Hi, in this unit, we are going to talk about multi-factor authentication. If you remember, we use credentials in order to identify ourselves on the internet. So basically, when we connect to a server, for example, that server asks us for credentials. We can enter our username and password, for example. But if you remember from the previous unit, usernames and passwords are not very safe credentials, because they are very easy to crack and very easy to manage badly. Instead of using username and credential, we have other alternatives.

If you remember, we have three different types of credentials: credentials based on something I know, credentials based on something I have, and credentials based on something I am. So right now, the proposal is that we can use a combination of the types of credentials. So maybe, in order to identify ourselves to our web server, for example, we can use something I know, a username and password, and something I have, maybe a cryptographic token or a smart card, or we can even add something I am, with our fingerprints. So we can have a combination of different types of credentials in order to make the authentication much stronger that can release.

This way, if we have an attacker, for example, who can steal our smartphone, it's possible for the attacker to use the credentials of the smartphone. If we use a combination of two or three credentials, it's very difficult for the attacker to obtain one more credential. Maybe he or she can steal a cell phone, the smartphone, but cannot steal our token, for example, or cannot guess our password. So the point here is that we are going to use a combination of credentials based on the three types. It's very common that the first type of credential is the type of something I know. So you almost always use the username and password, but we can use a second factor, a second type of credential. Now, we're going to see some examples of credentials used as a second factor.
The first example we're going to see is SMS-based authentication. In this case, we start with common authentication based on username and password. But after we succeed with this authentication, the server sends an SMS to our phone number. So when we have the first authentication, the server sends an SMS and asks us for a secret code that is included in the message. So we have to check the SMS, we have to check the message, obtain the secret code, and send it back to the server in order to successfully authenticate, in order to successfully identify ourselves. So pay attention here: our credential here is based on something I have, because I need to be the owner of the phone number to get the SMS.

A second example is application-based authentication. It is similar but has a different step. Here, the first step is that I need a pairing between an app that I can install on the phone, for example, or on a computer, and the server. So this is a previous step. We need to have the pairing working before we start authentication. After that, it is similar to the previous case. We authenticate based on username and password, for example, and the server sends us a request for a token. The token must be obtained from the app. So the app is paired to the server, so they synchronize and they can obtain a valid token, and I copy the token and send it to the server. Here you can see some examples of the applications, which are very common today on a lot of different servers. For example, you can use these applications with some services on Google, on Twitter, on Snapchat, using the token, and you put the token in the web server page.

The third example of a second factor is certificate-based authentication. Here again, we need a previous step: this entity, it's called a certification authority, that this has server [inaudible] or the web server we are connecting to, sends us a certificate and sends to the server another certificate.
So both user and server have different certificates, what is called a digital certificate. This is your credential. These are very well protected in a cryptographic way. So here, we start with the first authentication, for example. After that, the server can request our certificate. We send the certificate, and both the server and the user can identify each other; you send the certificate. In order to check the validity of the certificate, they check that the certificate has been issued by the certification authority.

The fourth example of a second factor is physical-thing-based authentication. In this case, we need to have special hardware, for example, a smart card or a hardware USB. So we need to [inaudible] cell provider, a company, or governments for example in some countries, that gives us this hardware in order to authenticate to our servers. So again, the mechanics are similar. We first do our username and password authentication, but after the first authentication, the server tells us to interact with the physical object. So for example, the server can tell us, "Okay, introduce the smart card in the smart card reader, or introduce the USB in your computer in order to authenticate you." So you introduce that, and there is some processing here, and it sends the credential to the server, and you are successfully authenticated.

Finally, the last example is biometry-based authentication. In this case, it's similar to the physical thing. We need to interact locally with something. But here, instead of interacting with a physical object, you are using your own body in order to interact. That is very common in mobile phones, for example. In your mobile phone, you have the PIN code, sometimes with a pattern, and you also have biometry: your fingerprint, your face identification and so on. This is a very good second factor authentication.

So the conclusion is just a recommendation. Always use a second factor if you are able to use it.
If the server you're connecting to gives you the possibility to use a second-factor credential, always activate this option and use it, because you will be much safer. See you in the next units.