There are several different methods for authenticating a user context to an online service. Traditionally, online service providers have relied on usernames and passwords for online authentication. Considering, however, the sensitive and personal information that people share on the Web, relying on a single layer of password protection is not enough.
Multi-factor authentication is an approach that has recently become more widespread in online authentication systems. Its purpose is to increase the probability that a user requesting access to an online service is presenting accurate identity authentication information. Multi-factor online authentication typically requires a user to enter a username and password, as well as pass an additional identification test specified by the online service provider.
The authentication factors generally fall within three categories: something you know, something you have, or something you are. A password is the typical example of something you know. Each authentication factor may be required to authenticate or verify a person's identity before, for example, granting access, approving a transaction request, signing a document or other work product, granting authority to others, or establishing a chain of authority.
One of the three general authentication categories (approaches) may include ownership factors, that is, something the user has (e.g., wrist band, ID card, security token, software token, phone, or cell phone). Another authentication category may include knowledge factors, which may be something the user knows (e.g., a password, pass phrase, personal identification number (PIN), or challenge response, in which the user must correctly answer a question). Another authentication category may include inherence factors, which may be something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence, signature, face, voice, unique bio-electric signals, or other biometric identifier).
There has been a recent trend in online authentication to rely on SMS as a second factor alongside username and password. While online banks have been using SMS-enhanced authentication for transaction verification for some time, more recently online businesses outside the regulated banking industries have recognized the need for stronger online authentication protocols and have been employing SMS as a second factor for authentication. Google and Facebook, for example, have recently made two-factor SMS authentication available to their users.
Another authentication approach is for a service provider to equip the user with a One Time Password (OTP) device. The device generates a string of numbers that changes regularly and, when combined with the user's username and password, can be used to more securely identify the individual requesting access to the service provider.
Another authentication approach uses a picture the user has selected. The user points to a sequence of locations on the picture which only he or she knows. This pattern cannot be written down as easily as a password, and yet can be more memorable, thus making it potentially more reliable and user-friendly than passwords.