In today’s digital age, ensuring secure access to online platforms and sensitive information is paramount. User authentication serves as the first line of defence against unauthorised access, and it comes in various forms. Traditionally, authentication relied solely on passwords, but as cyber threats evolve, the need for more robust methods has emerged. Today, authentication typically involves three factors: something you know, something you have, and something you are.
Something You Know
The first factor, “something you know,” is the most familiar to many users: passwords (PINs and security questions belong in the same category). Passwords have long been the primary method of authentication for digital systems, and users are expected to create a secret that nobody else can guess. However, passwords are exposed to a range of attacks: brute force and password spraying, credential stuffing with passwords leaked from other sites, offline cracking of stolen password hashes, and phishing. Best practice today is to use a long, unique password for every account (ideally generated and stored by a password manager), to screen new passwords against lists of known-breached passwords, and to change a password when there is reason to believe it has been compromised rather than on a fixed schedule, since forced periodic rotation tends to produce weak, predictable variants.
Something You Have
The second factor, “something you have,” adds a layer of security by requiring possession of a physical token or device. This includes smart cards, security tokens and mobile authentication apps. Smart cards are credit card-sized devices that store authentication credentials (typically a private key and certificate) in a tamper-resistant chip; the user inserts the card into a reader, or taps it in the case of contactless cards, and unlocks it with a PIN, so the card on its own is not enough. Security tokens generate one-time passwords (OTPs) that users enter alongside their credentials; the code is derived from a secret shared with the server at enrolment, combined with either a counter or the current time. Mobile authentication apps use the smartphone for the same purpose, generating time-based codes or receiving push prompts, and usually gate the app behind the phone’s biometric unlock, which adds convenience as well as security.
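To make the shared-secret mechanism behind OTP tokens and authenticator apps concrete, here is an added example (not code from the original article) implementing HOTP (RFC 4226) and TOTP (RFC 6238) in Go with HMAC-SHA1, the construction most tokens and apps use. The secret is the test key from RFC 6238; the function names, the 30-second step and the one-interval tolerance on each side are my own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes an RFC 4226 one-time password: HMAC-SHA1 over the big-endian
// 8-byte counter, dynamic truncation to a 31-bit integer, then the last
// `digits` decimal digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(ctr[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // low nibble of the last byte picks the window
	code := uint32(sum[offset]&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: the HOTP counter is the number of `step`-second intervals
// since the Unix epoch, so token and server only need agreeing clocks.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP accepts a code for the current interval or up to `skew` intervals
// on either side to tolerate clock drift, comparing in constant time. It returns
// the interval that matched so the server can refuse to accept that code again.
func verifyTOTP(secret []byte, code string, unixTime int64, step int64, digits int, skew int) (bool, int64) {
	base := unixTime / step
	for d := int64(-skew); d <= int64(skew); d++ {
		expected := hotp(secret, uint64(base+d), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			return true, base + d
		}
	}
	return false, 0
}

func main() {
	// Shared secret provisioned into the token at enrolment (here the RFC 6238 test key).
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(secret, now, 30, 6)
	ok, interval := verifyTOTP(secret, code, now, 30, 6, 1)
	fmt.Println(code, ok, interval)
}
```

Note what this design implies: both sides hold the same secret, so a breach of the server's seed store lets the attacker mint codes for every user, and a code typed by the user is accepted from anyone who presents it within the window.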
Something You Are
Biometric authentication falls under the third factor, “something you are.” This approach relies on physical or behavioural characteristics to verify a user’s identity. Common biometric identifiers include fingerprints, facial recognition, iris scans, and voice recognition. Biometrics are convenient, since there is nothing to remember or carry, and they cannot be forgotten or casually shared. They have limitations, however. Matching is probabilistic, so every system trades false accepts against false rejects. Sensors can be spoofed with photographs, moulds or recordings unless liveness detection is in place. And a biometric is not a secret and cannot be changed once it leaks, which is why central storage of biometric templates raises privacy concerns. For these reasons biometrics work best as a local unlock for a credential that stays on the device, as on modern phones and FIDO2 authenticators, so that the template itself is never transmitted to a server.
Where You Are
Apart from the three factors mentioned above, a fourth signal, “where you are”, is sometimes used: the user’s location, typically inferred from the connecting IP address or from GPS on a managed device, serves as additional verification. Location is never used on its own, because a user’s location says nothing about who they are. Combined with the other factors, it can flag or block login attempts from places not usually associated with the user, and it is a common input to risk-based (adaptive) authentication, where an unfamiliar location triggers a stronger challenge rather than outright denial.
Each authentication factor has its strengths and weaknesses, and combining them creates stronger security measures. Requiring two or more factors to access an account is known as multi-factor authentication (MFA); two-factor authentication (2FA) is the common special case of exactly two. The factors must come from different categories: a password plus a security question is still two things you know, not MFA. Done properly, MFA significantly reduces the risk of unauthorised access.
Implementing multi-factor authentication enhances security by adding layers of defence. Even if one factor is compromised, the others remain intact, thwarting potential attacks. For example, a hacker may obtain a user’s password through a phishing scam, but without the accompanying physical token or biometric data, they can’t access the account.
Despite its effectiveness, multi-factor authentication isn’t immune to challenges. User adoption can be a hurdle, as some users perceive MFA as cumbersome or time-consuming. Certain implementations also have weaknesses that threat actors exploit. OTPs from tokens and authenticator apps can still be phished: keying an OTP into a web page to prove possession of the token effectively converts something you have (the token) into something you know (the six-digit code), and that code is only as safe as the page it is typed into. Adversary-in-the-middle phishing kits now automate this, proxying the victim’s session to the real site and relaying the harvested OTP within its validity window, so the attacker is logged in before the code expires. Push-based approvals have a related weakness, in that a user can be prompted into approving a login they did not start. In response, the industry has moved to FIDO2/WebAuthn authenticators (hardware security keys and platform passkeys), which replace the typed code with public key cryptography: the authenticator signs a server-issued challenge together with the origin the browser actually connected to, and the credential is bound to the legitimate domain, so a look-alike site cannot obtain a signature that the real site will accept.
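The following is an added example, not code from the original article, showing why a FIDO2/WebAuthn assertion cannot be relayed by a phishing site in the way an OTP can: the authenticator signs, with a per-credential private key that never leaves it, the server's challenge together with the origin the browser recorded and a hash of the relying party ID, and the server checks every one of those before trusting the signature. The domain names bank.example and evil.example, the simplified clientData/authData layout and all function names are assumptions for illustration; real WebAuthn messages carry more fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is the part of WebAuthn's collected client data that matters here.
// The browser, not the web page, fills in Origin, so a phishing page cannot forge it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type assertion struct {
	AuthData       []byte // sha256(rpId) || flags
	ClientDataJSON []byte
	Signature      []byte // ECDSA P-256 over sha256(AuthData || sha256(ClientDataJSON))
}
// authenticator models one credential, registered for one relying party ID (rpId).
type authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// sign mimics the authenticator: the private key never leaves it, and the signed
// message commits to the origin the browser observed and to the credential's rpId.
func (a *authenticator) sign(origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01) // flag bit 0: user present
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// relyingParty is the genuine server: it issues single-use challenges and knows
// which origin and rpId the credential was registered under.
type relyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	issued       map[string]bool
}

func (rp *relyingParty) newChallenge() string {
	var b [32]byte
	rand.Read(b[:])
	c := fmt.Sprintf("%x", b)
	rp.issued[c] = true
	return c
}

// verify rejects any assertion not produced for this exact origin, rpId and
// outstanding challenge before it even looks at the signature.
func (rp *relyingParty) verify(as assertion) (bool, string) {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return false, "malformed clientData"
	}
	if !rp.issued[cd.Challenge] {
		return false, "unknown or already-used challenge"
	}
	if cd.Origin != rp.origin {
		return false, "origin mismatch: " + cd.Origin
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthData) < 33 || string(as.AuthData[:32]) != string(want[:]) {
		return false, "rpIdHash mismatch"
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return false, "bad signature"
	}
	delete(rp.issued, cd.Challenge) // single use, so a replayed assertion also fails
	return true, "ok"
}

// setup registers one credential: the server keeps the public key, the token the private key.
func setup(rpID, origin string) (*relyingParty, *authenticator) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp := &relyingParty{rpID: rpID, origin: origin, pub: &priv.PublicKey, issued: map[string]bool{}}
	return rp, &authenticator{rpID: rpID, priv: priv}
}

func main() {
	rp, token := setup("bank.example", "https://bank.example")
	c := rp.newChallenge()
	// Phishing relay: the attacker fetched the real challenge and shows the victim a login
	// page on evil.example. A real browser refuses even earlier, since the credential's
	// rpId does not match that page's domain and the token is never asked to sign.
	relayed, _ := token.sign("https://evil.example", c)
	fmt.Println(rp.verify(relayed)) // false origin mismatch: https://evil.example
	genuine, _ := token.sign("https://bank.example", c)
	fmt.Println(rp.verify(genuine)) // true ok
}
```

Contrast this with the OTP flow: there is nothing in a six-digit code that ties it to the site it was typed into, so the server cannot tell a relayed code from a genuine one. Here the origin and rpId are inside the signed message, and the challenge is consumed on first use, so neither relay nor replay verifies.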
As cyber threats continue to evolve, the importance of robust user authentication methods cannot be overstated. By incorporating multiple factors, organisations can bolster their security posture and better protect sensitive information and resources. At the same time, it is essential to strike a balance between security and usability to encourage widespread adoption and mitigate potential friction for users.