What is Authentication?

So moving on from identification, we move into authentication. So with authentication, this is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. What kind of data are we talking about? Well, potentially our username and our password. So this is the process of confirming the identity when access to a restricted zone is attempted. So here we have issued credentials, and what we’re trying to do is to ensure that when the subject is attempting to access an object that we are verifying that the subject is who they say they are, that the identity matches. And so typically we do this, easiest example is through username and password.

So we verify the identity through the use of credentials. What kind of credentials might we use other than a password? Well, it very much depends on what our requirements are. In some instances, just entering a username may be fine. If we have a bank pass, typically we’re required to enter a four digit PIN number. For different types of transaction, of different levels of assets that we’re trying to protect, we may want greater levels of assurance for that. So authentication, we have typically three different ways in which somebody may be authenticated, and this is something people have, something people know, or something people are.

So each of these authentication factors covers a broad variety of elements that we can use as part of confirming that identity. So for something you know, we have the example that we’ve given of a password. Something you are typically relates to our biometric factors. And something you have can be some kind of token – very basic example would be that of a key, or a soft token, or hard token. So security research has determined that for positive authentication, ideally, we use at least two of those different factors. And, preferably, for high levels of authen– for strong authentication, stronger authentication that we use all three factors.

Worthwhile just saying, at this point, a common mistake that people make is to assume that if you ask for a username, and a password, and a PIN number that that represents multi-factor authentication, that we’re using more than one of the factors. That’s not the case. In that instance, what we are asking for is a username, which is something you know, a password, which is something you know, and a PIN number, which, again, is something you know. This is three examples of a single factor. With this example, if somebody has installed a key logger or somebody has access to your credentials, it’s easier to replay them or to falsify them.

So the use of a single factor twice, more than once, can add strength but nowhere near as much strength as using a second or a third factor. So we hear the term dual-factor, where we’re using two of those three factors, and multi-factor, where we use any number more than one. So typically the easier term to use these days is multi-factor, referenced as MFA.

So very commonly now, we’re seeing people are using their mobile devices as a second factor. People tend to have a smartphone, very, very high levels of ownership, and it’s something that people carry with them. It’s not the only way of doing that, and we’ll look at some different examples as we move on.