Authentication factors
by Jonathan Buhacoff

Introduction

There are many authentication factors in use today. When we consider how much security an authentication system provides, we might look at how many factors that system uses. For example, if a website only requires a password, that's single-factor authentication, but if a website requires a password and a temporary code sent by text message or generated by an authenticator app, that's multi-factor authentication. But it's not strong multi-factor authentication, because a password and a temporary code have two things in common: first, at the moment of use each is just a short secret that you know and type, whether you memorized it or read it off a screen; and second, both travel over the same channel (the user types or copies them into the web browser), so a phishing page that captures one can capture the other and replay both before the code expires.

Here are five authentication factor categories that are used by LoginShield:

  • What you know
  • What you are
  • What you have
  • What you do
  • Where you are

Let's consider each one.

Categories

What you know

things that can be sensed and repeated

Examples in this category are passwords, passphrases, personal identification numbers (PINs), and temporary codes.

Authentication factors in this category are very common because implementing a password or PIN check seems very simple to developers. However, there are significant pitfalls:

  • how the passwords are processed and stored by the verifier (are they stored in plaintext for direct comparison, or are they salted and hashed for storage using a cryptographically secure and deliberately slow one-way hash function, and compared in constant time?)
  • how the user knows which password to input, and whether it's safe to input that password into the device or application or website that's asking for it (is the device trusted? is the application or website trusted? and which one of possibly hundreds of passwords is required here?)
  • how software between the user's input and the verifier handles that password (is it transmitted in plaintext or using an encrypted channel? is it being leaked, for example by careless debug logs?)

This doesn't mean we should never use passwords. In fact, there are situations where passwords are just the right tool for the job. But a password on its own is not a safe way to authenticate users to network applications: it can be phished, guessed, reused from another site's breach, or captured in transit or at rest. If your website or VPN still asks users for a password or temporary code, you should consider offering LoginShield to your users to protect them better.

The LoginShield app includes optional passcode protection to unlock the app itself. When you turn that on, a passcode will be required to use the LoginShield app. This use of a passcode is local, meaning the passcode is strictly between you and the app -- the passcode is never sent over the network. You know which app you're unlocking with the passcode because you recognize your smartphone or tablet and you recognize the LoginShield app on your device.

The other place we use what you know is in the access recovery process. You can set a password, a state identification number, a memorable date, or a combination of these to protect your account. To prevent someone from impersonating you using publicly available information, you can set an access recovery password that nobody else would know.

What you are

things that can be measured about a subject (a person or a device)

Examples in this category include biometrics such as fingerprints, voice recognition, face recognition, gait recognition, height, weight, eye color, iris recognition, DNA samples, handwriting, and even typing patterns.

For devices, this category might involve certificates from the manufacturer or distributor, and a remote attestation process that verifies the certificate chain and proves that the device presenting the certificate actually controls the corresponding private key, so the certificate can't simply be copied to another device.

It is becoming increasingly common to use fingerprints to unlock mobile devices, but fingerprints can be faked so if you are protecting something sensitive you should not use fingerprints as the only factor. When you use a fingerprint on someone else's device, such as a locker at the amusement park, or leave your wineglass unattended, or even let someone take pictures of you in public, you are risking that someone else might recreate your fingerprint. It's not hypothetical. As government and corporations fingerprint more people for passports, state identification, employment, and notarized documents, the number of people with access to a high-fidelity copy of your fingerprint increases, and only one of these needs to be breached for an attacker to recreate your fingerprint.

A similar issue applies to all other biometrics as well: they can be recorded and recreated. So while biometrics can be used to rule out some people who are not you, they are not suitable as a single authentication factor to assert your identity. Use biometrics as an additional factor to raise the bar for someone trying to impersonate you.

The LoginShield app includes optional fingerprint protection to unlock the app itself. When you turn that on, a fingerprint will be required to use the LoginShield app. The fingerprint is managed by the operating system, and is never sent over the network.

What you have

things that can be obtained and carried

Examples in this category include physical keys, digital key fobs, and devices storing cryptographic keys.

Physical keys and access cards are common mechanisms to unlock buildings and rooms. They are somewhat effective for that purpose because a person usually can't just look at the item and gain access -- copying it takes physical access or some equipment. Don't overestimate this, though: a clear photograph of a key's cuts is enough to duplicate it, and low-frequency proximity cards can be cloned with inexpensive readers. In any case, they are not effective for authenticating to a website or VPN.

Some people use a key fob that plugs in to a computer's USB port, and they press a button on that fob to generate a one-time password or a digital signature. The trouble with these key fobs is that there's a disconnect between what the key fob sees (whatever the current request from the computer is) and what you see (the website you think you're logging into) and don't see (any other software on that computer that knows about key fobs and might sneak in a request for itself). How do you know that your key press or fingerprint is authorizing a login to the correct destination? If you are hoodwinked by malicious software that sneaked in a request, it will just appear as if the login to the website didn't work, and you'll try again. You might succeed the second time, but you don't really know what got authorized on that first attempt that looked like it failed. (Fobs that implement FIDO/WebAuthn narrow the gap against phishing sites, because the browser includes the site's origin in the data the fob signs and the real site rejects a signature made for a different origin; but the fob has no screen to show you which request it is signing, so software on the same computer remains a risk.)

For authenticating to websites and VPNs, it's better to use a specialized authenticator that 1) knows which site is being visited and can display this to you, and 2) knows which credential to use with that site and can select it automatically, or if you have multiple credentials for that site it should allow you to choose one. When you use LoginShield, the LoginShield app clearly indicates the website to which you're authenticating when you press the "Login" button, so you know exactly where that authentication is going. The LoginShield app includes phishing protection, and automatically routes you around untrusted sites. A key fob or code-generating app that never learns which site is asking cannot do this.

The LoginShield app uses private keys, a kind of cryptographic key used to generate digital signatures. The keys are used for authentication and you carry them with you wherever you take your device.
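An added example (not LoginShield's code or protocol) of the two properties above: the authenticator selects a credential by site origin, shows that origin to the user before responding, and binds its response to the origin it showed. HMAC-SHA256 stands in for the per-site digital signature so the example runs with the standard library alone; the origins, usernames, and message layout are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# ASSUMPTION: HMAC over (origin, challenge) stands in for a signature made with a
# per-site private key. The property demonstrated is the same: a response made
# for one origin is useless at another, and each challenge is usable once.


def _sign(key: bytes, origin: str, challenge: bytes) -> bytes:
    return hmac.new(key, origin.encode("utf-8") + b"\x00" + challenge, hashlib.sha256).digest()


class Authenticator:
    """The app on the user's device: one credential per site origin."""

    def __init__(self):
        self._credentials = {}  # origin -> signing key

    def register(self, origin: str) -> bytes:
        key = secrets.token_bytes(32)
        self._credentials[origin] = key
        return key  # the site keeps this as its verifier (a public key with real signatures)

    def login(self, origin: str, challenge: bytes, user_confirms):
        """Respond for `origin`, or None if there is no credential or the user declines."""
        key = self._credentials.get(origin)
        if key is None:
            return None                 # credential chosen by origin: unknown site, nothing to sign
        if not user_confirms(origin):   # the app displays exactly this origin before responding
            return None
        return _sign(key, origin, challenge)


class RelyingParty:
    """The website's side: issues one-time challenges and verifies responses."""

    def __init__(self, origin: str):
        self.origin = origin
        self._verifiers = {}   # username -> verifier key
        self._pending = {}     # outstanding challenge -> username

    def enroll(self, user: str, verifier: bytes) -> None:
        self._verifiers[user] = verifier

    def start_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = user
        return challenge

    def finish_login(self, challenge: bytes, response) -> bool:
        user = self._pending.pop(challenge, None)   # a challenge can be answered once
        if user is None or response is None:
            return False
        expected = _sign(self._verifiers[user], self.origin, challenge)
        return hmac.compare_digest(expected, response)


def scenarios() -> dict:
    """Constructed walk-through: genuine login, relayed-challenge phishing, replay."""
    bank = RelyingParty("https://bank.example")          # constructed origin
    phish = "https://bank-login.example"                 # constructed look-alike origin
    app = Authenticator()
    bank.enroll("alice", app.register(bank.origin))
    alice_confirms = lambda shown: shown == bank.origin  # Alice presses Login only for her bank

    results = {}
    # 1. Genuine login: the app selects the bank credential and shows the bank origin.
    ch = bank.start_login("alice")
    results["genuine"] = bank.finish_login(ch, app.login(bank.origin, ch, alice_confirms))

    # 2. Phishing: the look-alike relays the bank's real challenge, but the app sees
    #    the look-alike origin, holds no credential for it, and produces nothing.
    ch = bank.start_login("alice")
    results["phish_no_credential"] = bank.finish_login(ch, app.login(phish, ch, alice_confirms))

    # 3. Even if Alice had enrolled at the look-alike, the app displays that origin
    #    and she declines.
    app.register(phish)
    ch = bank.start_login("alice")
    results["phish_declined"] = bank.finish_login(ch, app.login(phish, ch, alice_confirms))

    # 4. If she confirmed anyway, the response is bound to the look-alike, not the bank.
    ch = bank.start_login("alice")
    results["phish_wrong_origin"] = bank.finish_login(ch, app.login(phish, ch, lambda _: True))

    # 5. Replaying a genuine response against a consumed challenge fails.
    ch = bank.start_login("alice")
    resp = app.login(bank.origin, ch, alice_confirms)
    bank.finish_login(ch, resp)
    results["replay"] = bank.finish_login(ch, resp)
    return results
```

Only the first scenario succeeds. Scenario 2 is the one the text describes: a relayed challenge arrives with the wrong origin attached, and an authenticator that knows the origin simply has nothing to sign for it.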

Items in this category can be stolen, so for the best security it's important to use an authentication factor that will work for you but not for the thief. If you insist on using a key fob, make sure it's one that requires your fingerprint or a PIN to use, so that possession alone isn't enough. If you use LoginShield, make sure that your device is configured to lock after a short time, or enable the optional passcode and fingerprint protection in the LoginShield app so that only you can use it even when the device is unlocked.

What you do

assertions that can be extracted from a subject's history

An example in this category is purchase history, which may be used by a bank to determine that you usually use a credit card in a specific geographic area, and apply extra scrutiny to purchases made with that card from another continent, especially if the timing doesn't seem likely for you to have traveled there and back between your other local purchases.

Using authentication factors in this category typically involves a lot of data collection about what you do, and a lot of analysis. False positives are common enough that some people just call up their bank before they travel to avoid issues with declined purchases.

However, there is also a simple way that what you do can be used to protect your account, and that is called rate limiting. When someone attempts to gain access to your account and they guess an authentication secret incorrectly, we make a note of it, and when they exceed a pre-determined threshold then we refuse to consider any more requests from them for some time. This slows down their attack and has two possible side effects: if they are looking for low-hanging fruit, they might move on to attack someone else; and if they are persistently trying to impersonate you, then we can alert you about this activity and work with you to keep your account secure. Choose what you count carefully: counting failures per source address as well as per account, and using a short, escalating lockout rather than a permanent one, keeps an attacker who deliberately guesses wrong from locking the real user out of their own account.
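The rate limiting just described, as an added example that is not LoginShield's implementation. It keeps a sliding window of failures per key, locks a key for an escalating period once the threshold is hit, and raises an alert on each lockout; the thresholds, timings, and the two-key (source address plus account) policy are assumptions for illustration, and the fake clock exists so the scenario is reproducible.

```python
import time
from collections import defaultdict, deque


class FailureLimiter:
    """Sliding-window count of failed attempts per key with a temporary lockout.

    Thresholds and timings are assumptions for this example.
    """

    def __init__(self, threshold, window, lockout, clock=time.monotonic, on_lockout=None):
        self.threshold = threshold      # failures tolerated within `window` seconds
        self.window = window
        self.lockout = lockout          # base lockout in seconds; doubles on each repeat
        self.clock = clock
        self.on_lockout = on_lockout    # callback(key, lockout_count), used for alerting
        self._failures = defaultdict(deque)
        self._locked_until = {}
        self._lockout_count = defaultdict(int)

    def is_locked(self, key) -> bool:
        until = self._locked_until.get(key)
        return until is not None and self.clock() < until

    def record_failure(self, key) -> None:
        now = self.clock()
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()            # forget failures older than the window
        if len(recent) >= self.threshold:
            self._lockout_count[key] += 1
            self._locked_until[key] = now + self.lockout * (2 ** (self._lockout_count[key] - 1))
            recent.clear()
            if self.on_lockout:
                self.on_lockout(key, self._lockout_count[key])

    def record_success(self, key) -> None:
        self._failures.pop(key, None)


class LoginService:
    """Two limiters: tight per source address, loose per account, so one attacker is
    throttled quickly but cannot easily lock the legitimate user out."""

    def __init__(self, secrets_table, clock=time.monotonic):
        self._secrets = secrets_table   # constructed user -> secret (plaintext only for brevity)
        self.alerts = []
        record_alert = lambda key, n: self.alerts.append((key, n))
        self.by_source = FailureLimiter(5, window=60, lockout=60, clock=clock, on_lockout=record_alert)
        self.by_account = FailureLimiter(20, window=600, lockout=30, clock=clock, on_lockout=record_alert)

    def attempt(self, user, source, secret) -> str:
        if self.by_source.is_locked(source) or self.by_account.is_locked(user):
            return "locked"             # refuse before even evaluating the secret
        if self._secrets.get(user) == secret:
            self.by_source.record_success(source)
            self.by_account.record_success(user)
            return "ok"
        self.by_source.record_failure(source)
        self.by_account.record_failure(user)
        return "failed"


def simulate():
    """Constructed scenario: one attacker guessing from one address, one real user elsewhere."""
    now = [1000.0]
    clock = lambda: now[0]
    svc = LoginService({"alice": "hunter2"}, clock=clock)
    log = []
    for i in range(7):                                   # seven bad guesses, one per second
        log.append(svc.attempt("alice", "203.0.113.7", f"guess{i}"))
        now[0] += 1
    log.append(svc.attempt("alice", "198.51.100.4", "hunter2"))  # real user, other address
    now[0] += 61                                         # attacker's first lockout expires
    log.append(svc.attempt("alice", "203.0.113.7", "guess7"))
    return log, svc.alerts


if __name__ == "__main__":
    print(simulate())
```

The fifth failure locks the attacker's address for 60 seconds (and records an alert), the next two attempts are refused without being evaluated, and the legitimate user logging in from another address is unaffected because the account-level threshold is much higher.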

LoginShield limits the amount of history we record to just the recent past. This data is only recorded in case you have an inquiry (you can choose to not record history at all). We do not use it for any other purpose, but it's your data -- if you're interested in leveraging authentication history from LoginShield to add another layer of smarts to another behavior-based access control system, please contact us.

Where you are

assertions about the subject's location

Examples in this category are network location such as IP address, and geolocation such as coordinates obtained from GPS. Location may also be inferred from other information such as the Wi-Fi network identifier, or other radio signals received at that location.

When using authentication factors from this category, it's important to be aware of how location can be spoofed. For example, when you connect to a website from your home, the website sees an IP address and can usually infer your approximate location, but you can easily appear to be connecting from anywhere else in the world by routing your traffic through a VPN. Coordinates reported by a device's GPS can likewise be faked by software on the device. Location therefore works best as a supporting factor that raises or lowers scrutiny, not as one that decides on its own.
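An added example, not from this article or LoginShield, that combines the "what you do" plausibility check from the purchase-history discussion with the location factor here: given a user's recent login events with inferred coordinates, it flags any event that would have required travelling faster than an airliner since the previous one. The coordinates, timestamps, addresses, and thresholds are constructed for illustration, and the VPN caveat above applies: a distant VPN exit looks exactly like impossible travel, and an attacker behind a VPN near the user's home does not.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0


@dataclass
class LoginEvent:
    user: str
    source: str       # IP address the login came from (constructed)
    lat: float        # coordinates inferred from the address or reported by GPS
    lon: float
    time: float       # seconds since epoch


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def is_impossible_travel(prev: LoginEvent, cur: LoginEvent,
                         max_kmh: float = 900.0, slack_km: float = 100.0) -> bool:
    """True if moving from `prev` to `cur` would need more than `max_kmh`.

    `slack_km` absorbs geolocation error: two addresses in the same metro area
    (a home line and a mobile carrier's NAT, say) can sit tens of km apart.
    """
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if dist <= slack_km:
        return False
    hours = (cur.time - prev.time) / 3600.0
    if hours <= 0:
        return True          # same instant, different place
    return dist / hours > max_kmh


def flag_impossible_travel(events) -> list:
    """Walk each user's events in time order; return (index, implied km/h) for flagged ones."""
    order = sorted(range(len(events)), key=lambda i: (events[i].user, events[i].time))
    flagged = []
    last = {}
    for i in order:
        ev = events[i]
        prev = last.get(ev.user)
        if prev is not None and is_impossible_travel(prev, ev):
            hours = max((ev.time - prev.time) / 3600.0, 1e-9)
            speed = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon) / hours
            flagged.append((i, round(speed)))
        last[ev.user] = ev
    return flagged


# Constructed sample: Portland, then Seattle three hours later (plausible by car),
# then London three hours after that (not plausible without a teleporter).
HOUR = 3600.0
SAMPLE_EVENTS = [
    LoginEvent("alice", "203.0.113.7", 45.52, -122.68, 0 * HOUR),   # Portland
    LoginEvent("alice", "198.51.100.4", 47.61, -122.33, 3 * HOUR),  # Seattle
    LoginEvent("alice", "192.0.2.9", 51.51, -0.13, 6 * HOUR),       # London
    LoginEvent("bob", "203.0.113.8", 45.52, -122.68, 1 * HOUR),     # unrelated user
]

if __name__ == "__main__":
    for idx, kmh in flag_impossible_travel(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{ev.user}: login from {ev.source} implies {kmh} km/h since previous login")
```

A flag here should raise scrutiny (ask for another factor, notify the user), not deny outright, for exactly the reason the bank example gives: false positives are common, and a legitimate traveller or VPN user will trip this.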

LoginShield uses strong multi-factor authentication to log in to websites and other network applications, but if you lose your device you will need to recover the account. When that happens, we use a separate set of factors (including where you are) to authenticate you during the account recovery process.

Conclusion

While there are many authentication factors to choose from when building an authentication system, it's important to know the distinction between weak and strong multi-factor systems, because it can be the difference between effective security and vulnerable users.

Does your website rely on passwords alone, or passwords and temporary codes, to authenticate users? Does your website rely purely on publicly available information such as birthdate or state identification number to authenticate users during account recovery? You need to introduce strong multi-factor authentication to protect your users from today's sophisticated threats.

Cryptium

Our mission: empower organizations to eliminate the threat of password and phishing attacks on their users.

PO Box 1401
Hillsboro, OR 97123