The average person now has over 100 accounts that require some form of authentication. These range from relatively innocuous profiles to mission
critical financial accounts. The challenge, therefore, is as urgent as it is
difficult: how can we institute better authentication techniques that can be
applied across a wide range of assets?
critical financial accounts. The challenge, therefore, is as urgent as it is
difficult: how can we institute better authentication techniques that can be
applied across a wide range of assets?
In this article we’ll review pros and cons of the most popular authentication strategies along with some of the latest emerging solutions.
Step 1: Choosing an Authentication Technique
Nearly all authentication that takes place nowadays can be grouped into one of three categories: what you know, what you are, and what you have. Let’s start with the first and work our way down the list.
- What You Know
This is one of the oldest authentication strategies and refers to a piece of information that only the user should know. This includes passwords, PINs, security questions, and the like. Due to their ease of use, passwords and PINs are by far the most popular option when it comes to authentication. But it has its downsides.
For one, users tend to reuse the same password across applications, often regardless of account sensitivity and security. This means that once hackers gain access to a vulnerable account, they’ll be able to execute repeat attacks across dozens of applications. Moreover, many users fail to store their passwords securely, often relying on sticky notes, paper ledgers, or excel sheets. This means that a single misplaced file can lead to a catastrophic breach. Finally, since the authentication information is not linked to any particular person or device, there is no way for the application to identify or cross-reference who is using the password.
For these reasons, the industry has since rolled out a new authentication strategy that mitigates the above issues.
- What You Have
Just like it sounds, this category refers to physical objects like phones, token devices, smart cards, NFC tags, and USB drives. These can be configured to provide OTPs, deactivate in case of loss/theft, and are usually application-specific.
The downside? The object or device in question needs to be physically available, which makes it that much easier to lose, break, forget, or have stolen. Furthermore, physical devices need to be maintained and require some kind of enrolment before they can function in place
of a password. This often requires substantial time, money, and additional workload.
This brings us to the last category.
- What You Are
Over the last decade, biometric authentication has become an increasingly viable and widely adopted option. From fingerprinting and retina scans to voice and facial recognition, these once futuristic technologies are now available on most high-end smart phones and computers. Users no longer need to remember any codes or scan any devices; now the user themself is the password.
While there are obvious benefits to biometric authentication, the downsides are equally clear. They require expensive systems that often still contain critical vulnerabilities and are subject to high maintenance. Equally important are the data privacy, protection, and management policies that make many users reluctant to share their
personal data with software providers. Finally, biometric credentials can never be shared, edited, or deleted.
Which form of authentication you choose should depend on your particular use case and needs. This decision should never be made solely
on a compliance basis but rather should be crafted to respond to your
individual risks, strategic requirements, and physical contexts. Balancing
security and usability will be the key consideration here. Contrary to popular opinion, there is such a thing as too much security.
on a compliance basis but rather should be crafted to respond to your
individual risks, strategic requirements, and physical contexts. Balancing
security and usability will be the key consideration here. Contrary to popular opinion, there is such a thing as too much security.
At SharePass, we recommend implementing multi-factor authentication across two different categories. This often takes the form of a traditional password plus an OTP code linked to your phone or email. However, as hackers have demonstrated a capability to circumvent OTPs via phishing
campaigns and the like, many mobile applications now prefer some form of biometric data such as fingerprint or facial recognition. Again, it is
important to consider the needs of the end users, developers, and business units before making any final decisions. For sensitive applications, consulting with an external security partner is highly recommended.
campaigns and the like, many mobile applications now prefer some form of biometric data such as fingerprint or facial recognition. Again, it is
important to consider the needs of the end users, developers, and business units before making any final decisions. For sensitive applications, consulting with an external security partner is highly recommended.
Step 2: Sharing Your Authentication
Say that you’d like to allow a family member to sign into your email account, but don’t want to tell them your password. Or perhaps a client requires single use access to a particular business application, and you
don’t want to change your password after. There are several ways to share
account access without handing over any credentials, devices, or biometric
data. However, as we’ll see, each of these methods incurs a certain security
risk and is therefore not recommended for general use.
don’t want to change your password after. There are several ways to share
account access without handing over any credentials, devices, or biometric
data. However, as we’ll see, each of these methods incurs a certain security
risk and is therefore not recommended for general use.
- Password Injection — “Autofill"
Similar to the way in which browsers can fill out saved credentials, credentials could also be shared across devices via a browser extension or standalone application. This injects the password into the appropriate field, while displaying only a series of asterisks.
While this sounds good in theory, and would work for non-technical users, the true password would always be discoverable by using the browser’s developer tools to inspect the credentials sent to the authentication server (usually in the body of the POST request method). A more determined user would also be able to use a keylogging tool to capture the credentials in cleartext, as if they had been physically typed with the keyboard.
- Browser Session Cookie
A more promising method would be to share the actual browser session cookie. In other words, rather than sharing the credentials and having the recipient create their own session, here they are instantly logged in to an ongoing session. However, since this uses the same methodology as a popular hacking technique (Session Hijacking), many web pages and applications will actively block such attempts and flag them as a security breach.
Furthermore, since the recipient is being logged into an existing session, they would only retain access so long as the original user remains logged in. This limits the practicality of such an approach (even as it mitigates certain security risks).
- Remote Session
Finally, access could be shared by remotely connecting to the recipient’s host and entering in the credentials. However, this would require some degree of manual intervention and may still leave the password vulnerable since it would be entered in cleartext.
Alternatively, SharePass allows users to convert their credentials into an E2EE link which, once clicked, grants the recipient permission to copy-paste the credentials directly. You can set the link to expire whenever you wish, deleting any digital footprint along the way. Try it here for free!
Step 3: Managing Your Authentication
With passwords here to stay for the near future, password management has become the keystone of authentication security. Unfortunately,
once you’ve centralized all of your passwords in one place, that becomes a
prime target for malicious actors. It’s therefore critical that your password
manager is employing the highest security standards, both during development and in their choice of authentication method. SharePass recommends employing all three encryption types (credentials, OTP, and biometric) to limit your risk as much as possible.
once you’ve centralized all of your passwords in one place, that becomes a
prime target for malicious actors. It’s therefore critical that your password
manager is employing the highest security standards, both during development and in their choice of authentication method. SharePass recommends employing all three encryption types (credentials, OTP, and biometric) to limit your risk as much as possible.
At SharePass, we’ve gone one step further and developed a pioneering zero-trust Passwordless solution which shields passwords even from
logged in users. Instead, it relies on “mutual authentication” which will alert
both sender and receiver of potential access to the data, preventing a breach even if someone gains access to your account.
logged in users. Instead, it relies on “mutual authentication” which will alert
both sender and receiver of potential access to the data, preventing a breach even if someone gains access to your account.
Unlike other services, SharePass leverages a patent pending security funnel system to ensure that passwords are unbreakable, even by us.
Moreover, our ACID-compliant databases provide an all-or-nothing approach to data transactions thereby protecting users from any rare event which might impact data confidentiality, integrity, or availability.
Moreover, our ACID-compliant databases provide an all-or-nothing approach to data transactions thereby protecting users from any rare event which might impact data confidentiality, integrity, or availability.
Don't risk it, SharePass it!
To learn more about SharePass or sign up for a free trial, visit https://sharepass.online/