Recently CISA moved the use of a single factor (a password, for instance) into the category of "bad practices". Listen, it's time! You should be adopting multifactor authentication (MFA) for everything. CISA moving 1FA onto the naughty list just made it abundantly clear for everyone.

Now that we agree that MFA is the path forward let’s discuss the "F" or Factors available to you when selecting multiple factors for authentication.

Factor one: KNOWLEDGE

Knowledge might be the most widely used factor in authentication.  A simple example of a knowledge factor is the password.  Knowledge can also be a passphrase, or a fact like mother’s maiden name or place of birth.

Factor two: POSSESSION

Possession, as it sounds, is proving you are in possession of an item. How do you provide this proof? Typically, this is achieved through a random PIN that is displayed either on a token you possess or on an app on your smartphone. It's important to point out the distinction here: while knowledge can be a PIN, and possession can be proven by providing a PIN FROM a token or app, these are not the same type of factor. In one instance you're recalling something you know (knowledge); in the other you're sharing a PIN that is randomly generated by the device you have (possession).

Factor three: INHERENCE

The definition of inherence (not to be confused with inheritance) gets heady and philosophical quickly.  The good news is we don't need to go that deep, just understand that inherence is referring to YOU. This is essentially biometrics, like facial recognition, fingerprints and voice analysis.

Now what?

Great, we have set the stage for the important part of this discussion. It's vital to understand the qualities of each of these factors, and even the specific implementation of each factor, when deciding how to implement MFA.

In the next blog post in this series, I will begin to explore the various qualities of the Knowledge factors, then move onto Possession and Inherence in subsequent posts.