Authentication : definition and methods

CyberSecura
CyberSecurity and GDPR compliance
8 min read · Oct 19, 2021

One of the most important aspects of cybersecurity is to successfully identify the users who are going to access your services or your computer network. The focus is on the interaction between the user and the service, also known as the HMI (Human-Machine Interface).

And that’s where authentication comes in.

Whether you want to improve your internal security, provide a better user experience or reassure your customers, it is important to understand what authentication is and how to implement it properly. A strong authentication mechanism ensures the confidentiality of sensitive information to its users. It is the first line of defence against cybercriminals coveting data.

Royalty-free image: Unsplash

What is authentication?

It is very simple to find a generic definition by taking the first link in a Google search result (often Wikipedia).

Authentication is the set of security mechanisms that verify the legitimacy of the interaction either between machines or between human and machine.

However, this verification only concerns the access request. On its own, it does not identify the person or machine requesting access: if the correct identification information is presented (ID/password, badge, etc.), access is authorised. Thus several people may share the same access keys for a resource, which is not recommended. To remedy this, more advanced mechanisms have been developed; we will come back to them later in this article.

How does authentication work?

To gain access, the user (or machine) must prove to the system that it is who it claims to be. The ID and key are sufficient to confirm the identity of the user, which allows the system to grant access.

It is important to note that authorisation, on the other hand, is what dictates what users can see and do when they log in. Although authorisation and authentication are often used interchangeably, these two different terms work together to create a secure login process.

Quite simply, authentication must:

  • Manage the interaction between the requester and the system:

a. Ask for identification information.

b. Create a secure tunnel to transmit this information.

  • Check the validity of these credentials.
  • Approve (or deny) the access request so that the system can grant access to the resources.

Here is an example of an authentication process:

  1. The user fills in a form with his credentials.
  2. The authentication system retrieves this information in a secure way (e.g. encrypted tunnel) and tries to find a match with its identification database.
  3. If a match is found, the system authenticates the user and gives them access to the resources. If not, the user is prompted to re-enter their credentials. If the attempts are unsuccessful, it is recommended that an automatic account blocking mechanism be set up to prevent brute force attacks and that the system manager and the account owner be notified.
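The three steps above, as an added example that is not part of the original article: a small Python authenticator that stores only salted PBKDF2 hashes of the credentials, compares them in constant time, blocks the account after repeated failures (step 3) and records a notification for the administrator and account owner. The iteration count, attempt limit and lockout duration are assumptions chosen for the example, and the sample account is constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Parameters below are assumptions for this example, not values from the article.
PBKDF2_ITERATIONS = 100_000  # keep this high: it slows offline guessing if the database leaks
MAX_FAILED_ATTEMPTS = 5      # consecutive failures before the account is blocked
LOCKOUT_SECONDS = 15 * 60    # how long the block lasts
DUMMY_SALT = b"\x00" * 16    # used so unknown usernames cost the same time as known ones


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the salted hash is stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Authenticator:
    """Steps 2 and 3 of the article's example: look up the user, compare the
    credential, block the account after repeated failures and raise an alert."""

    def __init__(self) -> None:
        self.users = {}           # username -> record; stands in for the identification database
        self.notifications = []   # stands in for e-mails to the administrator and account owner

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "failed": 0, "locked_until": 0.0}

    def authenticate(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return "ok", "denied" or "locked". Unknown users get the same "denied"
        answer as a wrong password, so the response does not reveal which usernames exist."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            hash_password(password, DUMMY_SALT)  # burn the same time as a real check
            return "denied"
        if now < user["locked_until"]:
            return "locked"
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["hash"]):  # constant-time comparison
            user["failed"] = 0
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["failed"] = 0
            user["locked_until"] = now + LOCKOUT_SECONDS
            self.notifications.append(
                f"account '{username}' blocked for {LOCKOUT_SECONDS}s "
                f"after {MAX_FAILED_ATTEMPTS} failed attempts")
            return "locked"
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")  # constructed sample account
    print(auth.authenticate("alice", "correct horse battery staple"))  # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(auth.authenticate("alice", "guess"))  # denied four times, then locked
    print(auth.notifications)
```

The `now` parameter exists only so the lockout can be tested deterministically; in production it would always come from the clock. Note that the lockout also makes a denial-of-service by deliberate wrong guesses possible, which is why the notification to the account owner matters.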

A few authentication methods

In the previous sections, we have already briefly stated the principle of identification information, also called “authentication factors”. These factors are defined in three categories:

  • What I know: a username, a password or a PIN. The weakness of these factors is that they can be shared or guessed.
  • What I own: one-time password tokens such as temporary codes provided by an OTP application, key fobs, ID cards and physical tokens.
  • What I am: any biometric authentication process, such as fingerprint scanning or facial recognition, falls into this category.

And for each of these categories, several methods exist. Here are some of them:

  1. The username/password combo

This is one of the most commonly used methods, with which users are most familiar. When you arrive at the page, you are asked to enter your username and password.

Your credentials are sent to the credentials server and compared to the information it holds in its database. When a match is found, you can access your account.

Passwords are often used to secure personal accounts such as social networking profiles, online banking and e-commerce sites, and other online resources. However, passwords are not as secure an option as they seem. And the damage can be catastrophic if a hacker gains access to one of these accounts or to the database containing all the credentials.

In addition, users often have difficulty remembering multiple passwords (personal and business) and most take the easy way out by using a single password for all access.

And to top it all off, it is often a simple password that can be found by doing a little research on the person (e.g. name of high school + year of graduation => Bonaparte1991; or name of a granddaughter with the year of her birth => Julie2006, etc.).

This method is the most used and indeed the easiest to break.

2. Biometric authentication

Biometric authentication relies on a user’s unique biological characteristics to verify their identity. This makes biometrics one of the most secure authentication methods available today. In addition, it causes less friction during the authentication process than the previously mentioned methods, making the user experience more pleasant. The most common identifiers are fingerprint scanning, facial recognition and voice identification.

However, using these methods requires investing in fingerprint readers or voice/facial recognition technologies. It is one of the most effective methods, but it comes at a cost. Moreover, depending on the factor chosen, there may be more or fewer errors, causing both false positives and false negatives.

Finally, there is the question of privacy, as this involves storing very personal and sensitive information about the user. The security put in place to protect this information must be stringent.

3. QR Code / Push Notifications / SMS OTP

This kind of authentication method is often used as a second factor to add an extra step of security, either to request access to a sensitive resource (MFA, or Multi-Factor Authentication, e.g. to access your bank’s website), or to validate a transaction (a QR code displayed on a website after a purchase that has to be scanned with your bank’s application).

In some cases, it is used to authenticate the user directly on an application. For example, Uber Eats sending an authentication code by SMS (the phone number being the ID) or Slack sending an email with a link to click to authenticate.

4. Behavioural interaction

Behavioural authentication verifies a user’s identity based on unique patterns recorded during interaction with devices.

Examples:

  • On a phone: an unlock pattern, recording the movement drawn, the angles taken, the speed, etc.
  • On a computer: Windows Hello lets the user load an image and select a specific number of points on it that only the user knows.

These identifiers are similar to the password identifier because they are in the “what I know” category but instead of using letters and numbers, “drawings” are used.

Improve authentication methods

Now that we have a better understanding of authentication, let’s move on to how to make it more secure, more efficient and, if possible, more enjoyable for the user.

Enforce a strong password policy

We have seen that the use of passwords is not the most secure method, but it has the advantage of being cheap and easy to implement. In order to improve this method, it is necessary to set up a password policy to mitigate its weaknesses:

  • Longer passwords. Security experts suggest creating passwords of at least 12 characters.
  • Complex passwords. Passwords with a random combination of upper and lower case letters, numbers and symbols are more difficult to crack/guess.
  • Avoid using dictionary words. Dictionary brute force attacks are very common and more effective than traditional brute force attacks. Also avoid obfuscation tricks such as replacing the letter “A” with the character “@” or the letter “I” with the digit “1”: these substitutions have already been incorporated into dictionary attacks to counter them.

P@$$w0rd: good practices

  • Do not reuse passwords between different services/websites.
  • Change these passwords frequently.

You can try to test the security of your passwords yourself with the website howsecureismypassword.net.

Source: screenshot of howsecureismypassword.net.

Here is an example of a 17-character password with complexity (uppercase, lowercase, number and special) that is not a dictionary word: the site explains that it would take a computer 93 trillion years to crack this password.
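The policy rules above (length, character classes, dictionary words and the “@” for “A” substitutions) and the brute-force estimate behind the website’s figure, as an added example that is not from the article: a Python checker plus a key-space calculation. The word list, substitution table and guess rate are assumptions made for the example; the website’s own assumed rate is not stated here, so the number of years it reports will differ from this calculation.

```python
import math
import string

MIN_LENGTH = 12  # the article's "at least 12 characters"

# Constructed mini word list; a real check loads a full dictionary and leaked-password lists.
DICTIONARY = {"password", "welcome", "bonaparte", "julie", "letmein", "dragon"}

# Substitutions that dictionary attacks already undo, so they add no real strength.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})

# (membership test, alphabet size) for each character class.
CLASS_SIZES = (
    (lambda c: c.islower(), 26),
    (lambda c: c.isupper(), 26),
    (lambda c: c.isdigit(), 10),
    (lambda c: c in string.punctuation, len(string.punctuation)),  # 32 symbols
)


def deobfuscate(password: str) -> str:
    """Undo the common letter-for-symbol swaps and lower-case the result."""
    return password.translate(LEET).lower()


def dictionary_hits(password: str) -> list:
    """Words from DICTIONARY that the password reduces to once substitutions and
    leading/trailing digits or symbols (Bonaparte1991 -> bonaparte) are removed."""
    edges = string.digits + string.punctuation
    candidates = {
        deobfuscate(password),
        deobfuscate(password.strip(edges)),
        deobfuscate(password).strip(edges),
    }
    return sorted(c for c in candidates if c in DICTIONARY)


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = sum(1 for test, _ in CLASS_SIZES if not any(test(c) for c in password))
    if missing:
        problems.append(f"{missing} character class(es) missing (need upper, lower, digit, symbol)")
    hits = dictionary_hits(password)
    if hits:
        problems.append("dictionary word after undoing substitutions: " + ", ".join(hits))
    return problems


def keyspace_bits(password: str) -> float:
    """Size of the search space, in bits, assuming the attacker knows which
    character classes are used (the usual brute-force model)."""
    if not password:
        return 0.0
    alphabet = sum(size for test, size in CLASS_SIZES if any(test(c) for c in password))
    return len(password) * math.log2(alphabet)


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the key space at an assumed guess rate
    (the rate is an assumption for this example, not the website's figure)."""
    seconds = 2 ** keyspace_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Bonaparte1991", "9sKJ5?k-He8F"):  # constructed samples
        print(pw, check_policy(pw), f"{keyspace_bits(pw):.1f} bits",
              f"{brute_force_years(pw):.3g} years")
```

The key-space figure is an upper bound: a dictionary attack on `P@ssw0rd` succeeds in a handful of guesses regardless of its 52-bit key space, which is exactly why the dictionary check comes before the arithmetic.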

Using a password manager

Having implemented a good password policy, you now need to remember them, but remembering “9sKJ5?k-He8F” can be difficult. This is where password managers come in. They allow you to store passwords securely but also to generate them easily, and some of them also offer to auto-fill forms on websites. So you only need to remember one password: the one that will open the password manager and access the others.
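Added example, not from the article: how a password manager can generate passwords that satisfy the policy above, using Python’s secrets module (the operating system’s CSPRNG) rather than random, plus a passphrase generator for the one master password the user still has to remember. The symbol set and the short word list are constructed for the example; a real passphrase list has several thousand words.

```python
import secrets
import string

# Character classes every generated password must cover. The symbol set is an
# assumption for this example, chosen to avoid characters some sites reject.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#%&*+-=?@_")
ALPHABET = "".join(CLASSES)

# Constructed word list; a real manager would use a list of thousands of words.
SAMPLE_WORDS = ("alpine", "bicycle", "canyon", "dolphin", "ember", "falcon", "granite",
                "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
                "orchid", "pebble")


def covers_all_classes(password: str) -> bool:
    """True when the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 16) -> str:
    """Draw each character with secrets.choice and reject any candidate that
    misses a class. Rejection sampling keeps every accepted password equally
    likely; "pick one from each class, then shuffle" would not."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if covers_all_classes(candidate):
            return candidate


def generate_passphrase(words: int = 5, wordlist=SAMPLE_WORDS, separator: str = "-") -> str:
    """Diceware-style master password: easy to type, strength comes from the word
    count and the list size (16 words x 5 = 20 bits here; a 7776-word list gives 64)."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(generate_password(16))
    print(generate_passphrase(5))
```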

If we put some good will into it, we might finally be able to dethrone the great champions, namely the most used passwords of the last 7 years: “123456” and “password”.

Implementing SSO authentication

The term SSO, or Single Sign-On, defines the processes of staying logged into one account and using multiple resources. This system is ideal for organisations that have various products and services located on different servers or websites.

Google is an excellent example of how this works. When a user logs into their Gmail account, they have access to all of Google’s services (YouTube, Google Analytics, Google Drive, etc.) without having to log back in.

Source: visual-guard.com

When SSO authentication is used, users can dramatically reduce the number of accounts they need to manage. With fewer passwords to remember, users can focus on creating (and remembering!) stronger credentials.

Multi-Factor Authentication (MFA)

Beyond passwords, many services let you add a second layer of security by using two-factor authentication. The second factor can be a code generated on your device or sent to your phone; such a code can also be generated on a separate external device.

Source: visual-guard.com

At first glance, this type of authentication may seem much more reliable than simple passwords. However, it has pitfalls of its own: the user may lose access to their SIM card, their phone line or the application responsible for generating the code. In the worst case, the device itself may be lost.

To conclude

Hopefully this article on the importance of authentication has been understandable. By adding a few small enhancements, you will have mastered secure access. From email authentication to token verification to biometrics, there are several different options, each with their own advantages and disadvantages.

Authentication technologies are constantly evolving. None of them are foolproof, but they can still give you a head start on attackers.

About CyberSecura

CyberSecura is a Grenoble-based company providing consultancy, services and support for professionals in cybersecurity and GDPR regulatory compliance.
Comprising experts in every facet of these fields, CyberSecura has been working since 2017 on securing infrastructures, software or mixed digital products, business processes, as well as the governance of the protection of personal data used.
CyberSecura’s customers range from large corporates to small organisations in both the private and public sectors, and it offers support solutions designed specifically to improve security and compliance for very small businesses, SMEs and small local authorities.
Discover the CyberSecura website!
