Quiz Entry - updated: 2026.06.01
What definitions of "strong authentication" exist, and what does ENISA recommend?
Definitions vary — Fermilab requires no password on the wire, Handbook of Applied Cryptography requires challenge-response, BSI requires 2 different methods, ENISA requires 2 different factors. Banks often demand 2 factors on 2 devices.
Multiple definitions in circulation:
- Fermilab: "No transmission of password over network." (Password-in-the-clear disqualifies you.)
- Handbook of Applied Cryptography: "Challenge-response identification."
- BSI: "2 different authentication methods."
- ENISA: "At least 2 factors" — explicitly:
- Something the user knows (e.g. password, PIN)
- Something the user has (e.g. ATM card, smart card)
- Something the user is (e.g. fingerprint)
Banking goes a step further: authentication must use 2 different devices (not just 2 factors). A password and a TOTP code generated on the same laptop don't count — malware on the laptop sees both. The TOTP needs to live on a phone or a separate token.
Why "2 devices" matters:
- A man-in-the-browser malware sees everything in the browser, including TOTP codes pasted in.
- Splitting across devices means the attacker has to compromise both — much harder.