Applications of all sorts—whether you use them as part of your job or in other day-to-day activities—give users access to a service through authentication. Depending on the sensitivity of the information filtering through the app, different types of authentication methods are required, each corresponding to different risk levels.
In an era of ever-increasing data breaches, username and password credentials are no longer sufficient for authenticating access. Instead, organisations should stack multiple authentication factors together, while understanding that each factor has its own unique strengths and weaknesses.
Types of Authentication Factors
Each kind of authentication is called a factor. They’re used to verify a user’s identity and block access to anyone who isn’t who they claim they are. These factors are divided into three groups, ranging from those with the lowest assurance level to those with the greatest assurance level.
Knowledge factors: These are things the user knows, such as passwords or answers to security questions.
Possession factors: These are things the user has in their possession or can act on. This includes SMS codes sent to mobile devices, one-time passwords (OTPs) sent via email, and push notifications.
Biometric factors: These are things the user is. Biometrics include fingerprint scanning or facial authentication.
While these factors may feel like they’re secure enough on their own, there are security considerations that must be understood before deciding which to use to secure your organisation’s resources and data.
Secure Authentication Across Factors
When implementing a tool for verifying user identity, it’s important to understand that some authentication factors are stronger than others—and the ones you think are the most secure may actually be easy to compromise. Security questions, for instance, are used in applications ranging from email to online government portals. A large study on account recovery at Google showed that answers to security questions are both easy for attackers to guess and difficult for users to remember.
Sending an SMS code is another factor that isn’t as secure as it appears. In fact, the National Institution of Standards and Technology no longer endorses SMS codes as an authentication tool because attackers can very easily intercept a message meant for someone else’s phone. Physical USB keys or mobile devices with an authenticator app can be lost or stolen, and once an attacker has access to a possession factor, the resource’s identity verification is compromised. Though they’re considered to be the strongest, even biometric factors like fingerprints and facial verification also have weaknesses. We’ve all seen the trick to lift fingerprints using a piece of tape, and other biometrics can also be replicated in order to trick applications to verify a user’s identity.
Adaptive Multi-Factor Authentication (MFA)
Part of deploying a secure authentication method means understanding the risks posed by each factor, and combining them effectively to mitigate those risks. An adaptive approach that evaluates varying circumstances like network, geography, IP zone, and others can help align potential authentication factors to the risk level.
For instance, if your organisation’s internal database receives an authentication request from a user that is on your network and located within your organisation’s city and zip code, a password and medium-to-high assurance authentication factor like a physical key or biometric factor is probably all you need to verify that user’s identity. However, if the request comes from an unknown network, or from a city that’s new for that user, you might consider adding a mobile push request to help prove their identity.
Even though they may sit at different points of the assurance scale, all authentication factors have weaknesses. Organisations looking to better secure their data—and that of their workforce and customers—need to implement an Adaptive MFA approach that assesses the risk of each unique login request, and selects authentication factors accordingly.
An OTP and its sibling, time-based one-time passwords (TOTP), are unique temporary passwords. Using an OTP means that hackers won’t be able to use your stolen credentials since only your username will be valid. This is a way to significantly protect sensitive data, such as banking credentials.
An OTP can be created in various ways. The traditional way is to use grid cards, but a hacker can easily replicate these. A solid alternative is a security token, a hardware device designed to generate OTPs. Unfortunately, it’s expensive, so the best – and cheapest – way to protect yourself is to use an authenticator app that you easily carry around on your phone.
30% Discount for First-Time RoboForm Users (Ad)
Use our special promotional code below and if you haven’t used RoboForm before you can enjoy RoboForm Everywhere or Family for as low as $1.16 per month, saving 30% on the subscription fees.
Use this coupon while placing your order: BR60
Click to Reveal Coupon
Biometrics Authentication
If there’s one thing that you always have with you, it’s your body. Biometric scans are a common authentication method in large companies. Your fingerprint, face pattern, hand geometry, and eyes are all unique to you and stealing them is almost impossible. You don’t even need those ominous machines you see in old sci-fi films – with the right calibration, a smartphone will do the job. Biometric authentication is bullet-proof since stealing your physical traits is much harder than hacking a password, text message, or smartphone.
Unfortunately, biometric scanners are unpredictable. A cut on a finger and red eyes are problematic, but biometrics scanners can even be fooled by forged images such as a Facebook profile picture. While developers are working hard to rectify this, it seems unlikely that biometrics will replace passwords in the near future.
Continuous Authentication
Continuous authentication means what its name suggests: it regularly identifies you during a session. This is likely familiar to those who often use online banking services, as most require you to enter your authentication code when signing in and then again to validate a transfer. When used with other online accounts, this form of authentication monitors your behavior and regularly verifies your identification by asking for your password, generating a unique password again, or requesting a biometric scan. While it offers increased security due to the repetitive nature of its authentication, it also faces the same problems as the methods previously mentioned.
The Three Factors of Authentication
There are three authentication factors to talk about when you use any of these methods: knowledge, possession, and inherence. The knowledge factor is the most self-explanatory, as it involves authentication based on information you already know. This can be anything: usernames, passwords, the name of your favorite childhood action hero, the ultimate question of life, etc. The more information you provide – that is, answering numerous personalized questions – the harder this factor is to crack, making it a great first line of defense. The possession factor refers to a physical item, such as the device you use for work, your personal smartphone, or a security key. The inherence factor is closely connected to biometric authentication, as it’s something specific to you. It can involve any physical trait, such as your fingerprint, retina, face, or even voice.
So, which one is the best then? Neither and all, you might say, since these three factors work best when combined. Come up with a complex password, use an authenticator to generate a one-time code, add a retina scan on top, et voila, your account will be impenetrable. Admittedly, this all sounds very complex and seems like a lot of effort when you have multiple accounts. Luckily, password managers like 1Password can help since they generate extremely complex passwords and support OTP. Combining a password manager with a security key, for instance, makes authentication as safe as it can possibly get.
Best Password Managers of 2022
RankProviderInfoVisit1
Editor's Choice 2022- Fantastic security
- Flexible platform
- Reasonably priced
- Easy-to-use
Review:
Visit KeeperUp To 30% Off
2
- Simple and straightforward client
- Categorization of stored credentials
- Biometric authentication
- Versatile customer service
Review:
Visit
3
- End-to-end encryption
- Secure authentication method
- Data breach alarms
- User-friendly interface
Review:
Visit
Get the Best Deals on Password Managers
Subscribe to our monthly newsletter to get the best deals, free trials and discounts on password managers.