三种认证方式以及增强认证的方法

老外论坛上的，写的很好。
There are 3 types of authentication possibilities for a system like that:

Something you know (password, passphrase)

Someting you have (card, token, phone... etc)

Somebody you are (biometrics in general)

Strong authentication needs for sure to implement two of those.

So let's analyze some of your options:

1) Something you know + something you have:

- user/pass + token and one time PIN => already used, pretty secure

- user/pass + private key on the computer (not neccesarily PKI system) => I would not really advise, as by stealing your laptop the chance so also take your password is pretty high, so I wouldn't go for it.

- user/pass + challenge response token => I find this the best way. You need a system where you login with a user/pass + a PIN on the token.

Afterwards, there could be a challenge by the system which you introduce into the token and a response. This of course is based on an algorithm. It works quite well for online banking at the moment.

- certificate/private key (not neccesarily PKI) /passphrase + PIN + token + challenge/response => probably the best combination for this type (know+have). However the usability is quite low as you will always need to have at all times your key with you and also the laptop and so on.. it gets too complicated in my opinion.

What if you could have this certificate on an external device (card / bluetooth container / wireless container)?

Then you have quite a nice system to authenticate.

another nice option might be:

- user/pass + mobile phone as a pin (SMS or an SSL connection allowed only from your SIM). I find this quite a nice as you do not have to carry another device with you (token) but you can use the mobile phone.

Of course that the mobile phone needs to be properly secured by all means neccesary (additional risk)

The risks need to be carefully analyzed and managed.



a bit more complicated option

2) something you know + something you have + somebody you are

- user/pass + smarcard and PIN + biometrics

one example is http://www.cardwerk.com/smart-card-readers/fingerprintscanner.aspx, and it's not the only one.

another is http://www.smartcardbiometric.com/ ... you can find a lot of them in the industry.

this is quite nice as it can be easily implemented.

on the smartcard you can have a private key (not neccesarily in a PKI system) + biometrics information. The reader is quite nice and you've got three factors on a simple card.