Identity Proof
Picture the following scenario: You are flying to visit a friend in a destination you’ve never visited before. Someone is supposed to meet you at the airport and take you to your friend’s place. The only problem is that you’ve never met this person before and you need a way to confirm they are legit, and not some imposter who doesn’t know your friend at all. How do you verify that person’s identity? How do you make sure they aren’t an imposter, wanting to whisk you away to someplace unknown and unwanted? What proof should you require to ensure that the person is indeed who they say they are?
Enter authentication. Authentication is the process of using evidence to establish the identity of someone or something. In this scenario, you could arrange a secret passphrase ahead of time and be confident that the stranger who approaches you to say “Josh wears a dope hat” is indeed the one you’re supposed to meet. Or your friend could provide a signed note for the contact to show to you to verify their identity. Or perhaps you had the foresight to have your friend send you a picture of the contact, so that you could pick them out from the crowd based on their physical appearance. Although any one of these factors alone could reasonably confirm a person’s identity, a combination of methods will only increase your confidence that the contact is who they say they are. Think of it this way: each additional factor is another witness corroborating the story of who the contact is and the higher the likelihood of proving their identity. More about that later.
There are three main types of authentication factors:
- Something you know (Type 1) – This factor is either created and remembered by the person or stored in a lookup system. The most common example is a password or PIN, but it could also be a personal detail like a national ID number or birthdate.
- Something you have (Type 2) – This factor is an object possessed by the person. Typically this would mean a USB drive you plug into a computer, or an RFID card you scan to enter a restricted area, but it can also mean a technical object like a token, certificate, or virtual ID. The most common Type 2 factor is a smartphone, which just about everyone has their head buried in these days.
- Something you are (Type 3) – This factor relies on the study of physical characteristics, such as facial recognition, retinal scans, or fingerprint patterns. It is also known as biometric authentication. Although biometrics are the most reliable authentication factor, biometric devices require initial calibration and then regular tuning to produce accurate results in the real world. Matching too many points of detail could lock out legitimate users (false negative), while reducing the number of match points may allow the wrong person in (false positive).
Outside of these categories, there are other methods of authentication. A security checkpoint could scan how someone walks (Something you do) using gait analysis. A computer’s IP address could identify a person’s relative or exact geographic coordinates using location services with geocentric satellites (Somewhere you are). Typically, these methods alone do not offer strong evidence of a person’s identity, but used together with one of the three main authentication types, they might identify unusual situations that should fail authentication. For example, a conditional access policy might block an otherwise successful login attempt that combines a mobile authenticator app and a password if GPS data shows the phone is responding from outside the user’s home country.
Further Proof
Back to our airport scenario. Having a secret passphrase for the contact, a signed note from your friend, or photograph of the contact is not nearly as strong as having two or all three together for authentication. When you require two or more methods from different authentication types, security professionals call it multifactor authentication (MFA). If the photograph was of poor quality or the passphrase was leaked on social media, then at least the signed note would provide adequate proof that your contact was who they said they were.
In cyberspace, this is especially true. 8.4 billion passwords were leaked from past data breaches! Considering 50% of users reuse passwords for all of their accounts, the number of compromised user accounts is easily past 12 billion, if not significantly more. Users who rely solely on a password and no other factor of authentication, known as single factor authentication (SFA), put themselves at significant risk of having their account compromised. Even one compromise could result in financial loss and identity theft, and for half of those users, lead to additional accounts being compromised as well. Think about how many accounts are linked or used to sign in to additional services, and it will become apparent that a single account hack could explode into a serious breach into multiple aspects of a user’s online life.
You might be tempted to think that MFA is just having two or more pieces of evidence to prove you are who you say you are. And you would certainly not be alone in that misconception. Some account configurations allow you to set a personal identification number (PIN) in addition to a password. Although this might offer a marginal boost in account security, both the PIN and password are still the same type of factor: something you know. For true multifactor authentication, there needs to be two or more types, not just elements, of authentication.
Here are a few examples of some two-factor combinations, colloquially called two-factor authentication (2FA), that you’ll see in the wild:
- Password with an email or SMS/MMS message containing a multi-digit PIN
- Password with an authentication app that either generates a time-based token or receives a push notification requiring acknowledgment
- Password with a downloaded text token or secure browser cookie
- Password with an external USB key drive
- Password with the user’s current geographic location, typically based on a remote IP address and/or network routing path
- Proximity card with a keypad requiring a static or dynamic PIN
- Smart card with facial recognition scan
- Smart card with a thumbprint or retinal scanner
You’ll notice that most of these combinations start with a password, which is particularly susceptible to compromise. So, even if you use another factor for authentication, you need to ensure that you create a strong password that follows recommended length and complexity requirements. More about that next week, but for now, it’s important to remember that any single factor can break down. Although biometrics is often considered the ultimate authentication method in theory, the practical application leaves plenty room for compromise. Colored contacts can trick iris recognition, while normal moisture on a finger can throw off fingerprint scans. If you’ve ever tried to unlock your phone using the fingerprint reader after washing up or doing something active, you’ve probably confirmed this!
Proof Recommendations
Hopefully, it has become apparent that you should always enable MFA in your user accounts and in systems you manage. If you have options on how MFA is configured, then there are some recommendations on that, too:
- Use an authenticator app with push notifications. Phone numbers are easy for attackers to spoof without having to steal a device, so you shouldn’t rely too heavily on SMS/MMS messaging. The same goes for email spoofing, because an email account could be compromised or spoofed.
- Use the latest browser technology like FIDO. Fast Identity Online (FIDO) is rapidly becoming the gold standard for browser-based authentication. FIDO allows biometric mechanisms like fingerprint scanning and facial recognition and physical device keys to be used in conjunction with regular passwords.
In many cases, these and other MFA options are easily available under account security settings, so although it may take some hunting to find them, enabling them is the surest way to make sure your account won’t be taken over by an attacker.
There’s also passwordless authentication, which takes the weakest authentication type completely out of the equation, but that’s a topic for another article.
In conclusion, remember this takeaway:
- Bare minimum: use 2FA.
- Preferred: use a third-party out-of-band authenticator app or FIDO
- Avoid: SMS/MMS messaging, as this can be easily spoofed.