Secret and Authenticator
Effective digital authentication may rely on several factors, better known as authentication factors. The “secret” is what authenticates the subject (or claimant) to the verifier. An “authenticator” is the device, possessed or controlled by the subject, that contains or carries the secret.
Authentication factors are typically distinguished by how the authenticators are presented. For example:
- The password memorized in your brain.
- A private key stored in a device (e.g., ID badge, token, smart card, mobile phone, etc.)
- Biometric characteristics inherent in your body (e.g., fingerprints, signature dynamics, iris patterns, etc.)
In a narrow sense, the password is the secret and the brain is the authenticator. However, since we cannot present our “brain,” we offer only the password, so it is not uncommon for people to treat the password as the authenticator itself. Likewise, the private key is the secret; because it is too long to memorize, you store it in a smart card, which serves as the authenticator.
From the above definitions, we can derive the following well-known authentication factors:
- Something you know: the secrets memorized in your brain
- Something you have: the secrets stored in the authenticator
- Something you are: the secrets (biometric characteristics) inherent in your body
Multi-Factor Authentication (MFA)
Multi-factor authentication is an authentication method in which a subject is authenticated through two or more authentication factors. A bank card protected by a PIN code is a well-known MFA example. You have to possess the bank card and know the PIN code to withdraw money from the ATM.
Two-step authentication is a specialized form of MFA that combines two factors: something you know and something you have.
- The first step is typically a traditional login (something you know).
- The second step sends an authentication code or one-time password (OTP) to a device possessed by the user (something you have) through an out-of-band mechanism (e.g., SMS, app notification, or email).
Is OTP a Something-you-know Factor?
A friend asked me this question today. My answer is NO. Instead, it is the something-you-have factor.
A one-time password (OTP) is typically generated randomly by a software or hardware token. It can be generated on the client side or the server side. Users don’t have to memorize it, but they have to possess or control something to receive it.
Moreover, the OTP itself is a secret, not the authenticator. An authentication factor takes both the secret and the authenticator into consideration.
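As an added illustration (not part of the original post), here is a Python model of the two-step flow described under Multi-Factor Authentication and of the software-token OTP discussed in this section: the shared seed is the secret, the device object that holds it is the authenticator, and the verifier checks the password (something you know) and the OTP (something you have) as two separate factors. It assumes the OTP is a TOTP per RFC 6238 (HOTP per RFC 4226 driven by a time-derived counter), which is one common way software and hardware tokens produce codes; the Verifier and Authenticator class names, the PBKDF2 parameters and the one-step drift window are choices made for this example, and the seed used in the check is the RFC's published test value.

```python
import hashlib
import hmac
import os
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(seed, now // step, digits)


def verify_totp(seed: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side
    (tolerates clock drift between token and server). compare_digest keeps
    the comparison constant-time so a wrong code does not leak how many
    leading digits matched."""
    matched = False
    for delta in range(-window, window + 1):
        candidate = totp(seed, now + delta * step, step, digits)
        if hmac.compare_digest(candidate, code):
            matched = True
    return matched


class Authenticator:
    """The device the user possesses (phone app or hardware token). It holds
    the seed; the user never memorizes it and only reads off the current code."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def current_code(self, now: int) -> str:
        return totp(self._seed, now)


class Verifier:
    """Server side: keeps a salted password hash (step 1) and the shared seed
    (step 2). The cleartext password is never stored."""

    PBKDF2_ROUNDS = 200_000  # example parameter, not a recommendation

    def __init__(self) -> None:
        self._users: dict = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   self.PBKDF2_ROUNDS)

    def enroll(self, user: str, password: str) -> Authenticator:
        salt = os.urandom(16)
        seed = os.urandom(20)  # the something-you-have secret
        self._users[user] = (salt, self._hash(password, salt), seed)
        return Authenticator(seed)  # provisioned onto the user's device

    def login(self, user: str, password: str, code: str, now: int) -> dict:
        record = self._users.get(user)
        if record is None:
            return {"something_you_know": False, "something_you_have": False,
                    "authenticated": False}
        salt, pw_hash, seed = record
        # Evaluate both factors rather than short-circuiting, so the response
        # time does not reveal which factor failed.
        know = hmac.compare_digest(self._hash(password, salt), pw_hash)
        have = verify_totp(seed, code, now)
        return {"something_you_know": know, "something_you_have": have,
                "authenticated": know and have}


if __name__ == "__main__":
    verifier = Verifier()
    device = verifier.enroll("alice", "correct horse battery staple")
    t = 1_700_000_000  # constructed timestamp
    print(verifier.login("alice", "correct horse battery staple",
                         device.current_code(t), t))
```

The point the model makes concrete is that the OTP the user types is derived from a secret that lives only in the device and on the server; the user contributes possession of the device, not memory of anything, so the second factor is something you have even though it is entered like a password.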