Each of the 3 factors of authentication have serious issues when used individually. The challenge is that we need to log a person into a system or application in a way that reasonably assures the person is who they say they are and has rights to the system. And, perhaps most importantly, any method we use has to work well for people!
So, how do we find a solution?
The key is to think about the user and the use.
For example, is the user a customer or an employee with whom you already have a relationship? Is the user a tech worker or a web newbie? What control, if any, do you have over the hardware and software being used? What is the classification of the data you need to protect? Are there additional regulatory requirements? What are the threats and risks?
If you have decided on an authentication method, here are some additional questions to consider:
- is it susceptible to a replay attack?
- does it need to be available anywhere?
- are there any easy "manual" workarounds? such as a help-desk attack?
- is it single-use? (like one-time passwords)
- is it easy enough for your users?
Here are a few examples of well-applied authentication:
- biometric authentication for entrance to a high-security building or room - badges are typically used, but anyone can be in possession of a badge. If you have an area that needs higher security physical controls, biometrics or perhaps a keywatcher-type system can be used.
- One-time passwords - using tools like Google Authenticator or Yubikey. I like the use of smartphone app or sms for one-time passwords because users are less likely to leave their phone (rather than a hard token) with their computer. This is a great choice for websites.
- long passwords! + vault - Unfortunately, passwords as a stand-alone authentication method will still be with us for a while. Among the problems with passwords is that people make poor choices. Long alphabetic passphrases are easier to remember, but I still recommend the use of long random passwords and a vault.
- userid + password + fob - for local access to critical assets like routers, switches and firewalls.
- remote access with risk-based authentication - we discussed risk-based authentication in part 5. People may attempt to login in a variety of situations. Risk-based authentication can help measure the potential threat and challenge for additional levels or factors.
This is the end of this series of posts. It's been an interesting thought process and I'll be pulling these posts together for a talk for Secure360 in May, 2013 in St. Paul. I hope to see you there!