Two-Factor Authentication (T-FA)
What is two-factor authentication?
Two-factor authentication is a term used to describe any authentication mechanism where more than one thing is required to authenticate a user.
The two components of two-factor authentication are:
- Something you know.
- Something you have.
Traditional authentication schemes used username and password pairs to authenticate users. This provides minimal security, because many user passwords are very easy to guess.
In two-factor authentication, the password still provides the something you know component.
In the most common implementations of two-factor authentication, the something you have component is provided by a small token card. The token card is a compact electronic device which displays a number on a small screen. By entering this number into the system when you attempt to authenticate (login), you prove that you are in possession of the card.
The number displayed by the card changes frequently, usually every 30 or 60 seconds. The system which you are authenticating to knows the number which should be on your screen. If the numbers match and your password is correct, you are authenticated.
See Wikipedia T-FA for another definition.
Cornell Specific
We implement two-factor authentication using SecurID key fobs from a company called RSA. Our key fobs have 6-digit displays which change on 60-second intervals. The 6-digit number may only be used once per authentication attempt (to avoid sniffing and replay attacks). In addition to the number displayed, the SecurID user must also use a 4-8 digit PIN, which is prepended to the number displayed. The PIN is set the first time the key fob is used, and is known only to the owner of the fob.
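The server-side check described above (PIN prepended to a 6-digit number that changes every 60 seconds and is accepted only once) can be sketched as follows. This is an added example, not Cornell's or RSA's code: the SecurID algorithm is not given on this page, so the generator is RFC 6238 TOTP used as a stand-in, and the `Verifier` class, its method names and the sample seed, salt and PIN are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each number stays on the display, as described above
DIGITS = 6   # length of the displayed number

def tokencode(seed: bytes, now: float) -> str:
    """Stand-in generator: RFC 6238 TOTP (HMAC-SHA1), not RSA's SecurID algorithm."""
    counter = struct.pack(">Q", int(now) // STEP)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Verifier:
    """Hypothetical server side: holds each seed and PIN hash, remembers used steps."""

    def __init__(self):
        self.users = {}      # user -> (seed, salt, pin_hash)
        self.last_step = {}  # user -> last 60-second step already accepted

    def enroll(self, user: str, seed: bytes, pin: str, salt: bytes) -> None:
        if not (pin.isdigit() and 4 <= len(pin) <= 8):
            raise ValueError("PIN must be 4-8 digits")
        self.users[user] = (seed, salt, _pin_hash(pin, salt))

    def verify(self, user: str, passcode: str, now: float) -> bool:
        if user not in self.users or not passcode.isdigit() or len(passcode) <= DIGITS:
            return False
        seed, salt, pin_hash = self.users[user]
        # The PIN length varies, so split from the right: the last 6 digits are the number.
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        step = int(now) // STEP
        pin_ok = hmac.compare_digest(_pin_hash(pin, salt), pin_hash)      # something you know
        code_ok = hmac.compare_digest(code, tokencode(seed, now))         # something you have
        fresh = self.last_step.get(user, -1) < step                       # single use
        if pin_ok and code_ok and fresh:
            self.last_step[user] = step  # burn this step so a sniffed passcode cannot be replayed
            return True
        return False
```

A production verifier would also tolerate small clock drift between fob and server and lock out after repeated failures; both are omitted here.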
