Authentication may sound like a very complicated
concept, but it’s quite simple: a way of showing that you are who you say
you are. In the offline world this process is simple and universal. Most
countries have well-documented procedures by which you can get a passport that
demonstrates your identity wherever you go in the world. In the world of
computers, there is no single document you can use to prove your identity
wherever you go. As a result, most websites and services use slightly different
techniques.
In my previous post about the four “A”s of Account Management, we discussed Authentication
as it relates to Authorization, Access Control and Audit Logging. Establishing
good authentication is an essential first step before you can perform the other
three functions of account management; if you don’t know who someone is, you
cannot know what resources or services they are entitled to access, or identify
what actions they have taken.
Proving yourself online
When you want to show that someone is the person
they claim to be, you need to find something unique and unchanging about them.
In order to accomplish that, there are a few things you can do. In movies or in
television shows, if there is some question about a person’s identity, the
usual trope goes something like this:
1. Ask the person to verify a piece of information that only that one person would know, or
2. Ask him or her to display some trinket that only that one person would carry, or
3. Check the person for the presence of some notable feature that is unique to him or her
Similar options are available for verifying users online. Those three basic methods are collectively called “authentication
factors”. Individually, these factors are known as:
· Knowledge factor – What you know
This is a piece of information that is (ideally) known only by the person whose identity is being verified and the person or process that is verifying it.
· Possession or Ownership factor – What you have
This is something that you have been given by a person or organization who has vetted you, which can be used to verify your identity.
· Inherence or Existence factor – What you are
These are things that are part of who you are, and typically things that will never change.
The first three factors
There are a few things that are commonly used as
“knowledge factors”, such as passwords, passphrases, passcodes or PINs (Personal
Identification Numbers). Many people may not realize
that “secret questions”, which some websites have you set up in addition to
your password, are also knowledge factors.
Most of us have at least one “ownership factor” in
our wallets, possibly several. While your driver’s license or government ID is
certainly one such item, your payment card is another, which is why you are
sometimes allowed to use it as a very basic form of identification.
That credit or debit card in your wallet is not
just a sign that you have been deemed able to repay your debts; it is also meant to indicate that your bank has verified your identity.
But ID and payment cards are not the only form of
“ownership factor”. Anything that can be tied uniquely to you can be useful;
for example, an email address, mobile device, or phone number. Temporary
key-codes can be generated by online sites and sent to you via SMS, voice call
or email, to enter as a login credential.
And lastly, there’s the “inherence factor”. Once
the stuff of spy capers, nowadays many of you may have this factor of
authentication available on your smartphone or laptop. Fingerprint scanners,
which are the most common example, are meant to verify the unique pattern on
the tips of your fingers. Some smartphones now come with iris scanners, which
look for the unique flecks and colorations of your eyes. The US Customs and
Border Patrol is now testing facial recognition scanners, as a way to automate
verification of photo IDs.
When one is not enough
At this point, most of us know someone whose online
account has been hacked. Authentication that uses only username and password is a security headache for so many
people that researchers are always looking for new ways to authenticate users
quickly and securely. Using more than one factor to verify account owners is an
increasingly popular option.
Logging in with two factors of authentication is
called “two-factor authentication” or “two-step verification”; 2FA or TFA, for
short. If a login process has 2FA enabled, even if users give out their
credentials (either accidentally or intentionally), their accounts may still be
protected if the attacker does not also have access to the second factor.
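The two sections above (the temporary key-codes sent as a possession factor, and the 2FA login that needs both a password and that code) can be put together in one small server-side flow. The following is an added example written for this article, not code from the original post or from any particular site: the password (knowledge factor) is stored only as a salted PBKDF2 hash and checked with a constant-time compare, the one-time code (possession factor) is short-lived, single-use and attempt-limited, and the login only succeeds when both pass, so a leaked password alone gets the attacker nowhere. The usernames, password, time-to-live and attempt limit are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

# --- Knowledge factor: the password, stored only as a salted PBKDF2 hash ---

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are ever stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)  # constant-time compare


# --- Possession factor: a short-lived, single-use code delivered out of band ---

CODE_TTL_SECONDS = 300  # constructed value: code is valid for five minutes
MAX_ATTEMPTS = 5        # constructed value: guesses allowed per issued code


class OneTimeCodes:
    """Issues and verifies one-time codes; keeps only a hash of each pending code."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._pending: Dict[str, Tuple[bytes, float, int]] = {}  # user -> (hash, expires_at, attempts)

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        # Hashing keeps a leak of the pending table from exposing live codes;
        # the attempt limit below is what actually stops online guessing.
        self._pending[user] = (hashlib.sha256(code.encode()).digest(),
                               self.clock() + CODE_TTL_SECONDS, 0)
        return code  # handed to the SMS/voice/email sender, never written to logs

    def verify(self, user: str, code: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if self.clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]  # expired or locked out: the code is dead
            return False
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), code_hash)
        if ok:
            del self._pending[user]  # single use
        else:
            self._pending[user] = (code_hash, expires_at, attempts + 1)
        return ok


# --- Two-factor login: both factors must pass ---

class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)


def login(account: Account, password: str, code: str, codes: OneTimeCodes) -> str:
    # Check the password first so a wrong password does not burn a code attempt.
    if not verify_password(password, account.salt, account.pw_hash):
        return "denied: bad password"
    if not codes.verify(account.username, code):
        return "denied: bad or expired code"
    return "ok"


def run_scenarios() -> List[str]:
    """Walk through the cases that matter: leaked password alone, both factors,
    code reuse, expiry and guess lockout. Returns the outcome of each attempt."""
    fake_now = [1000.0]
    codes = OneTimeCodes(clock=lambda: fake_now[0])
    acct = Account("alice", "correct horse battery")  # constructed credentials
    results = []

    code = codes.issue("alice")
    results.append(login(acct, "wrong password", code, codes))            # knowledge factor fails
    wrong = "000000" if code != "000000" else "999999"
    results.append(login(acct, "correct horse battery", wrong, codes))    # password leaked, code unknown
    results.append(login(acct, "correct horse battery", code, codes))     # both factors present
    results.append(login(acct, "correct horse battery", code, codes))     # replayed code is dead

    code = codes.issue("alice")
    fake_now[0] += CODE_TTL_SECONDS + 1
    results.append(login(acct, "correct horse battery", code, codes))     # expired

    code = codes.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        codes.verify("alice", wrong)
    results.append(login(acct, "correct horse battery", code, codes))     # locked out after guessing
    return results


if __name__ == "__main__":
    for outcome in run_scenarios():
        print(outcome)
```

Two design points worth noting: the password check runs before the code check, so an attacker who has neither cannot use failed logins to spend the victim's code attempts; and verification never compares secrets with `==`, which can leak timing information.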
Further factors for the future
Another method for improving authentication
security is to find new factors. There are a couple of others that you may
already be using without knowing it:
· Location factor – Where you are
· Behavior factor – What you do
These might seem a little odd, because people
travel and their behavior changes over time. And you may also wonder how these
things can be unique. But as it turns out, they can be pretty helpful,
especially in conjunction with other factors.
The “location factor” works because, most of the
time, you can be expected to be in certain locations (i.e. at home or at work)
or using certain, specific machines. Obviously that will not always be the
case, so it’s only marginally useful information by itself. If you are
in a known locale or using a known IP or MAC address, that fact can serve as your
second factor of authentication in addition to entering a username and
password. But if you’re not in that known place or on that known machine, you
will be prompted to use a different factor of authentication, such as a
key-code.
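The step-up decision just described can be expressed as a small policy function. This is an added example for this article, not code from any real service: a login from a known network or an enrolled device counts as the “where you are” factor alongside the password, and anything else must present a one-time key-code before it is allowed. The user names, network ranges (drawn from the IPv4/IPv6 documentation prefixes) and device identifiers are constructed sample data; the device identifier is assumed to be whatever token the service enrolled on the machine earlier (a remote web server cannot see a client’s MAC address, so in practice a long-lived cookie or similar plays that role).

```python
import ipaddress
from typing import List, Optional

# Constructed sample data: what the service already knows about each user.
KNOWN_NETWORKS = {
    "alice": ["203.0.113.0/24", "2001:db8:10::/48"],  # e.g. home and office ranges
}
KNOWN_DEVICES = {
    "alice": {"laptop-7f3a", "phone-c91e"},  # device tokens enrolled on earlier logins
}


def required_factors(user: str, ip: str, device_id: str) -> List[str]:
    """Return the factors this login attempt must present.

    Password is always required. A recognised network or device supplies the
    location factor; otherwise the attempt steps up to a one-time code.
    """
    addr = ipaddress.ip_address(ip)
    # ipaddress handles mixed versions: an IPv4 address is simply not "in" an IPv6 network.
    in_known_net = any(addr in ipaddress.ip_network(n) for n in KNOWN_NETWORKS.get(user, []))
    known_device = device_id in KNOWN_DEVICES.get(user, set())
    if in_known_net or known_device:
        return ["password", "location"]
    return ["password", "one_time_code"]


def decide(user: str, ip: str, device_id: str,
           password_ok: bool, code_ok: Optional[bool] = None) -> str:
    """Return 'allow', 'deny' or 'step_up' (prompt for the key-code, then call again)."""
    if not password_ok:
        return "deny"  # the location signal never substitutes for the password itself
    if "one_time_code" not in required_factors(user, ip, device_id):
        return "allow"
    if code_ok is None:
        return "step_up"
    return "allow" if code_ok else "deny"


if __name__ == "__main__":
    # Constructed login attempts: (user, ip, device, password_ok, code_ok)
    attempts = [
        ("alice", "203.0.113.45", "unknown-device", True, None),   # office range, new device
        ("alice", "198.51.100.7", "laptop-7f3a", True, None),      # hotel wifi, known laptop
        ("alice", "198.51.100.7", "unknown-device", True, None),   # neither known: step up
        ("alice", "198.51.100.7", "unknown-device", True, True),   # same, after a valid code
        ("alice", "198.51.100.7", "unknown-device", False, None),  # wrong password
    ]
    for user, ip, dev, pw, code in attempts:
        print(f"{user} from {ip} on {dev}: {decide(user, ip, dev, pw, code)}")
```

Because `decide` returns `step_up` rather than a verdict when the code has not been presented yet, the caller keeps the prompt-then-retry flow explicit, and every outcome is a plain string that is easy to write to the audit log discussed in the earlier post.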
For the “behavior factor”, it turns out that
certain behaviors can be as unique as fingerprints; for example, our web
surfing habits, our voices, our mouse or touchscreen movements, or our
handwriting. Some smartphones may already use this factor. If you set up a
numerical or gestural passcode, they may record not just the passcode itself,
but also the way that you typed or swiped that code.
Next steps: Setting limits
Once a person’s identity has been authenticated,
many administrators simply throw open the metaphorical gates to users, allowing
them unfettered access to their networks. In our next article, we’ll talk about
the next steps in account management: Authorization and Access Control. These techniques
allow you to put appropriate controls in place that let users reach the
resources or services they need while blocking those they don’t, in ways that
allow you to limit accidental or intentional damage and theft.