Secure Authentication: Which Method is Best?
Choosing the best method of secure authentication for your system can be a determining factor in your ability to withstand cyberattacks.
What is secure authentication? Secure authentication verifies authorized users who are trying to log onto your company’s system. This authentication protects the company from unapproved users gaining access to private information or data.
What is User Authentication and Why is It Important?
User authentication is, simply put, the practice of using different processes, technologies and safeguards to guarantee that a user is who they say they are. As IT and cloud systems become more complex and more exposed to attack, secure authentication must protect resources from unauthorized access.
That being said, there are several kinds of user authentication available in consumer, commercial and industrial environments:
- Passwords: The most common form of authentication involves users remembering and providing passwords of variable length and composition along with a corresponding username. The system can then compare that username and password combination against the database or credential vault.
- Knowledge-Based Questions: These involve the user or company selecting one or more questions, the answers to which only the user should know. These include common items like a pet’s name, a mother’s maiden name, or questions about schooling and travel.
- Biometrics: The use of biometric features, including fingerprints, facial recognition or voice recognition. Biometrics are very difficult to forge and thus serve as a reliable form of user identity management.
- SMS Texts and Mobile Push Notifications: A user access system can send secret codes or confirmation prompts via SMS text or push notifications from dedicated apps to confirm the user's identity, on the assumption that only the user has access to their phone. A similar method exists for email: a secure link sent to a private email address, once clicked, shows that the user is who they say they are.
- Authentication Apps: Likewise, custom or third-party apps can generate authentication codes that users enter to show they hold the proper credentials.
- Physical Media: These methods can include a USB key, a scanning badge, or a QR code that the user scans to prove they are physically present at the place of authentication.
Note that authentication is not the same as authorization. Authentication is only the method of requiring users to demonstrate who they are. Authorization concerns whether a given user is actually allowed to access specific system resources. Authentication does play a significant role in authorization, however: a user must authenticate their credentials before the system can determine whether they are authorized to access it and its specific resources.
Why Is Password-Only Authentication Risky?
With all these methods in place, you’d think that cybersecurity would have the process under control. However, almost all authentication schemes rely on passwords as a primary, or even only, method of authenticating users.
This is a major problem for many reasons:
User Error: Passwords can be lost, forgotten or stolen quite easily. Secure passwords, particularly those of sufficient complexity and length, are easily forgotten by users. Users may write them down or, failing that, choose insecure ones (something simple, like a name or a run of sequential numbers).
Phishing and Hacking: Passwords are, all in all, easy to steal. Phishing attacks, where the hacker tricks a user into handing over their password, are one of the most common attacks around. Likewise, some of the most impactful security breaches in the last decade came from hackers stealing databases of user information, including passwords.
Even with encryption, passwords are easily stolen during a breach. And with users being faked out by phishing attacks, passwords on their own don't provide much additional security. Once they are compromised, they are a liability.
Ease of Use: Users don't keep a Rolodex of complex passwords. A study shows that up to 45% of users use the same password across two or more accounts, with 20% claiming that "most" of their accounts share the same password and 6% claiming that they use the same password for all accounts.
This is a huge liability, especially when someone in your organization uses the same password for an online consumer brand (that, unfortunately, has just been hacked) as for the account that reaches sensitive data in your cloud network.
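The reuse problem above is one a credential vault can screen for at password set time by checking candidate passwords against corpora of passwords already exposed in breaches. The following is an added example, not code from this article or from 1Kosmos, that shows the k-anonymity range technique such screening services use: only the first five hex characters of the SHA-1 hash leave the client, and the full-hash match is done locally. The breach corpus, its counts and the `lookup_range` function are constructed stand-ins for a real range endpoint.

```python
import hashlib

# Constructed stand-in for a breach corpus: a few passwords that appear in public dumps,
# with made-up occurrence counts. A real deployment would query a k-anonymity range
# endpoint (for example the Pwned Passwords range API) instead of this local table.
_CONSTRUCTED_BREACHES = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "qwerty": 4_000_000,
    "letmein": 200_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the key format breach corpora are indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(breaches: dict) -> dict:
    """Index the corpus by the first 5 hex characters, one 'SUFFIX:COUNT' line per hash."""
    ranges = {}
    for pw, count in breaches.items():
        digest = sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return ranges


_RANGES = build_ranges(_CONSTRUCTED_BREACHES)


def lookup_range(prefix: str) -> list:
    """Stand-in for the network call. Only this 5-character prefix ever leaves the client,
    so the service learns neither the password nor its full hash."""
    return _RANGES.get(prefix.upper(), [])


def breach_count(password: str, lookup=lookup_range) -> int:
    """How many times the password was seen in breaches (0 if never). The suffix
    comparison happens locally, against every hash the service returned for the prefix."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        line_suffix, count = line.split(":")
        if line_suffix == suffix:
            return int(count)
    return 0


def acceptable_new_password(password: str, min_length: int = 12) -> bool:
    """Policy a credential vault could apply when a password is set: long enough and
    absent from known breach corpora, so a reused, leaked password is rejected up front."""
    return len(password) >= min_length and breach_count(password) == 0


if __name__ == "__main__":
    for candidate in ("password", "purple-tortoise-glacier-47"):
        print(candidate, "->", "rejected" if not acceptable_new_password(candidate) else "ok")
```

Swapping `lookup_range` for an HTTP client that fetches the real range response keeps the rest unchanged, since the response format mirrored here (one `SUFFIX:COUNT` line per hash under the prefix) is what the local matching expects.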
Secure user verification, therefore, doesn't rely on passwords alone. Multi-Factor Authentication (MFA) combines two or more forms of authentication, typically a password and either a biometric, mobile or app-based verification method. Increasingly, many companies are even eliminating the password component and using some combination of physical and digital media to bring stronger security to their access systems.
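To make the password-plus-app combination concrete, here is an added example (not code from this article or from 1Kosmos) of a server-side MFA check: the password is verified against a salted PBKDF2 hash as a credential vault would store it, and the second factor is a TOTP code computed the way authenticator apps do under RFC 6238. The `MfaVerifier` class, its replay guard and the constant names are this example's own assumptions; the test secret `12345678901234567890` is the published RFC 4226/6238 test-vector key.

```python
import hashlib
import hmac
import os
import struct

# Password factor: the credential vault stores a salt and a slow hash, never the password.
PBKDF2_ITERATIONS = 600_000  # slows offline guessing if the vault itself is stolen


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


# App factor: TOTP as defined in RFC 6238 (HMAC-SHA1 over a 30-second time step).
def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code an authenticator app shows at the given time; the server computes the same."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class MfaVerifier:
    """Server-side check that requires BOTH the password and a fresh, unused TOTP code."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.pw_digest = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time-step counter already accepted (replay guard)

    def verify(self, password: str, code: str, unix_time: int, step: int = 30) -> bool:
        pw_ok = verify_password(password, self.salt, self.pw_digest)
        # Accept the current step and one on either side to tolerate clock drift, but never
        # a step at or below one already used: a code captured by phishing must not work twice.
        now = unix_time // step
        otp_ok, matched = False, None
        for counter in (now - 1, now, now + 1):
            expected = totp_code(self.totp_secret, counter * step, step)
            if counter > self.last_counter and hmac.compare_digest(expected, code):
                otp_ok, matched = True, counter
        # Both factors are always evaluated, so a failure does not reveal which one was wrong.
        if pw_ok and otp_ok:
            self.last_counter = matched
            return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, constructed demo user
    verifier = MfaVerifier("correct horse battery staple", secret)
    code = totp_code(secret, 59)
    print("first use:", verifier.verify("correct horse battery staple", code, 59))
    print("replay:   ", verifier.verify("correct horse battery staple", code, 59))
```

The drift window and the `last_counter` guard are the two details that matter in practice: without the window, a phone clock a few seconds off locks users out; without the guard, a code that an attacker phished in the last thirty seconds is still accepted once the real user has logged in.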
What Cyber Attacks Target Authentication?
As passwords become more insecure and companies turn to more advanced technologies and MFA, hackers are concurrently turning to more advanced attacks.
There are several ways that hackers are attempting to circumvent secure access controls, including:
- Hacking Credential Vaults or Databases: When they can't get to the user, they go for the source. Any location where passwords are stored can be a target. And, while database encryption or hashing is standard, it's more likely than not that a compromised database will be broken, and those passwords will end up for sale somewhere.
- Phishing: The weakest link is, unfortunately, the limits of user knowledge, and hackers know this. Sophisticated phishing/spear-phishing/whaling tactics can convince users to give up passwords.
- Network Sniffing: If a hacker can get malware onto a system, or if users use their business devices and accounts on a public network, the hacker can "sniff" packets on the network and grab information. This includes passwords, secret-question answers and more.
- MFA Targeting: Hackers are increasingly attacking systems to circumvent stronger MFA. This can include extensive social engineering to get access to user accounts, convincing phone providers to move a victim's number to a new SIM card (SIM swapping), and channel-jacking web traffic.
1Kosmos Passwordless Enterprise
You mustn’t take secure authentication lightly. The 1Kosmos BlockID makes passwordless authentication easily integrated without sacrificing security. Our product includes several features:
- Advanced Biometrics: This includes Touch ID, Face ID, iris recognition, and others. While biometric data can technically be faked, doing so is incredibly hard. We make it harder by storing biometric data in encrypted systems and utilizing "liveness" tests and voice recording.
- Immutable Logs and Data Records with Blockchain Ecosystem: Built on Ethereum, our distributed ledger securely stores user identity information on our blockchain to ensure the immutability of data and identity.
- Passwordless Entry: With BlockID, your employees can use biometric data and mobile devices for frictionless and passwordless entry.
1Kosmos is a provider of Passwordless Enterprise solutions. To learn more about company news, product releases or other events, sign up for our newsletter.