Identity protection — Multi Factor Authentication

“Touch me, look at me, talk to me”

Multi factor authentication

It is very important to protect our accounts and data. Not so long ago a simple username and password were sufficient. But they’re not anymore. To effectively protect our identity, we must start using multi factor authentication. In this article I’d like to introduce key security concepts, authentication methods and different types of authentication factors.

CIA Triad

When we think about security we should think about preventing IT losses. There are three main areas in which security can be compromised, known as the CIA Triad — Confidentiality, Integrity, and Availability.

To prevent unauthorized access to systems and data that could result in the loss of confidentiality, integrity and availability, systems use different types of identification and authentication. Not so long ago, a simple username and password was sufficient to protect the system. With the increase in computing power, new attack vectors and the move to remote work, this is not sufficient anymore. The concept of dividing networks into secure and insecure is no longer valid. People work from their office, home or any other location, such as an airport, coffee shop or restaurant. To secure such access, it is necessary to change the way we think about security. The prevailing paradigm is the Zero Trust concept, in which you cannot trust a particular network or the place people are connecting from. You must always authenticate users whenever they access their systems and data.

One of the key concepts of Zero Trust is multi factor authentication. Before we go any further, let’s explain what identification and authentication are. Identification is the process of providing the identity of a user. It can be a username, a smart card or positioning your face in front of a camera. The key principle is that all users (subjects) must have a unique identity. This of course is not enough. Anyone could type anyone’s username. That’s why we need another factor that will authenticate the user, in other words prove that the user is who they claim to be. It is important to remember that identification and authentication form a two step process that always occurs together: identification is the first step and authentication the second one. The most common form of user authentication up until recently was a username and a password.

There are also two additional security elements that are tightly connected to the identification and authentication process — authorization and accountability.

Looking at these two additional aspects, the way we identify and authenticate users becomes even more important, since without a proven, easy and secure method we can’t be sure who accesses our resources.

Three+ factors of authentication

That’s why we need multi factor authentication. It is important to clarify and explain what the factors of authentication are:

In addition to the three characteristics above we can also recognize the Somewhere You Are characteristic — it identifies a user based on a specific computer or the location of that user. There are even more advanced techniques in use, especially in Mobile Device Management systems, which apply Context Aware Authentication based on the time of day, the location and the mobile device.

When we think about multi factor authentication, we always consider two or more different factors of authentication. For example, the use of two passwords doesn’t count as two factor authentication. On the other hand, the use of a password and a token, does.

Two step authentication

The new trend many applications are using is two step authentication. The most common example, although now believed to be not very secure due to the SIM Swap attack (simply put — a method of taking over someone else’s SIM), is the process of logging in to a banking system. After we provide a username and password, the bank sends an SMS message to our telephone number containing a code that we must enter in order to log into the system. The codes are generated using one of two standards:

Today we can use software authenticators like Google Authenticator or Microsoft Authenticator to provide two step or two factor authentication to our services. In this method, we connect a device to an application, for example Google Mail, and whenever we enter a username and a password, we also use a TOTP number that is generated by the software authenticator installed on our smart phone.

Biometrics

Biometric authentication has become even more important and popular in recent years, but it also carries some dangers that you have to be aware of. First of all, if you want to implement it in your organization, you have to know that biometric data is personal information and falls under the GDPR or other privacy regulations. And even when protected, some of the methods are not widely used, or are prohibited, because of what they can reveal about the user’s health. Below are the most popular biometric methods used today:

Summary

The single thing that we should remember is that using only a password for authentication will not protect our systems and accounts. Wherever possible, we should employ multi factor authentication.

We will be more than happy to show you and help you in implementing different methods of multi factor authentication. Just drop us a line!

Author: Jacek Bochenek, Cloud and Security Team Leader — CISSP, CISM, CCSP

jacek.bochenek@iteo.com

human-centric software design & development. check out our website: www.iteo.com
