One of the words we toss around a lot when talking about information security is authentication.
So let's clarify: what is authentication?
In security, authentication is the process of determining whether someone (or something) is, in fact, who (or what) it is declared to be (definition from WhatIs.com).
Whether you are logging into your computer network at the office, checking your account balance on your bank website or visiting your favorite social media page, the process of authentication helps these sites determine that you are the correct person trying to gain access.
The Value of Authentication
When I was growing up in small town Minnesota, I used to walk into my local bank and the teller recognized me and knew that I was Michelle. This was one of the methods tellers used to know that I was the person who was able to deposit and withdraw funds from my account.
But today, when I log into my national bank’s website, there is no teller greeting me by name and confirming that I am Michelle. That’s where authentication comes in. When you authenticate your account, you are establishing your identity and telling the site you are trying to access that you are in fact the person that you say you are.
This process for establishing your identity to gain access to a system is typically two-steps: you must first identify yourself (i.e. username, account number or email address) and then you have to prove that you are who you say you are (authenticate yourself).
Ways to Authenticate
There are three methods of authentication: something you know (e.g. passwords), something you have (e.g. token keys), or something you are (a scanned body part, e.g. a fingerprint):
- Something you are tends to be the strongest and hardest to crack – it’s not easy to replicate an iris scan or duplicate a fingerprint. However, the technology to deploy this type of authentication is expensive and does not translate easily to all the ways we access resources. We are starting to see more adoption of this authentication (think iPhone 6 with the thumb scanner), but we are years away from this making serious headway.
- Something you have also struggles with widespread adoption because of the need for a secondary “something” in order to work properly. This typically takes the form of a one-time code that you get from an external source (a hardware token, a USB thumb drive or an app on your mobile phone). Traditionally, providing users with the device that delivers the code has been the biggest deterrent to wider deployment, but today, with most users having smart devices always available, the something you have method of authentication is gaining ground.
- Which leaves something you know… aka the ubiquitous password. No special hardware needed to scan any body parts. No additional tools needed to provide secret codes. This is why it is so important that you create passwords that are hard to guess (link to: password post). In most situations, your password is the only piece of information that other people do not know and the only way for you to keep your information secure.
Keeping Your Authentication Information Private and Strong
Revisiting the scenario of my local bank as a youth, if my friend were to go up to the teller and try to present a withdrawal slip for my account, the teller would be able to tell that she was not me and deny the transaction. But if that same friend were to attempt to login to my current banking account with my username and password, the site would not stop and say “Hey, you aren’t Michelle. Did you mean to log into your own site?” It would accept the username and password she provided and the bank would do business as usual as if it was me.
What About Two-Factor Authentication?
Two-factor authentication is a really good thing. It combines two different methods of authentication (e.g. a password and a token) to provide greater security when proving your identity.
Continuing with my online bank account example, if my friend had guessed the password to my account but I had two-factor authentication turned on, she would be denied access unless she also had my cell phone, knew the PIN to unlock it, and could open the application that provides the one-time code needed as the second verification method.
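To make the bank example concrete, here is an added illustration (not code from the original post) of how a site's login check behaves with and without a second factor. It is a self-contained Python sketch: the user store, usernames, passwords and secrets are all constructed for the example. Passwords are stored as salted PBKDF2 hashes (something you know), and the second factor is a one-time code computed the way authenticator apps do it (HMAC-based, RFC 4226/6238 style), so a correct password alone is accepted for a password-only account but rejected for an account with two-factor turned on.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

# Constructed in-memory user store for this example: {username: record}.
# A real site keeps this in a database; a dict is enough to show the checks.
USERS = {}


def register(username, password, enable_2fa=False):
    """Store a salted PBKDF2 hash of the password, never the password itself.

    Returns the shared one-time-code secret when 2FA is enabled (it would be
    shown once as a QR code for the phone app), otherwise None.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    record = {"salt": salt, "hash": digest, "totp_secret": None}
    if enable_2fa:
        # Something you have: the secret lives on the user's phone.
        record["totp_secret"] = secrets.token_bytes(20)
    USERS[username] = record
    return record["totp_secret"]


def verify_password(username, password):
    """Something you know: recompute the hash and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so a missing user takes the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 200_000)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["hash"])


def hotp(secret, counter, digits=6):
    """HMAC-based one-time code (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at_time=None, step=30):
    """Time-based variant (RFC 6238): the counter is the current 30-second window."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step))


def login(username, password, code=None, at_time=None):
    """Run the full check and return a short outcome string (useful for logs)."""
    if not verify_password(username, password):
        return "denied: bad username or password"
    record = USERS[username]
    if record["totp_secret"] is None:
        # Password-only account: whoever holds the password is treated as the owner.
        return "granted"
    if code is None:
        return "denied: second factor required"
    if not hmac.compare_digest(code, totp(record["totp_secret"], at_time)):
        return "denied: bad one-time code"
    return "granted"


if __name__ == "__main__":
    register("michelle", "correct horse battery staple")
    print(login("michelle", "correct horse battery staple"))      # friend with the password gets in
    phone_secret = register("michelle-2fa", "correct horse battery staple", enable_2fa=True)
    print(login("michelle-2fa", "correct horse battery staple"))  # password alone is not enough
    print(login("michelle-2fa", "correct horse battery staple", code=totp(phone_secret)))
```

The `at_time` parameter exists only so the code can be exercised deterministically; a real server uses the clock and usually also accepts the adjacent 30-second window to tolerate clock drift, and records used codes so one cannot be replayed.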
Many organizations now require two-factor authentication to establish a connection to their network from outside the office, and this is a smart move and can help protect you in case your credentials get compromised.
If any of your online accounts offer two-factor authentication, I encourage you to turn this service on to provide greater security to your personal information.