Passwords are the most common way users confirm their identities so they can be granted access to a given system. However, passwords are also considered a weak form of authentication, so alternative or complementary methods are being used to verify the identity of the user. In this post, I will describe the factors that are most commonly used along with their strengths and weaknesses in order to provide the foundation for a discussion of a multi-factor authentication strategy.

What is authentication?

Authentication is the process of confirming that a person (or user) is who they say they are. There are three classic “factors” that can be used to confirm a user’s identity:

  • Using something only the user knows
  • Using something unique the user has
  • Using something that only the user is

Other factors that can sometimes be used are based on time and location. For example, you could limit valid logon hours for a particular user given their work schedule or limit the locations from which a user can attempt to log in, using geo-location information. These factors tend to be used only in very specific scenarios, so they are mostly relegated to complementing the classic authentication factors. Let’s take a closer look at each of the classic authentication factors.

Something you know

Authentication through something only the user knows (most commonly a password) is the most widely used of all the classic factors. Passwords provide a simple and mostly inexpensive way to perform authentication. Passwords can range from simple 4-digit PIN numbers to complex alphanumeric passphrases.

Due to their prevalence, the use of passwords has been subject to intense scrutiny and is generally considered to be a weak form of authentication. Their biggest weakness is that users tend to have some bad habits when it comes to choosing their passwords, basing them on information that can be easily guessed or not making them complex enough to withstand a brute force attack. Sometimes, however, bad password policy has something to do with it. Some of these weaknesses can be addressed with education and training (for both users and the IT staff).

Something you have

This factor is also in widespread use, most commonly in the form of ATM cards. The basic principle is that the “something you have” is a unique item possessed only by a certain person and the system will accept it as proof of identity of an authorized user.

There are many ways this factor can be implemented in computer systems, using items such as smartcards, USB tokens, wireless tokens/cards and, more recently, mobile phones as tokens (via SMS text or downloaded apps). There are several issues to consider when evaluating the use of these types of solutions, including deployment costs, hardware/software requirements, usability, user acceptance, item durability, etc.

Stealing the item is the first way an attacker could attempt to compromise this type of system. In this scenario, the attacker has a limited window of opportunity before the owner reports the loss and the stolen item is rendered invalid. Copying the item may be more effective, though some items include copy-protection mechanisms to prevent the success of such an attack. Man-in-the-middle attacks may be more complex to execute in some cases, but they can be far stealthier and more effective. Take for example the recent compromise of RSA tokens. Another example is the rise of mobile malware, where the compromise of the mobile phone also leads to the compromise of the authentication factor.

Something you are

Using something you are as an authentication factor is essentially using a biometric reading from the user (via a fingerprint, voiceprint or iris scan) and comparing it to an archived recording for that user.

Biometric readings are usually stored as a hash resulting from a mathematical algorithm applied to the reading. The comparison is then made between two hashes and if they have enough similarities, it will be accepted as good enough and the user granted access. Biometric devices therefore can result in a false reading being accepted as true (false positive) or a valid reading being rejected (false negative). Manufacturers measure these errors using the False Acceptance Rate (FAR) for the percentage of false positives and the False Rejection Rate (FRR) for the percentage of false negatives. To better compare the accuracy between two readers however, the Equal Error Rate (EER, the rate at which both types of errors are equal) should be used. A device with a lower EER is usually more accurate. This type of authentication also presents other challenges in its implementation, including higher costs, user resistance and hardware requirements. Also of consideration is the process of capturing the initial reading of the user (“enrollment”) into the biometric system.
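
To make the FAR/FRR trade-off and the EER concrete, the following added example (not from the original post) computes all three from a small set of constructed match scores. The score scale and the "accept if score >= threshold" rule are assumptions; real readers use vendor-specific scoring.

```python
# Added example: FAR, FRR and EER computed from constructed match scores.
# The scores are made-up similarity values in [0, 1]; a real reader's
# scoring scale and decision rule are vendor-specific (assumption).

GENUINE = [0.91, 0.85, 0.78, 0.88, 0.62, 0.95, 0.81, 0.73, 0.69, 0.90]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.66, 0.19, 0.52, 0.71, 0.30, 0.45]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when a reading is accepted if score >= threshold."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold and return the operating
    point where FAR and FRR are closest, as (threshold, far, frr, eer).
    With finite samples the two rates may never be exactly equal, so the
    EER is reported as their average at the closest point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr, (far + frr) / 2


if __name__ == "__main__":
    # A lax threshold admits impostors; a strict one rejects valid users.
    for t in (0.50, 0.69, 0.80):
        far, frr = far_frr(GENUINE, IMPOSTOR, t)
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    t, far, frr, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER = {eer:.0%} at threshold {t:.2f}")
```

Lowering the threshold trades rejected valid users for accepted impostors, which is why a single FAR or FRR figure quoted without the other says little about a reader.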

Some biometric readers are also vulnerable to man-in-the-middle attacks, where an attacker can capture the reading, record it as it is being sent and replay it at will. Also, biometric readings can be copied or faked (duplicating a fingerprint with a gelatin fake or capturing a voice recording, for instance) and are more difficult to change. A user can change a compromised password or receive a new smartcard, but a user cannot easily change their voiceprint, for instance.

Another aspect that has sometimes been linked to the biometrics category is “how you behave”. This aspect is usually used as a way to corroborate an already established identity, rather than provide the initial verification. The best-known example is when a credit card transaction breaks known usage patterns and casts doubt on its validity. Currently, DARPA is looking for new ways to authenticate users through their behavior without interrupting their normal activities.

Here, we examined the different authentication factors available and some of their individual strengths and weaknesses. Next time, we will take a look at what true multi-factor authentication is and what to look for when considering the use of a multi-factor strategy.