Je pense, donc je suis.
Cogito ergo sum.
I think, therefore I am.
Regardless of the tongue, this bit of philosophical thought is one that virtually everyone has heard. What does an esoteric question like this have to do with cybersecurity? One thing that Descartes exposes in his famous declaration is a relationship. One does not exist without the other. This interdependency is something that carries over into cybersecurity.
There are three different approaches to authentication that relate to something you know, something you have, or something you are. Each approach has its advantages and disadvantages. The key (excuse the pun) is to strike the right balance between authentication methods.
What You Know
Knowledge-based authentication (KBA) is the most common form of security measure. This typically consists of a user name and password at the most basic level. Additional questions often supplement this basic data, too. These are supposed to be things that you would know but others wouldn’t, things like your mother’s maiden name, your high school mascot, and the street you lived on as a child.
A complete stranger wouldn’t know the answer to any of those questions off the top of their head. However, the utility and security of KBA seem to have an inverse relationship with the amount of data available on the internet. The more data that becomes available, the less secure KBA is.
Thanks to social media, aggregated consumer information databases, and a host of other services that live in the cloud (think about something like Ancestry.com), finding out basic details about virtually anyone is a few keystrokes away. Even the most secure database, with 256-bit encryption, can’t do anything about a malicious user who correctly guesses another person’s credentials.
Relying solely on KBA security is like putting a bowl of candy on your front porch for Halloween with a sign that says “Take 1,” and hoping everyone does so. Sure, most kids will abide by your request, but sure enough some high schooler will come along, dump the entire thing in their pillowcase, and be on to the next house.
What You Have
The thinking behind this type of authentication is that you have a physical item that serves to verify your identity. This can take many forms, like a key fob or a mobile phone, but the critical part is that it is an item that is unique to a specific individual.
Items that possess USB, RFID, or Bluetooth connectivity can generate dynamic keys that a user needs to enter, in addition to login credentials, in order to gain access to information. Pairing this type of authentication with another type of authentication (e.g., KBA or biometric) is known as two-factor authentication because there are two different measures that must be met before granting access. Some companies issue key fobs of this sort to employees, but doing so can be an expensive enterprise when it comes to managing and tracking all of the devices and users.
The ubiquity of mobile phones has made this a bit easier, especially as companies accede to BYOD practices. Instead of relying on a key fob that stores cryptographic information, it is possible to send a message to the smart phone registered to that user, who then has to enter a confirmation code before proceeding.
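As an added example (not code from the original post), here is the “something you have” check described above written in Python: a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) that the user reads off a phone app or fob, verified alongside the password so that both factors must pass. The user record, salt and password are constructed for illustration; the seed is the RFC reference seed.

```python
import hashlib
import hmac
import struct
import time

# Constructed user record: "something you know" is a salted password hash,
# "something you have" is the TOTP seed provisioned to the user's phone or fob.
SECRET = b"12345678901234567890"  # RFC 6238 reference seed (20 bytes)
SALT = b"example-salt"            # constructed for this example
USER = {
    "salt": SALT,
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_seed": SECRET,
}
STEP = 30    # seconds per TOTP window
DIGITS = 6

def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(seed, unix_time // STEP, digits)

def verify_totp(seed: bytes, submitted: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current window or +/- `skew` windows to tolerate clock drift.
    Constant-time comparison so response timing does not leak matching digits."""
    counter = unix_time // STEP
    return any(hmac.compare_digest(hotp(seed, counter + d), submitted)
               for d in range(-skew, skew + 1))

def two_factor_login(user: dict, password: str, code: str, unix_time=None) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which one failed."""
    if unix_time is None:
        unix_time = int(time.time())
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000),
        user["pw_hash"])
    otp_ok = verify_totp(user["totp_seed"], code, unix_time)
    return pw_ok and otp_ok
```

A stolen or lost fob still yields the seed, which is why the next paragraph’s caveat matters; rate limiting on code submissions and a one-time-use rule per window are the usual server-side companions.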
No matter what type of device is used for authentication, there remains the possibility of loss or theft of the device. This is another drawback of relying on a physical token for authentication purposes.
What You Are
Perhaps the most distinctive differentiator on an individual level is biology. No one has the same fingerprints, voice, or eyes, and all three of these anatomical features can be used for biometric authentication. Not only does biological uniqueness make biometric authentication more secure, but there is no need to memorize credentials, and the likelihood of losing a piece of your body is much lower than that of losing a key fob.
Just as technological advances have made device-based authentication easier with mobile phones, they have also made biometric authentication more accurate and reliable. What would we do without technology?
If biometric data is stolen, it is much more difficult for thieves to actually use this data. It’s not like in the movies where the bad guy cuts off a hand and puts it on the scanner, or makes a fake contact lens to fool the eye scanner. The sensors that power these types of interfaces are designed to detect fakes. Even voice biometrics software, which can be easily deployed over the phone, can detect impersonators, recordings, or synthetic voices.
Which To Choose?
With three distinct approaches to security and authentication, which method should companies choose? While resources undoubtedly contribute to this type of decision, most companies already employ KBA. It’s what people know and what they’re accustomed to. This may seem adequate, even with additional KBA security questions to serve as backup, and this presentation of security and trust may be enough for some. Limiting security to KBA is a paper tiger when it comes to trust, though; it’s the mere presentation of trust, not necessarily the actualization of it.
However, there’s a difference between walking the walk and talking the talk. To really earn user trust when it comes to security, employ two- or multi-factor authentication. The latter could include multiple forms of biometric authentication in addition to KBA or object-based security measures. This augments the KBA that already exists with a combination of what you have or what you are. The more types of authentication required, the more secure the system is.
How do you know when it makes sense to make the move to two-factor authentication, though, both as a company and as a user? Start with any entity that deals with medical or financial data. These data are the most frequently targeted and lucrative, and, therefore, should be high on the list of things to protect. This data contains your most personal and private information and has the potential to cause the greatest amount of damage in the wrong hands.
Next look at social media and other large data aggregators. Remember these are the sources that criminals mine to subvert your KBA credentials. Setting up two-factor authentication is a good idea here as well. The same goes for many cloud service providers. Businesses should also scrutinize the security practices of their associates and vendors. Holding others to the same high standards for security is the equivalent of a rising tide lifting all boats.
There is no panacea to questions of security. But one thing is quite clear: KBA alone doesn’t do the trick anymore, and two-factor authentication (if not multi-factor) provides a much more proactively secure IT environment. To return to Descartes, thinking alone isn’t enough; companies need to find balance to construct a relationship between all three authentication variants.