Principles of Authentication
Shareholder authentication involves testing the identity of a user through the use of one or more “factors,” each of which may be implemented through one or more specific means, or “measures.”
There are three “traditional” factors for testing user identities:
- The first traditional authentication factor, what you know, involves testing the identity of a user on the basis of something the user knows which is unique to that user. Reliance solely on this first authentication factor is generally referred to as Single-Factor Authentication. One very common measure to implement this factor is to require a user to enter a username and password. Sometimes this factor may be implemented through use of additional measures, as well (e.g., asking Knowledge-Based Authentication questions about a user’s personal life). The use of multiple measures (e.g., a username/password and knowledge-based questions) to implement this first factor is often referred to as Enhanced Authentication.
- The second traditional authentication factor, what you have, involves testing the identity of a user on the basis of something unique that the user has in his or her possession (often a particular device). Measures used to implement this second factor may include issuing and requiring the use of a hardware identification token or smartphone. Reliance on both what a user has and what a user knows is often referred to as Two-Factor Authentication.
- The third authentication factor, what you are, involves testing the identity of a user using “biometrics” (i.e., a biological characteristic or attribute unique to the user). Measures used to implement this third factor may include establishing the identity of a user based on his or her voice, fingerprint, retinal or iris pattern, artery pattern, or DNA.
All else being equal, authentication systems relying on Multi-Factor Authentication (i.e., the use of a combination of the first factor and one or both of the other two factors) are viewed as offering stronger protection than those relying on a single factor. Systems relying on all three of the factors are viewed as offering stronger protection than those relying on just two factors.
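The distinction the taxonomy above draws between measures and factors is easy to lose in practice: a password plus knowledge-based questions is two measures but still one factor (Enhanced, not Two-Factor). The following added example, which is not part of the original text, classifies a proposed set of measures by the distinct traditional factors they cover; the measure names and the measure-to-factor table are assumptions made for illustration.

```python
# Added example (not from the original text): classify a set of authentication
# measures by the distinct factors they cover, following the taxonomy above.
# Measure names and the measure-to-factor table are assumptions for illustration.

TRADITIONAL = ("know", "have", "are")

# Assumed mapping from concrete measures to the factor each one exercises.
MEASURE_FACTOR = {
    "password": "know",
    "kba_questions": "know",         # knowledge-based questions: still "what you know"
    "hardware_token": "have",
    "smartphone_otp": "have",
    "fingerprint": "are",
    "voice": "are",
    "geolocation": "where",          # non-traditional factor, not counted below
    "behavioral_pattern": "behave",  # non-traditional factor, not counted below
}


def classify(measures):
    """Return (number of distinct traditional factors, label) for a policy.

    Factors are counted, not measures: two measures of "what you know"
    still yield a single factor, which the label reflects.
    """
    measures = list(dict.fromkeys(measures))  # drop duplicates, keep order
    factors = set()
    for m in measures:
        if m not in MEASURE_FACTOR:
            raise ValueError(f"unknown measure: {m}")
        factors.add(MEASURE_FACTOR[m])
    traditional = factors.intersection(TRADITIONAL)
    knowledge_measures = sum(1 for m in measures if MEASURE_FACTOR[m] == "know")

    if "know" not in traditional:
        label = "Outside the traditional taxonomy (no knowledge factor)"
    elif traditional == {"know"}:
        label = ("Single-Factor Authentication" if knowledge_measures == 1
                 else "Enhanced Authentication")
    elif traditional == {"know", "have"}:
        label = "Two-Factor Authentication"
    elif len(traditional) == 3:
        label = "Three-Factor Authentication"
    else:  # "know" combined with "are" only
        label = "Multi-Factor Authentication"
    return len(traditional), label


if __name__ == "__main__":
    for policy in (["password"], ["password", "kba_questions"],
                   ["password", "smartphone_otp"],
                   ["password", "hardware_token", "fingerprint"]):
        print(policy, "->", classify(policy))
```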
Certain current and/or proposed authentication measures may not always fit neatly within the framework of the three traditional factors. In order to categorize such measures, some experts have articulated additional, non-“traditional” authentication factors. These include: (1) where you are (e.g., assessing where a user is located based on information provided by the user’s computer or mobile device); (2) how you behave (or what you do) (e.g., analyzing patterns of behavior with respect to logging in, navigating the website, or engaging in transactions); and (3) somebody you know (e.g., having your identity verified by one or more financial or other institutions).
Authentication is often viewed as primarily a one-way process, which focuses on testing the identity of a user. But authentication can also be a two-way process (i.e., Mutual Authentication). Mutual Authentication addresses concerns of users who may wish to have greater confidence that they are dealing with their financial institutions, and not with fraudsters. Examples of measures used in Mutual Authentication include the use of digital certificates and/or the use of images while logging into certain financial institution websites, with a caution to users not to proceed unless the images displayed are those that are pre-selected by users.
Authentication measures also may be referred to as “positive” or “negative.” Many authentication measures, including those relating to the three traditional authentication factors discussed above, are “positive” measures, in the sense that they are intended to positively identify a person seeking to effect a transaction as the shareholder (or other authorized person). Other authentication measures may be viewed as “negative,” in the sense that they are chiefly intended to screen out probable impostors. These Negative Authentication measures (or “de-authentication” measures) may be used to establish the identity of the person seeking to effect a transaction as somebody other than the shareholder. For example, a person’s ability to provide a shareholder’s Social Security number or address of record may not positively identify the person as the shareholder, but the inability to provide such basic information suggests that the person is an impostor.