When it comes to authentication, multi-factor authentication is the name of the game. We’ve spilled a lot of digital ink on the topic previously, and using a combination of some things that you know, are or have can help massively to secure your online accounts. However, mishandling multiple methods of authentication can actually make you more vulnerable than if you were just using the one method—you can end up with ‘below-one’-factor authentication, and nobody wants that.

President of Mnemonic Security Hitoshi Kokumai, writing in SC Magazine, singles out biometric means of authentication—i.e., something you are, such as a fingerprint or iris scan—and identifies multiple concerns. Firstly, biometrics cannot be deployed alone. It must ‘depend on another factor as a fallback means against false rejection’, as someone who suffers a hand injury that alters or removes their fingerprint can’t exactly just get a new one.

Kokumai’s contention is that the most commonly-used fallback for biometric authentication systems is a good, old-fashioned password/PIN setup. If the password and biometric were being utilised together for multi-factor authentication—multi-layer security, in Kokumai’s words—things would be fine, and more secure than the use of either individually. However, as biometrics require the use of a fallback that can work even in the event of the biometric authentication step failing (in this case the password/PIN) this setup actually represents a ‘multi-entrance’ method of authentication.

Kokumai goes on to present some calculations on the insecurity of multi-entrance rather than multi-layer authentication. Given a method x of vulnerability 1/10,000 and a method y of vulnerability 1/1,000, Kokumai demonstrates that a multi-layer setup is 1,000 times more secure than x alone, whilst a multi-entrance setup is around 11 times less secure than x alone.

Following this, Kokumai addresses what he considers to be the impossibility of ever using biometrics in a multi-layer setup, writing that ‘this scenario never comes true. When rejected by biometrics, what can we do? We will only see that we are unable to login even if we can feed our password/PIN.’

This all demonstrates a crucial considering when it comes to multi-factor authentication: whilst two (or more) methods are generally better than one, not all means of authentication are created equal. You must consider this, as well as how the means you choose may interact with one another in unpredictable ways. The attacker will always take the path of least resistance, so having the most complex technical whizz-bang authentication method is no use if they can just brute-force a PIN instead.

In a previous article, Kokumai writes that ‘a false sense of security is often worse than the lack of security itself’ and that ‘biometric solutions should never be recommended to the people who need strong security in cyber-space. They could instead be recommended to those who want increased convenience.’ This is an important distinction, although one wonders who out there would be willing to use multi-factor authentication, yet still take the security hit of using a multi-entrance setup.