From the course: Threat Modeling: Spoofing In Depth

Authentication factors


In the good old days, people were authenticated because you knew them from birth and strangers were dangerous. Not really pining for the good old days. There were all sorts of problems, but authentication really was easier. Today, we try to authenticate people and systems over the internet and that turns out to be tricky. When a system determines if I'm the Adam Shostack that should be allowed to log in, there are lots of abstractions. I log in with a username, say Adam Shostack. I present bits of evidence which the system uses to decide to let me in or not. These factors include what I know, like a password, and what I have, like a physical token.

In fact, there are at least five commonly used authentication factors. Knowledge, like the combination to a safe. An object you have, like the key to a safety deposit box or an ID card. A biometric: physical characteristics measured or assessed in various ways. The communication channel in use, whether in person, via phone or internet. Or who you know, like your boss or friends from school. These are often expressed as something you have, something you know or something you are. Or, as sardonic security people like to say, something you've lost, something you've forgotten and your younger, better-looking self. My versions are more specific than "something" because "something" is vague.

These five factors drive multi-factor authentication. A system should rely on more than one type of factor to increase the reliability of an authentication decision. For example, an attacker could get two ID cards from one attack: stealing a wallet. The phrase "more than one type of factor" is a little clunky, but it's important to understand that more factors, more kinds of authentication, are a better source of strength. Each factor can also be judged in terms of strength. The key to a luggage lock is rarely complex, and a lock can be upgraded in various ways to resist lock picking, drilling and other attacks. A bouncer at a bar compares your face to an ID less strictly than a border guard.

Phones are becoming a focal point for breaking authentication because everyone wants to use them for all the factors. Phones receive text messages. They measure the something you might be with a fingerprint or facial recognition. Phones store cryptographic keys in secure storage, which are conveniently unlocked with a passphrase or biometric. However, the phone is really a single factor in the decision to authenticate. Anyone who has my unlocked phone has all of those at once. And using smartphones for authentication assumes everyone has a smartphone and the organization can deal with the need to re-enroll people whose phones are lost or destroyed.

There's always a tradeoff. Authentication is annoying. It slows things down. More authentication factors are usually more annoying. These factors are a model, and being able to crisply model the factors we're using is a helpful step in analyzing an authentication system.
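The transcript makes two modeling points: multi-factor means more than one *type* of factor (two ID cards from one wallet are still one type), and evidence that all lives on one phone collapses into a single factor. The Python below is an added example, not part of the course; it models the five categories named in the transcript and adds one assumption of its own, a "carrier" attribute recording which physical device holds or produces the evidence, so that everything on one unlocked phone is counted as possession of that phone. The scenario names, the `Factor` and `Category` types and the policy threshold are all constructed for illustration.

```python
"""Toy model for checking an MFA policy against the factors a user presents.

Added example, not from the course transcript. Categories follow the five
factors the transcript lists; the 'carrier' idea (which device holds or
produces the evidence) is an assumption used to express the transcript's
point that SMS, fingerprint and stored key on one phone are one factor.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Category(Enum):
    KNOWLEDGE = "something you know"      # password, safe combination
    POSSESSION = "something you have"     # key, ID card, hardware token
    INHERENCE = "something you are"       # fingerprint, face
    CHANNEL = "channel in use"            # in person, phone line, internet
    SOCIAL = "someone you know"           # vouched for by boss or friends


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    # Device that holds or produces the evidence. None means the evidence is
    # presented without a device: a memorized secret, or a face checked in
    # person by a guard rather than matched by a phone.
    carrier: str | None = None


def collapse_by_carrier(factors: Iterable[Factor]) -> list[Factor]:
    """Collapse every factor that depends on one device into a single
    possession-of-that-device factor (assumed modeling rule).

    Whoever holds the unlocked device has all of the evidence it produces,
    so an SMS code, an on-device fingerprint match and a stored key on the
    same phone do not add up to three independent factors.
    """
    device_free: list[Factor] = []
    per_carrier: dict[str, Factor] = {}
    for f in factors:
        if f.carrier is None:
            device_free.append(f)
        elif f.carrier not in per_carrier:
            per_carrier[f.carrier] = Factor(
                f"possession of {f.carrier}", Category.POSSESSION, f.carrier
            )
    return device_free + list(per_carrier.values())


def distinct_categories(factors: Iterable[Factor]) -> set[Category]:
    """Categories that survive carrier collapsing; this is what the policy counts."""
    return {f.category for f in collapse_by_carrier(factors)}


def meets_mfa_policy(factors: Iterable[Factor], min_categories: int = 2) -> bool:
    """True when at least `min_categories` distinct factor types remain.

    Counting types rather than raw factors is the transcript's 'more than one
    type of factor' rule: two possessions stolen in one attack count once.
    """
    return len(distinct_categories(factors)) >= min_categories


# Constructed scenarios mirroring the transcript's examples.
SCENARIOS: dict[str, list[Factor]] = {
    "password + hardware token": [
        Factor("password", Category.KNOWLEDGE),
        Factor("OTP from token", Category.POSSESSION, carrier="hardware token"),
    ],
    "two ID cards from one wallet": [
        Factor("driver licence", Category.POSSESSION, carrier="wallet"),
        Factor("employee badge", Category.POSSESSION, carrier="wallet"),
    ],
    "everything on the phone": [
        Factor("SMS code", Category.CHANNEL, carrier="phone"),
        Factor("fingerprint unlock", Category.INHERENCE, carrier="phone"),
        Factor("stored key", Category.POSSESSION, carrier="phone"),
    ],
    "password + phone-stored key": [
        Factor("password", Category.KNOWLEDGE),
        Factor("stored key", Category.POSSESSION, carrier="phone"),
    ],
}


def evaluate_all() -> dict[str, bool]:
    """Run the policy over every constructed scenario."""
    return {name: meets_mfa_policy(fs) for name, fs in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        cats = sorted(c.value for c in distinct_categories(SCENARIOS[name]))
        print(f"{name:32} MFA={ok!s:5} types={cats}")
```

Note that "everything on the phone" presents evidence from three categories, yet the collapsed view is a single possession factor, which is the transcript's point: the phone is really one factor, and anyone holding it unlocked has all of them. Adding a memorized password restores a second type.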