Authentication deserves special attention when it comes to security, since its task is to make sure that the user really is who they claim to be. At the third step of the process, authorization grants the user the authority to act in the information system, and if those rights are granted to an outsider, the consequences can be severe. Accordingly, there is a constant search for solutions that would distinguish the legitimate user from everyone else with impeccable reliability.
Why site authentication is important:
- Providing strong authentication methods on your website is a major factor in maintaining a high level of security and a good experience on the Internet.
- If your website lacks a sound authentication process, you risk unauthorized users gaining access to sensitive user information (a common weakness of traditional username-and-password strategies). Such data breaches not only harm individual users whose personal information is stolen, but can also damage your reputation and bottom line as a company or organization.
- There are two key factors to consider when creating or updating your website’s authentication systems: user experience (or UX) and security.
Authentication methods differ depending on the type of resource, the structure and details of the network, the remoteness of the object, and the technology used in the recognition process.
Based on the degree of confidentiality, several levels of authentication can be distinguished:
- Unclassified (open) data. Its leakage has no significant consequences for the user or the Internet resource. In this situation a reusable password is sufficient.
- Data for internal use. Its disclosure or loss would result in significant damage. Stronger authentication is required here: one-time passwords, plus additional verification when the user tries to access other sections of the resource.
- Confidential data. Access to such data requires mutual authentication and multi-factor verification methods.
User Authentication Tracking
The security of user data largely depends on the behavior of the user. Many web resources monitor suspicious activity and notify the account owner about it. For example, Google records the IP addresses from which the account was logged in, logs the authorization process, and offers the user the following settings:
- switch to transmitting information only via HTTPS;
- enable tracking of suspicious sessions: in this case Google will send notifications about account activity at unusual times, a large volume of outgoing spam, deletion of old messages, etc.;
- track the list of third parties that have access to the same Google services as the user.
Another example is IBM. By enabling the user session auditing feature, you gain access to the following information:
- login time and session duration;
- type of session (with or without sign-in);
- whether authentication succeeded or verification was not completed;
- the location from which you logged in.
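The audit records above are only useful if someone acts on them. The following is an added example, not code from the article or from Google's or IBM's products, of a minimal detector run over constructed login records (timestamp, user, source address, outcome): it flags a success that follows a burst of failures, a first login from an address never seen for that account, and a login during quiet hours. The log format and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample audit records (not real data): timestamp, user, source IP, outcome.
SAMPLE_LOG = """\
2024-03-01T09:02:11 alice 203.0.113.10 success
2024-03-01T09:40:05 alice 203.0.113.10 success
2024-03-01T03:15:42 bob 198.51.100.7 failure
2024-03-01T03:15:50 bob 198.51.100.7 failure
2024-03-01T03:15:58 bob 198.51.100.7 failure
2024-03-01T03:16:07 bob 198.51.100.7 failure
2024-03-01T03:16:20 bob 198.51.100.7 success
2024-03-02T10:12:33 alice 192.0.2.55 success
"""

def parse(log_text):
    """Turn each line into (time, user, ip, succeeded)."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome == "success"))
    return events

def audit(events, fail_threshold=3, fail_window_s=120, quiet_hours=range(0, 6)):
    """Return (user, reason) alerts for successful logins that look suspicious:
    a success right after a burst of failures, a first login from an unseen address,
    and a login during hours when the account is normally idle."""
    known_ips = defaultdict(set)          # addresses each user has logged in from before
    recent_failures = defaultdict(deque)  # failures not yet followed by a success
    alerts = []
    for ts, user, ip, ok in sorted(events):
        if not ok:
            recent_failures[user].append(ts)
            continue
        fails = recent_failures[user]
        while fails and (ts - fails[0]).total_seconds() > fail_window_s:
            fails.popleft()               # drop failures older than the window
        if len(fails) >= fail_threshold:
            alerts.append((user, f"success after {len(fails)} failures within {fail_window_s}s"))
        fails.clear()
        if known_ips[user] and ip not in known_ips[user]:
            alerts.append((user, f"login from new address {ip}"))
        if ts.hour in quiet_hours:
            alerts.append((user, f"login during quiet hours ({ts.hour:02d}:00)"))
        known_ips[user].add(ip)
    return alerts
```

Each alert is a candidate for the kind of notification described above; a real deployment would tune the thresholds per account and feed the output to the account owner or a SOC queue.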
Multi-factor authentication requires the user to present more than one “proof” of identity in order to access data.
Such “evidence” can be:
- Knowledge: information the user knows (PIN code, password, code word).
- Possession: an item the subject has (flash drive, electronic pass, magnetic bank card, token).
- Property (inherence): a quality inherent exclusively in the subject; this includes biometric data and personal characteristics such as the shape of the face, the individual features of the iris and retina, and fingerprints.
One variation of multi-factor authentication is two-factor authentication (also called dual authentication). This method verifies the user on the basis of two distinct components.
An example of two-factor authentication is the services of Google and Microsoft. When signing in from a new device, in addition to the login and password you must also enter a code of six (Google) or eight (Microsoft) characters. You can obtain it in one of the following ways:
- SMS message to a mobile phone;
- voice call to phone;
- a pre-generated list of one-time (backup) codes;
- mobile or PC authenticator software.
You can choose the confirmation method in your personal account.
The main advantages of dual authentication are convenience (the smartphone is always at hand) and security (the verification code changes constantly).
This method also has certain disadvantages. Problems with the mobile network can prevent a confirmation code from being received, and the SMS message itself can be intercepted by attackers. The authentication procedure is also slowed down by the wait for the SMS.
Multi-factor (two-factor) authentication
The idea behind multi-factor authentication (MFA) is to combine several separate factors, at least two with different key risks, so that each compensates for the shortcomings of the others. In practice, two-factor authentication is used most often. For example, a system built around hardware keys that users must carry with them can be strengthened with a password that users must remember. Then an attacker who has the token will not know the password, and an attacker who has stolen the password will not have the token. Of course, the most common and well-known version of two-factor authentication is two passwords, a permanent one and a one-time one; the essence of this construction is nevertheless similar to that described above, because the mobile network remains the basic channel for delivering the one-time password.
As usual when choosing elements of a security system, it is necessary to comply with the requirements of laws and standards, and to weigh risks against costs. Most identity verification methods in information systems are based on arbitrary attributes, i.e. those that have no direct connection with the person’s identity and can be transferred from one user to another. This creates obvious risks, but as long as these measures are sufficient and there are no better alternatives, operators are prepared to put up with their shortcomings. After all, perfect security is unattainable in any case, and if the authentication system copes with its tasks, there is no need to replace it with something more perfect.
Only biometrics provides an unconditional guarantee that the user really is who they claim to be, since it uses inherent attributes, such as parts of the human body, that cannot be transferred to another person. Provided that readers become technically advanced, easy to manufacture and economical, sensitive information systems can be expected to rely on this authentication method as the primary one. However, two-factor (and multi-factor) options are unlikely to disappear: after all, two factors are always better than one, and even biometrics is worth backing up with an additional layer of protection.
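The "permanent password plus one-time password" construction described here, and the six-character authenticator-app code mentioned earlier for Google, are shown below as an added example that is not the article's own code and not any vendor's implementation. The one-time code is generated the standard way (RFC 4226 HOTP under RFC 6238 TOTP, HMAC-SHA1, 30-second steps), and the server-side verifier checks both factors, tolerates one step of clock drift, and refuses a code that has already been consumed. The secret, salt and password are constructed demo values; the secret is the RFC 6238 reference secret so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not from the article. The secret is the RFC 6238 reference secret.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-salt"
DEMO_PASSWORD = "correct horse battery staple"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for the permanent (first) factor; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoFactorVerifier:
    """Server-side check of permanent password + one-time code, with a clock-drift window
    and rejection of an already-consumed code (replay)."""

    def __init__(self, secret: bytes, password_hash: bytes, salt: bytes, window: int = 1):
        self.secret, self.pw_hash, self.salt, self.window = secret, password_hash, salt, window
        self.last_counter = -1  # highest time step accepted so far for this user

    def verify(self, password: str, code: str, unix_time: int) -> bool:
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        counter = unix_time // 30
        matched = None
        for c in range(counter - self.window, counter + self.window + 1):
            # Steps at or below last_counter were already used once: reject replays.
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                matched = c
        # Both factors are evaluated before deciding, so a wrong password does not reveal
        # through an early return whether the one-time code was correct.
        if pw_ok and matched is not None:
            self.last_counter = matched
            return True
        return False
```

Delivering the code via an authenticator app rather than SMS keeps the same verification logic while avoiding the interception and network-availability problems noted above.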