Who are you?
Resources within an IT infrastructure are secured through a combination of authentication (who is trying to access the resource) and authorization (are they allowed to use the resource, and how are they allowed to use it). Many people confuse authentication with authorization. Authentication is just establishing who wants access (with a set of credentials). Authorization is deciding – once the “who” is known – what (if any) access is appropriate. Clearly, correct authentication is a serious security concern, and it can be addressed by several different methods.
The simplest form of authentication is a username/password combination, but this is now widely seen as inadequate. Usernames are typically well known in an environment, and simple passwords may be guessed (and because people tend to reuse them in many places, they are only as secure as the least secure of those places). One may enforce complex passwords, or place different passwords on different types of resources, but this tends to lead to poor password hygiene (like writing down passwords to remember them).
Stronger methods are required, and there are three fundamental ways a resource can verify a user:
- Something the user knows (like an ID/password, PIN, security questions, etc.)
- Something the user has (ID card, security token, cell phone, etc.)
- Something the user is (signature, fingerprint, retinal pattern, DNA, face, voice, or other biometric features).
Some common ways to improve on simple ID/Password are:
- Multi-factor authentication: This uses two or more of the above, perhaps an ID/password or PIN, plus something the user has (token generator, ID card, their cell phone, etc.). With this method, if a malicious attacker does obtain the user’s ID and password, they still need the second factor to complete authentication. This limits the attack surface and makes it very difficult for someone to misrepresent themselves as the authenticated user.
- Certificate authentication: A user will initially authenticate to a secure environment that is capable of generating and delivering certificates. Subsequently when a user attempts to access a resource using their stored certificate, the resource can verify the certificate, and trust this user. This can also be used in a multi factor scenario, where the ID/Password can be encrypted using the certificate and thus be delivered to the resource more securely.
- Fingerprint / Windows “Hello” (the third category above). Once a user has initially authenticated (for example with a user name and password, and/or other factors), the device can generate a biometric indicator that represents the user. This could be a fingerprint, although Windows Hello extends beyond a simple fingerprint, utilizing facial features (and using 3D imaging to verify that it is not just looking at a 2D picture of the user).
Need some help with authentication in your organization? Our technical consultants have years of experience in this, so call us today to find out how we can help, or email us.