Authentication, at its core, is the act of verifying credentials. In the case of human beings, it’s as simple as answering the question, “Who are you, and how do I know for sure it’s you?”
Authentication is something we’re constantly engaging with in everyday life. It’s what’s happening when medical providers ask about your birthday, when bouncers at the club ask to see your ID, or when you’re looking out from your door’s peephole to see who’s knocking. Any of those possibilities may call for a different response. In order to pick the right one, you need to know who the offending doorknocker is.
The same principle applies to data or other business assets: If someone from the public internet is trying to connect to your private server, knowing who they are with high confidence is a critical step toward knowing whether you should give them full access, limited access, or just deny the request altogether.
Knowing what to do with a given user falls under the auspices of authorization, which is distinct but also tightly coupled to authentication.
Authentication Factors in Detail
Many websites ask you to create an account with a username and a password. Your username is an assertion of identity, but that alone is not enough to give someone access to your account. Anyone can claim to have the name “Alan Dracula,” but it’s the gatekeeper’s job to verify that claim. Passwords are one way of doing so. Ideally, you and only you know your password, so anyone who tries to login to a website as “Alan Dracula” without Alan Dracula’s password should be disallowed access. In other words, passwords are an authentication factor.
However, there’s plenty of evidence on why passwords alone are insufficient for secure authentication. That’s why MFA adoption has grown in recent years. Multiple factors instead of a single factor provide a greater degree of confidence that any given identity assertion (“I am Alan Dracula”) is actually true (“And my password along with my driver’s license proves it”).
There are three broad categories of authentication methods:
- Something you know.
- Something you have.
- Something you are.
Some add in a fourth or even fifth factor based on user behavior or location. In a business context, those are typically passive rather than something a user actively provides. For example, an analysis of your clicking patterns might provide a form of background validation but is rarely part of a gating decision at the time access is requested.
Passwords fall into the “something you know” category. It also covers security questions like “What is your first dog’s name?” Knowledge factors are almost certainly the most common authentication factor in use on the internet.
For this factor to work, very few people aside from the individual in question should know the knowledge in use for authentication. The more people that can provide a correct reply to a knowledge factor check, the more people can potentially compromise an account. Since knowledge of a childhood dog’s name is probably limited to a parent and the retired veterinarian that cared for them, that can be a reasonable knowledge factor for authentication purposes.
Do you swipe a badge before you start your workday? That’s a possession factor. These factors are objects that provide evidence that you are allowed access to your workplace. Your house keys perform a similar function for your residence.
Possession factors figure prominently in physical security, but there are plenty of applications in electronic security too. For example, hardware tokens, small devices that typically plug into a USB port, have risen in popularity for authentication purposes. By having a unique secret provisioned to that token, anyone who doesn’t have your specific token literally plugged into the device making the request is denied access. It’s like a physical house key but for the online world. Such devices also have buttons you need to press when using it to make sure the token is there and not being faked with software alone.
Time-based one-time-password (TOTP) schemas can be seen as a way of transmuting a knowledge factor into a possession factor through reasoning similar to that behind the hardware token. TOTPs require you to be in possession of a cryptographic secret that is used with the current date and time to generate a string of numbers that function as a limited-window password. Since most of us have those numbers generated by software on our smartphones and then input it into a separate device, it functionally becomes a possession factor.
“Something you are” is pretty nebulous as a definition. In practice, this factor usually means biometric information, such as a fingerprint or a voice pattern. This factor is one of the most convenient factors for users since you don’t need to remember a secret or carry something else in your possession. This ease of use has caused widespread adoption in the consumer market—with fingerprint readers becoming a normal part of many devices.
Such convenience comes at a cost. While it’s much harder to fake biometric information, it’s also not possible to change this data if stolen. Adversaries can make copies of fingerprints lifted from the physical world, and since you’re not literally keeping a copy of your finger inside your smartphone, a digital scan of your fingerprint can be stolen. When (not if) we have a data breach full of biometric data, the convenience of biometrics means users will need to replace the stolen factor with something completely new.
Combining Factors to Authenticate
As we defined it, MFA is an authentication schema that requires two or more factors to pass. Two authentication methods based on the same factor, such as passwords and personal questions, are not sufficient to qualify as MFA. The motivation behind authentication factors and MFA is less about piling on more hoops to jump through before you can start your next streaming binge, and more about ensuring that the hoops you have are meaningfully different enough from each other that someone compromising a single factor will have a hard time leveraging that success into compromising methods from other factors.
Authentication and MFA may seem basic on the face of it, but deep understanding of the concepts combined with thoughtful execution is critical for maximizing security at minimal cost.
When done correctly, MFA is one of the simplest and least expensive forms of security a company can implement.
More info on Devo’s MFA capabilities is available here.