To gain access to many computer systems, you need to authenticate yourself. Authentication is the process of proving your identity. In computing, this is typically done in two parts. The first is alleging your identity; the second is providing some evidence. The classic example is using a username to allege your identity and then providing a password to prove it. Another form of authentication could be a challenge-response interaction.
Contents
Usefulness in the Modern World
Authentication is critical to the function of the modern digital world. The first form of authentication is to your device. While you may not necessarily have a password on your computer, you likely have some form of authentication to access your smartphone. Without this step, anyone could access any device they had physical access to.
Authentication is doubly important when signing into an online service. The most obvious instance is you proving your identity to the website. This allows you to sign into your account and prevents other people from accessing it. Authentication is also essential in verifying that you’re connecting to the website you think you are.
HTTPS and other encrypted connections utilize a certificate system to authenticate the website to the user. As part of a strong cryptographic system, the certificate system allows the user to authenticate that they have a secure connection directly to the specified web server and that no intermediary parties can “listen” to the secure communications.
Tip: It is important to note that HTTPS certificates do not indicate that the website is legitimate or even the site that the user wanted to connect to. It only verifies that the connection to the typed website is secure from snooping. Malware, phishing, and spam can all be served with legitimate certificates.
Something You Know, Something You Have, and Something You Are
The most basic form of authentication is the username and password. This relies on the secrecy of something you know, your password. This comes with the ability to deliberately give your password away, perhaps to let a family member access your device or password. It also leaves you open to being tricked into giving it away. A common method for this to happen is phishing. Depending on your chosen password, it may also be possible to guess.
Another form of authentication involves the use of a physical token. This type of authentication relies on something you have. This has the advantage that you can be limited to a single copy, making it impossible to share access. However, it has big consequences if your physical token is lost or stolen. Not only can you not access the system reliant on it, but the thief can, assuming they know what system uses it. This is why many RFID access badges are unbranded and plain. It means a thief can’t immediately know which building they can access.
The final field of authentication is biometrics. This involves verifying something about your person. The most common example is your fingerprint, but face scans, iris scans, and voice prints can be used, amongst other techniques. Biometric authentication techniques are excellent ways to verify identities but have some problems. For one thing, many of these features are somewhat public.
For example, you typically leave fingerprints on many surfaces, and with high-quality photos, even that isn’t necessary. Another particular issue is that you can’t change biometric features if they are compromised. Once your fingerprints are public, anyone can use them. Conversely, an accident could change a range of biometric features, locking you out of your account.
The Best of Both Worlds
While each form of authentication comes with its own issues, they can be highly effective combined. Two-Factor Authentication of 2FA uses the above techniques to authenticate your identity. MFA or Multi-Factor Authentication is the same but may extend to more than two factors.
This concept relies on the fact that most attackers with the ability to perform one type of attack can’t typically also perform the other types of attacks too. For example, a hacker with your password usually won’t have access to your smartphone’s authenticator app. Conversely, a thief with your smartphone might have your authenticator app but doesn’t have your password.
Biometric attacks generally cause you to be specifically targeted. The other types of attacks are typically opportunistic. An attacker dedicated enough to target you and your biometric details is likely capable of performing different attacks too. Such an attacker is also a lot less common and not a risk to most people, who won’t be interesting enough to be chosen as a target.
Conclusion
Authentication is the process of verifying identity. This is typically done through something you know, something you have, something you are, or some combination of the three. Secret passwords are a standard form of authentication, though certificates and challenge-response processes also work based on knowledge.
Physical security tokens, including smartphone 2FA apps, allow you to prove your identity through ownership of a specific item. Biometrics will enable you to be identified by your features. Combining these forms of authentication significantly increases confidence in the authentication process and makes it much harder for hackers to access your accounts.
