How two-factor authentication and layered authentication differ

Learn how two-factor authentication and layered authentication differ and whether there a difference in the deployment and implementation of these two systems.

What is the difference between two-factor authentication and layered authentication? Is there a difference in the deployment and implementation of these two authentication systems?

Two-factor authentication uses, as the name implies, two factors to authenticate a user. Layered authentication uses multiple systems to authenticate a user -- some of which aren't traditional methods of authentication. Let's look at each and then compare.

There are three factors in the world of authentication: something you know, something you have and something you are. Something you know is a user ID and password. Something you have is something you might carry, such as smart cards and one-time password (OTP) tokens. Something you are is a physical characteristic , such as a fingerprint, a picture of a face or the tone of a voice. These are biometrics systems. Using any two of these together creates a two-factor authentication system. A user ID and password with an OTP token is a two-factor system. Another example would be a smart card and a PIN number, or a user ID and password with a fingerprint scanner.

Layered systems are a bit trickier. They often work behind the scenes, are invisible to the user, and gather a footprint of the user's habits, such as PC settings and network configurations, to build a unique profile of the user. PassMark, for example, uses a unique digital stamp chosen by the user when they first log on. Once the stamp is chosen, it is displayed back to them during subsequent logins. The idea behind this is if their unique stamp, or PassMark, isn't displayed, they might be logging on to a phishing or other malicious site.

Cyota also uses the layered approach, but as more of an anti-fraud detection system than a true authentication system. Like PassMark, it fingerprints a user's habits, but also checks for malicious and phishing sites and performs additional user verification tests if they find irregularities. For example, someone who normally logs on at the same time every day from the same PC in Cincinnati, but then logs on in the middle of the night from Kiev, gets a red flag for that extra check. These systems can be effective and do provide an extra level of protection, like two-factor authentication, but they aren't two-factor systems. In reality, they don't authenticate the user, but rather their PC. They function like two-factor systems, but are fraud fighters more than authenticators.

This issue became hot last October when the Federal Financial Institutions Examination Council (FFIEC) released its guidance recommending two-factor authentication for all Internet banking. The FFIEC lumped two-factor and layered systems together and claimed that both could adequately comply with their directive. However, it's important to remember that they aren't the same. They may provide the same protection, but they're deployed differently. Study them carefully to determine which meshes better with your systems before choosing an implementation to meet the FFIEC guidance.

Read more on Identity and access management products