Use of second, different, factor type immediately after applying the first one, or when needed.
Factors
- Knowledge (password)
- Possession (ID card, security token, smartphone or other device).
- inherent (biometric, behavior)
- Location
- Time
Applications/scenarios
More secure authentication
Permission escalation
Remote vetting
Elements
- Physical devices and tokens, other client devices (sensors or mere USB port)
- Infrastructure and software
- Vetting, issuance, management, revocation
- Actual authentication
- Applications, services, authorisation (sometimes also in infrastructure)
Our scope
1st - Password
2nd - Possession or inherence (what about knowledge from device-based out-of-band communication, software tokens, etc?)
scenario?
with whom?
vetting fo a NREN? local users (and existing iDs intended for local use) or international ones (passports, are there others?) what about NREN/group remotely vetting a foreigner - is this a marginal or key case?