Authentication is one of the biggest challenges in information security. We can have all kinds of technical security measures in our systems. There are various controls we can have at the data level. But we still need to allow people to use the systems and get to the data. I should say... we need to allow the right people to use the systems and get to the data! Authentication is how we decide who the right people are.
Federal regulations like HIPAA, PCI, IRS 1075 and others have major focus on minimum necessary. That is, giving a user the minimum access they need to do their job.
Wikipedia defines authentication as: (from Greek: αὐθεντικός; real or genuine, from αὐθέντης authentes;
author) is the act of confirming the truth of an attribute of a datum
or entity. This might involve confirming the identity of a person or
software program, tracing the origins of an artifact, or ensuring that a
product is what its packaging and labeling claims to be. And Webopedia has: The process of identifying an individual, usually based on a username and password. Interesting that this latter definition directly refers to username and password.
There has been plenty of news in the past couple of years of breaches involving theft of a password file (encrypted or unencrypted) and customer/citizen personal data. Example like: eHarmony, LinkedIn, South Carolina Dept. of Revenue, and Utah. Many of these attacks involved exploiting authentication.
We've also read about the poor choices people make for their passwords. I've discussed passwords in the past here and here. But is the problem that people choose poor passwords or are passwords just a poor choice as an authentication mechanism?
Most of you have heard of the 3 factors of authentication: something you know; something you have, and; something you are (or do).
Something you know typically means a password or passphrase, but also includes anything you need to remember such as a PIN.
Something you have is often referred to as 2-factor authentication. It typically means having a hardware token or smart-card that displays a time- or sequence-based PIN or string that is entered in addition to the password. There are also other mechanisms to deliver the information such as a soft-token, an SMS text or voice.
Something you are or do typically refers to biometrics. This includes fingerprint and other readers, as well as things like typing cadence.
The issue is that each of these methods have problems and vulnerabilities. And simply combining factors doesn't necessarily solve the problems. What we really have is:
The 3 Factors of Fail:
1. Something you Forgot;
2. Something you Lost, and;
3. Something you Were (or Did)!
Over the next few posts I will dive into each of these areas to discuss why they used to work and why they no longer do. And, since I'm all about solutions rather than just admiring the problem, I'll sum up with some thoughts about what can work.
Please chime in with your thoughts, stories and experiences!