The Rise and Fall of the humble Password – Authentication!
Ah, simpler times: a decade ago, if you had your username and a password, you could log in! Things started to get a little trickier when we saw the start of “remote users” who could “dial in” to access their accounts. From this point things really changed, and the threat landscape grew.
Connectivity expanded exponentially, bringing access to more and more accounts: personal accounts such as banking, email and social media, along with business applications.
The username and password approach simply doesn’t hack it! (excuse the pun)
Authentication certainly has evolved, although not all organisations have kept up; we see many of the old patterns of “yesterday” still being applied to today’s threats.
Types of Factors
You’re more likely to have heard the term “factor” in the context of the authentication process. I have outlined the
- API authentication – This allows users to authenticate their access via an Application Programming Interface. The most common methods are HTTP basic authentication; API keys and OAuth.
- Two-factor authentication – this involves requesting another “factor” from a user, in addition to the password. One of the most common types is a verification code sent to a phone.
- Multi-factor authentication – this involves asking for multiple types of “factors” from users, and normally includes a possession and a biometric factor.
- Three-factor authentication – this involves the use of three “factors”, typically a knowledge card, a possession card and an inherence card.
- One-time password – this is an automatically generated numeric or alphanumeric string of characters that authenticates a user. It is only valid for one session or transaction and is normally used by first-time users or those who have forgotten their password.
- Biometrics – this involves the use of fingerprint, facial or retina scans or voice recognition. Whilst biometrics can be used as a standalone authentication method, they can also be used in conjunction with other factors.
- Mobile authentication – this process involves verifying users via devices or the devices themselves. It allows users to access secure locations and resources from anywhere. One-time passwords, biometric authentication or QR code validation can all be used.
- Continuous authentication – this involves a company’s application continually computing an “authentication score” which is a measure of how sure it is that the account owner is the person who’s using the device.
Types of Authentication
Authentication factors are pieces of data which can be matched to stored information to prove that an individual is who they claim to be. The most common factors are still your User ID and password. However, modern good practice dictates that there is a range of other factors which should be incorporated into your access control regime. Here are the key types:
- Something known – user name, password, PIN, answer to secret question, an answer to a common maths problem or a response to something you see on the screen like a Captcha
- Something owned – this involves using something the person owns to validate their request, e.g. sending a PIN to a phone
- Where you are authenticating from – this involves rejecting login requests based on the location they came from and is not usually a standalone factor. If you have ever received an email asking if you logged in from a strange location, you’ve had experience of this factor at work.
- Something inherent in you – this is basically biometric data (e.g. fingerprint, retina scan or facial recognition)
- When you are authenticating – this, like the location factor, would normally not be used alone and can be used in conjunction with the location data. If you are signing into your e-commerce account at 1pm in Cork, it would be very strange for there to be another login from Liechtenstein at 1.05pm.
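As an added illustration of the location-and-time check described above (example code written for this page, not part of the original post), the following Python snippet flags a pair of logins that would require “impossible travel”, such as Cork at 1pm followed by Liechtenstein at 1.05pm. The city coordinates, the 1000 km/h speed threshold and the sample login events are all assumptions constructed for the example.

```python
import math
from datetime import datetime

# Approximate (lat, lon) coordinates for the two places in the text; constructed for this example.
CORK = (51.8985, -8.4756)
LIECHTENSTEIN = (47.1660, 9.5554)

# Assumed threshold: faster than any commercial flight, so exceeding it is physically implausible.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs in degrees."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def implied_speed_kmh(prev_event, curr_event):
    """Speed the account holder would have needed to travel between two (timestamp, location) logins."""
    t1, loc1 = prev_event
    t2, loc2 = curr_event
    distance = haversine_km(loc1, loc2)
    hours = abs((t2 - t1).total_seconds()) / 3600.0
    if hours == 0:
        # Two logins at the same instant: only impossible if they are in different places.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def impossible_travel(prev_event, curr_event, max_kmh=MAX_PLAUSIBLE_KMH):
    """True when the second login could not plausibly be the same person as the first."""
    return implied_speed_kmh(prev_event, curr_event) > max_kmh


def scan_logins(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Walk a time-ordered list of (timestamp, location) logins and return the indices that should be challenged."""
    return [i for i in range(1, len(events)) if impossible_travel(events[i - 1], events[i], max_kmh)]


# Constructed sample session: the scenario from the text, followed by a normal same-city login.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 15, 13, 0), CORK),
    (datetime(2024, 1, 15, 13, 5), LIECHTENSTEIN),
    (datetime(2024, 1, 15, 13, 30), LIECHTENSTEIN),
]
```

Running `scan_logins(SAMPLE_EVENTS)` returns `[1]`: the Liechtenstein login five minutes after Cork is flagged for a step-up challenge, while the later login from the same place is not.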
If you want to improve your Authentication processes and ensure you remain protected from unauthorised access, then we can help.
For further information please feel free to contact us on +353 1 2809410