Factors of Authentication

Factors of Authentication

Why aren’t passwords sufficient?

Passwords are a good first layer of protection, but attackers can guess or intercept passwords. Additional security measures can protect you even if an attacker does obtain your password. You can strengthen that first layer of protection by avoiding passwords based on personal information; using the longest password or passphrase possible(8–64 characters); and not sharing your passwords with anyone else.

What additional security measures are available?

  • Multi-factor authentication (MFA), simultaneously using multiple pieces of information to verify your identity, is becoming more common. (MFA is sometimes referred to as two-factor authentication.) The premise is that even if an attacker obtains your password, they may not be able to access your account if it’s protected by MFA. The theory behind this approach is similar to requiring two or more forms of identification or two keys to open a safe deposit box.
  • You should turn on MFA where it’s available. Authentication categories include something you know, something you have, and something you are:
  • Something you know–This includes passwords or pre-established answers to questions. (See tips below for setting up good answers to these “secret questions.”)
  • Something you have–This could be a small physical token such as a smart card, a special key fob, or USB drive. You might use this token in conjunction with a password to log into an account. However, software-based tokens are also common. These software-based tokens can generate a single-use login personal identification number (PIN). Other variations include SMS messages, phone calls, or emails sent to the user with a verification PIN. These token PINs can often be used only once and are voided immediately after use. So, even if an attacker intercepts the exchange, the attacker will not be able to use the information again to access your account.
  • Something you are–Biometric identification can include scanning of eyes (retinas or irises) or fingerprints, other facial recognition, voice recognition, or authentication through signatures or keystroke movements. A common example of biometric identification is the fingerprint scanner used to sign in users on many modern smartphones.

While additional security practices offer you more protection than a password alone, they should not be considered completely effective. Increasing the level of security only makes it more difficult for attackers to access your information. Be aware of MFA and other security practices when choosing a bank, credit card company, or other organisation that will have access to your personal information. Don’t be afraid to ask what kind of security practices the organisation uses.

What other methods are available to keep passwords secure?

The following security measures can help further protect passwords:

  • Use strong authentication recovery mechanisms: Weak authentication recovery mechanisms can be misused to allow an attacker to gain unauthorised access to an affected system. Strong mechanisms prevent unauthorised access to an account or to reset the user’s password.
  • Implement an account lockout policy: Account lockout should initiate after a pre-defined number of failed attempts.
  • Set accounts to automatically disable: Accounts should be disabled after being inactive for a pre-defined amount of time.

Security questions

When you open a new account (e.g., email, credit card), some organisations will prompt you to provide them with the answer to a question. They may ask you this question if you forget your password or request information about your account over the phone. If your answer matches the answer they have on file, they will assume that they are actually communicating with you. In theory, secret questions and answers can protect your information. However, common secret questions ask for mother’s maiden name, social security number, date of birth, or pet’s name. Because so much personal information is now available online or through other public sources, attackers may be able to discover the answers to these questions.

Treat the secret question as an additional password —when establishing the answer, don’t supply real information. Choose your answer as you would choose any other good password, store it in a secure location (e.g., in a password manager), and don’t share it with other people.