Authentication Today

With AI helping hackers, and with so much money potentially on the line for bad actors, defending your login credentials is more important than it has ever been. In our continuing series on 15 Ways To Protect Your Business, let’s talk a bit about the different ways applications verify your identity, and what you can do to leverage them effectively. To clarify, ‘authentication’ is the term for verifying that a given person trying to use a system is who they claim to be. These days you provide your Real ID at the airport to verify you are the person named on the ticket. Your username and password are the classic, historic way to verify your identity with computers and their applications.


Multi-Factor Authentication

It used to be that just a username and a password were enough to prove your identity in cyberland, and many systems still rely on just these two items. More and more, though, online applications are requiring an additional element of proof, like that you have access to a specific email account, or that you are in possession of a phone number already associated with the account. These are examples of multi-factor authentication, or MFA.

If you have an option to turn that on for a given account, it is usually a good idea to do so: if your username and password end up on the dark web, the bad actor still needs to find a way to intercept or spoof the MFA challenge in order to get into a system protected by username, password, and MFA.

Federation

Federated identities are scenarios in which one application trusts another to do the hard work of authentication. Let’s say you work in Richmond, IL. When you go to LinkedIn, for example, and you wish to sign in with your Google ID, LinkedIn will check to see if Google thinks you are you. LinkedIn will trust Google’s word on it, and let you into the LinkedIn application with the same ID you use for your Google account. There are some advantages to this approach, and some potential downsides as well.

In terms of advantages, identity federation is typically a faster process to go through than username, password and MFA. It takes more or less an instant for an app to check with a federated identity provider like Apple, Google, or Microsoft. In terms of potential downside, though, if your identity with the federated provider is stolen, the bad actor who has it now has access to all the other applications relying on that account for authentication.

Also, if your situation changes with respect to that identity with the federated provider, you may no longer have access to the account you set up with that identity. Imagine, for example, that you’re working for a company in Carpentersville, IL. Pretend they give you a Microsoft email account. If you set up an account with a website using your work account, when (if) you change companies, you may find it cumbersome or impossible to change your login identity with that application. You might have to start all over with a new ID.

Art of the Password

Whether or not you implement (or can implement) MFA with an account, you’ll still want an effective password. Thinking on passwords has evolved along with the tactics used by bad actors. At one point, policies called for rotating your passwords on a regular basis. Some experts think this creates more problems than it solves, and some applications make the process pretty cumbersome. I dropped an application, recently, when I found I could not change the password at all.

Password complexity has been the guidance for quite some time now, but there are nuances even within that. Because some bad actors will simply try every possible combination of characters to break into an account, there is an advantage to having a long password. With the speed of today’s computers, eight characters is just not long enough to prevent a brute-force effort that tries all possible combinations. Because the effort required to crack a password is directly proportional to its length, some will recommend 12 or more characters, including “special” characters like these: #@%^(. This makes the number of possibilities much greater, requiring more effort from a bad actor to get through.

But it can be difficult to remember a password like “ACmiu)&*4913”. It can also seem daunting to type on a regular basis. For this reason, xkcd gave guidance around just threading a few real words together, like correct + horse + battery + staple. It’s not that hard to remember, and it’s very long, which means it would take a long time to crack with brute force methods. What bad actors have done, though, knowing this guidance is out there, is use dictionaries of common words as an alternative to just random characters.

These “dictionary attacks” reduce the effective complexity of word-based passwords: instead of having to guess all 24 characters in electricbatteryhorsefarm, the attacker is really only guessing four words. Of course you can easily up the ante by misspelling the words, or by dropping odd characters between or within the words.

A few random underscore characters will effectively halt the potential for a dictionary-based attack to succeed, but don’t get too cute: bad actors have already put @pple and p@55w0rd into the dictionaries they use.
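The guess counts behind the brute-force and dictionary arguments above, as an added example that is not code from the original post. The guessing rate and the 20,000-word dictionary size are constructed assumptions; electricbatteryhorsefarm is the post’s own example.

```javascript
// Added example, not from the original post. Uses BigInt because the
// keyspaces involved exceed the range of ordinary JavaScript numbers.

// Worst case for an attacker who tries every string of `length` symbols
// drawn from an alphabet of `alphabetSize` symbols: alphabetSize^length guesses.
function bruteForceGuesses(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// Worst case for an attacker who knows the password is `wordCount` dictionary
// words run together and who has a dictionary of `dictionarySize` entries.
function dictionaryGuesses(dictionarySize, wordCount) {
  return BigInt(dictionarySize) ** BigInt(wordCount);
}

// Whole years needed to exhaust a keyspace at `guessesPerSecond` (assumed rate).
function yearsToExhaust(guesses, guessesPerSecond) {
  const perYear = BigInt(guessesPerSecond) * 60n * 60n * 24n * 365n;
  return guesses / perYear;
}

const LOWERCASE = 26;  // a-z only
const PRINTABLE = 95;  // all printable ASCII, including "special" characters

// "electricbatteryhorsefarm": 24 lowercase letters to a brute-force attacker,
// but only four words to a dictionary attacker (20,000-word dictionary assumed).
function comparePassphrase() {
  const asCharacters = bruteForceGuesses(LOWERCASE, 'electricbatteryhorsefarm'.length);
  const asWords = dictionaryGuesses(20000, 4);
  return { asCharacters, asWords, reduction: asCharacters / asWords };
}

// Eight versus twelve characters over the full printable set.
function compareLengths() {
  return {
    eight: bruteForceGuesses(PRINTABLE, 8),
    twelve: bruteForceGuesses(PRINTABLE, 12),
  };
}

const RATE = 10000000000; // assumed: ten billion guesses per second
const p = comparePassphrase();
const l = compareLengths();
console.log('24 lowercase letters, brute force guesses:', p.asCharacters.toString());
console.log('same password, 4 dictionary words:', p.asWords.toString());
console.log('8 printable chars, years at assumed rate:', yearsToExhaust(l.eight, RATE).toString());
console.log('12 printable chars, years at assumed rate:', yearsToExhaust(l.twelve, RATE).toString());
```

Treating the passphrase as four words cuts the attacker’s worst case by a factor of about 10^16 relative to guessing it letter by letter, which is the whole point of the dictionary attack.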

Password Managers

But what if you didn’t have to remember the password at all? Then it could really be a long string of gibberish. This is where password managers come into play. They ride along with you as you get authentication challenges from applications, and they fill in the appropriate password you’ve stored in them, so you don’t need to remember it. Google Chrome, Apple’s Safari, and Microsoft Edge all have password managers built in, but they only work for web-based applications. There are other vendors, though, whose password managers work with both web-based and locally installed applications.

On the positive side, it’s great to have a complex password which is effectively too long to brute-force, and is proof against dictionary attacks. On the downside, if the password manager itself is hacked, a bad actor now has all of your passwords. While this is not a common occurrence, it has happened within the last few years.

Passkeys

A new approach is to substitute a “passkey” for the password. In this approach you register a cryptographic key with your operating system and the application. When you next try to authenticate with the application it asks to see the key you have stored on your local computer, or your phone. Your computer, your phone, tablet, or whatever you have used to store that key will then try to authenticate you as it would normally, and if you pass, it will forward the key to the application, to prove you are who you say you are.

Although the mechanics are different, the idea is similar to MFA. To prove you are who you say you are, you must have access to the key, which is stored on a device that will try to authenticate you before providing the key. This is a promising new authentication standard, but it is not yet in widespread adoption. For me, passkeys are similar in inconvenience to MFA, but are more secure than getting a security code by text message. Ultimately, my recommendation is that if you run into an application which offers to use a passkey, go ahead and use it. See if you like it.

If you’d like to have more conversation around any of these ideas, just reach out through our contact us link.
