
Multi factor authorization

Written by Rupesh Agrawal | Nov 2, 2017 8:22:36 AM

With evolving technologies, data is shifting from hard data (paper, physical records) to soft data (data on drives), and from there into software systems. Because such data can be highly confidential and sensitive, it needs protection, and password protection is the usual first line of defence.

However, password-protected systems can be breached, whether by tools and techniques or simply by guessing. Passwords alone aren't enough to stop today's sophisticated attackers, so the need for an additional factor arises.

Multi-Factor Authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism. 

Multiple authentication factors are combined at several levels, e.g. a password with an OTP (one-time password), or an access card with a password.

Below are the key points of failure for most password management policies:

1. Weak or lazy password policies 

Today's enterprise workers typically juggle a number of passwords. Accounts on different internal or third-party systems and applications may have different password requirements or scheduled password changes. All this adds up to a long list of passwords.

Users find a way out by choosing the simplest passwords or reusing the same password across multiple applications.

2. Overly complicated or strict password policies 

Overly complicated passwords may be difficult for an attacker to guess, but they are also challenging for users to remember. As a result, employees find risky workarounds like writing their passwords down or storing them on their computers.

3. Failure to formalize rules into policy 

Overburdened by the day-to-day tasks of maintaining some control over this password chaos, enterprise IT departments can hardly find the time to create overarching rules for password creation, storage, and management.

When users don’t have clear guidelines to follow supported by training, they revert to the path of least resistance and pick passwords that are easy to remember, replicate passwords across accounts, share passwords with other employees, and write passwords down. 

4. Lack of structured password policies and procedures for contingent workers 

Contract and seasonal employees have become a necessity for many organizations.

Poor password practices often creep in when members of the contingent workforce need access to sensitive systems and assets during their time with the company. A user who retains full access, or someone with access to the former employee's credentials, could reach back into the organization and cause a breach.

The factors for multi-factor authentication are:  

The basic authentication factors are knowledge (something they know), possession (something they have), and inherence (biological traits they have). Location factors and time factors are also sometimes considered a fourth and fifth factor for authentication.

  • Knowledge factors (something they know): 

This is information the user must be able to provide in order to log in. User names or IDs, passwords, PINs and the answers to secret questions all fall under this category. Many multi-factor authentication schemes rely on a password as one of the factors. Knowledge factors are the most commonly used form of authentication.

Some authentication methods:

1. Password 

Username and password credentials are used to validate the user. This is the most basic and common authentication method.

2. Pictograph 

Instead of entering username and password credentials, users select the images that comprise their password from a pool of images.  

Pictograph passwords are made up of three images. Users are shown nine randomized images at a time and select one image per round, until they have selected the images that make up their password.

  1. Avoids many of the complexities of usernames and passwords
  2. Easier to remember than traditional passwords
  3. Ideal for younger users

  • Possession factors (something only the user has):

The basic principle is that of a key to a lock: anything a user must have in their possession in order to log in, such as an access card, a security token, a one-time password (OTP) token, a key fob, an employee ID card or a phone's SIM card.

Some authentication methods:

1. Bluetooth Authentication:

When a user is within a specific range of his or her computer, the computer senses the Bluetooth signal, wakes up, and prompts for a password.

The system can also be configured to automatically lock the computer and log out the user when the user moves out of range.

2. Magnetic Stripe / 2D Barcode: 

Magnetic stripes hold information about the cardholder on the stripe along the back of the card, while with a barcode the data is represented as a 2D image.

After the card is scanned, the system asks the user to enter the PIN associated with it.

  1. Can be scanned/swiped very quickly to identify the user
  2. Significantly more secure than username/password

3. QR Code

Uses a QR code on a printed badge that acts as a contactless card. The computer's internal camera reads the QR code badge. The user shows his or her badge during authentication and is then prompted for a password or other factor.

4. One Time Password

One Time Passwords (OTPs) are unique passwords that are only valid for a single login session and a defined period of time. A user simply enters the six-digit code generated on a token or mobile application in conjunction with his or her username and an associated PIN or password. 

The token seeds are then associated with the user and a specific device. This comes with the following benefits:

  1. Considered one of the stronger forms of authentication
  2. Can use a user’s existing mobile phone to generate OTPs
  3. Complements other forms of authentication, such as username/password for added protection

5. RFID

Radio-frequency identification (RFID) uses radio waves to communicate a unique identifier between a tag embedded in an RFID card and an RFID reader, to verify a user's identity and grant access. There is no need to enter a username, but the user can optionally be required to enter a PIN or password.

  1. Broadly used for building access
  2. Easy to use
  3. Multi-purpose capabilities
  4. Considered more secure than other authentication forms, excluding smart cards and biometrics

  • Inherence factors (biological traits of users):

Any biological traits of the user that are confirmed at login. This category covers the biometric authentication methods, such as retina scans, iris scans, fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry, even earlobe geometry.

This reduces the problem of losing or forgetting a password:

1. Biometrics: 

Biometric authentication uses fingerprints, retina scans, or voice or face recognition.

2. Location factors: The user's current location is used as a factor for authentication. The ubiquity of smartphones helps here: users typically carry their phones, and most smartphones have a GPS device.

E.g. an employee working in Pune (India) cannot log in from California (United States).

3. Time factors: Time is also sometimes considered a factor for authentication. Verifying employee IDs against work schedules could prevent some kinds of user account hijacking attacks.

Conclusion 

Technological progress, though welcome, has increased the threat level to information security. This is where multi-factor authentication steps in to make accounts more secure and protected. Although it adds the overhead of OTPs, scanning objects and so on, that overhead is more than welcome in order to protect sensitive data.
