FSTC BMA Project's Taxonomy of Authentication Techniques
The BMA Project concluded that effective authentication generally requires combining multiple authentication techniques to achieve adequate confidence in the authenticity of claims made by subjects. So-called multi-factor authentication is one example of using multiple tests to assess the authenticity of claims, but other combinations of techniques are also useful. In reality, many systems (including human interactions) already use multiple authentication techniques. For example, an end user who wants to authenticate a Web site they are visiting might rely on the site's certificate and a padlock indicator; they may also look for a URL and DNS name they recognize, check for some sort of pre-shared secret (e.g., an image), and certainly expect the site to present information they recognize (e.g., logos, last login, correct settings, welcome message).
The attached Excel workbook was developed by the BMA Project as a tool that a financial institution could use to evaluate the use of multiple authentication techniques for various applications. It takes multiple approaches to characterizing the various authentication techniques, and it can be used to capture information (in multiple columns) about combinations of authentication techniques in order to look for adequate coverage, robustness, and effectiveness.
Participants in WSC will probably find section 1 of the taxonomy most relevant, as it provides a listing of all of the authentication techniques currently in use today. If anyone has questions about this taxonomy, feel free to contact Chuck Wade.
Download File: BMA_Taxonomy.xls