Description: Type 2 authentication involves physical devices that a user possesses, which can be used to authenticate their identity. These devices offer an additional layer of security beyond something a user knows (Type 1).
Examples:
- Key: A physical key used to unlock doors or access physical locations.
- Swipe Card/Access Card/Badge: Cards that can be swiped or scanned to grant physical or logical access. Often used in conjunction with a PIN or password for two-factor authentication.
- Tokens: Devices that generate or store authentication data.
Types of Tokens:
- Static Password Token:
  - Description: The user authenticates to the token, and the token then authenticates to the information system. This token typically contains a static password or other credentials that are used repeatedly.
  - Example: Smart cards that contain a static digital certificate or key.
- Synchronous (Time-Based) Dynamic Tokens:
  - Description: These tokens generate a dynamic, one-time password (OTP) that changes at regular intervals, typically based on time synchronization between the token and the authentication server.
  - Example: SecurID tokens that display a new OTP every 60 seconds.
- Asynchronous (Not Time-Based) Tokens:
  - Description: These tokens generate a dynamic password in response to a challenge from the server. The server sends a nonce (a random value), which the token uses to generate a one-time password. When combined with a PIN, this method provides strong authentication.
  - Example: Tokens that use challenge-response authentication, where the user enters a challenge provided by the system into the token, which then generates a response to be entered back into the system.
- Challenge/Response Tokens:
  - Description: These tokens generate a response to a challenge provided by a system or workstation. The challenge may be a random number or a specific request, and the token provides a corresponding response.
  - Types:
    - Synchronous: Relies on timing mechanisms, such as a time-synchronized challenge and response.
    - Asynchronous: Based on a non-timed challenge provided by the server, with the token generating a response to that specific challenge.
Key Concepts:
- Time Synchronization: Critical for synchronous tokens, where the token and the server must be in sync for the authentication to be successful.
- Nonce: A random value sent by the server to the token in asynchronous systems, ensuring that each authentication attempt is unique.
- Strong Authentication: Combining Type 1 (something you know) with Type 2 (something you have) creates a strong authentication mechanism, making it more difficult for attackers to compromise.
Type 2 authentication methods enhance security by requiring possession of a physical device, which must be combined with knowledge (e.g., a PIN) to access systems or data.
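Added example (not from the original notes): a small Python model of both token styles on the server side. The time-based verifier uses an HOTP/TOTP-style HMAC truncation (RFC 4226/6238) with a 60-second step and a one-step drift window, and the asynchronous verifier issues a random nonce that is accepted exactly once. The seed, step and drift values are constructed for illustration and are not any vendor's algorithm.

```python
import hashlib
import hmac
import secrets
import struct

def hotp_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 dynamic truncation, as in RFC 4226 (constructed demo)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp_code(seed: bytes, now: int, step: int = 60) -> str:
    """Synchronous token: the counter is the current 60-second time step."""
    return hotp_code(seed, now // step)

def verify_totp(seed: bytes, code: str, now: int, step: int = 60, drift: int = 1) -> bool:
    """Server check: accept the current step plus/minus `drift` steps so small
    clock skew between token and server does not reject a valid OTP."""
    for delta in range(-drift, drift + 1):
        if hmac.compare_digest(totp_code(seed, now + delta * step, step), code):
            return True
    return False

def token_response(seed: bytes, nonce: str) -> str:
    """Asynchronous token: response derived from the server's challenge."""
    return hmac.new(seed, nonce.encode(), hashlib.sha256).hexdigest()[:8]

class ChallengeServer:
    """Issues one-time nonces and verifies the token's response to them."""
    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.outstanding: set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)      # random, so every attempt is unique
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        if nonce not in self.outstanding:  # unknown, expired, or already used
            return False
        self.outstanding.discard(nonce)    # single use: a replay fails below
        expected = token_response(self.seed, nonce)
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    seed = b"constructed-demo-seed"      # would be provisioned per token
    now = 1_700_000_000                    # fixed clock for a repeatable demo
    print("TOTP ok:", verify_totp(seed, totp_code(seed, now), now))
    srv = ChallengeServer(seed)
    n = srv.challenge()
    print("challenge ok:", srv.verify(n, token_response(seed, n)))
```

Replaying a captured OTP outside the drift window, or replaying a response to an already-consumed nonce, is rejected by the two verifiers above; that is the property the Nonce and Time Synchronization concepts describe.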