For this discussion authentication refers to the act of confirming someone’s identity and right to access data, funds, etc. When you want to get into your home you authenticate your identity and right to be there with a key. When you pay for something online you authenticate and prove your right to those funds with the information on the credit card. When you open up your iPhone you might authenticate with your fingerprint.
There are three main types of authentication factors:
Possession factors require only that you have possession of something. One very old example would be a key – possession of that key opens a lock. Another would be a credit card that does not use the latest chip-and-PIN technology – simply having the credit card is enough to use it.
Possession factors – in the form of locks and keys – have been used for hundreds of years, but most can be lost, stolen or copied, and on their own they are not adequately secure.
A more modern, and much more secure, possession factor is a mobile application like Google Authenticator which will be discussed later.
Probably the most common form of authentication, knowledge factors include things like passwords and PINs. Other examples involve what are often referred to as “password recovery” or “secret questions”, like “what was your mother’s maiden name?”
The great advantage of knowledge factors like passwords is that they are easily changed. The disadvantage is that, using modern technology, simple passwords are easily cracked, necessitating the use of complex passwords.
Unfortunately it is extremely difficult, if not impossible, for most people to remember more than a few strong passwords, and reusing even strong passwords is very dangerous. If your favorite “strong” password is compromised in a large-scale attack on one retailer (for example), every account that uses that password is compromised with it. To use passwords effectively you absolutely must commit to a sound password strategy.
Even strong, unique passwords can be hacked using techniques like keystroke logging and, once compromised, can be easily shared. This means that knowledge factors alone are not enough.
Inherence Factors typically involve biometrics – most often a fingerprint or retina scan, sometimes facial or voice recognition. The Touch ID home button on iOS devices is one popular example.
The first major disadvantage of biometrics is that they can, with varying degrees of difficulty, be copied. Many mobile devices that use facial recognition can be fooled simply by pointing them at a photograph of the owner of the device. Copying fingerprints is harder but not impossible. In this regard they are still more secure than knowledge factors like passwords, which can be shared very easily.
The second major disadvantage is that once a biometric factor has been compromised it cannot easily be changed. A password or PIN number can be changed. An ATM card can be replaced. You can’t change or replace a fingerprint.
When you enter a key into a lock you are using a single possession factor. If instead you enter a combination or PIN number you are using a single knowledge factor. When you swipe a credit card you use a single possession factor. When you use your thumb to unlock your iPhone using the Touch ID feature you are using a single inherence factor.
When you withdraw money from an ATM you are using two different factors. Something you have (the ATM card with data on the magnetic stripe) and something you know (the PIN number). The PIN does not appear on the card and is not stored on the magnetic stripe which means that simply having the card is not enough – the PIN number is something you have to know.
What about the CVV used with credit cards? This is very different from the PIN on ATM cards, because the CVV code is printed on the back of the credit card. It is not stored on the magnetic stripe, but it does appear on the card. That means the card is the only factor you need.
The newer chip-and-PIN technology addresses this weakness: like ATM cards, it requires a separate PIN that does not appear anywhere on the card, which makes these cards much more secure. If you lose a magnetic-stripe credit card today you need to cancel it immediately, because possession of that card is all someone needs to use it. With chip-and-PIN technology the card is useless without the accompanying PIN.
A less common example can be found at many data centers or higher security offices. These often employ a system that requires the visitor to first swipe an ID card or token (possession factor) and then submit to a fingerprint or retina scan.
As additional authentication factors are introduced security improves. An outstanding example of this is the Google Authenticator application.
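To make the possession-plus-knowledge idea concrete, here is an added example (not code from the original article or from Google) of how a server checks a Google Authenticator-style code alongside a password. The one-time code is computed with HOTP/TOTP exactly as RFC 4226 and RFC 6238 specify, which is what Google Authenticator implements; the user record, the `enroll`/`login` helpers, the PBKDF2 parameters and the replay bookkeeping are this example's own assumptions. The check only succeeds when both the password (something you know) and a fresh code from the enrolled secret (something you have) are correct, and a code that has already been accepted is refused a second time even while it is still within its 30-second window.

```python
import base64
import hashlib
import hmac
import os
import struct


# --- possession factor: one-time codes (RFC 4226 HOTP / RFC 6238 TOTP) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to a 31-bit integer, then reduction mod 10^digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                step: int = 30, window: int = 1):
    """Compare `code` against the current step and +/- `window` neighbours (clock
    drift) in constant time. Returns (ok, counter_used). Any counter at or below
    `last_counter` is refused, so an already-accepted code cannot be replayed."""
    now = unix_time // step
    for k in range(-window, window + 1):
        counter = now + k
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter


# --- knowledge factor: salted, iterated password hash (assumed parameters) ---

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b""):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- combining both factors (hypothetical server-side user record) ---

def enroll(password: str) -> dict:
    """Constructed user record: password hash plus a fresh 160-bit TOTP secret.
    The secret is kept base32-encoded, the form an authenticator app is given."""
    salt, digest = hash_password(password)
    secret = os.urandom(20)
    return {"salt": salt, "pw": digest,
            "totp_secret_b32": base64.b32encode(secret).decode(),
            "last_counter": -1}


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Succeeds only if the password AND a fresh one-time code are both correct.
    Both checks always run, so a failure does not reveal which factor was wrong."""
    pw_ok = check_password(password, user["salt"], user["pw"])
    secret = base64.b32decode(user["totp_secret_b32"])
    otp_ok, counter = verify_totp(secret, code, unix_time, user["last_counter"])
    if pw_ok and otp_ok:
        user["last_counter"] = counter  # burn this step so the same code is not accepted twice
        return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret, used only to show the published test vectors
    ref = b"12345678901234567890"
    print("HOTP counter 0:", hotp(ref, 0))          # 755224
    print("TOTP at t=59:  ", totp(ref, 59, digits=8))  # 94287082
    user = enroll("correct horse battery staple")
    app_secret = base64.b32decode(user["totp_secret_b32"])
    now = 1_000_000
    print("password + code:", login(user, "correct horse battery staple", totp(app_secret, now), now))
    print("same code again:", login(user, "correct horse battery staple", totp(app_secret, now), now))
```

Note that the clock-drift window is what lets a phone a few seconds off still log in, and it is also why the server must remember the last counter it accepted: without that, a code observed over someone's shoulder remains valid for up to a minute.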