Two-Factor vs. Multi-Factor Authentication: A Stark Difference

If there’s one thing you should remember from geometry class in 7th grade, it’s the fact that every square is a rectangle, but not every rectangle is a square. The criteria that define one object do not always cover the criteria for the other. This is the same problem we face when talking about two-factor and multi-factor authentication. Because the two sound similar, it’s common for security providers to advertise that their products have “multi-factor authentication” when they do not.

To better explain the distinction between two-factor and multi-factor authentication, we must first have a look at single-factor authentication. The United States National Institute of Standards and Technology (NIST) defines single-factor authentication under the definition for “Level 2” e-authentication within its paper on information security: “For single factor authentication, Memorized Secret Tokens, PreRegistered Knowledge Tokens, Look-up Secret Tokens, Out of Band Tokens, and Single Factor One-Time Password Devices are allowed at Level 2.”

To simplify that definition, let’s just think of single-factor authentication as anything that requires a simple username and password (something you know). The authentication process is performed through a piece of knowledge that’s unique to the user logging in. So, to recap: single-factor equals password.

Now that we have that out of the way, let’s have a look at two-factor authentication. Besides “something you know,” two-factor authentication includes “something you have.” This could come in the form of a smart card, a USB stick, or an SMS message sent to the user’s phone with a code, which is then entered in an extra field. Two-factor authentication adds one of these to the original username/password pair. So now you have the username, the password, and (for example) a smart card that you insert into the system. The simplest and most common two-factor authentication example in real life is the bank machine where you withdraw money using your bankcard. You must insert the bankcard (“something you have”) and type a PIN (“something you know”) before completing a transaction or withdrawing money.

Multi-factor authentication is not much more complicated than its two-factor counterpart. Within this article, we will refer to multi-factor authentication as having more than two factors. It’s a common misconception to believe that one is somehow safer using a service that offers “multi-factor authentication” when what the service really means is “two-factor authentication.” The reality is that, while you use “something you know” and “something you have” to authenticate into these platforms, you are missing one element: “something you are.”

Multi-factor authentication achieves the “something you are” component by requiring biometric authentication. Such authentication often includes fingerprinting, retinal scanning, voice recognition, or facial recognition. Some laptops, for example, ask you to type a password and show your face to the webcam, so that no one can access the machine without actually being you. Systems like these rely on your biological attributes to ensure your identity, virtually eliminating any possibility of identity theft. A thief can steal a USB stick or smart card, and a hacker can get his hands on your password, but you seldom hear of someone replicating a fingerprint. Stealing a biometric attribute is not as easy as Hollywood movies make it look. It’s also not likely that you have an evil twin in Russia.
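The distinction the last three paragraphs draw can be made concrete in code. The following is an added example, not code from the original article: a small login verifier that checks a password (“something you know”), a code from a one-time-password device (“something you have”; the article names SMS codes and smart cards, so using an RFC 6238 TOTP device, one of the NIST “Single Factor One-Time Password Devices” quoted earlier, is an assumption), and a biometric result assumed to come from a hypothetical matcher (“something you are”). It then counts how many distinct categories passed, which is the article’s point: two passwords are still single-factor, and only know + have + are is multi-factor in this article’s sense.

```python
import hashlib
import hmac
import os
import struct
import time

# The three factor categories the article describes.
KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Store a password as (salt, PBKDF2-SHA256 digest), never in the clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest ("something you know")."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def check_totp(secret: bytes, code: str, now: float = None, step: int = 30, skew: int = 1) -> bool:
    """RFC 6238 TOTP check for an OTP device ("something you have"); tolerates +/- skew steps."""
    t = int((time.time() if now is None else now) // step)
    matches = [hmac.compare_digest(hotp(secret, t + d), code) for d in range(-skew, skew + 1)]
    return any(matches)

def count_factors(results: list) -> int:
    """Number of DISTINCT categories that verified. Two passwords are still one factor."""
    return len({category for category, ok in results if ok})

def classify(results: list) -> str:
    """Label the login the way the article does: 0, 1, 2, or 3+ distinct factors."""
    n = count_factors(results)
    return {0: "no factor", 1: "single-factor", 2: "two-factor"}.get(n, "multi-factor")

if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")  # constructed sample password
    otp_secret = b"12345678901234567890"                          # RFC 6238 test-vector secret
    results = [
        (KNOW, check_password("correct horse battery staple", salt, digest)),
        (HAVE, check_totp(otp_secret, hotp(otp_secret, int(time.time() // 30)))),
        (ARE, False),  # hypothetical biometric matcher reported no match
    ]
    print(classify(results))  # two-factor: know and have passed, are did not
```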

When companies advertise their services, be wary of those who advertise “multi-factor authentication.” They might not be trying to mislead, but you should not fall victim to the ambiguous nature of the term. Put on your thinking cap and find out exactly which factors the service includes in its authentication process. Call their support line to get more information if you can’t find anything on their site. A little bit of investigation can save you a bit of trouble in determining whether the services offered to you are secure enough for you and worth the money you pay for them!