Recently we discussed how to successfully fight off phishing attacks by using a security key as part of your security plan. We thought we would take a moment and take a deeper dive into the differences between the three factors of authentication: something you know, something you have and something you are. These factors can be used in any combination and, depending on your organization’s security requirements, can be either 1FA, 2FA or MFA (single-factor, two-factor or multi-factor authentication). The more steps you require to grant user access, the more secure your systems and data will be.
Something You Know: This is the most commonly used factor, and the one most of us are familiar with. Something you know can be a password or a personal identification number (PIN). Cracking passwords is also the most common method used by hackers to gain access to your data. While there are best practices, such as mixing upper/lower case letters and adding numbers and special characters, to make cracking passwords more difficult, enforcing them requires a formalized credential policy to be in place. Moreover, human nature is such that more often than not people will make passwords which are easy to remember. The irony is that such a password will also be the easiest to crack.
The secret to a successful password policy is to encourage your team to create complex, but user-friendly, passwords. Fortunately, there are techniques to create complex yet memorable passwords. These techniques include swapping out letters for numbers and characters, as well as increasing the character length. So, for example, the password ‘I love cats!’ becomes ‘3yeLuvKat$!’. This password is more complex but should be easier for the user to remember because it is relatable to an interest they have.
There are some downsides (despite the increased security) to requiring the user to remember a complex password without context. A password which is a string of random numbers and letters will most likely not be retained, increasing the chance the user will write it down somewhere, defeating the purpose of having a secure password.
The solution to this issue is having a credentials policy, which provides your team with the information needed to create a secure password, without creating an environment in which they feel they need to take shortcuts to be productive.
Something You Are: This biometric factor verifies that you are physically who you claim to be, as opposed to the virtual authentication of what you know. Common biometric methods include fingerprints, handprints, and retinal scans. Fingerprint scanners are the most common in consumer-grade authentication, being used on smartphones, laptops, keyboards, USB and other devices.
As biometrics are unique to each person, they are one of the most robust methods of one-factor authentication, particularly when it comes to securing physical devices, such as laptops and smartphones. If you include biometrics as part of a multi-factor authentication solution, you create an incredibly effective security solution.
Something You Have: This refers to a piece of technology which you physically have possession of when you wish to be authenticated. Known as a security key, this device is usually used as a part of two-factor (2FA) authentication: what you know (a password) and what you have (the key). As such, the user will need to have the key and a password to be granted access.
Also called a security or authentication token, a security key can be one of several device types: a USB, Bluetooth or NFC key; a smart card; or, in the case of a BYOD office, your smartphone. The security key is surprisingly simple to use. When you log into a site that requires 2FA, you insert your security key and, if it has a button, tap it: this verifies you are a real person and not a bot.
A security key is effective because even if a hacker manages to crack your username and password, without the key in their possession, they will not be able to access your account. This is the reason why true 2FA requires two unique and unrelated methods of authentication.
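As an added illustration of why possession of the key holds up even when the password has been stolen, the following is a constructed challenge-response model (not the page's own code, and not the FIDO/U2F protocol a real security key speaks; the names `login`, `device_response` and the sample user are assumptions):

```python
import hmac
import hashlib
import secrets

# Constructed, simplified model of "something you have": the server keeps a
# per-device secret, and the device proves possession by signing a fresh
# challenge. Real security keys use public-key signatures (FIDO/U2F); a real
# system would also use a slow password hash instead of plain SHA-256.
USERS = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),  # something you know
        "device_key": secrets.token_bytes(32),                           # something you have
    }
}

def password_ok(user: str, password: str) -> bool:
    """First factor: something you know."""
    rec = USERS.get(user)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return rec is not None and hmac.compare_digest(rec["password_hash"], candidate)

def new_challenge() -> bytes:
    """The server issues a fresh random nonce for every login attempt."""
    return secrets.token_bytes(16)

def device_response(device_key: bytes, challenge: bytes) -> bytes:
    """What the key computes when tapped; needs the secret held in the device."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()

def login(user: str, password: str, challenge: bytes, response: bytes) -> bool:
    """True 2FA: the password AND a valid response to *this* challenge are needed."""
    if not password_ok(user, password):
        return False
    expected = device_response(USERS[user]["device_key"], challenge)
    return hmac.compare_digest(expected, response)

def scenario():
    """Returns (legitimate login, replayed old response, guessed response)."""
    alice_key = USERS["alice"]["device_key"]
    c1 = new_challenge()
    legit = login("alice", "correct horse", c1, device_response(alice_key, c1))
    # The password has been phished and an earlier response was captured, but
    # the server issues a new challenge, so the old response is rejected.
    c2 = new_challenge()
    replay = login("alice", "correct horse", c2, device_response(alice_key, c1))
    # Without the device secret, a fabricated response also fails.
    guess = login("alice", "correct horse", c2, secrets.token_bytes(32))
    return legit, replay, guess
```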
Two-factor or multi-factor authentication requires that at least two different methods of authentication be used. In 2SV (two-step verification), the user is usually asked to provide a password and a PIN, both of which come from the same factor (something you know).
An everyday example of this difference is how you use your debit/credit card to make a purchase. If you go to the store, the retailer will ask you to present your card; you can’t just recite the numbers to them. You need to be in physical possession of the card and know your PIN for them to process the transaction. This is true two-factor authentication: something you know (the PIN) and something you have (the debit/credit card).
Contrast this with ordering online, where all you need is access to the card numbers, but not necessarily the card itself. This type of transaction falls under the umbrella of two-step verification: something you know, your security code (the three-digit code on the back of the card), and something you know, the credit card number itself, billing address, phone number, etc. The assumption is that if you know this specific information, you must physically be in possession of the card. However, as we are all painfully aware, credit card fraud is rampant, and it isn’t difficult to scan credit card information and the accompanying personal information as well.
Depending on what authentication your organization requires for security, one or all three factors may be necessary to prove your identity. One thing to remember is that providing authentication is a two-step process. The user ‘claims’ to have the correct identity when they submit their username, but authentication and access can only occur when the user proves it.
The more distance you can put between the two steps, the higher your level of security. When you use true 2FA or MFA, you increase the distance an attacker must cover to gain access to a span they will have a harder time closing, so they will most likely look for easier opportunities to cause mischief.