A fundamental understanding of authentication, its factors, and usage is vital for IT specialists, sysadmins, and users. In this article, I’ll explain what authentication is and look at how it’s used.
What is Authentication?
“Authentication is the act of proving an assertion, such as the identity of a computer system user.” (Wikipedia)
For example, let's assume that you are a user who needs access to some kind of computer system. This computer system could be your workstation at work or your email account which you access via your web browser.
To gain access, typically you get credentials, such as a username and a password, from the systems administrator. You type your username and password into some kind of login interface and submit it to the computer system for processing. In other words, you authenticate yourself to the computer system. The system checks whether your credentials are known and valid by looking them up in a local database or checking with a central authentication server. This is how the system tries to verify your identity. If this process is successful, then you are authenticated.
That was a lot of words to explain a simple concept. But it’s important to understand what authentication is and what it’s not. Being authenticated does not necessarily mean that you are able to login and access any resources provided by a computer system. Authentication is simply the process of verifying who you are. The process that defines what you are allowed to do (e.g., login, read, write, or delete files) is a different one, called authorization, which is out of scope of this article.
People like us are not the only entities that need to authenticate to someone or something. Computer systems, processes, websites, etc. are also entities that may need to authenticate to another party.
Several authentication factors can be involved in an authentication process. In this section, I’ll provide a brief description of the most common factors.
Knowledge
This is something the user knows (e.g., a password, passphrase, PIN, the answer to a secret question, etc.). Knowledge is one of the most common factors used for authentication, and its characteristics include:
- This factor could be forgotten.
- It could be shared with colleagues or third parties.
- It could be guessed.
- It could be compromised (e.g., someone could observe your PIN, which you entered at the ATM).
- Usually no external means are needed to carry it around.
- It could be replaced in case of compromise.
Note that your username is not an authentication factor, because it is publicly available knowledge. Email addresses used as usernames are also easy to look up, as are usernames that appear in cleartext in login forms.
Ownership
Users can also prove their identity by using something that they own/have (e.g., ID card, security token, cell phone with hardware or software token, RFID card, TLS certificate, smartcard, SecurID, physical key, etc.). The characteristics of this factor are:
- Users have to carry it around.
- It could get lost, stolen, or handed over to another person.
- In some cases, it could be copied.
- It could be replaced.
Inherence
Inherence refers to something that users are or do (e.g., fingerprints, retinal pattern, voice, signature, face, etc.). Characteristics include:
- The user carries it around all the time.
- It cannot be used (easily) by other persons.
- It cannot be replaced.
- It needs special technical equipment for recognition.
All of the authentication factors mentioned above have different advantages and disadvantages. For example, if you lose your key for the office building, many locks have to be replaced, which is expensive for sure. If you use a security token, however, the lost token can be locked, and you get a new token, which is less expensive.
Now that you know what authentication is and what kinds of authentication factors exist, it’s time to talk about authentication levels and possible combinations of different factors.
With single-factor authentication, only one of the three categories of factors described above has to be provided to authenticate an entity. This is the weakest level of authentication and unfortunately still the most common one.
You are using single-factor authentication when you log in to your email account using username and password or buy things online with your credit card information. And, of course, physically unlocking the front door to your house or apartment is single-factor authentication, too.
On this level, only one factor (the only one there is) needs to be compromised, for example by eavesdropping or a man-in-the-middle attack, to allow misuse or malicious intrusion. So, anyone who knows your password can use your login. Anyone who knows your credit card information can use it to shop online. Anyone who possesses your key can open your door. I think you get the idea.
Two-factor authentication belongs to the level of multi-factor authentication because more than one factor is used. Of course, it’s possible to use all three categories of factors as well.
For example, to write the draft for this article I used Google Docs. To log in to my Google account I used a password and a YubiKey, so I used two factors: one from the category of knowledge and one from ownership. When you withdraw money at the ATM, you also use two-factor authentication: your credit or debit card (ownership) and your PIN (knowledge).
Multi-factor authentication increases the level of security in the authentication process. For the bad guys it’s not enough to spy on your password or PIN. They may want to steal your security token or your debit card as well in order to misuse it.
Although it’s difficult to be sure that your password has not been guessed or otherwise compromised, you will likely notice the loss of your security token or card.
Using all three factors further increases the security level, but no authentication technique is one hundred percent failsafe. Credit and debit cards can be copied by using skimmers at ATMs. Even fingerprint authentication can be bypassed or faked.
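To make the two-factor idea concrete, here is an added example (not code from the article) of a login check that combines a knowledge factor (a salted PBKDF2 password hash) with an ownership factor (a time-based one-time code from a phone app or hardware token, per RFC 4226/6238). The user store, salt and TOTP seed are constructed for the demo; a stolen password alone fails the check, as does a valid code with the wrong password.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user store (not the article's code): the PBKDF2 password hash
# represents the knowledge factor, the TOTP seed represents the ownership factor
# (the seed lives in the user's phone app or hardware token).
SALT = b"constructed-demo-salt"
ITERATIONS = 100_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
        "totp_secret": b"12345678901234567890",  # RFC 4226 test-vector seed
    }
}

def check_password(username, password):
    """Knowledge factor: compare a freshly derived hash in constant time."""
    rec = USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    # Derive even for unknown users so timing does not reveal valid usernames.
    stored = rec["pw_hash"] if rec else bytes(len(candidate))
    return rec is not None and hmac.compare_digest(candidate, stored)

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def check_totp(username, code, now=None, step=30, window=1):
    """Ownership factor: RFC 6238 TOTP, accepting one step of clock drift either way."""
    rec = USERS.get(username)
    if rec is None:
        return False
    counter = int(time.time() if now is None else now) // step
    return any(hmac.compare_digest(hotp(rec["totp_secret"], c), code)
               for c in range(max(counter - window, 0), counter + window + 1))

def authenticate(username, password, code, now=None):
    """Two-factor login: both checks run and both must pass."""
    pw_ok = check_password(username, password)
    otp_ok = check_totp(username, code, now)
    return pw_ok and otp_ok
```

Authentication here only answers "who is this?"; what alice may then do (read, write, delete) is an authorization decision that would be made separately.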
In this article, we explained what authentication is and how it differs from authorization. We described the different authentication factors and their characteristics and showed how combining different/additional factors increases the overall authentication security.
Remember, however, that there is no perfect authentication method because there is no perfect security. Thus, we need to choose authentication factors that serve our specific needs and requirements to provide an appropriate security level for our actual use case.