Updated: July 11, 2020 (November 19, 2001)
Sidebar: Multi-Factor Authentication
Multi-factor authentication strengthens system security by requiring users to supply at least two of the following types of credentials:
- Something you know (a password or PIN)
- Something you have (a smart card or token card)
- Something you are (a unique biometric identifier, such as a fingerprint, iris scan, retinal scan, or voice print).
A smart card protected by a PIN is one form of two-factor authentication, but Windows 2000 also supports other forms.
Using third-party software, Windows 2000 and its predecessor Windows NT can support third-party “token cards,” which are small devices with a clock, a processor, and a single-line display. In these products, represented primarily by RSA Security's SecurID product line, each token card generates a new, temporary log-on string every minute, which the user then types along with a PIN code into the regular password field in the Windows log-on dialog box. Since the users' passwords are constantly changing, this solution also requires special servers that synchronously generate the same code values as the token cards. Special client-side software sends the log-on information to special SecurID servers that perform the initial user authentication and then pass the results to Windows 2000 Kerberos domain controllers to complete the log-on. These SecurID servers have their own user account databases that must be kept synchronized with each other and with Active Directory.
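The time-synchronized check described above can be sketched as follows. This is an added example, not code from the article or from RSA: the code derivation is an HMAC-SHA256 stand-in rather than the SecurID algorithm, and the names `tokencode` and `AuthServer`, the six-digit length, the PIN-then-code ordering, and the one-interval drift window are all assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP = 60    # seconds per code; the article says a new string every minute
DIGITS = 6   # assumed display length

def tokencode(seed: bytes, now: float) -> str:
    # Stand-in derivation (HMAC-SHA256 over the interval counter), not RSA's algorithm.
    mac = hmac.new(seed, struct.pack(">Q", int(now // STEP)), hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** DIGITS).zfill(DIGITS)

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:
    """Hypothetical authentication server holding each token's seed and PIN hash."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = {"seed": seed, "salt": salt,
                               "pin": _pin_hash(pin, salt), "last": -1}

    def verify(self, user: str, passcode: str, now: float, drift: int = 1) -> bool:
        acct = self.accounts.get(user)
        if acct is None or len(passcode) <= DIGITS:
            return False
        # Assumed layout of the password field: PIN followed by the token code.
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(_pin_hash(pin, acct["salt"]), acct["pin"])
        current = int(now // STEP)
        # Tolerate a token clock that is up to `drift` intervals off.
        for counter in range(current - drift, current + drift + 1):
            if counter <= acct["last"]:
                continue  # interval already used or older: reject replays
            expected = tokencode(acct["seed"], counter * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()) and pin_ok:
                acct["last"] = counter
                return True
        return False
```

Both factors must match in the same attempt, and an accepted interval is never accepted again, so a passcode observed at log-on cannot be reused.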