A common term used in many different industries is authentication. In information security specifically, authentication is the process of determining if a person is who they say they are. Usually, this process is completed prior to giving that person access to something, so you can envision authentication as a guarded gate before a person is allowed into a protected facility. In computer-based terms, you are authenticating to an application when you type in your username and password (as one example) to log in.
Authentication vs. Authorization
One important distinction to make up front is the difference between authentication and authorization, as these terms are very similar and used in many of the same contexts. Authentication occurs when you say you are John Smith and I have a way to check and make sure you are indeed John Smith. Authorization is what happens when you want to access a particular feature or piece of data, and I have to check a list to make sure John Smith is allowed to access that item. Authorization happens after you have authenticated somebody. So once I know you are John Smith, I can check and see what you should have access to.
Methods to Authenticate Someone
Going back to your college computer science classes or your CISSP training, you might remember that there are three ways in which you can authenticate a person: something they know (like a password), something they have (like a token), or something they are (like a fingerprint).
Something You Know
This is traditionally what everyone thinks of when it comes to logging into an application or authentication in general. A password, passphrase, PIN, answer to a secret question, etc. are all examples of something you know that can be used to authenticate you. Most people will use one of these techniques every day of their life.
Something You Have
Becoming increasingly more common, tokens and other hardware devices that are used in authentication count as something you have. This is something you physically have in your possession that is separate from the device you are authenticating on, as your possession of that device proves you are who you say you are because it has been issued/enrolled to only you. This category includes things like RSA tokens, Yubikeys, and even your own cellphone when you have an app like Google Authenticator on it (although this can get a little nuanced). This authentication factor is most commonly used in multi-factor authentication scenarios with something you know.
Something You Are
Last but not least, this authentication factor refers to a biometric trait that is unique to you. There are a lot of complexities here and a ton of research has been done in this field, as some biometric traits are better suited for authentication than others, and the specific authentication scenario can play a huge role in what factors are available to you and how they need to be implemented. For this high-level overview though, just think of something you are as your fingerprint, handprint, facial geometry (e.g. Apple’s FaceID to access your phone), etc.
Multi-Factor Authentication (MFA)
A conversation about authentication wouldn’t be complete without touching on MFA and its importance. Since you should now understand what the three categories of authentication are, MFA refers to combining multiple categories of authentication together in order to positively authenticate an individual. This could be a username/password you use to login to your email, but then you have to enter a code from your authenticator app on your phone. It could also be something like a key card you use to enter a facility that only works when you provide a separate PIN with it.
MFA is one of the most important concepts in information security because it has quickly risen to being a minimum requirement for accessing sensitive information systems, particularly those that are exposed to the open Internet. As social engineering attacks and the availability of breached password databases has increased, it has become easier for attackers to take advantage of systematic weaknesses in single-factor authentication schemes. As penetration testers, multi-factor authentication is probably one of our most common recommendations in reports still, as it has the power to stop several different attack chains.
Authentication is an extremely important concept in information security and many other disciplines. As organization’s become more aware of effective information security practices for enabling strong authentication, we should continue to see an increase in the adoption of things like choosing a strong password, using MFA, and leveraging password managers.
Contact us to schedule a call to discuss your penetration testing or other information security needs.