Whether the aim is to comply with regulatory constraints such as the European Payment Services Directive (PSD2) or the French military planning act (LPM), to strengthen the security of access to the information system, or to improve the user experience by removing passwords, strong authentication (two-factor or multi-factor) is an excellent response to these three major issues, which lie at the heart of a global IAM strategy.
Strong authentication can be defined as the combination of at least two of the following authentication factors: something I know and am the only one to know (password, PIN code, etc.); something I possess (smart card, certificate, token, smartphone, etc.); something I am or something I do (fingerprint, face, voice, behaviour, etc.). Two credentials of the same kind, such as a password and a security question, count as a single factor, not two. Ideally, at least one of the factors should be one-time, meaning valid for a single use, so that a credential captured in transit cannot be replayed later; a combination of purely static factors is sometimes described merely as “strong” authentication. In practice, however, it is the terms “MFA” (multi-factor authentication) and “2FA” (two-factor authentication) which are used nowadays for strong authentication with several factors.
Authentication can also be adaptive: in this case, the level of authentication, and hence of security, required to access each application of the information system is adjusted to the user’s context. The decision then rests on a risk assessment, based for example on detecting an access attempt from a new device, from a new location or at an unusual time. To access the same application or use the same workstation, the user may therefore be asked for different levels of authentication, depending on how their current level of trust is evaluated.
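The two ideas above, a one-time factor that cannot be replayed and an adaptive policy that decides when to demand it, can be shown end to end in a small example. The following code is written for this article and is not taken from any product or standard implementation: the signal names (device, country, hour), their weights and the score thresholds are assumptions chosen to keep the behaviour readable. The one-time code is HOTP as specified in RFC 4226 (HMAC-SHA1 over a counter), and the verifier refuses any counter that has already been consumed, which is what makes the factor one-time.

```python
"""Adaptive step-up authentication with a replay-resistant one-time factor.

Illustrative example written for this article, not the code of any product.
Signal weights and thresholds are assumptions; the OTP is HOTP (RFC 4226).
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Authentication levels the risk engine can demand (assumed names).
PASSWORD_ONLY = "password"
PASSWORD_PLUS_OTP = "password+otp"
DENY = "deny"


@dataclass
class UserHistory:
    """What the identity provider remembers about a user's past logins."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)  # hours (0-23) seen before
    last_otp_counter: int = -1                      # highest HOTP counter accepted


@dataclass
class LoginContext:
    device_id: str
    country: str
    hour: int  # local hour of the attempt, 0-23


def risk_score(history: UserHistory, ctx: LoginContext) -> int:
    """Add up the weight of every unfamiliar signal in the login context.

    Weights are assumptions: an unknown device counts more than an unknown
    country, which counts more than an unusual hour."""
    score = 0
    if ctx.device_id not in history.known_devices:
        score += 40
    if ctx.country not in history.known_countries:
        score += 30
    if ctx.hour not in history.usual_hours:
        score += 20
    return score


def required_level(history: UserHistory, ctx: LoginContext) -> str:
    """Map the context to the level the user is asked for.

    Thresholds are assumptions: any single unfamiliar signal (>= 20) steps
    up to the one-time factor; an unknown device together with an unknown
    country (>= 70) is refused outright."""
    if not history.known_devices:
        # First login: nothing to compare against, so always ask for the
        # one-time factor and let a success seed the history.
        return PASSWORD_PLUS_OTP
    score = risk_score(history, ctx)
    if score >= 70:
        return DENY
    if score >= 20:
        return PASSWORD_PLUS_OTP
    return PASSWORD_ONLY


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_otp(history: UserHistory, secret: bytes, code: str, window: int = 5) -> bool:
    """Accept a code only for a counter strictly above the last accepted one,
    within a small look-ahead window. A code that was already used matches a
    consumed counter and is rejected, so a captured code cannot be replayed."""
    start = history.last_otp_counter + 1
    for counter in range(start, start + window):
        if hmac.compare_digest(hotp(secret, counter), code):
            history.last_otp_counter = counter
            return True
    return False


def authenticate(history: UserHistory, ctx: LoginContext, password_ok: bool,
                 secret: bytes = b"", otp: str = None):
    """Run the adaptive flow; return (level demanded, accepted?).

    On success the context is remembered, so the same device, country and
    hour stop raising the risk score on later logins."""
    level = required_level(history, ctx)
    if level == DENY or not password_ok:
        return level, False
    if level == PASSWORD_PLUS_OTP and (otp is None or not verify_otp(history, secret, otp)):
        return level, False
    history.known_devices.add(ctx.device_id)
    history.known_countries.add(ctx.country)
    history.usual_hours.add(ctx.hour)
    return level, True
```

A real deployment would derive the device signal from a registered certificate or a device cookie rather than a bare identifier, and would back the history store with the identity provider's session and audit data; the structure of the decision, score the unfamiliar signals, map the score to a level, consume the one-time factor exactly once, stays the same.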