Authentication Methods

Content

Authentication factors
Single vs. Multi-factor Authentication
Passwords
FIDO - Fast Identity Online
Passkeys
Best practices
Sources

Authentication factors

  • A way to provide further information to prove your identity
  • The three most common authentication factors are something you know, something you have, and something you are.
    • Something you know - stored in your memory, can be retrieved when needed (Password, PIN)
    • Something you have - something you can physically carry with you (Access badge, tokens)
      • Two standards for generating tokens: HOTP and TOTP
        • HMAC-based One-Time Password (HOTP) - generates a token that expires once it is used
        • Time-based One-Time Password (TOTP) - generates a new token every 30 seconds, regardless of whether the previous one was used
    • Something you are - characteristics unique to you (Biometrics, fingerprints)
  • Two lesser known authentication factors are somewhere you are and something you do
    • Somewhere you are - related to your location (IP addresses, MAC addresses)
    • Something you do - proves identities by observing actions (Gestures, touches on a picture)

Single vs. Multi-Factor Authentication (MFA)

  • Single-factor authentication - only one factor is used
  • Two-factor authentication (2FA) or dual-factor authentication - two factors used
  • Multi-factor authentication (MFA) - two or more factors used
    • It is better to have two different types of factors (e.g. a password or something you know, and a token or something you have) vs. having two of the same type of factor

Passwords

  • Responsible for the majority of cyber attacks
  • Should not be repeated across different accounts
    • To avoid this, using a password manager is recommended
  • Create strong passwords
    • The Dartmouth password rule is: a minimum of 8 characters, which may consist of upper or lower case letters, numbers, or special characters, in any order.
    • Guidelines for passwords have changed in recent years
    • Previous advice was to use complex passwords (e.g. fd982$@#rD), but this creates the risk of users writing down and/or insecurely storing passwords
    • Now, password length is recommended over complexity in the form of passphrases
      • Passphrases string together a few words that are easy to remember but difficult to guess, e.g. thEdogatEmyhomEwork
      • Other examples of passphrases
        • Correct horse battery staple
        • I love cookie dough ice cream with sprinkles on top
        • 2 be or not 2 be, that is the question
  • Don’t reuse passwords across accounts
    • Single sign-on (SSO) or password managers can help reduce the burden of having unique passwords for each account
  • Should you change your passwords regularly?
    • Previously, it was recommended that passwords should be changed every 90 days
    • Now, the National Institute of Standards and Technology (NIST), which provides guidance for organizations on managing cybersecurity risk, recommends against forced periodic password changes, since they push users toward passwords that are easier to remember (and therefore easier to guess)
    • Passwords should always be changed in the event of a suspected compromise or data breach

FIDO - Fast Identity Online

  • Goal is to create a new standard to replace passwords
  • Supports a number of authentication methods, but particularly public key cryptography in the form of passkeys

Passkeys

  • Instead of entering passwords, a user is required to perform an action or “gesture”, such as the following:
    • Clicking a login acknowledgment message
    • Touching a USB key
    • Biometric finger swipe
  • May be the new standard to replace passwords
  • Provide faster, easier, and more secure access to accounts across a user’s devices
  • Stronger than passwords and much more resistant to phishing attacks
  • Simplify account registration
  • Easy to use
  • Work across multiple devices
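A simplified model of the FIDO public-key challenge-response behind the two sections above, as an added example in Go that is not the page's own code and not a full WebAuthn implementation: the Authenticator type, the clientData layout, the Register/Assert/Verify functions and the example.com relying party are all assumptions, chosen to show why a passkey signature only verifies for the site it was registered with, which is what makes passkeys resistant to phishing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// Authenticator keeps one passkey per relying-party ID (the site's domain); a
// user gesture unlocks signing, and the private key never leaves the device.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }
// clientData is filled in by the browser, not the page, so a lookalike site
// cannot lie about the origin the request really came from.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}
// Register creates a key pair for rpID; only the public key goes to the site.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[rpID] = priv
	return pub
}
// Assert signs H(rpID) || H(clientDataJSON); ok is false if no passkey exists for rpID.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) (cd, sig []byte, ok bool) {
	priv, found := a.keys[rpID]
	if !found {
		return nil, nil, false
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	return cd, ed25519.Sign(priv, append(rpHash[:], cdHash[:]...)), true
}

// Verify is the relying party's check: its own rpID and origin, the challenge
// it issued, and a valid signature under the public key stored at registration.
func Verify(pub ed25519.PublicKey, rpID, origin string, challenge, cd, sig []byte) bool {
	var got clientData
	if json.Unmarshal(cd, &got) != nil || got.Origin != origin || string(got.Challenge) != string(challenge) {
		return false
	}
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	return ed25519.Verify(pub, append(rpHash[:], cdHash[:]...), sig)
}

func main() { // constructed sample: one site, one passkey, one login
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	pub, challenge := auth.Register("example.com"), []byte("random-challenge-from-server")
	cd, sig, _ := auth.Assert("example.com", "https://example.com", challenge)
	fmt.Println(Verify(pub, "example.com", "https://example.com", challenge, cd, sig)) // true
}
```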

Best practices

  • Use passphrases instead of passwords (until passkeys become more common)
  • Use a password manager to securely manage your passwords
    • Which password manager to use?
      • Apple’s macOS password manager is good for securing passwords and syncing across Apple devices, but does not support syncing on non-Apple devices
      • Google Chrome has the best browser-based password manager, but a dedicated password manager is preferred, as it will have more features and be better supported
      • Bitwarden
        • Currently the top pick of CNET, Wired, and other reviewers
        • Free, polished, and user-friendly
        • Passwordless authentication support
        • Passkey support
        • Apps for Android, iOS, Windows, macOS, and Linux
      • 1Password
        • Apps for macOS, iOS, Android, Windows, Linux, and ChromeOS
        • Costs money, but has a few extra features
        • Can also act as an authentication app
  • Use MFA and/or SSO when possible
  • Use the How Secure is My Password tool
    • Shows how long (generally in years) it would take a computer to crack the password
    • For the above example passwords, it would take 5 years for a computer to crack the password “fd982$@#rD” and 3 hundred trillion years to crack the password “thEdogatEmyhomEwork”

Sources

The above information was gathered from the following sources: