Just about every information security standard or regulation contains requirements for the use of multifactor authentication when restricting access to sensitive information or resources. These requirements may seem daunting at first, but complying with them and thereby strengthening your agency’s security posture is a goal that is clearly within reach.
Multifactor authentication is a straightforward concept, in which a system confirms a user’s identity to a high degree of confidence by using more than one type of proof. For example, if you pass through a turnstile on your way into the office that requires you to present both your identification card and enter a secret personal identification number (PIN), you’re using multifactor authentication.
Identification, Authentication and Authorization
Computer systems, file storage, cloud services and other resources all require access control systems to limit their use to approved individuals. Whether it's an agency allowing only specific IT leaders to have access to confidential data or a cloud video streaming service restricting access to paid subscribers, the three components of access control remain the same: identification, authentication and authorization.
Identification is the process in which a user makes an assertion about his or her identity. In most cases, this is as simple as entering a user name into the system. In the offline world, it’s the equivalent of walking up to someone and saying “Hi, I’m Mike Chapple.” At this point in the process, the other party has absolutely no assurance that the claim of identity is authentic. I could just as easily walk up to someone and say “Hi, I’m Barack Obama,” just as I could attempt to log into a computer system with a coworker’s user name.
Authentication is the process in which a user proves that he or she is who he or she claims to be. In the case of a basic access control system, the user might do this by providing a secret password, known only to the user and the service. Returning to the offline example, I could authenticate my claim of identity by showing the other person my driver’s license. Different authentication techniques have different degrees of confidence. You likely will be more confident that I am whom I claim to be if I show you my driver’s license than if I simply tell you who I am.
Authorization occurs after an access control system authenticates the user’s claim of identity. Once the system is confident that it is dealing with a legitimate user, it must determine what resources or services the user is permitted to access. For example, an individual from an organization’s accounting department should not be able to access human resources records and vice-versa. This is the role of authorization.
Understanding these three concepts is critical to understanding how access control systems work. Each is a discrete process with a specific purpose, and IT professionals must understand the goals of specific components of access control systems when implementing them.
You’re already familiar with the most common method of authentication: a user name and password. More likely than not, you used this method to access your computer this morning and will likely use multiple passwords throughout the day to access other systems. While passwords are clearly the predominant authentication technique, there are actually three different categories of authentication methods:
- Something you (and only you!) know: Passwords are the most common example of this authentication factor, but they’re not the only one. Something you know could also include the answer to a security question, a PIN, or any other secret information. The critical characteristic of a strong “something you know” authentication factor is that it must be known only to the user and not easily guessed.
- Something you have: Another means of authentication involves asking the user to present something that only he or she possesses. Common examples of this authentication factor are a smartcard, security token or identification badge.
- Something you are: The final authentication factor relies upon unique biological characteristics of the individual. These techniques, known as biometric authentication, can include fingerprint scanning, iris recognition or voice analysis.
The strength of an authentication factor depends upon the answers to two questions: How hard is it for someone to impersonate another individual, and how difficult is it to reuse someone else’s credentials if you eavesdrop on their authentication session?
Each of the three authentication factors has inherent strengths and weaknesses. Passwords can be guessed, identification cards can be stolen and voiceprints can be recorded. For this reason, many security standards recommend the use of multifactor authentication: the combination of authentication factors from more than one of the categories described above.
It is very important to understand that multifactor authentication does not simply mean that you are using more than one authentication technique. It requires the use of factors from different categories. For example, requiring a user to answer a secret question and enter a password is not multifactor authentication. Rather, it is an example of using two factors from the “something you know” category.
Here are some common examples of multifactor authentication:
- An identification card (something you have) and a PIN (something you know)
- A fingerprint scan (something you are) and a password (something you know)
- A security token (something you have) and a password (something you know).
When used in combination, multiple authentication factors add a greater degree of security to a system by minimizing the likelihood that an intruder will be able to compromise more than one technique. While someone can pick your pocket to get your ID card and look over your shoulder to obtain your password, it’s much more difficult to do both without attracting your attention.
Two Isn’t Always Better Than One
One final word on multifactor authentication: It’s not always the way to go. While the multifactor approach provides greater security than single-factor authentication in most cases, this is not always true. For example, iris recognition is fairly foolproof. Unless an intruder can somehow steal your eyeball (something you guard with your life!), they won’t be able to defeat this authentication technique. This single authentication factor would likely be stronger than a two-factor approach requiring an ID card and PIN.
When you evaluate potential multifactor security solutions for your environment, keep this in mind. While security regulations might require you to use a multifactor approach, you should always consider the strength of each component as well.