Do you know what Adobe, Apple, Sony, Yahoo and Twitter have in common?
Hint: Yes, they are mega-companies making hundreds of millions of dollars annually, but that’s not it.
Answer: They’ve all been hacked by cybercriminals who breached passwords.
That’s right — passwords.
How do they do it? How do hackers guess passwords containing uppercase letters, lowercase letters, numbers and symbols? Do they spend their every waking moment trying out new combinations? Are they psychic?
It’s actually easy for expert hackers to guess passwords, especially weak ones such as “12345” or “letmein.” To breach stronger passwords, hackers use password “crackers,” software that generates millions of letter/number/symbol combinations until the correct password is found. One type of password attack is the “dictionary” attack; the other is the “brute force” attack. Dictionary attacks use software that works through huge word lists until the correct password is detected. Brute force attacks try virtually every possible combination of password characters. Although a brute force attack may take ten times as long as a dictionary attack, a password-only authentication process that is targeted this way will eventually be thoroughly breached.
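From the defender’s side, both dictionary and brute force attacks leave the same footprint: a burst of failed logins for one account from one source, sometimes followed by a success. The following is an added example, not code from the original article or from Optimal IdM, that parses constructed sshd-style log lines (the format and the addresses are assumptions) and raises an alert when a source address accumulates a threshold of failures against a user inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not taken from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth sshd[101]: Failed password for alice from 198.51.100.7 port 5001
2024-03-01T10:00:02 auth sshd[101]: Failed password for alice from 198.51.100.7 port 5002
2024-03-01T10:00:03 auth sshd[101]: Failed password for alice from 198.51.100.7 port 5003
2024-03-01T10:00:04 auth sshd[101]: Failed password for alice from 198.51.100.7 port 5004
2024-03-01T10:00:05 auth sshd[101]: Failed password for alice from 198.51.100.7 port 5005
2024-03-01T10:00:06 auth sshd[101]: Failed password for alice from 198.51.100.7 port 5006
2024-03-01T10:00:07 auth sshd[101]: Accepted password for alice from 198.51.100.7 port 5007
2024-03-01T10:05:00 auth sshd[101]: Failed password for bob from 203.0.113.9 port 6001
2024-03-01T10:20:00 auth sshd[101]: Failed password for bob from 203.0.113.9 port 6002
"""

# Assumed line layout: "<iso-timestamp> <host> sshd[<pid>]: (Failed|Accepted) password for <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if the line is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_password_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per (source ip, user) pair that reaches `threshold` failed
    password attempts within `window`. A later success from the same pair is flagged
    because a guessing burst that ends in an 'Accepted' is the highest-priority signal."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # (ip, user) -> timestamps of recent failures
    alerts = {}
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            # Drop failures that have aged out of the sliding window.
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
            if len(failures[key]) >= threshold:
                alert = alerts.setdefault(
                    key, {"ip": e["ip"], "user": e["user"], "failures": 0, "success_after": False}
                )
                alert["failures"] = len(failures[key])
        elif key in alerts:
            alerts[key]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_password_guessing(SAMPLE_LOG):
        print(a)
```

With the constructed input, only the burst against `alice` trips the rule; `bob`’s two failures are fifteen minutes apart and never accumulate inside the one-minute window, which is the kind of slow, low-rate guessing a simple counter would miss and a longer window or an account-level view would catch.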
Authentication
The authentication needs of your database are likely to vary with the type of authentication in question. For new users, you should have a simple yet secure set of authentication factors that works with mobile devices and cloud-run services. To access programs like Adobe products without authentication errors, you must examine the behavior of the authentication services on the market today.
The Power of Multi-Factor Authentication — What It Is and How to Use It
Multi-factor authentication (MFA) should be part of all identity management programs designed to protect networks from devastating security breaches. Any information entered before gaining access to a computer system that is meant to authenticate someone, or prove they are who they claim to be, is considered authentication. Most authentication methods involve one item only — a password. Hackers rejoice when they discover a bank or company account is “protected” with passwords alone, since either a dictionary or brute force attack will ultimately give them access to sensitive information, cash, identities or, unfortunately, all three. With multi-factor authentication, hackers must crack several layers of security protected by multiple authenticators that include PINs, strong passwords, physical tokens such as debit cards requiring PINs or smartcards, and/or unique biometric identifiers such as retina or fingerprint scans.
Beyond The Password: Identity and Access
Each time you set up an account with a website, you are generally required to choose a password made up of assorted alphanumeric characters and symbols. While the purpose of each password is to protect your private data and user info on a given website, passwords become less secure as the overall number of passwords in use across the internet expands.
Back in the 2000s, most people only had six or seven passwords in total. Today, the majority of internet users are signed up to approximately 27 different websites, each of which requires a password. However, most people do not wish to create 27 distinct passwords. Instead, most people choose about four or five passwords that can easily be remembered and use those across a range of sites. The trouble is, the more each password is reused across the internet, the more accessible it becomes to hackers.
SSO: A Result of Federation
Today, people have the option of single sign-on (SSO), whereby each user on a given network can gain access to their various web accounts through a single login. The purpose behind SSO is to clear away the confusion and clutter of multiple passwords, which users often lose or forget when opening up accounts on various social media sites. With SSO, you can use Google sign-in to enter your YouTube, Facebook and Twitter accounts, all with a single click. While SSO has made the user experience easier for people on the internet, there are also weaknesses behind this type of access.
The main criticism regarding SSO is that it renders sites more vulnerable to hackers. For example, a hacker could gain access to the email address behind a random user’s social media account then use that address to join a different social media site that the user has not yet joined. Once the hacker opens this account, they could then gain access to the victim’s social media accounts using SSO.
Single Sign-On for Identity Management
With the ability to streamline company processes by providing customers and employees with easy yet secure access to systems, single sign-on is a powerful type of identity management that is rapidly making the transition to the cloud. SSO allows businesses to provide one-click access while managing identities and enforcing directory policies. In addition, SSO applications eliminate password sprawl and offer higher levels of assurance (LoAs) when combined with MFA. Companies secured by SSO can also terminate accounts instantly across all applications and eliminate the need for users to remember several different credentials, which usually results in replicated passwords and a compromised system.
Authentication vs. Authorization
Within the confines of a corporate federation, authorized personnel belong to a circle of trust, whereby each user can log into a network with their credentials. Once the user is logged into the network, they can access various other sites without having to re-enter info or log in separately to each site. While a user may be asked at times to re-authenticate their identity, each user is trusted within this circle because logins are only granted to authorized personnel, such as employees.
In a circle of trust, authentication is referred to as the login credentials of each individual. As an authorized user of said network, you would log in with your username and password. From there, you could access other sites or programs within the network, all without the need to reenter your info time and time again. Authorization, on the other hand, refers to the sites and programs that you can and cannot access depending on your rank and designation within the company.
Multi-Factor Authentication
Before the 2010s, single-factor authentication was enough for a user to log in to most online accounts and private networks. At the time, authentication rested solely on something that only you would know, namely your password. If you needed to retrieve a password, you could simply enter your email address and username and have a new password sent to you. Today, however, authentication relies on more than what you know.
Due to widespread data theft and site breaches, most sites and networks now require multi-factor authentication, where the user has to enter their mobile number and receive a verification code to retrieve a password or sign up for a network. If you need to prove your identity, some networks will require you to furnish a piece of physical property or a physical impression of yourself.
For multi-factor authentication, a piece of property would be something like a key or a fob, which you would carry around and use as a second piece of identity verification and proof of authorization. Another form of secondary authentication would be an impression of your physical self, such as your fingerprint or facial likeness. The fingerprint has become a common identifier in multi-factor authentication.
Buyer’s Guide to Multi-Factor Authentication
Today’s security-conscious organizations generally require multi-factor authentication (MFA) to strengthen the protocols that allow network access to authorized users. Before you settle on an MFA solution, however, there are various factors to consider about the type of authentication in question.
For an MFA solution to enhance security and improve the user experience, it must support the applications that run on your company’s network. Preferably, this should encompass local, cloud, and hybrid applications. The solution should be easy to employ on a network-wide scale. For the end-user, the MFA should be easy to understand and follow, provided the individual is authorized and can furnish their multi-factor authentication.
Before you decide on an MFA solution, also consider the costs involved with implementation and maintenance. If the second factor of authentication consists of a physical item like a key or a fob, how much would it cost to provide one to each authorized individual?
The Benefits of MFA
The benefits of multi-factor authentication can be summarized as follows:
- Simplicity: MFA allows you to set different levels of security that range from simple for average users to more complex for the user who deals with more sensitive data. This way, you have an encompassing security system that accommodates a range of skill sets and levels of tech-savviness.
- Productivity: When breaches occur, companies can be set back dozens of hours. With MFA, breaches are virtually impossible, and any infraction that does occur can be rectified instantly with new passwords issued on the double. As such, the risks associated with conventional security systems — stolen info, lost time/income, reputation damage — are non-factors with MFA.
- Compliance: Certain branches of the online corporate sector require the highest standards of security imaginable. With MFA, you can fulfill these requirements and also have a network that is accessible to the layperson.
- Compatibility: MFA is compatible with a range of working environments, including cloud systems.
MFA combines accessibility and security into an ironclad solution that saves time and money.
Higher Level of Assurance
Multi-factor authentication brings something to the table that primitive password use does not — a quantifiable measurement called level of assurance (LoA). A high LoA means that hackers must break through several layers of security, not just one.
Google offers further delineation of LoAs in relation to e-government transactions:
- Level of Assurance 1: Minimal confidence in the validity of someone’s identity — hackers breaching passwords, for example.
- Level of Assurance 2: Some confidence in the validity of an identity — may or may not be a hacker.
- Level of Assurance 3: High confidence in the validity of an identity — supported by multi-factor authentication.
- Level of Assurance 4: Very high confidence in the validity of an identity — supported by multi-factor authentication.
Currently, the most popular form of multi-factor authentication used by larger companies and government agencies is token-based MFA due to its affordability, ease of use and higher level of assurance.
Your Environment Determines Your Solution
If you work within a stationary network where everyone logs in from the same location, you might have a relatively simple set of MFA needs. However, if your employees log in from various locations on an assortment of stationary and mobile devices, you will need an MFA solution that can accommodate these options.
These days, most organizations have employees who log into the company network from different locations, both domestic and overseas. Therefore, an MFA solution must be able to provide remote access for authorized personnel who log in from smartphones and tablets. One of the more common second steps in multi-factor authentication is a push notification, where the user receives a popup message with a string of text on their mobile device. With the user’s identity verified, the user then follows the push prompt to enter the network.
The Tactical Approach to MFA
The tactical approach to multi-factor authentication can be broken down into five key points:
- Know the needs of your users: For the general rank and file of an organization, a basic set of login protocols will normally suffice. For the higher-ups in the company who deal with sensitive data, a more advanced set of security layers will be necessary. An MFA solution should accommodate these different levels of security.
- Keep things efficient: You could make a sequence of login requirements complicated and lengthy, but this would likely make things difficult and confusing for your employees. The best option is to keep the protocol to a simple two-step process for most people, then require further prompts for select staff in high-security departments.
- Provide a comfortable user experience: Make sure that the MFA protocols are convenient for the users on your network. Many of your users will likely be accessing the network on smartphones while commuting by train or traveling by plane. You will need to make the network accessible in these situations; otherwise certain dissatisfied users might look for shortcuts that could undermine security.
- Choose a solution with scalability in mind: An MFA solution should be able to scale up or down depending on the current needs of your business. If your company is growing and expanding, you need a solution that you can easily roll out in new territories with the utmost ease of use. If you need to scale down for a slow season, your MFA should accommodate that without binding you to a large-scale contract.
- Verify the MFA’s security standards: The MFA you choose should have a 99.99% success rate on all fronts. For instances that fall into the other 0.01% category, ask what steps the service provider takes to rectify matters and whether security or service availability were compromised during the times in question.
Overall, an MFA should be user-friendly and also accommodate the ever-changing needs of your organization.
Typing Biometrics and Other Multi-Factor Authentication Methods
Multi-factor authentication provides each user with a personal identification number that can work with an authentication app. MFA offers a public key infrastructure that allows HTTP basic authentication and also works with cloud-run services. MFA even offers an innovative type of authentication known as typing biometrics. Overall, the solution prevents brute force attacks.
Synchronous and Asynchronous Tokens
MFA tokens can be ATM cards, smartcards, key fobs, cell phones or software. Synchronous tokens are driven by event counters or clocks kept in sync with an authentication system. Users generate codes by reading their tokens at the same time they authenticate themselves or by pressing buttons on certain tokens to generate codes.
Asynchronous tokens are also called challenge/response tokens. They do not need event counters or internal clocks to operate. Instead, the authentication process sends a challenge — a short string of letters/numbers — which the user must enter into the token to generate a response.
By maintaining an association between each token and its user, authentication systems “know” the unique configuration installed on each token. This ensures that a generated token code can only have come from one specific token.
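The two token types above differ mainly in what keeps the token and the server in step: a shared counter (or clock) for synchronous tokens, and a fresh server-issued challenge for asynchronous ones. The following added example, which is not code from the original article or from Optimal IdM, implements both server sides in Python: an event-synchronous verifier using the HOTP construction of RFC 4226 (HMAC-SHA1 over the counter, dynamically truncated), with a small look-ahead window for resynchronisation and a monotonically advancing counter for replay protection, and a challenge/response verifier that issues a single-use challenge. The shared secret and user names are constructed for the demo; the HOTP values for the secret `12345678901234567890` are the RFC 4226 test vectors.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based synchronous token code (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_response(secret: bytes, challenge: str, digits: int = 8) -> str:
    """What an asynchronous (challenge/response) token computes when the user keys in
    the challenge: an HMAC of the challenge under the token's secret, shortened to
    a code the user can type back. (Constructed scheme for illustration.)"""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** digits)).zfill(digits)


class SynchronousTokenServer:
    """Server side of an event-synchronous token: stores each user's shared secret and
    the next counter it expects, and accepts a code from the next `look_ahead` counter
    values so a token whose button was pressed without logging in can resynchronise."""

    def __init__(self, look_ahead: int = 3):
        self.users = {}  # user -> {"secret": bytes, "counter": int}
        self.look_ahead = look_ahead

    def enroll(self, user: str, secret: bytes, counter: int = 0) -> None:
        self.users[user] = {"secret": secret, "counter": counter}

    def verify(self, user: str, code: str) -> bool:
        state = self.users[user]
        for c in range(state["counter"], state["counter"] + self.look_ahead + 1):
            if hmac.compare_digest(hotp(state["secret"], c), code):
                # Advance past the accepted counter so the same code is never accepted twice.
                state["counter"] = c + 1
                return True
        return False


class ChallengeResponseServer:
    """Server side of an asynchronous token: no counter or clock, just a fresh
    random challenge per login attempt that is consumed on first use."""

    def __init__(self):
        self.secrets = {}   # user -> shared secret
        self.pending = {}   # user -> outstanding challenge

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def challenge(self, user: str, nbytes: int = 4) -> str:
        ch = secrets.token_hex(nbytes)  # short string the user types into the token
        self.pending[user] = ch
        return ch

    def verify(self, user: str, response: str) -> bool:
        ch = self.pending.pop(user, None)  # single use: a replayed response has no challenge to match
        if ch is None:
            return False
        return hmac.compare_digest(token_response(self.secrets[user], ch), response)


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 4226 test secret, constructed demo user
    sync = SynchronousTokenServer()
    sync.enroll("alice", demo_secret)
    print("first code accepted:", sync.verify("alice", hotp(demo_secret, 0)))
    print("replay accepted:", sync.verify("alice", hotp(demo_secret, 0)))
    async_srv = ChallengeResponseServer()
    async_srv.enroll("bob", demo_secret)
    ch = async_srv.challenge("bob")
    print("challenge", ch, "answered:", async_srv.verify("bob", token_response(demo_secret, ch)))
```

The look-ahead window is the practical compromise the synchronous design forces: too small and a token that drifts by a few presses locks the user out, too large and an attacker who captured one code gains more valid guesses. The challenge/response design avoids the drift problem entirely but requires a round trip before every login.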
Smartcard, Radio Frequency Identification and Biometric Multi-Factor Authentication
Commonly used smartcards include ATM cards, debit cards and credit cards containing computer chips that store identity information on a magnetic strip. Biometrics are advanced forms of MFA that scan fingerprint or retinal patterns or analyze voice patterns to confirm someone is who they say they are. Radio-frequency identification uses a device to detect the presence of a token in a person’s possession.
Rule-Based Multifactor Authentication
MFA offers rule-based authentication that allows administrators to restrict access to select areas in an organization’s network. For example, if an employee attempts to use the basic login protocol to access your company’s payroll app, they would be blocked since access would require more verification.
Risk-Based Policy — Adaptive Authentication
With MFA, different conditions are rated for their risk factor and assigned different requirements for authorization. If a condition is deemed low risk, the authorization requirements will consist of only the basic protocols. The higher the grade of the risk factor, the more rules will apply to protect the network and authenticate the user in the conditions at hand. Risk factors are determined by metadata based on analytics, tokens and user information.
Adaptive Authentication
MFA provides a more nuanced approach to authentication by evaluating the context in which an authorized user accesses a network. If the user is attempting to log into the network from a seemingly unsecured device, the MFA program may require an extra layer of authentication or re-authentication to account for the situation. Likewise, if a user logs in from two devices within a short time or uses a new device, they may need to go a few extra steps to verify their identity.
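The rule-based, risk-based and adaptive behaviour described in the three sections above can be expressed as one small policy engine: static rules that fix a minimum number of factors per role and per resource (the payroll example), plus a risk score built from login context (new device, unusual country, several recent logins, untrusted network) that can raise that minimum. The example below is added here and is not Optimal IdM’s product logic; the resource names, roles, score weights and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    role: str               # e.g. "staff", "finance", "admin" (constructed roles)
    resource: str           # application being accessed
    device_known: bool      # device previously enrolled by this user
    country: str
    usual_country: str
    logins_last_hour: int   # recent successful logins from other devices
    network_trusted: bool   # corporate network vs. unknown network


# Rule-based part (assumed sample rules): minimum factors by resource and by role.
RESOURCE_MIN_FACTORS = {"payroll": 2, "hr-records": 2, "admin-console": 3}
ROLE_MIN_FACTORS = {"staff": 1, "finance": 2, "admin": 3}


def risk_score(ctx: LoginContext):
    """Risk-based part: each anomalous signal adds to the score. Returns (score, reasons)
    so the decision can be logged and explained to the user or an auditor."""
    score, reasons = 0, []
    if not ctx.device_known:
        score += 2
        reasons.append("new device")
    if ctx.country != ctx.usual_country:
        score += 2
        reasons.append("unusual country")
    if ctx.logins_last_hour >= 2:
        score += 1
        reasons.append("multiple recent logins from other devices")
    if not ctx.network_trusted:
        score += 1
        reasons.append("untrusted network")
    return score, reasons


def required_factors(ctx: LoginContext):
    """Adaptive decision: the stricter of the static rule minimum and the risk-derived
    minimum, capped at three factors (something you know, have and are)."""
    rule_min = max(ROLE_MIN_FACTORS.get(ctx.role, 1), RESOURCE_MIN_FACTORS.get(ctx.resource, 1))
    score, reasons = risk_score(ctx)
    if score >= 4:
        risk_min = 3
    elif score >= 2:
        risk_min = 2
    else:
        risk_min = 1
    return {"factors": min(3, max(rule_min, risk_min)), "risk_score": score, "reasons": reasons}


def decide(ctx: LoginContext, factors_presented: int):
    """Allow when the user has already presented enough factors for this context;
    otherwise ask the caller to step up (e.g. push notification or token code)."""
    req = required_factors(ctx)
    decision = "allow" if factors_presented >= req["factors"] else "step-up"
    return {"decision": decision, **req}


if __name__ == "__main__":
    ctx = LoginContext("alice", "staff", "payroll", True, "US", "US", 0, True)
    print(decide(ctx, 1))   # staff opening payroll with a password only -> step-up
    ctx2 = LoginContext("alice", "staff", "wiki", False, "BR", "US", 0, True)
    print(decide(ctx2, 2))  # new device from an unusual country -> step-up to 3 factors
```

Returning the reasons alongside the decision matters operationally: a step-up that the user cannot understand is what drives the workarounds the earlier section warns about, and an auditor reviewing a blocked or allowed login needs the same explanation.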
Better Biometrics Through Your Keyboard
One of the most innovative methods that MFA uses to authenticate a user’s identity is to study the pattern of the individual’s typing. The fact is that no two people type in the same manner. Some people type with flow and grace while others hit keys loud and hard. Even when you divide typists into three or four categories of intensity, the speed and consistency will likely differ between individuals.
With MFA, the typing pattern of each user in your network could be automatically recognized by its distinct rhythms, intensities and recurring typos. A person might type quickly between particular letters but stall between others. Keyboard biometrics is one of the most foolproof technologies because an individual’s typing style is nearly impossible to mimic.
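The rhythm features the section describes are usually measured as dwell time (how long each key is held) and flight time (the gap between one key press and the next). The following added example, which is not code from the original article or from Optimal IdM, enrolls a user from a few constructed typing samples of the same string, builds a per-feature mean and spread, and scores a later attempt by its average normalised deviation from that profile. All timings, the password string and the acceptance threshold are constructed assumptions for illustration.

```python
import statistics

# Constructed enrollment samples: (key, press_ms, release_ms) in typing order for "pass".
ENROLLMENT = [
    [("p", 0, 80), ("a", 120, 200), ("s", 210, 290), ("s", 360, 440)],
    [("p", 0, 85), ("a", 125, 205), ("s", 215, 290), ("s", 370, 450)],
    [("p", 0, 75), ("a", 115, 195), ("s", 205, 285), ("s", 355, 435)],
]
# Constructed later attempts: one by the same typist, one by someone much slower.
GENUINE_ATTEMPT = [("p", 0, 82), ("a", 118, 198), ("s", 210, 288), ("s", 362, 442)]
IMPOSTOR_ATTEMPT = [("p", 0, 130), ("a", 260, 380), ("s", 470, 590), ("s", 780, 900)]


def features(sample):
    """Map a sample to named timing features: dwell time per key position and
    flight time (press-to-next-press) per digraph."""
    feats = {}
    for i, (key, press, release) in enumerate(sample):
        feats[f"dwell:{i}:{key}"] = release - press
        if i + 1 < len(sample):
            nkey, npress, _ = sample[i + 1]
            feats[f"flight:{i}:{key}{nkey}"] = npress - press
    return feats


def build_profile(samples, sd_floor=5.0):
    """Per-feature (mean, std dev) across enrollment samples. The std dev is floored so a
    very consistent enrollment does not make the profile reject tiny natural variation."""
    per_feat = {}
    for s in samples:
        for name, val in features(s).items():
            per_feat.setdefault(name, []).append(val)
    profile = {}
    for name, vals in per_feat.items():
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        profile[name] = (statistics.mean(vals), max(sd, sd_floor))
    return profile


def score(profile, sample):
    """Average absolute z-score of the attempt's features against the profile.
    Lower means closer to the enrolled typist; missing features are ignored."""
    feats = features(sample)
    devs = [abs(feats[n] - mean) / sd for n, (mean, sd) in profile.items() if n in feats]
    return statistics.mean(devs) if devs else float("inf")


def verify_typing(profile, sample, threshold=2.0):
    """Accept when the attempt is within `threshold` average standard deviations.
    The threshold trades false rejects of the real user against false accepts."""
    return score(profile, sample) <= threshold


if __name__ == "__main__":
    prof = build_profile(ENROLLMENT)
    print("genuine score: %.2f" % score(prof, GENUINE_ATTEMPT))
    print("impostor score: %.2f" % score(prof, IMPOSTOR_ATTEMPT))
```

In deployment the threshold would be tuned against real enrollment data, and typing biometrics would serve as one signal feeding the risk score of an adaptive policy rather than as the sole factor, since timing can vary with keyboard, device and fatigue.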
Multi-Factor Authentication — A Best Practice Standard for Stopping Security Breaches
These facts underscore the benefits of MFA and SSO that are critical to any company’s long-term success and integrity:
- Identity theft is more profitable today than drug crimes and represents the fastest-growing global crime.
- Over 1.5 million records containing ID information and sensitive data were breached by cyberthieves every single day in 2013.
- Contrary to common belief, hackers do not exclusively focus on attacking the banking and retail industries. Transportation, utility and manufacturing organizations of all sizes are attractive to hackers, especially since many of them fail to implement multi-factor authentication practices within their networks.
- Once they’ve accessed a network, hackers can steal information, change programs, destroy important data, infect systems with malicious code and even spread damaging propaganda to customers, employees and contractors.
Best Practices for More Secure Authentication
Some of the best practices for network users include the following:
- Require passwords that include upper- and lower-case letters as well as numbers and non-alphanumeric characters.
- Select an MFA solution that supports configuration for a range of different user levels.
- Cancel a user’s password upon termination or resignation.
- Use risk levels to protect sensitive assets.
- Enforce extra levels of authentication for administrative accounts.
- Require re-authentication when a user goes inactive for more than a few minutes.
- Require new passwords if a breach occurs in the network.
An MFA can only offer maximum safety if you take a proactive role on the administrative end.
Software and Cloud Services From Optimal IdM
For maximum security in today’s online networks, you must have an authentication solution that will keep your data safe. It is also crucial to have a solution provider that you can trust. Optimal IdM offers software and cloud services as well as training and consultation. To experience our solutions for yourself, start our free trial today.