What Is Strong Authentication?

Strong authentication is generally considered to be a multi-factored method of confirming the identity of a person seeking access to information or entry into a restricted area. The factors for verifying the identity of an individual are something the person knows, something the person has and something physically particular to that person. A system requiring two of the three factors is a two-factor authentication system. This is the minimal level of verification necessary to be considered strong authentication.

The first of these identifying factors, something the person knows, is a presumably secret item of information. This might be a password or a personal identification number (PIN). The second factor, something the person has, is a unique item such as an identity document (ID), passport or hardware token. The third factor is a physically identifying characteristic such as a fingerprint or retinal scan. A common implementation of strong authentication using two of these factors is the use of a PIN number with a bankcard.

Multiple challenges to the same factor do nothing to enhance verification and are not considered to be strong authentication. Requiring the entry of a username, password and any number of other items of information that an individual might know is a challenge to only one factor. The same would be true for evaluating multiple biometric identifiers for an individual. The security of a system is made more difficult to compromise only by challenges to two or all three of the types of identity verification factors.

Computer access control often involves the use of strong authentication methods. Authenticating the identity of the user seeking access and then granting privileges previously assigned to that user is the common procedure. Access to corporate or even personal computers might involve an assigned password coupled with a smart card or use of a biometric device. After identity has been verified to satisfaction, the user might still be subject to restrictions put in place by the system administrator. Authentication does not necessarily imply authorization.

It generally is considered impossible to verify a user's identity with complete certainty. The reliability of an authentication system is often a tradeoff between security and ease of use or economic constraints. Successful use of strong authentication is directly tied to the reliability of the identifying factors involved. Companies who follow lax password management risk compromising one leg of authentication. The same is true for an individual if he or she uses the same password in all interactions.