This is a Guest Post by David Balaban, a computer security researcher
Keeping unauthorized users out of an online system is the first duty of its authors, whether it is a private e-banking dashboard, a premium email interface or the administrative console of an ambitious startup. It is above all a matter of reputation: a company that neglects basic anti-breach practices risks losing customers, and a single data leakage incident is enough to keep a business tainted for months or even years. Plain password-based authentication is hardly adequate in a world where cheap computing power makes brute-force attacks easy.
Under these circumstances, multi-factor authentication comes to the fore as a dependable technique that turns an online service into a moving target for attackers. It protects your login data by requiring the presence of two or more independent authentication factors:
- A knowledge factor;
- A possession factor;
- An inherence factor.
The most popular form of multi-factor authentication is two-factor authentication used by Gmail or services like online banking. The applicable factors are pretty clearly defined.
Knowledge factors
These are things the user knows: PIN codes, passwords or passphrases, answers to personal questions such as a mother’s maiden name, phone numbers, one-time transaction authentication numbers (TANs), and swipe, tap or knock patterns like those on phone lock screens.
Possession factors
These are physical items the user holds, such as an identification card swiped to enter secure areas of a building, or a USB drive carrying the encryption key that decrypts a protected folder on a computer. It may also be a driver’s license or a public key infrastructure (PKI) certificate. These kinds of possession factors, however, are gradually being superseded by smartphone features and apps that turn your phone into the possession factor.
Inherence factors
These factors are biometric identifiers. They are a relatively new form of authentication that covers face recognition, fingerprint scans, voice prints, retinal scans, deoxyribonucleic acid (DNA) sequence checks, bio-electric signals and signature patterns.
There is no doubt that biometric authentication factors are super cool, and while they are being rapidly pushed into the mainstream, they are also meeting a fair bit of resistance, for a good reason.
- One issue is that biometric data, once compromised, can be reproduced by whoever captured it.
- The second problem is that many individuals object to having their biometric information captured and stored in a database somewhere, which seems a fairly valid concern given the amount of “secure data” that gets compromised on a daily basis. Unlike a password, you can’t change your fingerprints or retinas every other minute. At least not yet.
Why we need multi-factor authentication
That’s what multi-factor authentication is, but what is it for? Well, better security would be the answer. Password cracking technologies are developing very rapidly.
“GPGPU cracking, for example, can produce more than 500,000,000 passwords per second, even on lower end gaming hardware.” (source: TechTarget)
So, logging in by combining a knowledge factor like your password with a possession factor like a physical token or a code sent to your phone turns your account into a much tougher-to-hit target.
“Multi-factor authentication can increase overall security while reducing password complexity requirements.” (source: CIO)
Let’s take Gmail’s two-factor authentication as an example. Even if a cyber criminal obtains your password with a keylogger or another exploit, Google will additionally require a six-digit code sent to your phone, which must be entered within a couple of minutes. That is something hijackers can’t get without your smartphone at their disposal. On top of that, as soon as someone logs in with the correct password, the notification goes straight to you, so you instantly know that someone is attempting to get into your account without your permission, and that it’s probably time to re-evaluate your extremely secure password of “jsh8vesd88is8&uhdhgsvTsV.”
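To show what the server side of that second step has to enforce, here is an added example (my own illustration, not Google’s code or anything from the original post): a six-digit code that is bound to one login attempt, expires after a couple of minutes, can be used only once, and is locked after a few wrong guesses. The two-minute window and the three-attempt limit are assumed policy values, not figures from the article.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed: "must be entered within a couple of minutes"
MAX_ATTEMPTS = 3         # assumed policy: lock the challenge after a few wrong guesses


class SecondFactorChallenge:
    """One pending possession-factor check for a login that already passed the password step."""

    def __init__(self, user, now=None, ttl=CODE_TTL_SECONDS):
        self.user = user
        self.issued_at = time.time() if now is None else now   # injectable clock for testing
        self.ttl = ttl
        # Six-digit code from a CSPRNG; zero-padded so leading zeros are kept.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.attempts = 0
        self.used = False
        self.events = []   # anomalies the account owner should be notified about

    def verify(self, submitted, now=None):
        """Return True only for the right code, within its window, on its first use."""
        now = time.time() if now is None else now
        if self.used:
            self.events.append("reuse of a consumed code")
            return False
        if now - self.issued_at > self.ttl:
            self.events.append("code submitted after expiry")
            return False
        if self.attempts >= MAX_ATTEMPTS:
            self.events.append("challenge locked after too many attempts")
            return False
        self.attempts += 1
        # Constant-time comparison so response timing does not reveal how many digits matched.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.used = True
            return True
        self.events.append("wrong second-factor code")
        return False


if __name__ == "__main__":
    # Constructed demo: the password step has passed, the code is "sent" to the phone.
    challenge = SecondFactorChallenge("alice")
    print("code delivered to phone:", challenge.code)
    print("wrong guess accepted?", challenge.verify("000000"))
    print("correct code accepted?", challenge.verify(challenge.code))
    print("replay accepted?", challenge.verify(challenge.code))
    print("events to notify the owner about:", challenge.events)
```

The `events` list is the hook for the notification the post mentions: every wrong, late or replayed code is something the real account owner should hear about.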
Why few people use multi-factor authentication
Now, there are a few reasons why people don’t use multi-factor authentication:
- Some services don’t support it.
- Some people share accounts with a spouse, close friend or business partner, so they can’t both have the same phone at the same time to use it.
- Some people just plain can’t be persuaded to add an additional step to their login process.
If you are reasonably paranoid about keeping your personal data private from prying eyes, multi-factor authentication is definitely worth the effort. If a service doesn’t support it, try finding the one that does. If you share your password with your business partner, friend or relative, just get a separate e-mail account. And if you just don’t care, well, then you might be underestimating what someone with access to your accounts can do to you.
An online system with a single point of failure (SPOF) is a goldmine for cybercriminals. This is an issue for big businesses and small enterprises alike. The possible consequences range from the leakage of private messages or a customer database – all the way to banking fraud or industrial espionage. If you run a promising startup, cybercrooks can render it null and void with a few lines of code unless you have strong authentication mechanisms in place.
When building a business architecture, designers should look at it from a penetration testing perspective and adopt countermeasures for unauthorized access. When it comes to authentication, a little bit of redundancy won’t hurt.
Disclaimer: This is a guest post. The statements, opinions and data contained in these publications are solely those of the individual authors and contributors and not of iamWire and the editor(s).