Identity protection — Multi Factor Authentication
“Touch me, look at me, talk to me”
It is very important to protect our accounts and data. Not so long ago a simple username and password were sufficient. But they’re not anymore. To effectively protect our identity, we must start using multi factor authentication. In this article I’d like to introduce key security concepts, authentication methods and different types of authentication factors.
When we think about security we should think about preventing IT losses. There are three main areas, known as a CIA Triad, the security can be compromised — Confidentiality, Integrity, and Availability.
- Confidentiality — only authorized objects (people, other systems) can access our information or data. When an unauthorized person accesses our system, we have a loss of confidentiality. Example — unauthorized access resulting in an open path to personal information by unauthorized personnel.
- Integrity — it ensures that data or system is not modified without authorization. If unwanted or unauthorized changes are made, we deal with the loss of integrity. Example — an unauthorized person makes changes to bank transactions, resulting in loss of integrity.
- Availability — system and data must be available within a reasonable time and when they need it. If the system is unavailable or the data is not accessible, the result is loss of availability. Example — recent OVH Fire resulting in a total loss of data and prolonged unavailability of systems.
To prevent unauthorized access to systems and data that could result in the loss of confidentiality, integrity and availability, systems use different types of identification and authorization. Not so long ago, a simple username and password was sufficient to protect the system. With the increase of computer power, different attack vectors and the move to remote work, this is not sufficient anymore. The concept of dividing networks into secure and not secure is no longer valid. People work from their office, home or even any other location like airport, coffee shop or restaurant. To secure such access, it is necessary to change the way we think about safety. The most prevailing paradigm is a Zero Trust Concept where you can’t trust a certain network or where people are connecting from. You must always authorize users whenever they are accessing their systems and data.
One of the key concepts of Zero Trust is multi factor authentication. Before we go any further let’s explain what identification and authentication are. Identification is a process of providing the identity of a user. It can be a username, smart card or positioning your face in front of a camera. The key principle is that all users (subjects) must have a unique identity. This of course is not enough. Anyone could type anyone’s username. That’s why we need another factor that will authenticate the user or in other words that this is the user that it is claiming to be. It is important to remember that identification and authorization is a two step process that always occurs together. Identification being the first step and authorization the second one. The most common form of user authentication up until recently was a username and a password.
There are also two additional security elements that are tightly connected to the identification and authentication process — authorization and accountability.
- Authorization — Users are granted access to resources based on their proven identities.
- Accountability — Users can be held accountable for their actions when auditing is enabled.
Looking at these two additional aspects, the way we identify and authenticate users becomes even more important, since without a proven, easy and secure method we can’t be sure who accesses our resources.
Three+ factors of authentication
That’s why we need multi factor authentication. It is important to clarify and explain what the factors of authentication are:
- Type 1 — Something you know. Examples include password, PIN — personal identification number or passphrase.
- Type 2 — Something you have. Physical devices that users possess can help them provide authentication. Examples include smart cards, hardware token, USB drive.
- Type 3 — Something you are or something you do. It is a physical characteristic of a person identified with different types of biometrics. Examples include fingerprints, voice prints, retina patterns, iris patterns, face shapes, palm topology and palm geometry. Examples in the “something you do” include signature and keystroke dynamics.
In addition to the three above characteristics we can also recognize the Somewhere You Are characteristic — it specifies a user based on a specific computer or location of that user. There are even more advanced techniques used, especially in the Mobile Device Management systems where it uses Context Aware Authentication based on the time of day, location and the mobile device.
When we think about multi factor authentication, we always consider two or more different factors of authentication. For example, the use of two passwords doesn’t count as two factor authentication. On the other hand, the use of a password and a token, does.
Two step authentication
The new trend many applications are using is two step authentication. The most common, although now believed to be not very secure due to the SIM Swap attack (simply put — a method of taking over someone else’s SIM) is a process of logging to a banking system. After we provide a username and password, the bank sends to our telephone number an SMS message containing a code that we must enter in order to log into the system. The codes are generated using one of the two standards:
- HOTP — HMAC based One Time Password standard to create one time password
- TOTP — Time based One Time Password similar to HOTP, but it uses a timestamp and it remains valid for a certain number of seconds, for example 30.
Today we can use software authenticators like Google Authenticator or Microsoft Authenticator to provide two step or two factor authentication to our services. In this method, we connect a device to an application, for example Google Mail, and whenever we enter a username and a password, we also use a TOTP number that is generated by the software authenticator installed on our smart phone.
Biometrics authentication has become even more important and popular in recent years, but it also provides some dangers that you have to be aware of. First of all, if you want to implement it in your organization, you have to know that it is personal information and it falls under the GDPR or other privacy regulations. But even if protected, some of the methods are not widely used or prohibited to what they can reveal about the user’s health. Below are the most popular biometrics methods used today:
- Fingerprints — these are visible patterns on people’s fingers or thumbs.
- Face scans — they use geometric patterns of faces for detection and recognition. For example, Facebook uses face recognition software to add tag suggestions.
- Retina scans — they focus on the pattern of blood vessels at the back of an eye. This is the most accurate form of biometric authentication, and it can even differentiate between identical twins. But there are some ethical aspects of using this method as it can reveal medical conditions such as high blood pressure or pregnancy.
- Iris scans — they focus on the coloured area around the pupil. It is the second most accurate method of biometric authentication.
- Palm scans — palm scanners scan the palm of a hand for identification. They use near-infrared light to measure vein patterns in the palm, which are as unique as fingerprints.
- Hand geometry — it recognizes the physical dimensions of a hand. It is rarely used as it is hard to identify a person using this method.
- Voice pattern recognition — this type of biometric authentication relies on the characteristics of a speaking person’s voice, known as voice print. It is often used as a second biometric method but rarely as a sole method of authentication.
- Signature dynamics — it recognizes how a person writes a string of characters. The success of signature dynamics relies on pen pressure, stroke pattern, stroke length and the points in time the pen is lifted from the writing surface.
- Keystroke pattern — it measures how a person uses a keyboard measuring flight time (how long it takes between key presses) and dwell time (how long a key is pressed).
The one single thing that we should remember is that using only a password for authentication will not protect our systems and accounts. Wherever possible, we should employ a multi factor authentication.
We will be more than happy to show you and help you in implementing different methods of multi factor authentication. Just drop us a line!
Author: Jacek Bochenek, Cloud and Security Team Leader — CISSP, CISM, CCSP