Authentication is a central part of an authorization scheme – it is important to know who someone (or some thing) is to know what he/she/it is allowed to do. Recently there has been a lot of discussion of multi-factor authentication on the web.
First, what is multi-factor authentication? There are three general ways to authenticate someone. They are generally referred to as "something you know", "something you have" and "something you are".
The best example of the first is a secret password. You know it. You never share it (right?!) and you change it frequently. Ideally, only you know your password. Sadly, though, some people share their passwords. Sharing a password makes it no longer secret! If I know someone’s password, I can impersonate that person. In such a case a computer or website will not be able to distinguish between me and the owner of the password. If at its heart authentication means being able to prove one’s identity, there is no authentication in this case. I’ve written about this before.
Examples of the second are a credit card or other item with a magnetic strip, RFID token or electronic circuit. It is easiest to think of the credit card. Years ago, and in some small towns today, one could go to a store and say “Just put it on my tab” and the owner would keep track of who owed what. This is no longer practical as we often patronize many shops, often all over the world. So the charge card and subsequently the credit card were created. (I wish I could find my dad’s old paper American Express card…) The point is that the card authenticated the holder, perhaps along with a signature. People seldom share their credit cards…
Many companies have ID cards with magnetic strips or RFID chips in them that allow employees access to buildings or secure areas. When used alone, these are further examples of “something you have”.
The last of the three authentication methods is “something you are”. This is often referred to as biometrics. I’ll talk more about this in a future post.
It turns out that we can get more reliable authentication (fewer mistakes of accepting the wrong person) if we combine factors from two of these three categories. One big win of combining factors is that if one factor is stolen, defeated or otherwise compromised, the other is still available to protect you. Of course, one could share two factors, and that's where some of the benefit of biometrics comes in.
So, back to the original topic: how do you get two-factor authentication on the web without issuing some sort of electronic device (more on these another time) to each user of a website? One way is to require use of a cell phone. There are other ways, too, including one-time passwords. Check out this Google video for instructions for adding two-factor (or "two-step" as they call it) authentication to gmail.
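To make the "something you know plus something you have" idea concrete, here is an added example (not code from the original post or from Google's product) of how a website can verify both factors: a salted password hash for the first factor and a time-based one-time password (TOTP, RFC 6238, the scheme phone authenticator apps implement) for the second. The user record, the password and the TOTP secret are constructed for the demo; the secret is the RFC 4226/6238 test-vector key, not anything a real user would hold.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo data: this is the RFC 4226/6238 test secret (ASCII
# "12345678901234567890"), used here only so the codes are checkable.
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRET_B32 = base64.b32encode(DEMO_SECRET).decode()  # form a QR code would carry


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): truncate HMAC-SHA1 of the counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret, timestamp, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the 30-second time step."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret, code, timestamp, step=30, window=1):
    """Accept the code for the current step or `window` steps either side (clock drift).
    The comparison is constant-time so a wrong guess leaks no timing information."""
    counter = timestamp // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


# "Something you know": store only a salted PBKDF2 hash, never the password itself.
def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


# Constructed user record for the demo.
_SALT, _DIGEST = hash_password("correct horse battery staple")
USER = {"name": "alice", "salt": _SALT, "pw_digest": _DIGEST, "totp_secret": DEMO_SECRET}


def login(user, password, code, now=None):
    """Two-factor login: the password (known) AND the current code (from the device
    you have) must both check out. Both checks always run, so a wrong code costs the
    same time as a wrong password."""
    now = int(time.time()) if now is None else now
    pw_ok = check_password(password, user["salt"], user["pw_digest"])
    otp_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the expected 6-digit code is 287082
    print("code at t=59:", totp(DEMO_SECRET, t))
    print("password + code:", login(USER, "correct horse battery staple", totp(DEMO_SECRET, t), now=t))
    print("stolen password alone:", login(USER, "correct horse battery staple", "000000", now=t))
```

The last line of the demo is the point of the post: a password that has been shared or stolen is not enough on its own, because the attacker still lacks the device that produces the current code. The `window` parameter is the usual trade-off between tolerating a phone clock that is a little off and widening the set of codes an attacker could guess; a real deployment would also rate-limit failed attempts and refuse to accept the same code twice.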
Should you do this? It is probably a good idea if you use multiple devices or you access your email from public access sites. Do you do this? Let us know in the comments below. Are there other two-factor alternatives for other situations? Yes, we discuss them in Learning Tree’s security introduction class.