How do I know you are who you say you are? That, in a nutshell, is what authentication is all about. As you may recall from a recent blog post, authentication is a component of access control. Access control is a part of one of the pillars of the security triad – confidentiality. So, what exactly is authentication? Simply stated, authentication is the act of verifying the claim of an identity.
How does authentication work? The most familiar example is logging in to your bank account online. Providing your username is a claim of your identity. Entering the associated password is used to authenticate that claim. Be careful not to confuse authentication with authorization. Authorization is the process that occurs once authentication has successfully completed. Continuing with the bank account example, once you’ve successfully logged in (authenticated) you’re authorized to perform some – not necessarily all – functions (such as balance inquiries, fund transfers, or bill payments).
All the rage right now is MFA (multifactor authentication). NIST (National Institute of Standards and Technology) defines strong authentication as “A method used to secure computer systems and/or networks by verifying a user’s identity by requiring two-factors in order to authenticate.” So, if our bank requires a username, password, and a PIN we comply with the NIST recommendation, right? Well, no, that example includes only a single factor of authentication.
So, that raises the question, what are factors of authentication? A factor describes a type of authentication. There are five different factors of authentication:
Something you know
These include factors that rely solely on your memory, such as passwords and PINs.
Something you have
Examples here include a proximity card or a security token. These are items that you need to have in your possession. A proximity card generally contains an RFID-activated security certificate. A security token is a device that generates a time-based one-time password (TOTP), a short code that is valid only for a brief window of time.
Something you are
Something you are is all about biometrics. This includes authentication methods such as a fingerprint, retinal scan, or voice recognition.
Something you do
This authentication factor relies on actions you perform. These can be overt such as drawing a specific pattern in order to unlock a smart phone. They can also be something less obvious such as recognizing your gait as you walk.
Somewhere you are
This authentication factor uses your location. This is generally derived from a GPS receiver such as the one in your smartphone.
So, let’s go back to our example of logging in to a bank account with a username, password, and PIN. The password and the PIN are two distinct elements used to authenticate the username, but each falls squarely into the ‘something you know’ category. As a result, that is still a single factor of authentication.
What’s all the rage about MFA?
No system is infallible. Passwords are subject to compromise through brute-force attacks (such as using a dictionary or rainbow table) or social engineering and phishing attacks. Security devices such as a proximity card can be lost or stolen. Biometrics are imperfect and can result in a false positive or a false negative. When security measures rely on a single factor, they are easier to overcome.
Using more than one factor of authentication makes it more difficult for a malicious actor to impersonate someone else. As an example, using a proximity card in conjunction with a PIN code is a common method of accessing a secure facility. Should the proximity card be stolen, it’s useless without also knowing the associated PIN code. Both factors are needed for access to be granted.
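To make the two ideas above concrete (the TOTP security token from the "something you have" section, and the "both factors are needed" rule from the facility example), here is an added example that is not part of the original post. It implements the TOTP algorithm from RFC 6238 with only the Python standard library, stores a salted password hash as the "something you know" factor, and only grants access when both factors verify. The user record, salt, secret, and password are constructed sample values; the TOTP output is checked against the published RFC 6238 test vectors for the ASCII secret "12345678901234567890".

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step plus `window` steps on either side
    to tolerate clock drift between the token and the server."""
    ok = False
    for drift in range(-window, window + 1):
        # Constant-time comparison; keep looping so timing does not reveal which step matched.
        if hmac.compare_digest(totp(secret, at + drift * step, step), code):
            ok = True
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


@dataclass(frozen=True)
class UserRecord:
    username: str
    salt: bytes
    password_hash: bytes   # something you know (derived)
    totp_secret: bytes     # something you have (shared with the token at enrolment)


def authenticate(user: UserRecord, password: str, code: str, at: int) -> bool:
    """Two-factor check: both the knowledge factor and the possession factor must pass.
    Both checks always run, so a failure does not reveal which factor was wrong."""
    pw_ok = verify_password(password, user.salt, user.password_hash)
    otp_ok = verify_totp(user.totp_secret, code, at)
    return pw_ok and otp_ok


# Constructed sample values (not real credentials).
SAMPLE_SECRET = b"12345678901234567890"      # RFC 6238 test-vector secret
SAMPLE_SALT = b"constructed-salt-value"
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_USER = UserRecord(
    username="alice",
    salt=SAMPLE_SALT,
    password_hash=hash_password(SAMPLE_PASSWORD, SAMPLE_SALT),
    totp_secret=SAMPLE_SECRET,
)


if __name__ == "__main__":
    now = 59  # fixed time so the run is reproducible; a real server uses time.time()
    good_code = totp(SAMPLE_USER.totp_secret, now)
    print("token shows:", good_code)
    print("password + token :", authenticate(SAMPLE_USER, SAMPLE_PASSWORD, good_code, now))
    print("password only    :", authenticate(SAMPLE_USER, SAMPLE_PASSWORD, "000000", now))
    print("token only       :", authenticate(SAMPLE_USER, "guess", good_code, now))
```

Note that the server never stores the password itself, only the salted hash, while it must store the TOTP secret in a form it can read, since it has to recompute the code; that secret therefore deserves the same protection as a password database. The drift window of one step each way is a usability trade-off: a wider window makes a leaked or observed code usable for longer.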