Authentication - Why am I not convinced
Full disclosure:
- My employer provides cyber security services; however, this is an opinion piece written in my personal, individual capacity.
- The opinion shared here does not have any bearing on me or my employer.
- This does not constitute professional advice in any manner.
- Reader discretion advised
What are authentication factors?
Authentication usually relies on one of three factors:
- something you know (e.g. a password)
- something you have (e.g. a phone)
- something you are (e.g. a fingerprint)
The first two types of factor have been in use for a long time; in comparison, the third is relatively new. When you combine two or more distinct factors (a password and a code on your phone, say, rather than two passwords), it's called multi-factor authentication.
One of the often overlooked qualities of any authentication factor is its expendability: if that factor is compromised in any way, it should be easy to replace it with a new, now secure one. This is where passwords are the best. If a password is exposed, no problem: change it (and don't reuse it anywhere else) and we're back at the previous assured level of security.
Why I am not convinced
Using "something you have" typically means a one-time code or random token sent to your phone that grants you access. In fact, one of the most common authentication factors used these days is a code sent to your phone by text message. These codes are valid only for a predetermined period of time, after which they become useless. Such a factor makes it easier for physically close attackers to access your accounts (they can read the code off your screen), but potentially harder for remote ones. This is also how roughly 90% of banking transactions in India are being authorised.
Fun fact: NIST, in a very subtle way, is now saying that text message as 2FA isn't ideal. NIST SP 800-63B classifies out-of-band codes delivered over the public telephone network (SMS or voice) as a "restricted" authenticator, which is standards-speak for "use something else if you can".
Alternatively, using "something you are" is not safe either.
I recently read about how attackers are now using ultra-HD images to recreate fingerprints. Another reason I have my doubts about using "something you are", like your fingerprints, has to do with its lack of expendability. Think about it: you have only 10 fingers to use as an authentication factor, and you're leaving them everywhere you go, even without your knowledge. At your local Starbucks, when you're using a common washroom, holding railings for support while on your daily commute. An attacker needs only to pick the right place and the factor is compromised; it's lost forever, never to be used again. Now you're left with 9, then 8, and so on and so forth. It does pack a punch, though, since it isn't as easy as it seems to duplicate (only a matter of time before technology catches up), and hence it is probably better than the other two.
Finally, we come to my favourite, "something you know", like a password. I love how passwords can be set up in so many different ways, each different from the last. The best part is that it's the most expendable among the three.
In conclusion, I'd like to say that using two of these three factors improves your security drastically, yet I expect passwords to still be around for a long while (alongside one of the other two).
If you liked this post, show your love in the comments below. Do write, tweet, IM or FB me (I'm faster to respond on Twitter, though). I'd be happy to know your thoughts.
