If you’re serious about security, it is wise to have a broad understanding of the common authentication methods. From the difference between authentication and authorization to how to make two-factor authentication work for you, it is useful to know the various components involved in accomplishing the overall goal of security.
Authentication vs authorization
Let’s start off by getting our terminology straight.
Authentication is the process of identifying and verifying the identity of a system or person in a secure manner. For example, if you log on to a device with a username and password, you are being authenticated as the device is checking that you are really who you say you are.
Authorization, on the other hand, is the process by which the system determines what level of access a user has to the secured resources it controls. For example, you may be allowed read access but not edit access.
While the two concepts are independent of each other, both are central to security design. Failure to get either one right compromises the security of the system.
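As an added example (not from the original post), here is the distinction expressed as two separate checks in a request handler; the session-token store, the users and the permission table are constructed sample data:

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Authentication answers "who is this?": a presented credential is mapped to an
# identity. Constructed sample session-token store (a real one would hold
# hashed tokens with expiry).
SESSIONS = {"tok-alice-7f3a": "alice", "tok-bob-91c2": "bob"}

# Authorization answers "what may they do?": a separate table of permitted
# actions per (user, resource). bob can read the report but not edit it.
PERMISSIONS = {
    ("alice", "report.pdf"): {"read", "edit"},
    ("bob", "report.pdf"): {"read"},
}

@dataclass
class Response:
    status: int
    body: str

def authenticate(token: Optional[str]) -> Optional[str]:
    """Return the identity bound to the token, or None if it is unknown.
    Constant-time comparison so response timing does not leak how much of a
    guessed token matched."""
    if token is None:
        return None
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return user
    return None

def authorize(user: str, action: str, resource: str) -> bool:
    """The identity is already trusted here; the only question is whether it
    may perform this action on this resource."""
    return action in PERMISSIONS.get((user, resource), set())

def handle_request(token: Optional[str], action: str, resource: str) -> Response:
    """Check the two questions in order and fail with distinct statuses, so a
    bug in one check never masquerades as success in the other."""
    user = authenticate(token)
    if user is None:
        return Response(401, "unauthenticated")
    if not authorize(user, action, resource):
        return Response(403, f"{user} may not {action} {resource}")
    return Response(200, f"{user} performed {action} on {resource}")
```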
Finding loopholes in the system
If you want to get into a system you are not authorized to access, you will usually try to find loopholes in either its authentication or its authorization methods.
You know that scene in Mission Impossible: Rogue Nation where Tom Cruise changes the security permissions by swapping the disc so that Simon Pegg will be allowed into the room where the data is kept? That is a fictional example of finding a loophole in the authorization method.
In real life, this is very hard to pull off, as the attacker would have to find out exactly where the disc is kept and then swap it without anyone noticing. In the movie, Tom Cruise almost drowns attempting this feat, as the disc is kept in a pressurized underwater environment.
Consequently, more often than not, hackers will try to find loopholes in a system’s authentication methods, since some of these may prove easier to bypass than its authorization controls. If a hacker can pose as a legitimate user by gaining access to that user’s account, they immediately have access to everything that user can access.
Below are some common authentication methods and what it would take to bypass them.
Most social networks only require an email address to verify that the user is who they claim to be. However, since a new email account can be created within seconds, it is incredibly easy to create fake accounts in bulk for spamming.
A single user can create a multitude of free email accounts in a short time and use them to verify multiple accounts in the application. These fake accounts can then be used for spam or fraud, which results in a poor user experience and creates distrust among the genuine users of the system.
However, it is not only social networks that offer email authentication; many new web and mobile services also require only an email address to sign up.
Passwords are a little stronger than email verification since, in theory, only the user who created the password knows what it is. The user can access the account with the password he or she previously created, or pass the password on to another user or system to act on his or her behalf.
However, passwords can be stolen via phishing, where a third party sends the user an email from a fake address that mimics a service the user is subscribed to. If the user falls for the email, they reveal their personal information, including their password, to the third party. Phishing can be countered through user education by the service, e.g. the real service warning users that phishing emails are circulating, but there is no guarantee that users will not fall for future realistic-looking phishing emails.
In the past few years, attacks on passwords have become more sophisticated. An automated tool called an ‘account checker’ tries many different username and password combinations against e-commerce sites. If a combination works, the attacker can steal the user information held on those sites.
More importantly, since most people reuse the same password across different services, the hackers can gain access to a variety of other services. Therefore, users are advised to create strong passwords, change them regularly, and not reuse the same password across all their services.
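The account-checker pattern described above leaves a recognisable trace in login logs: one source trying many different usernames with mostly failures. As an added example (not from the original post), this flags such sources in constructed sample log lines of a hypothetical "timestamp ip user result" format; the thresholds are assumptions to tune per service:

```python
from collections import defaultdict
import re

# Constructed sample log lines. 203.0.113.5 walks through many usernames with
# mostly failures (checker behaviour); 198.51.100.9 is one person mistyping
# their own password, which must not be flagged.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.5 anna FAIL
2024-03-01T10:00:01 203.0.113.5 ben FAIL
2024-03-01T10:00:02 203.0.113.5 carla FAIL
2024-03-01T10:00:02 203.0.113.5 dmitri OK
2024-03-01T10:00:03 203.0.113.5 eve FAIL
2024-03-01T10:00:03 203.0.113.5 farid FAIL
2024-03-01T10:00:04 203.0.113.5 gina FAIL
2024-03-01T10:00:04 203.0.113.5 hugo FAIL
2024-03-01T10:01:10 198.51.100.9 anna FAIL
2024-03-01T10:01:20 198.51.100.9 anna FAIL
2024-03-01T10:01:35 198.51.100.9 anna OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log: str):
    """Yield (timestamp, ip, user, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def suspicious_sources(log: str, min_attempts: int = 5, min_users: int = 4,
                       max_success_ratio: float = 0.25):
    """Return {ip: (attempts, distinct_users, success_ratio)} for sources whose
    pattern looks like credential testing rather than a real user: many
    attempts spread over many distinct usernames with a low success rate."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    successes = defaultdict(int)
    for _ts, ip, user, result in parse(log):
        attempts[ip] += 1
        users[ip].add(user)
        if result == "OK":
            successes[ip] += 1
    flagged = {}
    for ip in attempts:
        ratio = successes[ip] / attempts[ip]
        if (attempts[ip] >= min_attempts and len(users[ip]) >= min_users
                and ratio <= max_success_ratio):
            flagged[ip] = (attempts[ip], len(users[ip]), ratio)
    return flagged
```

The one successful login from a flagged source (dmitri here) is the account to act on, since the password that worked was most likely reused from another service.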
Social network authentication
Social network authentication requires the user to sign in to a specific social network in order to sign in to the system. It is only slightly more effort than email and password verification, because most social networks themselves use a combination of email and password authentication.
So if a hacker can get past the email and password stage, it is just one more step to use the falsely authenticated social media account to authenticate to whatever system or service they are trying to get into.
Biometric authentication relies on measurable physical characteristics that can be checked automatically. Examples include face recognition, fingerprinting, signature and retinal scanning, with fingerprinting being the most accurate at the moment.
It is definitely harder to steal a fingerprint than a password, but implementing biometrics can prove quite costly.
Two factor authentication
To combat the loopholes in the common authentication methods mentioned above, two-factor authentication (2FA) has proved a popular solution. 2FA requires both something the user knows (first factor) and something the user has (second factor) before the user’s identity is successfully authenticated.
Therefore, if a hacker gains access to only one factor, it is not enough to authenticate, making the system more secure.
An everyday example of this is when you withdraw cash from an ATM. The ATM requires that you have your bank card (something in your possession) as well as your PIN (something you know).
However, the drawback of this method is that the token used, the bank card, can be lost, forgotten or stolen, making access impossible for the genuine user.
To get around this inconvenience, mobile phone 2FA was developed, where the mobile phone functions as something that the user has. A one-time password (OTP) is sent by the system to the mobile, verifying that the user is indeed in possession of the mobile (something in the user’s possession). The user then has to input that password (something the user knows) into the system.
Previously, this process was very costly and unreliable to implement, but with APIs available on a per-authentication cost basis, it is much more realistic and cost-effective to implement these days.
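As an added example (not from the original post), here is the server side of that second step: after the password check passes, a random OTP is issued, handed to a hypothetical SMS-sending callable, and then verified with an expiry, a single use and an attempt limit. The five-minute lifetime and three-attempt cap are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300      # assumed lifetime: the code dies after five minutes
MAX_ATTEMPTS = 3           # a 6-digit code has only 1e6 values; cap guessing

@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts: int = 0

class OtpService:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms    # hypothetical callable(phone_number, message)
        self.clock = clock          # injectable for testing expiry
        self.pending: dict[str, PendingOtp] = {}

    def issue(self, user: str, phone: str) -> None:
        """Called only after the first factor (the password) has succeeded."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.randint
        self.pending[user] = PendingOtp(code, self.clock() + OTP_TTL_SECONDS)
        self.send_sms(phone, f"Your login code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        """True exactly once per issued code. Expiry, a correct guess and too
        many wrong guesses all remove the pending code."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[user]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code.encode(), submitted.encode())
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user]          # single use, or lockout after guesses
        return ok
```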
In selecting a method, you must remember that no authentication method is 100 percent foolproof. The security of a method is determined by how hard it is to bypass, and how many layers of authentication are required before successful authentication.
In addition, you must also bear in mind the user experience and the cost of implementing the method. This is why mobile phone 2FA is quite palatable: it is relatively hard to bypass yet cost-effective.
This post is part of our contributor series. The views expressed are the author's own and not necessarily shared by TNW.