. Often, these efforts result in lowered security.