One of the words we toss around a lot when talking about information security is authentication. What does authentication mean?
What is Authentication?
In security, authentication is the process of verifying whether someone (or something) is, in fact, who (or what) it is declared to be.
Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
Definition from CSRC NIST
Whether you are logging into your computer system at the office, checking your account balance on your bank website, or visiting your favorite social media feeds, the process of authentication helps these sites determine that you are the correct person trying to gain access.
The Value of Authentication
Growing up in a small town, a person might have walked into their local bank, and the teller would have recognized them. This is one of the methods tellers used to know the person who was able to deposit and withdraw funds from their account was the right person.
Today, we log into our national bank’s website, and there is no teller greeting us by name. Other methods of authentication are required. When you authenticate your account, you are establishing your identity and telling the site you are trying to access that you are in fact the person that you say you are.
This process for establishing your identity to gain access to a system typically has two steps: you must first identify yourself (e.g. with a user ID, account number, or email address), and then you have to prove that you are who you say you are (authenticate yourself).
Ultimately, this decreases the chances of an impersonator being granted access to sensitive information that doesn’t belong to them.
Ways to Authenticate
There are three methods (factors) of authentication: something you know (e.g. a password), something you have (e.g. a token key), or something you are (a biometric such as a fingerprint or iris scan):
Something You Are
This tends to be the strongest and hardest to crack—it’s not easy to replicate an iris scan or duplicate a fingerprint. However, the technology to deploy this type of authentication is expensive and does not translate easily to all the ways we access resources. We are starting to see more adoption of this authentication method (think Face ID in iPhones), but we are years away from this making serious headway.
Something You Have
This has become increasingly popular given our general unwillingness to detach from our mobile phones. This type of access control typically takes the form of a one-time token key that you get from an external source (a key, your email, a text message, or an authentication app). Traditionally, providing users with the device that delivers the token key has been the biggest deterrent to wider deployment, but today with most users having smart devices always available, the something you have method of authentication is gaining ground.
Something You Know
The most common example of this is our passwords—no special hardware needed for bio-scans, no additional tools needed to provide secret codes. This is why it is so important that you create passwords that are hard to guess. In most situations, your password is the only piece of information that other people do not know, and the only way for you to keep your information secure.
Keeping Your Authentication Information Private and Strong
Revisiting the scenario of a local small-town bank, if a friend of yours were to go up to the teller and try to present a withdrawal slip for your account, the teller would be able to tell that they were not you and deny the transaction.
But if that same friend were to attempt to log in to your online banking account with your username and password, the site would not stop them from doing so. It would never ask, “Did you mean to log into your own account instead of your friend’s?”
The platform can’t tell the difference. Given the right combination, it will accept the username and password whether or not it’s the right person typing them.
Therefore, it’s imperative that you keep any potentially identifying information or authenticating devices to yourself.
What About Two-Factor Authentication?
Multifactor authentication (MFA) is a really good thing. MFA combines two different methods of authentication (e.g. a password and a token) to provide greater security when proving your identity.
Continuing with our online bank account example, if a friend were to have guessed the password to your account but you had MFA turned on, they would be denied access unless they also had your cell phone, knew the PIN to access the phone, and were able to pull the one-time code needed as a second verification method.
The same is true for attackers. If they’re able to crack your user credentials and MFA is enabled, they’re more than likely to be stopped just shy of access.
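The two points above (a site cannot tell who is typing a correct password, and a second factor stops someone who has only the password) are easy to see in code. The following is an added example written for this page, not code from the original post or from any product it mentions: a minimal login flow that stores a salted PBKDF2 hash instead of the password, verifies it in constant time, and, when a user has enrolled a phone-app secret, additionally checks a time-based one-time code (TOTP, RFC 6238). The user names, passwords and the shared secret are constructed for the example; the secret is the RFC 6238 test key so the generated code can be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumption for the example; tune to your hardware
TOTP_STEP_SECONDS = 30       # RFC 6238 default time step


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the digest is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """'Something you know': anyone holding the right string passes this check."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing for_time."""
    counter = int(for_time) // TOTP_STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, for_time: int, window: int = 1) -> bool:
    """'Something you have': accept the current window and +/- `window` neighbours
    to tolerate clock drift between the phone and the server."""
    for drift in range(-window, window + 1):
        expected = totp(secret, for_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def register(users: dict, username: str, password: str,
             totp_secret: Optional[bytes] = None) -> None:
    """Enrol a user; totp_secret is None when the user has not turned on MFA."""
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "hash": digest, "totp_secret": totp_secret}


def login(users: dict, username: str, password: str,
          otp: Optional[str] = None, now: Optional[int] = None) -> Tuple[bool, str]:
    """Step 1: identify (username). Step 2: authenticate (password, then OTP if enrolled)."""
    now = int(time.time()) if now is None else now
    record = users.get(username)
    # Same generic answer for unknown user and wrong password, so the login
    # form does not confirm which usernames exist.
    if record is None or not verify_password(password, record["salt"], record["hash"]):
        return False, "invalid credentials"
    if record["totp_secret"] is None:
        return True, "authenticated (password only)"
    if otp is None or not verify_totp(record["totp_secret"], otp, now):
        return False, "second factor missing or invalid"
    return True, "authenticated (password + one-time code)"


if __name__ == "__main__":
    users = {}
    rfc_secret = b"12345678901234567890"          # RFC 6238 test key (constructed demo data)
    register(users, "alice", "correct horse battery staple", totp_secret=rfc_secret)
    register(users, "bob", "hunter2")

    # A 'friend' who knows alice's password but does not hold her phone:
    print(login(users, "alice", "correct horse battery staple", now=59))
    # Alice herself, reading the code from her authenticator app:
    print(login(users, "alice", "correct horse battery staple", otp=totp(rfc_secret, 59), now=59))
    # Bob has no MFA, so the password alone is enough (the risk the text describes):
    print(login(users, "bob", "hunter2"))
```

Run as a script it prints a denial for the password-only attempt on the MFA-enrolled account, a success once the matching one-time code is supplied, and a success on the password-only account. The `window` argument in `verify_totp` is the usual practical caveat: too small and legitimate users with slightly skewed phone clocks get locked out, too large and each code stays valid for longer than it should.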
Many organizations now require MFA to establish a connection to their network and programs—a smart move to protect you in case your credentials get compromised.
If any of your secure systems offer MFA, I encourage you to turn this service on to provide greater security to your personal information.
Authentication has become a useful practice in protecting information for both companies and people alike. Strong passwords, good sharing habits, and MFA tools are all ways to help keep your accounts and networks safer from compromise.
For more tips and tricks on preventing attacks to your network, or to work with a security provider to improve your business’s security practices, visit frsecure.com.