Understanding the Three Factors of Authentication
One of the first steps of access control is the identification and authentication of users. There are three common factors used for authentication:
- Something you know (such as a password)
- Something you have (such as a smart card)
- Something you are (such as a fingerprint or other biometric method)
Identification occurs when a user professes an identity (such as with a username), and authentication occurs when users prove their identity. For example, users are authenticated when they provide both their username and correct password. Permissions, rights, and privileges are then granted to users based on their proven identity.
Certifications that Include Authentication
If you’re planning on taking the CompTIA Security+ exam, the (ISC)2 SSCP exam, or the (ISC)2 CISSP exam, you should understand the three factors of authentication. They are specifically referenced in the following objectives:
- CompTIA Security+ (SY0-201)
- CompTIA Security+ (SY0-301)
- (ISC)2 SSCP
- (ISC)2 CISSP
3.6 Summarize the various authentication models and identify the components of each
5.2 Explain the fundamental concepts and best practices related to authentication, authorization and access control
Access Controls domain
Access Control domain
Something You Know
The something you know factor is the most common factor used and can be a password or a simple personal identification number (PIN). However, it is also the easiest to beat.
When using passwords, it’s important to use strong passwords. A strong password has a mixture of upper case, lower case, numbers, and special characters. In the past, security professionals recommended that passwords should be at least eight characters long. However, with the increasing strength of password crackers, it’s common to hear professionals recommending longer passwords. For example, many organizations require that administrator passwords be at least 15 characters long.
Longer passwords are harder to remember unless they’re put into some type of meaningful order. For example, a phrase like “Security breeds success” can become a password of “S3curityBr33d$Succ3$$”. Notice that each word starts with a capital letter, each lower case “s” is changed to a $, each lower case “e” is changed to a 3, and the spaces are removed. The password is easier to remember, yet is very complex. However, if a user is required to remember a long password without any meaning, such as “1kqd9% lu@7cpw#”, they are much more likely to write the password down, weakening the security.
Passwords should not include personal data like a user’s name or username. Additionally a password should not be a word that can be found in a dictionary. A dictionary attack uses a database of words similar to a dictionary, trying all the words in the database for a match. It’s worth stating the obvious here[md]attackers have access to dictionaries in other languages. In other words, a password using a word from another language is as simple to crack as a password used in your native language.
Something You Have
The something you have factor refers to items such as smart cards or hand-held tokens. A smart card is a credit-card sized card that has an embedded certificate used to identify the holder. The user can insert the card into a smart card reader to authenticate the individual. Smart cards are commonly used with a PIN providing multi-factor authentication. In other words, the user must have something (the smart card) and know something (the PIN).
A token is a hand-held device with an LED that displays a number and the number is synchronized with an authentication server. Consider Figure 1, which shows the authentication server and the user with a hand-held token. The number displayed on the token changes regularly, such as every 60 seconds, and the authentication server always knows the currently displayed number.
Figure 1 Token-based authentication
For example, at 5:01 PM, the number displayed on the LED may be 963147, and at the same time, the server knows that the number is 963147. A minute later, the number displayed in the LED may be 246813 and the authentication server would know this new number.
A common way that tokens are used for authentication is with websites. The user types in the number displayed in the token on a web page. If the user types in the same number known by the server at that time, the user is authenticated. It’s common to use multifactor authentication with token-based authentication. In addition to entering the number displayed in the token, the user is often required to enter a username and password. This proves they have something (the token), and they know something (their password).
Something You Are
Biometric methods provide the something you are factor of authentication. Some of the biometric methods that can be used are fingerprints, hand geometry, retinal or iris scans, handwriting, and voice analysis. Fingerprints and handprints are the most widely used biometric method in use today. Many laptops include fingerprint readers and fingerprint readers are also available on USB flash drives. Handprints are used with many amusement parks that sell season passes, or multi-day passes.
While biometrics does provide the strongest authentication, it is susceptible to errors. A false rejection error (also called type 1 error) occurs when a system falsely rejects a known user and indicates the user is not known. A false acceptance error (also called a type 2 error) occurs when a system falsely identifies an unknown user as a known user. Biometric systems typically can be adjusted for sensitivity, but the sensitivity affects the accuracy.
Figure 2 shows the FAR and FRR of a biometric system. Notice that the false accept rate (FAR) decreases as the sensitivity increases. In other words, a less sensitive system falsely authenticates unknown users. In contrast, the false reject rate increases as the sensitivity increases - more known users are rejected as unknown.
Figure 2 Crossover Error Rate (CER)
The point where the FRR and FAR crosses is known as the crossover error rate (CER). You can compare the CERs of different biometric systems to determine how accurate they are. A lower CER indicates that the biometric system has a higher accuracy.
Multifactor authentication uses any two or more authentication factors. A key part of this is that the authentication factors must be in at least two of the categories. For example, using a smart card and a PIN is multifactor authentication since the two factors are something you have and something you know. However, if a user were required to enter a password and a PIN, it would not be multifactor authentication since both methods are from the same factor (something you know).
Location-based authentication rarely comes up, but it has been used with dial-up remote access as an additional authentication factor. Imagine that Joe is authorized to work from home using a dial-in remote access connection to connect to work-based resources. The remote access server can be configured so that as soon as Joe calls in and authenticates, the server hangs up and calls Joe’s computer at home.
As long as Joe tries to connect from his home computer, the connection will work. However, if an attacker was trying to impersonate Joe using Joe’s username and password, the attacker could not connect. Instead, when the attacker authenticated with Joe’s credentials, the remote access server would hang up, and try to call Joe’s computer.
If you’re preparing for a security based certification exam, you should have a good understanding of the three factors of authentication (something you know, something you have, and something you are). You should also understand how they can be used together with multifactor authentication.