A Method of Risk Assessment for Multi-Factor Authentication

  • 투고 : 2010.08.11
  • 심사 : 2010.09.09
  • 발행 : 2011.03.31


User authentication refers to user identification based on something a user knows, something a user has, something a user is or something the user does; it can also take place based on a combination of two or more of such factors. With the increasingly diverse risks in online environments, user authentication methods are also becoming more diversified. This research analyzes user authentication methods being used in various online environments, such as web portals, electronic transactions, financial services and e-government, to identify the characteristics and issues of such authentication methods in order to present a user authentication level system model suitable for different online services. The results of our method are confirmed through a risk assessment and we verify its safety using the testing method presented in OWASP and NIST SP800-63.



  1. Dale Vile, Freeform Dynamic, “User convenience versus system security”, 2006.
  2. Roger Elrod, “Two-factor Authentication”, East Carolina University, 2005, July.
  3. [Definition] Wikipedia, Definition of Two Factor Authentication.
  4. Smart Card Alliance (Randy Vanderhoof), “Smart Card Technology Roadmap for secure ID applications”, 2003.
  5. Tim Hastings, Multi-factor Authentication and the Cloud, 2010.
  6. Korea Internet Security Agency, Introduction of i-PIN (, 2010.
  7. Accredited Certificate:
  8. Public Procurement Service:
  9. Public Procurement Service(PPS), Bidder Identification and Fingerprint Registration Process, 2010, April.
  10. OMB M-04-04, E-Authentication Guidance for Federal agencies, 2003, December, 16.
  11. NIST, Special Publication 800-63, Electronic Authentication Guideline, 2006, April.
  12. Ministry of Citizens’ Services, Electronic Credential and Authentication Standard, 2010, April.
  13. Bret Hartman, “From Identity Management to Authentication: Technology Evolution to Meet Cyber Threats”, ITAA IdentEvent 2008.
  14. Fidelity National Information Services, Multi -Factor Authentication Risk Assessment, 2006.
  15. OWASP foundation, OWASP Testing Guide, 2008 v3.0, pp.140-143.
  16. IETF RFC 4683, Internet X.509 Public Key Infrastructure Subject Identification Method (SIM), 2006.10.

피인용 문헌

  1. Multi-factor authentication model based on multipurpose speech watermarking and online speaker recognition vol.76, pp.5, 2017,
  2. Go anywhere: user-verifiable authentication over distance-free channel for mobile devices vol.17, pp.5, 2013,
  3. UFLE: a user-friendly location-free encryption system for mobile users 2012,
  4. Game-based image semantic CAPTCHA on handset devices vol.74, pp.14, 2015,
  5. Unified threat model for analyzing and evaluating software threats 2012,