
Authentication 2

Authentication Factors

Inherence factors (biometrics) are unique, identifiable biological characteristics that are inherent to the individual.

Biometrics

  • Fingerprints
  • Facial Recognition
  • Iris Recognition
  • Voice Recognition
  • Behavioural biometrics - dynamics (mouse, keyboard, etc.), gait, posture, usage patterns

Security Considerations

  • No risk of losing access
  • Very convenient
  • Availability of sensors?
  • False positives and negatives
  • Can never be changed
  • Not foolproof

Hardware Tokens

  • Keys
  • USB tokens - OTP, Security keys
  • Smart Cards - Metal contacts, RFID, Access control
  • Smartphones/wearables - Readily available, often a single point of failure

Traditional hardware tokens

  • Time/counter-based OTP that the user enters
  • Temporary code that changes every 30s
  • Requires manual intervention

Security keys for WebAuthn

  • Public-key cryptography (private key stored on token, public key on server)
  • Embedded MFA
  • Challenge-response during authentication
  • Automatic, if paired with authenticating device
  • If password is a recovery option, security is the same as passwords
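The public-key challenge-response described in the bullets above, as an added example that is not part of the original notes: the server issues a single-use random challenge, the token signs it together with the origin the browser is actually on, and the server accepts only a fresh challenge, its own origin and a signature under the public key registered at enrolment. The origin `https://bank.example` is made up, and real WebAuthn additionally signs authenticator data, an RP ID hash and a signature counter, which are omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Server side: the origin it serves, the public key registered at enrolment, one outstanding (single-use) challenge.
type RelyingParty struct {
	Origin, Pending string
	PubKey          ed25519.PublicKey
}

// Register runs at enrolment: the key pair is generated on the token; only the public key reaches the server.
func Register(origin string) (*RelyingParty, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &RelyingParty{Origin: origin, PubKey: pub}, priv
}

// Challenge issues 32 fresh random bytes and remembers them as outstanding.
func (rp *RelyingParty) Challenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	rp.Pending = fmt.Sprintf("%x", b)
	return rp.Pending
}

// Sign is the token's response; the browser, not the user, supplies the origin actually being visited.
func Sign(priv ed25519.PrivateKey, challenge, origin string) (msg string, sig []byte) {
	msg = challenge + "|" + origin
	return msg, ed25519.Sign(priv, []byte(msg))
}

// Verify enforces single use of the challenge, origin binding and a valid signature.
func (rp *RelyingParty) Verify(msg string, sig []byte) error {
	parts := strings.SplitN(msg, "|", 2)
	if len(parts) != 2 || parts[0] == "" || parts[0] != rp.Pending {
		return fmt.Errorf("unknown or already used challenge")
	}
	rp.Pending = "" // consumed: a replayed response fails the check above
	if parts[1] != rp.Origin {
		return fmt.Errorf("origin %q does not match %q", parts[1], rp.Origin)
	}
	if !ed25519.Verify(rp.PubKey, []byte(msg), sig) {
		return fmt.Errorf("signature does not verify under the registered key")
	}
	return nil
}
```

A look-alike site that relays the real challenge still only obtains a signature over its own origin, which `Verify` rejects; this is what makes security keys phishing-resistant where an OTP typed into the wrong page is not.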

Possession Factors Security Considerations

  • Relies on strong keys and cryptography, or on very different channels
  • In principle very secure
  • Often as part of MFA
  • Physical loss, damage (usability) or theft
  • Usability
  • Cost

Managing Passwords

  • Passwords are prone to being guessed, cracked, stolen, misused
  • Often the weakest link
  • Still not always well managed server-side!
  • Much effort to replace them, but still around
  • Targeted attacks versus wide net

Password Managers

Good

  • Single master password vs many passwords
    • Generated per-service passwords have sufficient entropy
    • Master password entropy can be higher, since only a single password needs to be remembered
  • Convenience!

Bad

  • Not all free
  • Master password = single point of failure
    • Attractive target!
    • Still requires good password hygiene
  • Vaults still at risk
    • Leaks
    • Can you trust a single third party with all your auth data?
  • Trading some types of attacks
    • Service leaks/mismanagements
    • Lower entropy

Password Managers

  • In the balance, probably a positive
  • Community tends to be cautiously in favour
  • Ultimately, depends on how they are used and on the specific service

MFA

  • Combination of several authentication methods
    • Ideally, factors from different categories
  • Disproportionately more difficult to compromise
  • Usability, (in)convenience