Multi-factor Authentication | Are Passwords Enough?
If you have logged in anywhere on the internet, you have probably done so using a “Username” and a “Password”.
Passwords have been around for longer than computers or the internet, in the form of a phrase that “grants one access to otherwise undisclosed locations”.
In computer terminology, a password is a string that authenticates a user to access a certain part of the web.
For example: your social media account.
Technically speaking, a password is still just a “String”, and a string can be compromised.
A password can be observed over one’s shoulder, logged from one’s keyboard, or hijacked in transit.
Very recent attacks on social media accounts raise a very important question: “Are passwords Enough?”
“Are passwords Enough?”
No. Passwords can be cracked. There are several ways to crack passwords, but more on that later.
Password cracking is not the only threat, either. We are dealing with a plethora of other methods of either breaking the rock or finding a way around it.
Remember the movie 300, where the Persians fail to break through the Spartan defenses and are then led by an insider along an alternate pathway that ends up right behind the Spartan lines?
Modern hacking is very much the same.
When hackers cannot crack your password, they will eventually resort to finding ways around the authentication mechanism.
Hackers can try to reset the password with their own email as the account recovery email.
Hackers can also resort to key logging to capture passwords and use them later.
Social engineering is another popular method used by hackers to gain access to a user’s account.
Hackers can also use more complicated methods like XSRF [Cross-Site Request Forgery].
This requires the genuine user to click on a link that leads them to a webpage which, in the background, runs another script that may track or reset their password for the hacker.
[Beware of such links from spammers.]
Since passwords seem to be quite under-prepared to meet such challenges, another, reinforcing factor is necessary.
Here comes Multi-Factor Authentication. The principle of MFA divides the mechanisms for authentication into three types/factors:
1. Something you know
2. Something you have
3. Something you are
Passwords are of the Type 1 category, “Something you know.”
Another mechanism is the questions we set for account recovery. These are also a form of “Something you know”.
Type 2 is also a category of authentication that many of us have used, even if unaware.
When we withdraw money from an ATM, we insert our ATM card into the machine. The machine validates the card’s magnetic signature and lets us use the ATM. Here, the card is something you have (Type 2).
A similar use is with One Time Passwords. One Time Passwords are sent to our mobile numbers. The assumption here is that we “have” our SIM card and it is installed in a mobile phone. Thus, by proving our ownership of the SIM, we prove our ownership of the account.
Another method is via E-Tokens. An E-Token is a hardware-based OTP generator used mainly for office personnel.
The personnel are provided a small device whose primary purpose is to generate a 4- or 8-digit token, display it to the user, and send a copy to the authentication server.
When the user logs in, they enter their password and the token, which are then verified by the authentication server.
Type 3 refers to biometrics, which are normally used in high-security locations like restricted sections of offices, citizenship proof cards, government records, etc.
Yes, the fingerprint sensor of your mobile phone as well.
Through fingerprint scanners, retina scans, etc., we can prove our identity and thus our ownership of the account or service in question.
Let us return to the key term “Reinforcement”.
The other types of authentication are not a replacement for passwords.
They need to be used alongside passwords as a reinforcement measure to “make the authentication stronger.”
The next article will deal with how to set up Type 2 authentication for yourself. So, stay tuned.