LOGBOOK

HELP

Quiz Entry - updated: 2026.06.01

What definitions of "strong authentication" exist, and what does ENISA recommend?

Definitions vary — Fermilab requires no password on the wire, Handbook of Applied Cryptography requires challenge-response, BSI requires 2 different methods, ENISA requires 2 different factors. Banks often demand 2 factors on 2 devices.

Multiple definitions in circulation:

  • Fermilab: "No transmission of password over network." (Password-in-the-clear disqualifies you.)
  • Handbook of Applied Cryptography: "Challenge-response identification."
  • BSI: "2 different authentication methods."
  • ENISA: "At least 2 factors" — explicitly:
    • Something the user knows (e.g. password, PIN)
    • Something the user has (e.g. ATM card, smart card)
    • Something the user is (e.g. fingerprint)

Banking goes a step further: authentication must use 2 different devices (not just 2 factors). A password and a TOTP code generated on the same laptop don't count — malware on the laptop sees both. The TOTP needs to live on a phone or a separate token.

Why "2 devices" matters:

  • A man-in-the-browser malware sees everything in the browser, including TOTP codes pasted in.
  • Splitting across devices means the attacker has to compromise both — much harder.

From Quiz: ISF / Access Control | Updated: Jun 01, 2026