Authentication may sound like a very complicated concept, but it’s quite simple: a way of showing that you are who you say you are. In the offline world this process is simple and universal. Most countries have well-documented procedures by which you can get a passport that demonstrates your identity wherever you go in the world. In the world of computers, there is no single document you can use to prove your identity wherever you go. As a result, most websites and services use slightly different techniques.
In my previous post about the four “A”s of Account Management, we discussed Authentication as it relates to Authorization, Access Control and Audit Logging. Establishing good authentication is an essential first step before you can perform the other three functions of account management; if you don’t know who someone is, you cannot know what resources or services they are entitled to access, or identify what actions they have taken.
Proving yourself online
When you want to show that someone is the person they claim to be, you need to find something unique and unchanging about them. In order to accomplish that, there are a few things you can do. In movies or in television shows, if there is some question about a person’s identity, the usual trope goes something like this:
- Ask the person to verify a piece of information that only that one person would know, or
- Ask him or her to display some trinket that only that one person would carry, or
- Check the person for the presence of some notable feature that is unique to him or her
Similar options are available for verifying users, online. Those three basic methods are collectively called “authentication factors”. Individually, these factors are known as:
- Knowledge factor – What you know
This is a piece of information that is (ideally) known only by the person whose identity is being verified and the person or process that is verifying it.
- Possession or Ownership factor – What you have
This is something that you have been given by a person or organization who has vetted you, which can be used to verify your identity.
- Inherence or Existence factor – What you are
These are things that are part of who you are, and typically things that will never change.
The first three factors
There are a few things that are commonly used as “knowledge factors”, such as passwords, passphrases, passcodes or PINs (which is an acronym for Personal Identification Numbers). Many people may not realize that “secret questions”, which some websites have you set up in addition to your password, are also knowledge factors.
Most of us have at least one “ownership factor” in our wallets, possibly several. While your driver’s license or government ID is certainly one such item, your payment card is another, which is why you are sometimes allowed to use it as a very basic form of identification.
That credit or debit card in your wallet is not just a sign that you have been deemed able to repay your debts; it is also meant to indicate that your bank has verified your identity.
But ID and payment cards are not the only form of “ownership factor”. Anything that can be tied uniquely to you can be useful; for example, an email address, mobile device, or phone number. Temporary key-codes can be generated by online sites and sent to you via SMS, voice call or email, to enter as a login credential.
And lastly, there’s the “inherence factor”. Once the stuff of spy capers, nowadays many of you may have this factor of authentication available on your smartphone or laptop. Fingerprint scanners, which are the most common example, are meant to verify the unique pattern on the tips of your fingers. Some smartphones now come with iris scanners, which look for the unique flecks and colorations of your eyes. The US Customs and Border Patrol is now testing facial recognition scanners, as a way to automate verification of photo IDs.
When one is not enough
“Using more than one factor to verify account owners is an increasingly popular option.”
At this point, most of us know someone whose online account has been hacked. Authentication that uses only username and password is a security headache for so many people that researchers are always looking for new ways to authenticate users quickly and securely. Using more than one factor to verify account owners is an increasingly popular option.
Logging in with two factors of authentication is called “two-factor authentication” or “two-step verification”; 2FA or TFA, for short. If a login process has 2FA enabled, even if users give out their credentials (either accidentally or intentionally), their accounts may still be protected if the attacker does not also have access to the second factor.
Further factors for the future
Another method for improving authentication security is to find new factors. There are a couple of others that you may already be using without knowing it:
- Location factor – Where you are
- Behavior factor – What you do
These might seem a little odd, because people travel and their behavior changes over time. And you may also wonder how these things can be unique. But as it turns out, they can be pretty helpful, especially in conjunction with other factors.
How the “location factor” works is that most of the time, you can be expected to be in certain locations (i.e. at home or at work) or using certain, specific machines. Obviously that will not always be the case, so it’s only marginally useful information by itself. If you are in a known locale or using a known IP or MAC address, it can be used as your second factor of authentication in addition to entering a username and password. But if you’re not in that known place or on that known machine, you will be prompted to use a different factor of authentication such as a key-code.
For the “behavior factor”, it turns out that certain behaviors can be as unique as fingerprints; for example, our web surfing habits, our voices, our mouse or touchscreen movements, or our handwriting. Some smartphones may already use this factor. If you set up a numerical or gestural passcode, they may record not just the passcode itself, but also the way that you typed or swiped that code.
Next steps: Setting limits
Once a person’s identity has been authenticated, many administrators simply throw open the metaphorical gates to users, allowing them unfettered access to their networks. In our next article, we’ll talk about the next steps in account management: Authorization and Access Control. These techniques allow you to put appropriate controls in place that allow users to access resources or services that they need, and blocking availability of those things that they don’t, in ways that allows you to limit accidental or intentional damage and theft.
by Lysa Myers, ESET