Authentication: theory, technologies and solutions

Team Bravas - 19/12/2023

Authentication in a nutshell

Authentication is the process by which an information system verifies the identity of a person or a computer and, based on that identity and the access request, grants or denies access to the requested service.

Authentication is a prerequisite for any access control that follows an access request, whether to open a computer session, log in to an online account, open a door or for many other applications, each of which calls for different kinds and numbers of proofs and resources.

These authentication resources (factors) can be categorized into 3 groups:

  • what I KNOW (e.g. a password, a PIN code, etc.)
  • what I AM (e.g. a biometric fingerprint, a voice, etc.)
  • what I OWN (e.g. a smart card, a key, etc.)

Authentication is said to be strong if it meets requirements that differ by geographical area:

  • In the US, strong authentication is defined as a layered approach that relies on 2 or more authentication factors to validate the identity of the sender or recipient of the information. In other words, it combines at least 2 of the categories above: a card and a code, a password and a FIDO2 key, etc.
  • In the banking and insurance sector in Europe, strong authentication also relies on 2 or more authentication factors, but these factors must be independent, and at least one of them must be unique (non-reusable), non-replicable (except for a user-specific factor such as a biometric fingerprint) and impossible to compromise over the internet.

Interestingly, this means that access via a smartphone is, overall, strong authentication. The smartphone has all the characteristics of a smart card: it is a piece of equipment that you own, whose code cannot be attacked without physical access (it is not linked to an AD account, for example), and which can be erased after a certain number of wrong passwords.

This particular vision, a work terminal that itself serves as a strong authentication factor, is now known under the term "Device Trust". Since the boot chain is secured, the operating system is signed and therefore read-only, and the user's access code is only ever checked locally, the level of trust is high. All that remains is to confirm the presence of the legitimate user during certain accesses. This vision, born on mobile devices such as the iPhone or iPad, now extends to Macs and also to Windows devices with Windows Hello for Business.

What are the solutions to improve security around authentication?

Follow the rules and stay alert: most importantly, security is everyone's responsibility. It is worth noting that the vast majority of security breaches are caused by humans and that it only takes one compromised computer to gain access to the rest of the information system. Humans are therefore the first line of defense against these attacks: don't share your password, don't log in from public computers or questionable WiFi, and report anomalies and emails that look fraudulent to you.

Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA): enable this feature as soon as it is available, because in addition to protecting your account it also alerts you quickly when someone tries to log in.

Password managers: whether a full web application or a database stored locally, password managers store all your passwords securely and encrypted, with the advantage that you only have to remember one, which must be very complex because it is the key to all your access.

Some of these password managers offer services such as:

  • auditing your passwords, to ensure that none is reused and that each meets a certain level of security
  • alerting you if one of the services you use has been compromised
  • monitoring databases of breached passwords to warn you
  • letting you share your passwords without ever using them directly

Check for yourself whether your email address or one of your accounts has been compromised: Have I Been Pwned will tell you whether you need to change your passwords and keeps you informed about the latest known cyberattacks.

You will tell me: "Nothing new under the sun, I know all these tips!"
You're right, but have you heard of this new trend: PASSWORDLESS?

Passwordless authentication: what is it?

Passwordless authentication is the idea of authenticating a user to an online service (the qualifier is important) without a password, relying instead on authentication factors tied to a piece of hardware that is itself protected by a local code, such as the PIN of a phone or of a FIDO2 key.

Passwords are not removed entirely, since a code is still needed to unlock a trusted terminal, but they no longer exist at all on any online interface. They therefore cannot be attacked from the Internet without physical access to one of the company's trusted endpoints (or without getting an outside terminal added to the list of trusted endpoints).

How does it work?

This system works on a chain of trust in which an initially trusted terminal (the one that opened the account, for example) is used to approve access to the service, or to register another terminal. When accessing the service online, authentication is done via the trusted terminal.

This can be a phone with a service-specific app, a FIDO2-based system, or security certificates distributed on user terminals or via smart cards.
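The chain of trust above, as an added illustration that is not code from Team Bravas: a Go model of a FIDO2-style passwordless login in which the PIN and the private key stay on the trusted device, and the service only ever sees a signature over its own origin and a fresh challenge. `Authenticator`, `Register`, `Assert`, `NewChallenge` and `Verify` are names chosen for this example, and binding the origin into the signed data is a simplification of WebAuthn's clientDataJSON.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the trusted device: key and PIN stay local and are never sent online.
type Authenticator struct {
	key *ecdsa.PrivateKey
	pin string
	rp  string // origin (relying party) the credential was registered for
}

// Register creates a credential bound to rp; the service stores only the public key.
func Register(pin, rp string) (*Authenticator, *ecdsa.PublicKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{key: key, pin: pin, rp: rp}, &key.PublicKey
}

// Assert signs the service's challenge together with the origin asking for it.
func (a *Authenticator) Assert(pin, origin string, challenge []byte) ([]byte, error) {
	if pin != a.pin {
		return nil, errors.New("wrong PIN") // checked locally, never sent anywhere
	}
	if origin != a.rp {
		return nil, errors.New("no credential for this origin") // e.g. a phishing page
	}
	return ecdsa.SignASN1(rand.Reader, a.key, digest(origin, challenge))
}

// digest binds the origin into the signed data (simplified stand-in for clientDataJSON).
func digest(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// NewChallenge (service side) issues a fresh random nonce for each login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify (service side) checks the signature over its OWN origin and challenge.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(origin, challenge), sig)
}
```

A signature obtained on a look-alike origin, or one captured and replayed against a later challenge, fails `Verify`, which is the mechanism behind the "wrong place" phishing argument further down.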

The advantages?

→ no more fear of forgetting your passwords

→ no more time spent resetting passwords

→ your password, which does not exist, cannot be hacked

→ you land on a phishing page that asks for your password? No more doubt: you are in the wrong place.

→ no need for a password manager, which costs money and may see very low adoption in your company

→ no more password-creation process when a new employee arrives or when you adopt a new service

To sum up: more security, more fluidity for you and your employees, reduced IT management costs, and an even greater ability to scale.

Want to know more? Contact us!