The Art Of Authenticating

Authentication is the access-control step that verifies a claimed identity, so that only the right, verified users gain access to a resource. Broadly, authentication comprises two steps:

  1. Identification: This is where the party on the other end (the user or client) claims an identity, for example by supplying a username.

  2. Authentication: Here, the claimed identity is verified. The system checks the credential the user presents against the verifier it holds for that identity (for passwords this should be a salted hash, never the password itself). If they match, access is granted; if they don't, access is denied.
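The two steps above, as an added example that is not part of the original article: a user table that stores only salted PBKDF2 verifiers, a constant-time check of a presented password against the stored verifier, and a login routine that does the same amount of work for an unknown username as for a wrong password. The user name, password and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 work factor (OWASP currently recommends 600,000 iterations).
# More iterations slow an attacker who steals the database, and slow us a little at login.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a storable verifier of the form  algorithm$iterations$salt_hex$hash_hex.

    The database stores only this verifier, never the password. The random per-user
    salt means two users with the same password get different verifiers, which
    defeats precomputed (rainbow) tables.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the supplied password and compare it to the stored one."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the response time does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def authenticate(username: str, password: str, user_db: Dict[str, str]) -> bool:
    """Step 1, identification: look up the claimed username.
    Step 2, authentication: check the credential against the stored verifier.

    Unknown user and wrong password both return False after the same amount of work,
    so neither the answer nor its timing tells an attacker which usernames exist.
    """
    stored = user_db.get(username)
    if stored is None:
        hash_password(password, salt=b"\x00" * 16)  # burn the same work as a real check
        return False
    return verify_password(password, stored)


# Constructed sample "database": one user whose password was hashed at enrolment.
USER_DB = {"alice": hash_password("correct horse battery staple")}

if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple", USER_DB))  # True
    print(authenticate("alice", "wrong password", USER_DB))                # False
    print(authenticate("mallory", "anything", USER_DB))                    # False
```

The point of the design is that a stolen copy of USER_DB gives the attacker nothing to log in with directly; they must brute-force each salted verifier at the full PBKDF2 cost.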

We authenticate ourselves every day, in one way or another:

  • When we unlock our cars or doors with keys.
  • When we unlock our phones with passwords, fingerprints, etc.
  • When we provide a badge before entering an office or building.
  • When we pass a reCAPTCHA test before a site lets us in.

The first three are acts of authentication. The CAPTCHA is a near miss worth noting: it checks that the visitor is probably a human rather than a bot, but it does not establish who that human is, so it is a challenge, not authentication.

IT ALL STARTED WITH PASSWORDS

Password authentication is the earliest and still the most widely used form of authentication in computing. Over the years, however, there have been many password attacks and breaches, most of them made possible by human error and negligence. Passwords are easily compromised, and the consequences are usually costly. Common human errors behind password attacks:

  • The use of weak passwords.
  • Sending passwords over unencrypted protocols (e.g. HTTP, Telnet, FTP).
  • Writing passwords down on paper and leaving them lying around.
  • Reusing passwords across multiple accounts.
  • Not changing default passwords on devices.
  • Sharing passwords with friends, colleagues, and family.

TIPS FOR MAINTAINING GOOD PASSWORD HYGIENE

  • Length matters more than character mix. Eight characters is the bare minimum; prefer a long passphrase (12 or more characters) and, where the system allows, check candidates against lists of known-breached passwords. Current guidance (NIST SP 800-63B) favours length and breach checks over mandatory mixes of uppercase, lowercase, digits and special characters, because composition rules push users toward predictable patterns such as "Password1!".

  • Do not reuse passwords across multiple accounts.

  • Do not use a family member's name, a pet's name, a hobby, or any dictionary word as your password.

  • Change default passwords on every device and application.

  • Do not write passwords down; use a password manager to generate and store a unique password for every login.

  • Set accounts to lock, or to impose increasing delays, after too many failed attempts. A temporary lockout or rate limit defeats guessing; a permanent lockout lets an attacker deny a user access simply by spamming wrong passwords.

  • Send passwords only over encrypted protocols such as HTTPS (TLS). SSL is the obsolete predecessor of TLS and should be disabled.

  • Do not share passwords.

  • Implement MFA to add an extra layer of security.

AUTHENTICATION FACTORS

An authentication factor is a category of credential used to confirm the identity of a user. There are three main authentication factors:

  1. Something you know (knowledge factor): This is the most common factor. It is anything the user knows, e.g. passwords, PINs, security questions, etc.
  2. Something you have (possession factor): This refers to something the user physically possesses, e.g. a hardware token, a phone running an authenticator app, an Automated Teller Machine (ATM) card, etc.
  3. Something you are (inherence factor, sometimes called the "being" factor): This refers to the physical characteristics of the individual, e.g. fingerprints, iris or retina patterns, face geometry, etc.

Each of these factors has its own weaknesses. Passwords can be guessed, stolen, or cracked. Biometric identifiers like fingerprints can be copied or spoofed, and unlike a password a compromised fingerprint cannot be changed. A possession factor like an ATM card can be stolen. Because of this, it is not advisable to rely on just one type of factor where strong security is needed. We should never take chances when it comes to securing our network and critical data.

To protect critical data and assets from attack, it pays to adopt a stronger authentication mechanism, and Multi-Factor Authentication (MFA) is the answer. MFA requires two or more different factors in one authentication process (two passwords are still only one factor). It adds a layer of security that an attacker who has stolen one credential still has to get past, reducing the risk of a breach. A typical example: when logging into your bank account you provide a username and password (knowledge factor, first step) and are then asked for a One-Time Password (OTP) sent to your phone or generated by an authenticator app (possession factor, second step). Codes delivered by SMS are the weakest form of this, since they can be redirected by SIM swapping; app-generated codes avoid that, though both can still be phished in real time.

A One-Time Password (OTP) is a unique, automatically generated string of digits or alphanumeric characters that is valid for a single login. It is either counter-based (HOTP, a fresh code each time one is used) or time-based (TOTP, a fresh code every fixed interval, typically 30 seconds), and the server must refuse to accept the same code twice.

Another example of MFA is a cash withdrawal at an Automated Teller Machine: you insert your card (something you have) as the first authentication step and then enter your Personal Identification Number (PIN, something you know) as the second.

WHERE WE ARE HEADED(THE FUTURE OF AUTHENTICATION)

Slowly but surely, we are moving towards a PASSWORDLESS FUTURE. The coming trends in authentication aim to balance security with user convenience. Where users once struggled to create, remember, store and secure passwords, authentication is becoming easier and less stressful, making security beautiful!

MFA will be adopted more widely, but in a more hardened form that replaces the knowledge factor (passwords) with more secure options: the inherence factor (biometrics) and the possession factor (hardware security keys and phones, including the FIDO2/WebAuthn passkeys built on them).

Artificial intelligence (AI) and machine learning (ML) are also being built into authentication. They monitor and collect data about a user's normal behaviour and, with that baseline, detect abnormal behaviour, block suspicious access attempts, and trigger additional steps to validate the user's identity; this is often called risk-based or adaptive authentication. Some of the signals used are:

  • Location: If a user normally logs in from a particular place, an attempt from somewhere else raises the risk score and prompts extra verification.
  • Device: If a user normally logs in from a specific device, the system records identifiers for it (a device fingerprint and the IP addresses it has used); an attempt from an unrecognised device prompts further verification of the user's identity.
  • Keystrokes: The model records the rhythm and delays with which the user types a password or passphrase, and flags a login whose typing pattern does not match.
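The three signals above combined into one risk-based decision, as an added example that is not part of the original article. It builds a per-user baseline from past successful logins, scores a new attempt by how far it departs from that baseline, and returns allow, step-up (demand a second factor) or block. The weights, thresholds, login history and IP addresses (RFC 5737 documentation ranges) are all constructed for the illustration; a real system would learn them from its own data.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class LoginAttempt:
    user: str
    country: str             # from IP geolocation in a real system
    device_id: str           # browser/device fingerprint or registered device ID
    ip: str
    keystroke_ms: List[int]  # delays between keystrokes while typing the password


@dataclass
class UserProfile:
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    typing_mean_ms: float = 0.0
    samples: int = 0


# Illustrative weights and thresholds (constructed for this example).
WEIGHTS = {"new_country": 40, "new_device": 30, "new_ip": 10, "typing_mismatch": 20}
STEP_UP_AT, BLOCK_AT = 30, 70


def _mean(xs: List[int]) -> float:
    return sum(xs) / len(xs) if xs else 0.0


def learn(profile: UserProfile, attempt: LoginAttempt) -> None:
    """Update the baseline. Call this only after a fully successful login (password
    and, if demanded, second factor); otherwise an attacker's failed attempts would
    teach the model their device and location."""
    profile.countries.add(attempt.country)
    profile.devices.add(attempt.device_id)
    profile.ips.add(attempt.ip)
    m = _mean(attempt.keystroke_ms)
    profile.typing_mean_ms = (profile.typing_mean_ms * profile.samples + m) / (profile.samples + 1)
    profile.samples += 1


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Add a weight for every signal that departs from what this user normally does."""
    score = 0
    if attempt.country not in profile.countries:
        score += WEIGHTS["new_country"]
    if attempt.device_id not in profile.devices:
        score += WEIGHTS["new_device"]
    if attempt.ip not in profile.ips:
        score += WEIGHTS["new_ip"]
    baseline = profile.typing_mean_ms
    # Typing rhythm more than 50% off the user's usual inter-keystroke delay.
    if baseline and abs(_mean(attempt.keystroke_ms) - baseline) > 0.5 * baseline:
        score += WEIGHTS["typing_mismatch"]
    return score


def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """'allow' on the password alone, 'step_up' to demand a second factor, or 'block'."""
    if profile.samples == 0:
        return "step_up"  # no baseline yet: verify with a second factor, then learn
    score = risk_score(profile, attempt)
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def build_profile(history: List[LoginAttempt]) -> UserProfile:
    profile = UserProfile()
    for past in history:
        learn(profile, past)
    return profile


# Constructed history: alice always logs in from Nigeria, on one laptop, at ~120 ms per key.
HISTORY = [
    LoginAttempt("alice", "NG", "laptop-01", "192.0.2.10", [110, 130, 120]),
    LoginAttempt("alice", "NG", "laptop-01", "192.0.2.10", [115, 125, 120]),
    LoginAttempt("alice", "NG", "laptop-01", "192.0.2.11", [120, 120, 120]),
]
USUAL = LoginAttempt("alice", "NG", "laptop-01", "192.0.2.10", [118, 122, 120])
TRAVEL = LoginAttempt("alice", "DE", "phone-77", "203.0.113.5", [119, 121, 120])      # new country and device
SCRIPTED = LoginAttempt("alice", "NG", "laptop-01", "198.51.100.9", [40, 50, 60])   # known device, pasted/scripted typing

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for attempt in (USUAL, TRAVEL, SCRIPTED):
        print(risk_score(profile, attempt), decide(profile, attempt))  # 0 allow / 80 block / 30 step_up
```

The SCRIPTED case is the one the keystroke signal exists for: everything about the session looks like alice's laptop except the way the password was typed, which on its own is not enough to refuse her but is enough to ask for a second factor.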

What about IoT? The cyber risk surrounding the Internet of Things (IoT) is already great, and with more devices connected each day it keeps growing. According to Cisco, 500 billion devices are expected to be connected to the internet by 2030. The more connected we become, the larger the attack surface and the greater the risk, and attackers are exploiting this. One way out is the Zero Trust security model. Zero Trust strengthens IoT security by trusting no request because of where it comes from (inside the network, or from a known device): every access attempt, by a user or a device, is authenticated and authorised before it is granted.