Wednesday, August 24, 2016

Speaks About: Multi-Factor Authentication

In the previous entry, I wrote about passwords and our digital lives. Today we’re talking about passwords that aren’t words.

First, let’s define a some security terms about access:



-Identification: The concept of you as “you.”

The you that has an email account. The you that has an Amazon account that orders posters of puppies. The you that has an account on some internet something. You. Often a user name is a form of identification and it *can* be semi-anonymous. Your bank login name is “powersnake” and that leads to your account info. Your household internet login is “psmith28” and tells the service which account to access. But how does the system know you’re allowed?

-Verification: The concept of determining that a user is “you.”

That is, that the you (the user) logging in is the you (the Identification) that is allowed to log in. Verification can be something as simple as a password, or as complex as an interlocking system of diverse methods of proof. Your face can verify. Passwords verify.

-Authentication: The process of comparing supplied credentials against another known (verified) list.

-Authorization: This entire system. The user wants to access specific information. To access a given identity, present information that is verified. Proper verification yields authentication. The user has been authorized to access information.

Barebones story time!

Think about a building on a street. The building says “Steve’s Shoes.” As a public business, no identification or verification is required. Anyone can enter. You have authorization by default.

Now picture the building is an exclusive nightclub. Scary bouncer at the door, hip music coming from inside. Man, is that place popular! And exclusive. Luckily, you’re on the list. So when you speak to the bouncer, you give your name (your identity) and he compares to the VIP list (the verification). You’re on the list (authenticated), so you get to go in. You are authorized.

But what if the building is a secret installation? When you speak to the guard at the door, you need to tell them who you are. You need to show that badge. The guard approves your badge with a cursory glance and asks for today’s password. You don’t know the password! You have ID, you have some approved verification, but not enough. You get kicked out. You are not authenticated and therefore not authorized.

The last example is multi-factor authentication. Multiple types of independently-verifiable information is given. Only the presence of each and every piece, verified, allows access.

The different Factors are described by the type of information involved:


  • Something you know

This is information that is stored in your head. It doesn’t necessarily need to be something that’s only in your head (you could write it down), although information in the head is incredibly secure. It’s also incredibly fragile, because anything that exists in only one place is fragile.
In the US, you cannot be compelled to give up something you know. The courts have decided that the authorities cannot coerce anyone into divulging a password; doing so violates Fifth Amendment rights. If you’ve written it down, that can be seized and used as evidence.


  • Something you have.

Some device you posses. It can be a smart card, a smartphone, an authentication USB token, a concert ticket, or even a house key.
In the US, you can be compelled by the authorities to surrender anything you have.


  • Something you are.

Some measurement of who you are. Also referred to as biometric information. Fingerprints and retinal scans are the most common kinds of biometrics. Others include voice, signature analysis, and even DNA.
In the US, you can be compelled by the authorities to surrender your biometric information.

You can see why Something You Know is the most widespread form of verification. Passwords are secure, portable, and easy. Follow the advice from last time to make them good!

But even good passwords aren’t perfect. They can be guessed, given enough time, access, and computing power. So we need to combine them with something else. Combining them with ANOTHER password is an option, but then you’ve amplified the stress on a particular human. Two passwords to remember, and the odds they both get written on the same piece of paper attached to a monitor is increasing!

So let’s add a second Factor.

The next one I added was Something I Have: my smartphone. Specifically, an app on my smartphone that generates a code every 20 seconds or so. The codes are based on a complex mathematical equation and the time I set it up. That equation is only known by the app and the server, and once the accounts are linked, they never connect to each other again. So, each code is different with no apparent pattern, and every individual’s codes are different.

When I log in to my email, I first put in my account name. It’s something I know, and is definitely the most public information about it (it’s even my email address), but it still acts as a security level. Then I put in my password. The computer matches the password to the stored password. Assuming I enter it correctly, a second box pops up, asking for the current code.

To get the code, the phone already has to be secured by some security measure, so the Second Factor codes are themselves protected by another password. Using the current code completes the authorization on my email and I’m authorized to log in.

Now, in order for someone to access my email they need to have both my password AND my phone (unlocked) for the code. Even if they posses a previous code, that code became invalid seconds after it was made available, with no way to determine the next code in the sequence.

That’s much more secure than a password alone. It's also why I am not compromised by showing you one of my codes in the picture above. It's useless without the password and it's also useless without logging in within 20 seconds of me.

Next time, we’ll talk about biometrics -- specifically fingerprint scanners on phones -- and whether they’re good for security or not. Spoilers: the answer is “not always.”

No comments:

Post a Comment