Most of our day-to-day authentication uses a single factor to provide access. In this video, you’ll learn about the different factors of authentication and some of the challenges around using single-factor authentication.
When we talk about authentication factors, we’re talking about one of these things. It may be something you know. It may be a password, it may be a personal identification number. It may be something we type in, or something we know that we can tell this computer system to help prove that we are who we say we are. It might also be something you have. You might have a smart card with you that you physically put into a computer. You might have a token that generates pseudo-random numbers, and you’re prompted to put in the latest number shown on your token.
And that would ensure that you have something physical with you. So that must be you because you have this physical device that nobody else could possibly have. The other authentication factor we often see is something that we are. It’s a biometric. It’s a fingerprint, it is a handprint. It’s an outline of your hand or your fingers that you would use to put onto a system, and maybe then also put in a personal identification number. You get to choose one of these factors in single factor authentication to provide people with access to the network or access to resources.
Most often, the type of factor we’re using for single-factor authentication is your password, where you have a secret word that only you know. We’ll put in our username and then add that secret password or passphrase into the computer. Now, what’s interesting about this is that our username generally isn’t something that’s private. But it’s not something you would want to share with people either. If they have half of the equation, they might be able to guess your password.
That’s why in a number of organizations you don’t get your first initial and last name as your username. You get a bunch of numbers all put together. And if you were to look at that number you’d have no idea who that person was. And that’s just another layer of security put on top of everything else to try to prevent somebody from guessing your username and password combination. This password or passphrase is usually a set of numbers.
It’s some special characters. It’s probably a combination of all these things, some uppercase and lowercase. You want to be sure your password is as strong as possible so people don’t guess it. And you might also be required to type in something like a personal identification number. That’s another type, another factor of authentication. And this might also have some personally identifiable information, or PII associated with it.
Especially if you need to reset your password. It may ask what your high school was, what your full name is, what your address is, what your social security number is. That may be a bit of information that’s very personal to you that you’ll be able to share with the computer system, or share with the people managing security in your environment, to let them know that it is really you trying to log in or trying to reset your password. Single-factor authentication is very easy to implement.
But there are a number of challenges associated with it. You can imagine that if the only thing between you and a resource is a password, it becomes very easy for the bad guys to gain access to what’s on the network. They’ll look over your shoulder as you’re typing a password in, or they’ll guess your particular password and gain access to resources. Between them and everything is just that password. Nothing else is stopping them from getting into the network.
And the bad guys are getting very good at getting their hands on these passwords. They’ll send you an email. The email says your Google account has been compromised, and you’ll need to log in to verify and re-enable your account. You click a link, and it pops up something that looks just like Google’s login page. But it isn’t, it’s the bad guy’s login page. You type in your username and password, and now they have your credentials to get onto that system.
Again, a very big limitation of a single-factor environment. Many passwords, of course, are very, very easily guessed. We’ve talked about this before in previous videos: too many people are using the password of password, or 123456, or cookie. It’s very, very simple. You can go through a top 50 of the well-known passwords, and you’ll probably get a pretty good hit on what somebody might be using as their password. And lastly, you want to be sure you don’t reuse these passwords.
If your password on Google Mail is one thing, you would use a different password for your domain login, and a different password to log into your banking account, for instance. In 2011, there were breaches at Sony and Gawker that released a list of usernames and passwords out to the world. Among the 88 email addresses that were the same between the two lists, 92% had the exact same password. We need to get out of this habit of using the same password over, and over, and over again.
Because if the bad guys get a hold of just one of your passwords, they’ll now be able to access any of those accounts wherever they may be.
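Two of the checks described above, written here as an added example (not code from the video or its author): screening a new password against a well-known-password list and the character-class mix the video recommends, and measuring password reuse across two breach lists the way the Sony/Gawker comparison did. The common-password list and the two dumps are constructed sample data, and the 12-character minimum is an assumed policy value.

```python
import re
from typing import Dict, Iterable, List

# Constructed stand-in for a "top N well-known passwords" list; a real
# deployment would load a full list from a file instead.
COMMON_PASSWORDS = {"password", "123456", "cookie", "qwerty", "letmein"}

# Character classes the video says a strong password should mix.
CHARACTER_CLASSES = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def screen_password(candidate: str, common: Iterable[str] = COMMON_PASSWORDS,
                    min_length: int = 12) -> List[str]:
    """Return the reasons a candidate password should be rejected.

    An empty list means the password passed every check. Comparison against
    the common list is case-insensitive so "Password" is caught too.
    """
    reasons: List[str] = []
    if candidate.lower() in {p.lower() for p in common}:
        reasons.append("well-known password")
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    missing = [name for name, pattern in CHARACTER_CLASSES.items()
               if not re.search(pattern, candidate)]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    return reasons


def reuse_rate(dump_a: Dict[str, str], dump_b: Dict[str, str]) -> float:
    """Fraction of e-mail addresses present in both dumps whose passwords match.

    This is the same statistic the video quotes for the 2011 breaches; here it
    runs over constructed sample dumps mapping e-mail address -> password.
    """
    shared = set(dump_a) & set(dump_b)
    if not shared:
        return 0.0
    same = sum(1 for email in shared if dump_a[email] == dump_b[email])
    return same / len(shared)


# Constructed sample dumps (not real breach data).
DUMP_SITE_A = {"a@example.com": "cookie", "b@example.com": "Tr0ub4dor&3x!",
               "c@example.com": "123456"}
DUMP_SITE_B = {"a@example.com": "cookie", "b@example.com": "different-pw",
               "c@example.com": "123456", "d@example.com": "x"}
```

Run `screen_password("cookie")` to see all three rejection reasons at once, and `reuse_rate(DUMP_SITE_A, DUMP_SITE_B)` to see that two of the three shared addresses reused the same password.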