Strong authentication
Strong authentication is a notion with several unofficial definitions; it is not standardized in the security literature.
Often, strong authentication is associated with two-factor authentication or, more generally, multi-factor authentication. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves 'something you have' or 'something you are', it would not be considered multi-factor. The FFIEC issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication."
Another commonly found class of definitions relates to a cryptographic process or, more precisely, authentication based on a challenge-response protocol. This type of definition is found in the Handbook of Applied Cryptography. It does not necessarily relate to two-factor authentication, since the secret key used in a challenge-response authentication scheme can simply be derived from a password (one factor).
A third class of definitions says that strong authentication is any form of authentication in which the verification is accomplished without the transmission of a password. This is the case, for example, with the definition found in the Fermilab documentation.
Thus, the term strong authentication can be used as long as the notion of "strong" is defined in the context of use.
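The second and third definitions can be seen together in a short sketch, added here as an illustration and not taken from the original article or any of the sources it cites: a challenge-response exchange in which the key is derived from a password and the password itself is never transmitted. The choice of PBKDF2-HMAC-SHA256 and HMAC-SHA256, the iteration count, and all names (`derive_key`, `respond`, `Verifier`, `demo`) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def derive_key(password: str, salt: bytes) -> bytes:
    """Secret key derived from the password alone: still one factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client: answer the challenge with an HMAC keyed by the derived key."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


class Verifier:
    """Server: stores salt and derived key; the password never crosses the wire."""
    def __init__(self, salt: bytes, key: bytes):
        self.salt = salt
        self._key = key  # password-equivalent, so protect it at rest
        self._pending = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:  # unknown or already used challenge
            return False
        self._pending.discard(nonce)  # single use defeats replay
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    salt = secrets.token_bytes(16)
    server = Verifier(salt, derive_key(password, salt))
    nonce = server.new_challenge()
    resp = respond(password, salt, nonce)
    accepted = server.verify(nonce, resp)
    replayed = server.verify(nonce, resp)  # same bytes sent again
    nonce2 = server.new_challenge()
    wrong = server.verify(nonce2, respond("not the password", salt, nonce2))
    on_wire = password.encode() in salt + nonce + resp
    return {"accepted": accepted, "replayed": replayed, "wrong": wrong, "password_on_wire": on_wire}
```

The exchange is "strong" under the challenge-response and no-password-transmission definitions, yet it remains single-factor: everything the client proves follows from the password alone.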