Security Encyclopedia

Single-Factor Authentication (SFA)

Single-Factor Authentication (SFA) is a method of authenticating users to a resource by having them present a single proof of identity. A username and password is the dominant form of SFA.

Authentication factors generally fall into one of three categories: something you know (knowledge), something you have (possession), and something you are (biometric). Continuous authentication is an emerging approach that is nominally single-factor, but even it combines contextual signals derived from knowledge and possession with device information such as geolocation.

As the number-one SFA method, password authentication relies on a shared secret between the user and the online service. Shared secrets have been shown to be vulnerable to credential stuffing attacks: users recycle passwords across different services, and attackers weaponize username and password pairs from prior breaches against unrelated enterprises. Because only a fraction of the replayed pairs work, a stuffing campaign shows up as many distinct accounts tried from the same source with a high failure rate, and the few successes are the accounts that are now compromised. In response, enterprises implement two-factor authentication (2FA) or multi-factor authentication (MFA) to add a possession factor, often using hardware or software tokens. These methods, however, add friction to the user experience (UX) and result in poor 2FA or MFA adoption, or in security workarounds such as sharing tokens.
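The following is an added example, not code from the original page, showing the detection logic a practitioner would run over authentication logs to spot the stuffing pattern described above. The log lines and their "<source-ip> <username> <ok|fail>" format are constructed for the example, and the thresholds (five distinct accounts, at least half of attempts failing) are illustrative assumptions to be tuned per environment.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthEvent is one parsed login attempt.
type AuthEvent struct {
	IP      string
	User    string
	Success bool
}

// sampleLog is constructed sample data, not a real capture. The line format
// "<source-ip> <username> <ok|fail>" is an assumption for this example.
const sampleLog = `203.0.113.7 alice fail
203.0.113.7 bob fail
203.0.113.7 carol fail
203.0.113.7 dave ok
203.0.113.7 erin fail
203.0.113.7 frank fail
198.51.100.3 alice fail
198.51.100.3 alice fail
198.51.100.3 alice ok
192.0.2.9 bob ok`

// ParseLog turns the simplified log text into events, skipping malformed lines.
func ParseLog(log string) []AuthEvent {
	var events []AuthEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		events = append(events, AuthEvent{IP: f[0], User: f[1], Success: f[2] == "ok"})
	}
	return events
}

// Finding describes a source IP whose activity matches the stuffing pattern:
// many distinct accounts tried, mostly failing, with the few successes being
// the accounts that are now compromised.
type Finding struct {
	IP            string
	DistinctUsers int
	FailureRate   float64
	Compromised   []string
}

type sourceStats struct {
	attempts  int
	failures  int
	users     map[string]bool
	successes []string
}

// DetectStuffing flags each source IP that tried at least minUsers distinct
// accounts with a failure rate of at least minFailRate.
func DetectStuffing(events []AuthEvent, minUsers int, minFailRate float64) []Finding {
	stats := map[string]*sourceStats{}
	var order []string // first-seen order keeps the output deterministic
	for _, e := range events {
		s, ok := stats[e.IP]
		if !ok {
			s = &sourceStats{users: map[string]bool{}}
			stats[e.IP] = s
			order = append(order, e.IP)
		}
		s.attempts++
		s.users[e.User] = true
		if e.Success {
			s.successes = append(s.successes, e.User)
		} else {
			s.failures++
		}
	}
	var findings []Finding
	for _, ip := range order {
		s := stats[ip]
		rate := float64(s.failures) / float64(s.attempts)
		if len(s.users) >= minUsers && rate >= minFailRate {
			findings = append(findings, Finding{IP: ip, DistinctUsers: len(s.users), FailureRate: rate, Compromised: s.successes})
		}
	}
	return findings
}

func main() {
	for _, f := range DetectStuffing(ParseLog(sampleLog), 5, 0.5) {
		fmt.Printf("%s: %d accounts tried, %.0f%% failed, logged in as %v\n",
			f.IP, f.DistinctUsers, 100*f.FailureRate, f.Compromised)
	}
}
```

On the sample data only 203.0.113.7 is flagged; the source that fails twice on one account and then succeeds is an ordinary mistyped password and stays quiet. The caveat is that per-source counting only catches the naive campaign: attackers routinely spread attempts across proxy pools so that no single IP crosses the threshold, so the same aggregation should also be run fleet-wide (overall failure rate against the baseline) and per account (one username hit from many sources).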

Everyday mobile devices are helping enterprises move beyond the reliance on SFA and the challenges of deploying 2FA and MFA reliably. Smartphones are de facto MFA: they carry multiple authenticators (a screen-lock PIN or password, a fingerprint or face biometric), security features such as hardware trust zones that keep keys isolated from the operating system, and can be leveraged for public-key cryptography (PKC). This makes smartphones crucial to passwordless authentication based on true secrets, that is, private keys that never leave the device while the service stores only the corresponding public keys, and to fast, simple MFA.
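The exchange that makes this work, as an added example that is not part of the original page: the device holds a private key, the server stores only the public key, and each login is a signature over a fresh server-issued nonce. Unlike a password, nothing in the server's table can be replayed against this or another service. The in-memory key stands in for hardware-backed storage, and the purpose string mixed into the signed digest is this example's own choice; both are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device stands in for the phone. On real hardware the private key would be
// generated inside the secure element or TEE and never exported; here it is an
// in-memory key for illustration (assumption).
type Device struct {
	priv *ecdsa.PrivateKey
}

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}

// PublicKey is the only thing the device ever hands to the server.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Server stores public keys only; a breach of this table yields nothing replayable.
type Server struct {
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte // one outstanding nonce per user
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh random nonce; the device must sign this exact value.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// digest binds the signature to a purpose string and the username so a
// signature obtained in one context cannot be reused in another. The
// separator string is this example's own choice (assumption).
func digest(user string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("sfa-demo-login-v1"))
	h.Write([]byte{0})
	h.Write([]byte(user))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// Sign is the device's half of the exchange: proof of possession of the key
// without revealing it.
func (d *Device) Sign(user string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(user, nonce))
}

// Verify checks the response against the stored public key and consumes the
// nonce, so a captured response cannot be replayed even though it was valid.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(user, nonce), sig)
}

// Login runs the full exchange for one user and reports whether it succeeded.
func Login(srv *Server, dev *Device, user string) (bool, error) {
	nonce, err := srv.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := dev.Sign(user, nonce)
	if err != nil {
		return false, err
	}
	return srv.Verify(user, sig), nil
}
```

Two properties carry the security argument: the nonce is random and single-use, so an intercepted response is worthless afterwards, and the signed digest includes the username and a purpose string, so a signature the device produced for one login cannot be redirected to another account or another protocol. The user's PIN or biometric unlocks the key on the device, which is what turns the possession factor into MFA without the server ever seeing a shared secret.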


"Our IT team are pulling out their hair concerning the new policy of letting employees work remotely since we currently use single-factor authentication. They see anyone being able to log into a session and spend hours in our environment before we would know it's an unauthorized person using valid credentials."