single-factor authentication (SFA)

The problems with password-based security and counter-measures

One of the main troubles with passwords is that most users either don’t understand how to make strong and memorable passwords or underestimate the need for security. Extra rules that increase complexity are seen to drive call volumes for password-related issues to help desks proportionately. This problem can result in IT and management letting password standards slip and as a result passwords of shorter length and complexity tend to happen, such as simple seven character words. These passwords can be cracked in a matter of a few short minutes making them almost as ineffective as no password at all or a password that is discovered from a sticky note, either in use or carelessly discarded. While those avenues need to be guarded against, passwords also need to be less predictable to machines. A test of password entropy predicts how difficult a given password would be to crack through guessing, brute force cracking, dictionary attacks or other common methods.

While it is clear that passwords need more entropy to be less predictable, employees need to be trained to create passwords with entropy that they can actually remember.  Throwing a number of rules at employees often makes for passwords no one remembers. Length is perhaps even more important in creating entropy -- users should be encouraged to create long but memorable phrases. The addition of capitols, numerals and perhaps a few special characters greatly increase entropy due to the larger character set. Password meters have shown to be effective at motivating users to create stronger passwords, especially those that show a live updated numerical rating.

Still, passwords may be cracked by brute force, dictionary and rainbow table attacks, once an attacker captures the password database that resides on the protected computer. Administrators also have to do their part to protect passwords from dictionary attacks, for example by adding random characters to the hashes of password encryption to make them less vulnerable to dictionary based attacks, a technique known as password salting.

With the speeds of CPUs today, brute force attacks pose a real threat to passwords. With developments like massive parallel general purpose graphics processing (GPGPU) password cracking and rainbow tables, it’s possible for hackers to produce more than 500,000,000 passwords per second, even on lower end gaming hardware. Depending on the particular software, rainbow tables can be used to crack 14-character alphanumeric passwords in about 160 seconds. Rainbow tables achieve this by comparing password database to a table of all possible encryption keys. This hugely memory-intensive task is only possible because of the increasing amount of memory in computers. The threats continually become more advanced: Now purpose-built FPGA cards offer ten times the performance at a minuscule fraction of a graphics processing unit’s (GPU) power draw. A password database doesn't stand a chance when it is a real target of interest against an attacker with extensive compute and technical resources.

Social engineering is a major threat to password-based authentication systems. To decrease its social engineering attack surface, an organization must train all users, from management to staff. Password strength means nothing  if an attacker tricks a user into divulging it. Even IT staff, if not properly trained, can be exploited with invalid password-related requests. All employees must be aware of phishing tactics, where false emails and forged websites may be used to acquire sensitive information from an unwitting recipient. Other threats, such as Trojans may also come in email messages. In short, passwords are one of the most easily stolen/ broken types of authentication.

The bottom line? Password-based security may be adequate to protect systems that don’t require high levels of security but even in those cases, constraints should be enforced to make them reasonably stringent. And for any system that needs high security, stronger authentication methods should be used.

 Strong authentication vs. multifactor authentication

Strong authentication is sometimes considered synonymous with multifactor authentication. However, single-factor authentication isn’t necessarily weak. Many biometric authentication methods, for example, are strong when properly implemented.

Multiple challenge response questions can make for secure SFA authentication when properly implemented. Biometrics can often make for secure SFA so long as the right kinds and implementations are chosen. Retina scans, finger vein scans and voice recognition are good candidates. One must be doubly sure about the biometric scanner and its implementation when it is a standalone SFA solution rather than one component of MFA.

However, Biometric verification systems may require a significant outlay for enterprise deployment. Depending on the degree of security required, it may be preferable to implement multifactor authentication (MFA).

Authentication factors

An authentication factor is an independent category of credential used to verify user identity. With multifactor authentication, each additional factor increases the assurance that an entity requesting access to some system is who, or what, they are declared to be and decreases the likelihood that an intruder can masquerade as them to gain access. The three most common categories of authentication factors are often described as something you know (the knowledge factor), something you have (the possession factor) and something you are (the inherence factor).

The ID and password  combination is still the most common form of SFA. More complex systems include two-factor authentication (2FA), three- (3FA), four- (4FA) and even five-factor authentication (5FA).

Location factors - where the user is at the time of login, is one of the factors argued for a forth factor for authentication. Again the ubiquity of smartphones can help ease authentication burdens here: Most smartphones have a GPS device enabling reasonable surety confirmation of the log in location.

Time has also been considered as a fourth factor for authentication or alternatively a fifth factor in addition to location for 5FA. Monitoring of employee logins against work schedules, for example, could prevent some kinds of user hijack attacks. Another example is a bank customer: They can't physically use their ATM card in North America and then again in China within a few hours. This additional factor could be used to confirm ATM transactions and prevent many cases of online bank fraud.

Levels of multifactor authentication

A 2FA system strengthens security by requiring the user to provide dual means of identification from separate categories. Typically, one proof of identity is a physical token, such as an ID card, and the other is something memorized, such as a security code or password. The second factor helps to ensure that, even if an intruder steals a user password, they would also have to access the physical device to get into the user account.

3FA adds another factor for further difficulty in falsifying authentication. Typically a biometric trait measurement is added for the inherence factor. Such a system verifies that the person logging in knows the password, has their ID card and that their fingerprint matches the stored record.

4FA ups the authentication ante again taking four unique factors of authentication. It starts to seem like mission impossible in order to break the security. Like a spy using a portable compute device to hack a password, while plugging in cloned USB token, and finally the matching employee’s eye for a retina scan.

A five-factor authentication system would use the three commonly-used factors (knowledge, possession and inherence) plus location and time. In such a system, a user has to reproduce something he knows or remembers, provide proof that he has some item with him, provide a biometric sample for matching and have his location verified -- all within allowed times before he is granted access.

From that last scenario, it’s easy to see how increasing the number of factors involved makes authentication more difficult to fake. That’s why SFA has largely been abandoned and replaced with risk-appropriate levels of multifactor authentication.