Security Encyclopedia

Strong Authentication

Strong Authentication is a method of user verification that is considered robust enough to withstand attacks on the system to which the users are authenticating.

There are competing definitions of strong authentication, as layered systems often do not meet the required threshold for being strong. Strong authentication is thought to be true two-factor authentication or multi-factor authentication (2FA, MFA). Such systems, in requiring two or more factors from the “something I have, something I am, and something I know), require those factors to be a combination of different authentication factors. Technologies that enable strong authentication include information derived from the devices in use by people (e.g. mobile or laptop) as well as user biometrics, user email, one-time passwords (OTPs), and time-based one-time passwords (TOTPs).

True strong authentication also takes the form of cryptographic solutions where public-key infrastructure (PKI) is the underlying system. Such systems ensure that the user and the verifying system do not share sensitive information. Rather, the parties exchange non-sensitive mutually agreed upon information to verify that they are the authorized parties to a conversation. Fast Identity Online (FIDO) Alliance authentication standards are examples of such a system.

In addition, in the consumer space, Strong Customer Authentication (SCA) is defined in the recent update to the European Union’s Payment Services Directive (PSD, PSD2). SCA serves as an accepted strong authentication definition. Learn more about how Strong Customer Authentication is being implemented.


“Our company is requiring strong authentication for employee access to corporate resources. Our CISO and business unit heads are discussing solutions that won’t require our teams to use additional hardware to verify their identity in different ways, using different factors.”