Two? Two what? Heads? Maybe it’s true that two heads are better than one. Depends on how alike they are, but also how different. Too much alike, and they can reinforce their mutual weaknesses as well as strengths. Not to mention that they can make the same amount of work require more effort without more benefit. That’s all true, too, of the topic I am writing about today: authentication factors.
Authentication factors for computing resources are the ways you prove to the system that you’re the authorized user, and get in to gain access to programs and files. Most frequently, the authentication factor you encounter in the digital world is your user ID and your password. And that is the first type of factor, out of three. When security pros talk about authentication factors, we talk about three broad types:
- Something you know
- Something you have
- Something you are
You can see how user ID and password fit the first category. You have also probably noticed that there are many sites that will allow you to bypass creating yet another user ID and password combination by logging in via one of your social media accounts. This is a great convenience when the developers of a web resource have gone to the trouble of integrating their authentication process with one or more of the popular social media platforms. You have the added convenience of having one less password to remember.
Just don’t forget: every time you take advantage of this convenience, you raise the stakes a bit on the logins you have to the base sites. Now a compromise to your Facebook, Twitter, LinkedIn or Google+ login is that much bigger an issue. So it’s all the more worthwhile to consider a way to make the “cracking” of those high-stakes logins much more difficult.
It’s good practice to have two of the three factors for any high-value authentication. For consumers, that means banking and investment accounts, credit and insurance sites, anything with a financial impact, in addition to social media sites that can have reputational impact and can be leveraged for other sites you use with integrated logins. Pretty much everywhere you go uses that first category, something you know. Your user ID, and especially your password, are bits of knowledge you carry around in your head (OK), or on bits of paper in your wallet (not so OK), or on post-it notes stuck to your monitor (very bad), or stashed safely in an encrypted password vault (verry goood!). Okay, we’ve got #1 covered. Now we need #2 or #3.
“Biometrics” is the techie term for #3: something you are. It’s growing in popularity. Fingerprint unlocking is not optional anymore on some Apple and other products. Facial recognition is the unlock mechanism they’re furiously pushing for the coming devices, including the iPhone 8. Fingerprint locks are almost ubiquitous in data centers and other places that want to look very secure.
Look secure. I’m not sold on the genuine superiority of consumer-level biometrics sensors. Biometrics sensors all have a measure called the “crossover error rate.” Think about it like this: there are two ways a sensor can be wrong. It can mis-identify someone else’s fingerprint (or retina, or face, or whatever…) as yours. Or it can see yours and not get that it is yours. The first type of error is called “false-positive,” and the second “false-negative.” The charming nature of biometrics devices is that they will always present both kinds of errors. You can tune the device to present less of one, but that increases the rate of the other. And vice-versa. When you balance the two so that the total number of errors — of both kinds — is at its lowest, that is called the crossover point. The false-negative and -positive curves cross there. And the difference between a $4 sensor part and a $40 sensor part? The crossover point is a lot higher in the $4 part.
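To make the trade-off concrete, here is an added example (not from the post, and not any vendor's code) that sweeps a sensor's acceptance threshold over a constructed set of match scores and finds where the false-positive and false-negative curves cross. The scores are made up for illustration; a real sensor would supply them from its matcher.

```python
from typing import List, Tuple

# Constructed sample data (not from the page): similarity scores, 0.0 to 1.0,
# that a matcher assigned to ten genuine attempts and ten impostor attempts.
GENUINE = [0.9, 0.85, 0.8, 0.75, 0.7, 0.65, 0.6, 0.45, 0.4, 0.3]
IMPOSTOR = [0.1, 0.15, 0.2, 0.25, 0.3, 0.35, 0.4, 0.55, 0.6, 0.7]


def false_positive_rate(impostor: List[float], threshold: float) -> float:
    """Share of impostor attempts accepted (the post's 'false-positive')."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_negative_rate(genuine: List[float], threshold: float) -> float:
    """Share of genuine attempts rejected (the post's 'false-negative')."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curves(genuine: List[float], impostor: List[float],
                 steps: int = 20) -> List[Tuple[float, float, float]]:
    """Sweep the threshold: tightening it lowers one rate and raises the other."""
    rows = []
    for i in range(steps + 1):
        t = i / steps
        rows.append((t, false_positive_rate(impostor, t),
                     false_negative_rate(genuine, t)))
    return rows


def crossover(genuine: List[float], impostor: List[float],
              steps: int = 20) -> Tuple[float, float]:
    """Threshold where the two curves cross, and the error rate there (the CER).

    Returns the first threshold with the smallest gap between the two rates,
    so a cheaper sensor (wider overlap of the two score sets) reports a higher CER.
    """
    best_t, best_gap, best_rate = 0.0, None, 0.0
    for t, fp, fn in error_curves(genuine, impostor, steps):
        gap = abs(fp - fn)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (fp + fn) / 2
    return best_t, best_rate


if __name__ == "__main__":
    for t, fp, fn in error_curves(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  false-positive {fp:.2f}  false-negative {fn:.2f}")
    print("crossover (threshold, error rate):", crossover(GENUINE, IMPOSTOR))
```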
With an unavoidably substantial number of errors of both kinds, I tend to shy away from recommending biometrics in small-budget situations. The way I prefer to go for a second factor is not something you are, but something you have. In the past, this has often been a dedicated token with a display that puts up a numeric code every minute or so. This is synchronized with the user’s identity record so that the code entered gives assurance that the user logging in is in possession of that unique key.
This is now possible at a superbly low cost, because the function of the hardware key is now taken by an app on a smartphone. Shown here is a typical screen from Google Authenticator. You install Authenticator on your phone. When you enable a second factor for authentication on any website, you perform a synchronization that shares a randomized secret between the web application and your instance of Authenticator. That seeds a process in Authenticator that generates a six-digit code every minute. You give the current code when logging in to that site thereafter.
There are some sites that send second-factor authentication codes via SMS text, or via email. This is not preferred because of the many intermediaries in those messaging protocols and therefore the difficulty of accounting for the authentication code through the entire process.
Even if using the inferior methods of SMS or email, and certainly if using a smartphone app like Authenticator, it’s always encouraged to use two-factor authentication for every service that matters.
If the service provider does not offer two-factor authentication, I would recommend inquiring of the provider why it doesn’t, and if that will change soon. If the answer to that last is No, then it might be well to switch to an alternative provider.