Authenticator types

This guide describes various authenticator types and provides examples and considerations for their use. It does not prescribe the use of any specific authenticator.

Help us create the best guidance possible

If you would like anything added to or clarified in this guidance, email the Identification Management team at identity@dia.govt.nz.

Introduction

Definitions of key terms used in this guidance are in Identification terminology.

This guidance will evolve and expand over time to meet the needs of users and is part of the wider Identification Standards.

Authentication and authenticators

Authentication is a process by which an entity, who has already enrolled with a service or organisation, is subsequently recognised on their return without having to fully repeat the enrolment process.

Authenticators are mechanisms used within an authentication process. They are things known and/or possessed and controlled by an entity that they use to be recognised when they return to a service or organisation.

Authentication factors

Authenticators are classified using 3 different authentication factors, generally described as:

  • something you know
  • something you have
  • something you are.

During an authentication process an authenticator holder is challenged to respond to the authentication factor the authenticator uses.

Multi-factor authentication (MFA) is when 2 or more factors are used together to form an authenticator.

Something you know

‘Something you know’-type authenticators are challenges based on information or patterns that you know or need to remember.

Common examples are memorised secrets (such as a personal identification number (PIN) and passwords) but also include swipe patterns such as those used to unlock mobile phones.

They do not include questions asked in order to associate an entity with entity information where no pre-arranged authenticator exists, such as knowledge-based questions based on information generated by the history of the relationship (for example, last purchase made).

Memorised secrets

Shared secrets

One-time passwords (OTPs)

Something you have

‘Something you have’-type authenticators are challenges that test possession of a unique physical object, such as a bank or access card or mobile phone. The test can be on the physical presence of the object itself, or a code or identifier that is linked to the object, such as a code sent by short message service (SMS) to a mobile device, or a code displayed on a hardware token.

Document or card

Recognisable device

Look-up codes

One-time code generators

One-time code receivers

Cryptographic keys

Location

Something you are

‘Something you are’-type authenticators are challenges based on characteristics intrinsically linked to a person and can be either biological (as with fingerprints) or behavioural (as with typing patterns). Automated authentication based on this factor is commonly called biometric recognition.

Manual comparison

Biometric recognition

Multi-factor authentication (MFA)

Description

MFA is an authentication method that uses challenges and responses from 2 or more of the 3 types of authentication factor:

  • something you know (for example, a password)
  • something you have (for example, a smart phone)
  • something you are (for example, a fingerprint).

Note:

Using 2 types of the same factor is not multi-factor authentication. For example, a password and personal information are both ‘something you know’, so using them together would still be single-factor authentication.

Examples

Accessing a bank account through an automatic teller machine (ATM): the PIN (something you know) and the ATM card (something you have).

Accessing a building: a guard checks a person’s face against a stored image (something you are), and the person also swipes an access card (something you have) and enters a 4-digit code (something you know).

Considerations

Multi-factor authentication makes it more likely that a wide range of threats to the authentication process can be mitigated.

However, multi-factor authentication systems increase the cost of authentication, both to the organisation and to the authenticator holders who need to use them. This cost may not be financial but could be in the form of convenience and usability.
