1.5 Factor authentication


Some of us were discussing SSL over the internet access to a web resource. We discussed complex passwords for auth worst case and RSA best case. One of the guys brought up 1.5 factor authentication. I assumed this meant password plus something (maybe a cert)? I had never heard of this term. Googled it and even Binged it, and neither one had any results. Does anyone have experience with this term?

Dave Howe (Software and Hardware Engineer) commented:
Sure. It exists for solutions where the secondary factor can be derived from the traffic - one example would be this:


With this method, the user selects digits from the image based on a known secret (a pin, effectively) and enters them, along with their regular username/password pair.

Assuming an attacker could intercept and decode the traffic (difficult; this is SSL encrypted; a screenshot and keylogger combo would work though) they could derive the secret used to select digits from the choice of digits made; however, just a straight keylogger or straight screenshot would not do, as you would need both the image and the entered (selected) digits.

Hence, this is *almost* two factor; not quite a one-shot password, but more secure than a static password that a keylogger could capture.
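An added example, not part of the original answer, that models the scheme described above to show why it sits between one and two factors. The image is not available on the page, so the 10-character challenge string, the rule that each PIN digit selects a position in it, and all names and sample values are assumptions constructed for illustration.

```python
import hmac
from itertools import product

def respond(pin, challenge):
    """User side: PIN digit d picks the d-th challenge character (1-based, 0 = 10th)."""
    return "".join(challenge[(int(d) - 1) % 10] for d in pin)

def verify(pin, challenge, response):
    """Server side: recompute the expected digits for the challenge it issued."""
    return hmac.compare_digest(respond(pin, challenge), response)

def candidates(observations, pin_len=4):
    """Every PIN consistent with all captured (challenge, response) pairs."""
    return ["".join(p) for p in product("0123456789", repeat=pin_len)
            if all(respond(p, c) == r for c, r in observations)]

def remaining_after_each(observations):
    """Size of the candidate set after 1, 2, ... fully observed logins."""
    return [len(candidates(observations[:n]))
            for n in range(1, len(observations) + 1)]

# Constructed sample data (assumed format: 10 digits shown to the user per login).
PIN = "2468"
CHALLENGES = ["5931950283", "7406318829"]
OBSERVED = [(c, respond(PIN, c)) for c in CHALLENGES]

if __name__ == "__main__":
    first_challenge, first_response = OBSERVED[0]
    # Keystrokes alone: the logged digits are rejected against the next challenge.
    print("replayed digits accepted:",
          verify(PIN, CHALLENGES[1], first_response))
    # Image plus keystrokes: each fully observed login shrinks the PIN space.
    print("candidates after each observed login:", remaining_after_each(OBSERVED))
    print("PIN recovered from both logins:", candidates(OBSERVED))
```

Under these assumptions the entered digits change with every challenge, so a captured entry is useless on its own, while two logins observed together with their images leave a single consistent PIN. This is why the secret counts as less than a full second factor.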
Elemental12 (Author) commented:
Perfect answer and example, thank you so much.
Question has a verified solution.
