Correct identification of an individual using a computer or service is important because it is what makes the person identified accountable. If you know my username on a computer system, you can check what I do on that system through an audit trail, and I can therefore be held accountable for those actions. However, if you’re a Bad Guy with enough information to pose as me on a sensitive system, you can do all sorts of damage, such as stealing or destroying data, and that might enable you to commit many kinds of fraud, all of it logged against my name.
Much of the time, however, the system won’t let you do anything useful until you prove that you are indeed a person it knows to be authorized to use the system. In fact, you might not be able to use your PC at all until you’ve told it who you are and confirmed your identity by entering a password that’s supposed to be known only to you.
This combination of a username and password is one example of a form of security measure called authentication. People have passwords, or passphrases, or PINs so that they can use them to prove that they are entitled to make use of something to which access is restricted: for example, a restricted area, a computer system, an Internet service such as email, or an encrypted document.
Identifiers are often based, for convenience, on the real name of the account holder and therefore easy to guess. Sometimes it isn’t even necessary to guess: anyone with whom I communicate from a particular email account knows my account name on that particular mail service (anonymizing services apart).
So, while I have to identify myself to the system for it to know which mailbox to access, I also have to authenticate myself to the system to prove that I am indeed the person I say I am, entitled to have access to that mailbox. For email services, the most common authenticator (from the Greek αυθεντικός, meaning genuine) is a password, though there are many alternatives used in other scenarios, and I’ll talk a little about that later on.
An authentication factor is a procedure or a chunk of information used to verify an individual’s identity and check that they have access rights to the system. There are three main classes of authentication factors: something you know (a password, passphrase or PIN), something you have (a card, a key or a token-generating device) and something you are (a biometric such as a fingerprint). Combining factors from two or more different classes is what is meant by two-factor or multi-factor authentication; two passwords are still a single factor.
For instance, the “chip and PIN” bank card used in many parts of the world requires both possession of the card and knowledge of the PIN that goes with it, so it is an example of two-factor authentication.
One type of authentication by hardware is a dedicated device that generates a short-lived token, which the server checks before giving you access to a service. Usually the token is a Personal Identification Number – yes, I know that term rather confuses the concepts of identification and authentication, but the terminology wasn’t my idea – that is, a short numeric code valid for a single login or a short period, or it could be a short but randomized alphanumeric string.
The device itself is usually protected by a PIN (one the user already knows) or possibly by biometrics such as fingerprint scanning. That means it can be described as multi-factor: I need to know the PIN or be identifiable biometrically and be in possession of the device. Thus if the device is lost or stolen, there is a measure of protection against someone else accessing the service pretending to be me.
Token generation of the same kind is often implemented in software instead, running on multi-functional devices such as smartphones or tablets. This approach to tokens can offer an extra layer of protection, since the device itself may be (and should be) protected by a password/passphrase or PIN (or another authentication mechanism such as Android pattern unlock). That is in addition to any passcode used to open the software token app. Where the token is generated in order to enable access to a service such as a website from a different device such as a laptop, the authentication measures on that second device (BIOS and Windows passwords, fingerprint scanner and so on) also offer additional layers of protection.
Any single factor has its strengths and weaknesses. In the case of a passphrase, the main risks are that the phrase will be guessed, intercepted (electronically, by “sniffing” an unencrypted transmission, or physically, by discovering a written copy), or shared inappropriately by a legitimate holder (for instance, when tricked into divulging it by a social engineering attack). And, of course, if the remote site is careless with credentials and other data – storing passwords in clear text or with a weak, unsalted hash – and the server is then hacked, it really doesn’t matter how good your password is when it turns up on Pastebin* (a text-sharing website where hackers often post stolen data as proof of their exploits).
The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. These include password ageing (enforced password changes after a period of time specified by the administrator), restricting the number of failed password attempts allowed before the account is locked, and storing only a salted, deliberately slow hash of the password on the server so that a breach does not hand the attacker the passwords themselves. Biometrics, one-time passwords and tokens are much more resistant to guessing, interception and replay, especially when implemented in hardware as a second factor alongside something the user knows.
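The supplementary server-side techniques just mentioned, as an added example (my own illustrative design, not code from the article or from ESET): a small in-memory credential store that keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 hash, locks an account after a number of failed attempts, and reports a correct but aged password as needing change. The policy constants (five attempts, a 15-minute lockout, 90-day ageing) are hypothetical values an administrator would choose.

```python
import hashlib
import hmac
import os

# Hypothetical policy values; real ones are an administrative decision.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600


class PasswordStore:
    """Server-side credential store. The password itself is never kept;
    only a random salt and a slow PBKDF2 hash, so a stolen copy of this
    table does not directly yield usable passwords."""

    def __init__(self, iterations: int = 600_000):
        self.iterations = iterations      # OWASP-class work factor for PBKDF2-SHA256
        self.users = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def set_password(self, username: str, password: str, now: int) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "changed_at": now,            # used for password ageing
            "failed": 0,                  # consecutive failed attempts
            "locked_until": 0,            # epoch seconds; 0 means not locked
        }

    def authenticate(self, username: str, password: str, now: int) -> str:
        """Returns 'ok', 'expired' (correct, but must be changed), 'locked' or 'bad'."""
        rec = self.users.get(username)
        if rec is None:
            # Same cost for unknown names so response time does not reveal which exist.
            self._derive(password, b"\x00" * 16)
            return "bad"
        if now < rec["locked_until"]:
            return "locked"
        if not hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"]):
            rec["failed"] += 1
            if rec["failed"] >= MAX_FAILED_ATTEMPTS:
                rec["locked_until"] = now + LOCKOUT_SECONDS
                rec["failed"] = 0
            return "bad"
        rec["failed"] = 0
        if now - rec["changed_at"] > MAX_PASSWORD_AGE_SECONDS:
            return "expired"
        return "ok"


if __name__ == "__main__":
    store = PasswordStore()
    t0 = 1_700_000_000
    store.set_password("alice", "correct horse battery staple", t0)
    print(store.authenticate("alice", "correct horse battery staple", t0 + 10))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.authenticate("alice", "password1", t0 + 20)                         # bad x5
    print(store.authenticate("alice", "correct horse battery staple", t0 + 30))   # locked
```

Lockout has its own failure mode worth noting: an attacker who knows a username can deliberately lock the legitimate user out, so a short automatic lockout or a progressively increasing delay is usually preferable to a permanent one that needs an administrator to clear.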
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
*Pastebin cartoon by permission of Small Blue-Green World