The most common authentication system today is the combination of a username and a password. It relies on a secret shared by both parties (information the rest of the network is not meant to know). Even though password requirements are becoming stricter every day (mixed characters and numbers, upper and lower case letters, long passwords, periodic renewal…), there is always the possibility that someone obtains this information through a successful attack or through human error (let’s face it, we all know someone who has written their password on a post-it and stuck it to the screen…).
Security & two-factor authentication
A security breach can easily result from a keylogger, from access to the password store saved in the browser or, simply, from someone discreetly watching a user type their password. This is why multi-factor authentication appeared: users gain access to the system only after successfully completing two or more independent checks. Here we focus on two-factor authentication, in which users must combine two of the elements listed below to verify their identity:
• Information known to the user: Normally a password or PIN
• An element kept by the user: There are many options available, e.g., coordinate cards, physical cards, credit cards, mobile applications, or keychain token generators.
• A biometric element: Facial or voice recognition, eye or fingerprint scanning.
Different security methods are available and can be selected based on their cost and the criticality of the data that needs to be protected. The advantages of physical tokens are greater security and greater difficulty for unauthorized users to gain access, since the codes they display change every few seconds, generated by an algorithm synchronized with a central database.
The disadvantages are that users must carry them at all times and that, being small for convenience, they are easily lost and expensive to replace.
The coordinates card is a cheaper option, is easy to carry and is easily replaced, but it can also be copied and its codes are static. Moreover, those codes cannot be revoked until the card is reported missing or stolen.
Mobile App validation solution
A middle-way solution is to rely on mobile app validation. Nowadays almost everyone has a smartphone: it is easy to carry, you are less likely to forget it than a keychain token, and the codes it generates are dynamic rather than static. Many companies have started using this method to verify access to their accounts. For instance, organizations such as Google and Microsoft have developed their own apps based on this approach.
To increase security and flexibility, some companies offer the option of combining several methods. For example, some online banks allow users who have already entered their username to authenticate by scanning their fingerprint with their phone, by using a coordinates card, or by means of a second password of which only some digits need to be entered, so that a third party cannot capture the whole key.
What is clear is that security is becoming ever more important within our networks.