Last updated: 16 May 2016
Why is strong authentication used? How does it work? And why choose one form of authentication over another? If you’re inundated with information, and are trying to drill down to the bare basics, this cheat sheet will help you make sense of it all. For the sake of brevity, the Cheat Sheet will be rolled out over two or more blog entries, so stay tuned.
Why is Strong Authentication Used?
Strong authentication is used because a static username and password combination is easy for a malicious actor to compromise, whether the target account sits on a social, corporate, or retail platform. While passwords may have been sufficient back in the 1960s, they have become increasingly easy to compromise over the past 20 years as the internet, and the attacks delivered over it, have evolved. According to the Verizon Data Breach Investigations Report, the majority of breaches involve the use of compromised credentials.
Common threats to the confidentiality of your password include phishing, brute-force and password-guessing attacks, credential-stealing malware (keyloggers and information stealers), and the theft of credential databases, which are then cracked offline.
How does Two-Factor Authentication Work?
Two of the most common 2nd factor methods used today are one-time passcodes and PKI certificate-based authentication.
- One-time passcodes are a form of ‘symmetric’ authentication: the authentication server and the hardware token or software token (OTP app) in the user’s possession hold the same secret key, and each computes the passcode independently from that key and a moving factor (a counter, or the current time in 30-second steps). If the OTP submitted from your token matches the OTP the authentication server computes, authentication is successful and you’re granted access. Because the secret is shared, a breach of the server’s token database exposes every user’s token, and the server must refuse a code once it has been accepted so that a phished or captured code cannot be replayed. Both proprietary and open standard protocols (the IETF’s HOTP and TOTP) are used to generate an OTP. More on that in Part 2 of the Ultimate Strong Authentication Cheat Sheet.
- PKI authentication is a form of ‘asymmetric’ authentication as it relies on a pair of related but different keys—namely, a private signing key, which is never shared, and a public key, which a digital certificate binds to your identity. Hardware PKI certificate-based tokens, such as smart cards and USB tokens, are used to store your private key so that it cannot be copied off the device. When authenticating to your enterprise network server, for example, the server issues a fresh random ‘challenge.’ The token signs that challenge with your private key, and the server verifies the signature with the public key from your certificate (after checking that the certificate chains to a CA it trusts and has not been revoked). If the signature verifies, authentication is successful and you’re granted access to the network. Unlike an OTP secret, nothing held by the server would let an attacker impersonate you, and a signature over one challenge cannot be replayed against another. (This is an oversimplification. For more details, watch these Science of Secrecy videos by Simon Singh, PhD.)
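The challenge-response exchange, as an added example that is not from the original post: a Go program using the standard library’s ECDSA on P-256, in which a Token type stands in for the smart card (the private key is generated inside it and only signatures leave) and a Server type issues a fresh random challenge, verifies the signature with the enrolled public key, and discards the challenge after a single use. The Token, Server, Enroll and Login names are assumptions for this example; a real deployment takes the public key from the user’s X.509 certificate after validating its chain and revocation status, which this example leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token stands in for the smart card or USB token: the private key is created
// inside and never exported; the only operation offered is signing.
type Token struct{ priv *ecdsa.PrivateKey }

func NewToken() *Token {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{priv: k}
}

// Public is what would be embedded in the user's certificate at enrolment.
func (t *Token) Public() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign hashes the challenge and returns an ASN.1 DER ECDSA signature over it.
func (t *Token) Sign(challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Server keeps only public keys (nothing here lets an attacker impersonate a
// user) and at most one outstanding challenge per user.
type Server struct {
	trusted map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{trusted: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records a user's public key. In a real deployment this is the key from
// an X.509 certificate validated against the organisation's CA (assumed away here).
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.trusted[user] = pub }

// Challenge issues 32 fresh random bytes. A fixed or predictable challenge would
// let an attacker reuse a signature captured from an earlier login.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[user] = c
	return c
}

// Authenticate checks the signature over the outstanding challenge with the
// enrolled public key, consuming the challenge whether or not it verifies.
func (s *Server) Authenticate(user string, sig []byte) bool {
	pub, enrolled := s.trusted[user]
	c, outstanding := s.pending[user]
	delete(s.pending, user)
	if !enrolled || !outstanding {
		return false
	}
	digest := sha256.Sum256(c)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Login runs the full exchange for one user with one token.
func Login(s *Server, user string, t *Token) bool {
	challenge := s.Challenge(user)
	return s.Authenticate(user, t.Sign(challenge))
}

func main() {
	s := NewServer()
	alice, mallory := NewToken(), NewToken() // constructed keys for the demo
	s.Enroll("alice", alice.Public())
	fmt.Println("alice with her own token:     ", Login(s, "alice", alice))
	fmt.Println("alice with someone else's key:", Login(s, "alice", mallory))
	c := s.Challenge("alice")
	sig := alice.Sign(c)
	fmt.Println("fresh signature:              ", s.Authenticate("alice", sig))
	fmt.Println("same signature replayed:      ", s.Authenticate("alice", sig))
}
```

The contrast with the OTP case is in what the server stores: a table of public keys is worthless to an attacker who steals it, whereas a table of OTP seeds is every user’s second factor.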
What is the best strong authentication method to use?
When it comes to authentication, one size does not fit all.
- Appropriate Level of Security – While OTP apps may provide sufficient protection for most enterprise use cases, verticals that require high-assurance, such as e-government and e-health may be mandated to use PKI security by law. Broadly speaking, OTP authentication is the 2FA method of choice in North America, whereas PKI is far more popular in other regions of the world, especially in highly regulated sectors. (For details on different methods and the threats they counter, read the Survey of Authentication Technologies White Paper.)
- Cost – OTP authentication has traditionally been more affordable, and easier and quicker to deploy, because it does not require standing up a PKI in which a Certificate Authority (commercial or in-house) issues a digital certificate to each user. Plus, with OTP authentication, OTP apps can be installed on users’ mobile devices and desktops in place of hardware tokens, unlike PKI authentication, where a hardware token has traditionally had to be procured for each user to keep their private key safe. However, with advances in technology such as embedded ‘secure elements’ in mobile devices and Bluetooth Smart PKI readers, PKI is becoming increasingly affordable as well as user- and deployment-friendly.
- Regional Security Standards – Depending on the regulations relevant to your industry, the hardware or software token you deploy may need to be validated under FIPS 140-2 (the US government standard for cryptographic modules) or certified under Common Criteria (ISO/IEC 15408), which is more commonly required in Europe. More on these standards in Part 2.
- Usability – Organizations that require greater mobility for their workers may seek more transparent authentication methods for their employees. Software and mobile-based tokens, as well as tokenless solutions, provide a more convenient authentication journey that facilitates the implementation of secure mobility initiatives. To learn more, download our Mobile Employee eBook.
Stay tuned for Part 2 of the Ultimate Cheat Sheet on Strong Authentication with more quick facts to help you secure access across your IT ecosystem.