Strong authentication can be the difference between hackers easily slipping into your network and stealing your data or being able to block them from the start.
What is strong authentication? Strong authentication is a way to authenticate a user’s identity that is also able to stand up to attacks and scams that could try to infiltrate your system.
What Is Authentication?
Authentication is the process of confirming user identity in such a way as to reliably determine that a user can access system resources and data. Common forms of authentication involve using identification credentials like username/password combinations, PINs, or documentation to authenticate that a user is who they claim to be within a system.
With the ubiquity of online accounts, shared digital resources and enterprise IT systems, authentication is one of the most important lines of modern cybersecurity we have today. As such, almost all of us have run into some form of identity verification in one way or another.
Some common forms of authentication include the following approaches:
- Passwords: We know them, we don’t love them, and we always forget them. The concept of the password (complex, unguessable, and known only to the user) is as old as multitasking computers, and they are still in place these days. Similar approaches, like PINs in place of passwords, follow a similar logic.
- Tokens: Users have some digital or physical artifact that denotes their identity. Typical tokens include USB sticks, digital tokens for internal authorization, and one-time passwords provided through apps or specialized hardware.
- Biometrics: Using unique and difficult-to-copy physical traits like fingerprints, iris patterns, facial features, and even vocal characteristics can be used to authenticate that the user is who they say they are.
- Transactional: Rather than use something that the user provides, a system may compare behaviors or patterns against existing information. For example, an eCommerce website might compare a user’s current location or order location against their address on file and provide a warning (or outright deny access) based on that information.
- CAPTCHA: In a decentralized digital world, one of the bigger security challenges is to ensure that the user is physically present at the point of authentication—a practice that basic passwords can’t really accomplish. CAPTCHA technologies provide baseline presence testing by requiring users to engage with forms that automated computers can’t, like selecting patterns in images or selecting checkboxes.
Modern systems rarely use a single form of authentication (for example, just a username or password). Instead, they combine two types of authentication in an approach known as two-factor or multi-factor authentication. These approaches will use two or more forms of authentication from the following types:
- Knowledge (Something You Know): These include credentials like username and passwords or PINs.
- Possession (Something You Have): These include credentials like tokens and SMS or email verification codes.
- Inherence (Something You Are): Biometrics, including fingerprints and iris scans.
Enterprise providers will often leverage one or more of these technologies within a centralized, secure system as an all-in-one solution for logging in to multiple sites. Authentication schemas like federated authentication and single sign-on systems allow users to use one set of credentials to access multiple platforms.
What Makes Authentication “Strong”?
However, the mere fact that a user has been authenticated does not guarantee security. Hackers breach identity databases every year, and one of the most prominent and effective forms of attacks (email phishing) bypasses system security to trick individual users into giving up their passwords.
At this juncture, regular authentication is insufficient for security purposes, and enterprises look to strong authentication to ensure safety.
“Strong” authentication isn’t just authentication that is stronger or better. It is a type of authentication that goes beyond passwords and even multiple forms of authentication. However, there is some debate about what constitutes “strong” authentication.
NIST IAL and AAL
The National Institute of Standards and Technology published Special Publications 800-63A and 800-63B, defining Identity Assurance Levels and Authenticator Assurance Levels.
IALs define identity proofing requirements around authentication, with the higher levels (2 and 3) requiring remote and physical presence identity proofing alongside additional credentials and documents.
AALs define specific requirements to ensure that authentication methods are secure. This includes securing authenticator devices (whether hardware- or software-based). Predominantly, AALs define combinations of a more advanced authentication, including multi-factor cryptographic devices, multi-factor OTP devices, and single-factor cryptographic hardware devices.
FIDO Strong Authentication
Fast Identity Online is a set of authentication standards that removes the need for passwords in contexts where strong authentication is required. In this case, “strong” authentication refers to modules, often hardware-based in USB keys or smart cards, that provide cryptographically secured authentication. FIDO provides a comprehensive protocol to support interoperability and reduce the reliance on passwords in enterprise security.
As we can see from these examples, strong authentication can start with MFA. Still, in government or enterprise situations, it often means adding additional layers of security, like hardware- or software-based tokens and passwordless authentication solutions alongside presence-testing methods related to identity proofing and liveness testing.
Payment Services Directive 2 (PSD2)
PSD2 is a new regulation with jurisdiction in the EU covering payment processing and banking–specifically around consumer authentication and third-party financial institutions. PSD2 law is pushing for payment processors and banks to require additional strong authentication to accompany passwords and PINs, including OTPs over mobile devices with biometrics.
Work with 1Kosmos for Strong, Robust, and Simple Authentication
Some of the most common authentication issues are related to managing identity proofing and making it more straightforward for users to authenticate without relying on complicated and unique passwords. A proper strong authentication solution would include a great user experience, passwordless authentication, and meaningful identity proofing to ensure users are who they say they are.
The answer to this challenge? 1Kosmos BlockID. With BlockID, you get the following features:
- Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
- Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and validation.
- Interoperability: BlockID readily integrates with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
- Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
- Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.
To learn more about strong authentication for your organization, read our whitepaper: Strong Identity-Based Authentication. Also, sign up for the 1Kosmos newsletter to stay abreast of product updates and announcements.