There are three factors in the world of authentication: something you know, something you have and something you are. Something you know is a user ID and password. Something you have is something you might carry, such as smart cards and one-time password (OTP) tokens. Something you are is a physical characteristic , such as a fingerprint, a picture of a face or the tone of a voice. These are biometrics systems. Using any two of these together creates a two-factor authentication system. A user ID and password with an OTP token is a two-factor system. Another example would be a smart card and a PIN number, or a user ID and password with a fingerprint scanner.
Layered systems are a bit trickier. They often work behind the scenes, are invisible to the user, and gather a footprint of the user's habits, such as PC settings and network configurations, to build a unique profile of the user. PassMark, for example, uses a unique digital stamp chosen by the user when they first log on. Once the stamp is chosen, it is displayed back to them during subsequent logins. The idea behind this is if their unique stamp, or PassMark, isn't displayed, they might be logging on to a phishing or other malicious site.
Cyota also uses the layered approach, but as more of an anti-fraud detection system than a true authentication system. Like PassMark, it fingerprints a user's habits, but also checks for malicious and phishing sites and performs additional user verification tests if they find irregularities. For example, someone who normally logs on at the same time every day from the same PC in Cincinnati, but then logs on in the middle of the night from Kiev, gets a red flag for that extra check. These systems can be effective and do provide an extra level of protection, like two-factor authentication, but they aren't two-factor systems. In reality, they don't authenticate the user, but rather their PC. They function like two-factor systems, but are fraud fighters more than authenticators.
This issue became hot last October when the Federal Financial Institutions Examination Council (FFIEC) released its guidance recommending two-factor authentication for all Internet banking. The FFIEC lumped two-factor and layered systems together and claimed that both could adequately comply with their directive. However, it's important to remember that they aren't the same. They may provide the same protection, but they're deployed differently. Study them carefully to determine which meshes better with your systems before choosing an implementation to meet the FFIEC guidance.
This was first published in June 2010