Secure User Authentication: Might Makes Right
Oct 13, 2012 5:00 AM PT
While the benefits of adopting Bring Your Own Device as your mobile policy are appealing -- from increased productivity to lower costs -- a BYOD policy can also leave your corporate network more vulnerable than ever. The breaches regularly featured in the news remind us that all networks, no matter how large or small, risk being exposed to unauthorized users every day. Whether it's one device or multiple devices, companies must put a security policy in place to help prevent these breaches and take action once they do occur.
While security plans need to be customized for a company's needs with multiple layers of security, user authentication is always the front line of protection.
Lock The Door
User authentication is the most basic form of security. The logic behind it is pretty simple -- user authentication gives you the ability to prove your identity and allows you to access the information and resources you are entitled to use. If your authentication is weak, it doesn't matter how strong your encryption is, how sophisticated your security protocols are, or how impenetrable the hardware protecting the encryption key is: there may as well be no encryption at all.
When it comes to user authentication, stronger is always better (although it comes at a cost of convenience). Proving your identity involves using one or more of three possible factors:
- something you know (passwords, PINs, etc.)
- something you are (biometric: face, finger, voice, retina, etc.)
- something you own (driver's license, token, corporate badge, etc.)
The first two factors are fairly straightforward and commonly used, but ownership is a trickier concept in authentication. In the digital world, it sometimes means owning a piece of data such as a cryptographic key, rather than something physical.
If you ask a group of professionals which authentication factor is best, you will likely come across conflicting opinions. For example, some consider passwords better than biometrics, while others will argue the opposite, but who is correct? Is there one factor that is better than all of the others? The answer is -- it depends.
It depends on what criteria you are measuring the authentication mechanism against, and there are many dimensions to consider. For example, you could compare biometrics and passwords with respect to accuracy, convenience, ability to share, presence of a live person, usability, susceptibility to replay attacks, and so on. Your decision on what is important will determine which single factor is best.
When looking at authentication factors independently, you will see that each option has advantages and disadvantages, but when they are combined, they can be quite complementary. A weakness in one factor can be compensated by a strength of another, so the combination is much stronger than either factor could be on its own. Every organization should identify which attacks are most likely, which it is most vulnerable to, and then identify which factors protect against those threats best.
For example, with software-based authentication, passwords would secure an encryption key, but they don't protect adequately against threats such as key loggers, replay attacks, sharing, dictionary attacks, or even guessing. Most security schemes can't effectively deal with password sharing and guessing, yet people intuitively create easy-to-remember passwords, use the same password for multiple accounts, and share them with co-workers, family and friends, which leaves a large void in a secure network.
Often, unauthorized users don't have to do much more than guess to obtain access to secure networks. On the flip side, with fingerprint authentication, you run the risk of an attacker finding a latent print and creating a mock finger or the system producing a false positive. However, when the factors are combined, the resulting two-factor authentication is much more resistant to threats. For example, sharing, guessing and key logging attacks are not effective against the biometric, while the accuracy of password authentication (which is 100 percent) compensates for the inherent matching errors that accompany biometric technology.
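To make the "complementary factors" argument concrete, here is an added example (not from the original article) of a two-factor check: a password (something you know) verified against a salted PBKDF2 hash, plus a per-device key (something you own) proved by a challenge-response, so a key-logged password, a replayed exchange, or a stolen device with a guessed password each fails. The enrolment values, the Verifier class and the device_respond helper are all constructed for this illustration.

```python
"""Two-factor check: a password (something you know) plus a per-device key
(something you own), the key proved by challenge-response so a captured
password or a replayed response is not enough on its own."""
import hashlib
import hmac
import secrets

# Constructed enrolment data for one user; none of these are real credentials.
PASSWORD_SALT = b"constructed-salt-0001"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
DEVICE_KEY = b"constructed-device-key-0002"  # stored only on the enrolled device

class Verifier:
    """Server side: holds the salted password hash and the device key, never the password."""
    def __init__(self):
        self._pending = set()  # challenges issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, password, nonce, response):
        # A challenge is spent on first use, so a captured (nonce, response) pair
        # cannot be replayed even if it was valid when recorded.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        # Factor 1 (know): constant-time compare against the stored PBKDF2 hash.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
        know_ok = hmac.compare_digest(candidate, PASSWORD_HASH)
        # Factor 2 (own): only the enrolled device key yields this MAC over the nonce.
        own_ok = hmac.compare_digest(hmac.new(DEVICE_KEY, nonce, "sha256").digest(), response)
        return know_ok and own_ok

def device_respond(nonce, key=DEVICE_KEY):
    """Client side: the device answers the challenge with its key."""
    return hmac.new(key, nonce, "sha256").digest()

def demo():
    """Walks through the threats the article names; returns whether each gets in."""
    v = Verifier()
    n1 = v.challenge()
    r1 = device_respond(n1)
    legit = v.verify("correct horse", n1, r1)
    n2 = v.challenge()  # key-logged or shared password, but no device key
    keylogger = v.verify("correct horse", n2, device_respond(n2, b"attacker-guess"))
    replay = v.verify("correct horse", n1, r1)  # captured exchange, challenge already spent
    n3 = v.challenge()  # stolen device with the right key, guessed password
    guessed = v.verify("password123", n3, device_respond(n3))
    return {"legit": legit, "keylogger": keylogger, "replay": replay, "guessed": guessed}
```

Only the legitimate case succeeds; a biometric factor would slot in the same way, with its matching error tolerated because the other factor still has to pass.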
Although it may not be the most convenient option, you can always count on multi-factor authentication to be stronger and more secure than single-factor authentication.