Authentication
Before we get started on Crypto, it makes sense that we talk a bit about authentication.
Authentication is our first step in access control. It allows us to confirm that a user is who they say they are.
Obviously, this is an important part of security. We have designed our application to have different levels of access, and to lock data down so only those who should be able to access it can. Just letting anyone log into the system as a user on trust ("Yeah, you say you are Dan, off you go") is a bad thing.
So let's discuss the three factors of authentication:
Factor 1: Something you Know
This is the simplest (to implement) and the most commonly used factor. It's also probably the easiest to exploit.
Something you know is information stored in *your memory* that (in theory) only you should know. Examples of this include:
- Passwords
- PINs
Note
True, we use email addresses (or usernames) as part of the authentication process: they let us know which user is trying to use the system.
However, they don't really pass the "only known by you" test. Most organisations have a list of users and email addresses somewhere on their home page, so it's usually trivial to obtain this information.
One problem with these methods is the human memory aspect:
- We all know that good passwords are long, but they then become much harder to remember.
- We all know that reusing passwords is a bad idea, but trying to remember 10 or more strong passwords is nearly impossible.
- Company rules on passwords (letters, numbers and symbols) also contribute to making passwords hard to remember.
Choosing a strong password isn't that difficult. (Personally, I use a password manager.)
Warning
Don't use CorrectHorseBatteryStaple for a password. It's in the password lists already.
However, this factor of authentication isn't going to go away.
We will still need some way of authenticating if any of the other methods fail.
Factor 2: Something you Own
The second way of authenticating is using something you own. Usually this will be something you can carry with you (like a YubiKey or a mobile phone).
This can then be used to authenticate. For example, an organisation may send you a text with a code that can be used for the "Something you know" element of authentication.
Example
My bank has given me a card-based authentication device. When I try to make a transaction, it prompts me to generate a code using the device. If the codes match, then I can finish the transaction.
Other examples of things you own include the NFC cards we use to get access to the labs.
One issue with something you own as a method of authentication is that you have to carry it with you. If the device used to generate the tokens is lost, damaged, or forgotten, you cannot get access to your accounts.
Factor 3: Something you Are
Basically biometrics, so things like fingerprints or facial recognition.
While this is probably the strongest method of authentication, it also comes with a lot of problems. Some types of biometric authentication can be broken (in awesome ways).
Additionally, we have the problem of false positives and false negatives. Like all technology, biometrics are not bombproof, and at times they will fail to authenticate correctly.
Factor 4: Where you are
So far we have looked at the three most common forms of authentication. Using geolocation is reasonably rare. However, it can be used to help detect anomalous activity, which could be used as part of the authentication process.
One example of this could be detecting bank fraud. The bank knows you live in the UK, and has a pattern of behaviour that shows you use UK-based cash points.
If you start making transactions in France, then one of two things has happened:
- You are on holiday
- Someone else is using your details
Like biometrics, this has the potential for false positives: if you are on holiday, blocking your account would ruin it. However, the location information can give some insight into when normal behaviour has changed.
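As an added example (not code from the original notes), the following Python sketches how a bank might treat location as a signal rather than a hard rule: a baseline of usual countries is built from a constructed transaction history, an unfamiliar country triggers a step-up check (ask for another factor) instead of a block, and only a physically implausible jump between countries goes to manual review. The history, the 20% baseline share and the three-hour gap are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed transaction history for one account: (time, ISO country code). Not real data.
HISTORY = [
    (datetime(2024, 3, 1, 9, 12), "GB"),
    (datetime(2024, 3, 2, 12, 40), "GB"),
    (datetime(2024, 3, 3, 18, 5), "GB"),
    (datetime(2024, 3, 5, 8, 30), "GB"),
    (datetime(2024, 3, 6, 13, 0), "IE"),
    (datetime(2024, 3, 7, 10, 15), "GB"),
]


def usual_countries(history, min_share=0.2):
    """Countries seen in at least `min_share` of past transactions form the behaviour baseline."""
    counts = Counter(country for _, country in history)
    total = sum(counts.values())
    return {c for c, n in counts.items() if n / total >= min_share}


def assess(history, when, country, min_gap=timedelta(hours=3)):
    """Classify a new transaction as 'allow', 'step_up' (ask for another factor) or 'review'.
    Location on its own never hard-blocks: the holiday case is a legitimate change of behaviour."""
    if country in usual_countries(history):
        return "allow"
    last_when, last_country = max(history)  # most recent prior transaction
    # A different country only minutes after the last transaction is physically implausible
    if last_country != country and when - last_when < min_gap:
        return "review"
    return "step_up"


if __name__ == "__main__":
    print(assess(HISTORY, datetime(2024, 3, 9, 11, 0), "FR"))  # holiday-like: step_up
    print(assess(HISTORY, datetime(2024, 3, 7, 11, 0), "FR"))  # 45 min after a GB payment: review
```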
Two Factor Authentication
You can see that each of these elements has a set of strengths and weaknesses. We can offset these somewhat using two-factor authentication.
With two-factor authentication we can improve security by using multiple ways of authenticating. Usually, this is in the form of something you know and something you own.
For example, when you try to log in to Google using your password (factor 1), they will ask you to enter a PIN that gets sent to your phone (factor 2).
The benefits of this are obvious. Even if someone gets your password, they still need the phone to complete the login. However, again we have the downside of needing to carry the device around with us to access data.
Summary
In this article we looked at the various methods of authentication. We also discussed two-factor authentication, and how it can make our systems more secure.
Password Managers #passwordManagers
This should be an interesting one...
Password managers are a hot topic. On one hand they make it easy to have a strong password for every site.
On the other, they must be a tempting target for a hacker.
If they can break into the password manager, then they have access to everything.
Using Aula Feed, discuss your views #passwordManagers
- Do you think they are a good thing?
- What weaknesses do they have?
- Is there any information you wouldn't store in a password manager?
Further Reading (or Watching?)
Found the following video on password security. Good to see I am not the only university lecturer who likes sitting around talking about this stuff.