Demystifying Authentication: Keeping Your Digital Accounts Safe
You may have heard that you should create long, strong, and unique passwords for all your accounts, that you should use a password manager, and perhaps that you should use two-factor authentication. But do you know why? This blog will explain the basic theory behind the steps you can take to keep your digital accounts safe.
Authentication comes from the Greek root ‘authentikos’, meaning ‘real’ or ‘genuine’. At its core, authentication is about proving that you are who you claim you are.
Let’s imagine a scenario where Alice opens an email account and sends an email to her friend, Bob. She returns a day later to check for a response and is prompted to sign in with her username and password. When she enters her username, she’s making a claim about who she is. She is Alice. But anybody could claim to be Alice, so the email service needs something stronger to rely on so that they know they are interacting with the real Alice (or at least, that they are interacting with the same person who claimed to be Alice when they first set up the email account). This extra ingredient is what allows for authentication.
Authentication relies on one or more of the following – something you know, something you have, and something you are. You’re probably already familiar with the first group. Pins, passwords, and lock-screen patterns all fall under this category. If Alice’s secret is difficult enough to guess, and the person identifying themselves as Alice supplies the correct secret, the server can be confident that they are interacting with the real Alice. Of course, this method is far from perfect, as it’s vulnerable to phishing, man-in-the-middle attacks, or credential stuffing where attackers try millions of previously compromised username and password combinations, or attempt to guess commonly used passwords. This is why this method is often recommended to be accompanied by one of the other two categories, or ‘factors’.
The second type of authentication relies on proving that a person identifying themselves as Alice has in their possession something unique that Alice has in her possession, this often access to a smartphone with a given telephone number or application. Six-digit verification codes such as those generated by using authenticator apps such as Google Authenticator or Authy, or sent via SMS allow the remote server to confirm that the user identified as Alice has possession of some device that Alice had in her possession. It would be highly unlikely that, without possession of the phone that can generate the time-based verification code or receive the SMS-based verification code, a person without that device could guess it correctly. Thus, if they correctly supply the code, the server can confidently infer that the person is who they claim to be. Hardware security keys, such as the Yubikey, also fall under this category but provide additional protections against phishing and man-in-the-middle attacks, which verification codes cannot defend fully against. A phishing website can be set up to also collect and pass on the verification code to sign in, whereas a hardware security key will only work if the user is interacting with the genuine website, making these the best option.
The final type of authentication relies on characteristics of the user themselves, often called biometrics. This includes fingerprints, facial features, retinal patterns, voice, or other unique characteristics of the person being identified. For privacy reasons, this form of authentication is often only used locally (for example, to unlock a smartphone or computer). It’s not typically used for authenticating a user with a remote server.
Combining password-based authentication with one of the other categories of authentication is called two-factor authentication (or multi-factor authentication in it’s more general form). Two-factor authentication adds a significant additional layer of security, as it addresses many of the weaknesses of password-based authentication and makes it much harder for a potential attacker to gain access to your account.
Now that we know the why of authentication, let’s look at how it’s done in practice and how to use this knowledge to keep your digital accounts safe.
Creating secure passwords
The most important thing that you can do to protect your accounts is to use strong and unique passwords. But what is a strong password anyway? There are two factors that affect its strength: length and complexity.
Length improves the strength of passwords by increasing the total number of possible passwords that the attacker must attempt if they tried to access your account by guessing every password. If your password uses lowercase and uppercase letters and the common symbols on your keyboard, each additional character increases the number of possible passwords by a factor of 62. If your password is 12 digits long, that’s more than 320 billion trillion possibilities!
Complexity controls how many of all the possibilities the attacker will need to guess. A password that is a random string of numbers, letters, and symbols is much more complex than something that is common, or personally significant to you such as your date of birth. If your password is not complex, an attacker will have to guess only a handful of passwords to get the right one.
There are two main types of attacks that involve guessing a password: brute force and dictionary attacks.
1. Brute force attacks involve guessing every possible combination of characters until the right password is found. If the password is long and complex, brute force attacks can be infeasible even on today’s most powerful supercomputers. However, not all passwords are secure just because they are long. There are around 9,000 common words in the English language.
2. Dictionary attacks take advantage of this by guessing only the common words in a dictionary, or variations of them (e.g. ‘p@ssw0rd’). A password like ‘cupcake’ could be guessed within seconds, while a password that uses a string of six words (e.g. cupcake-orange-key-nose-sweater-telephone) would be much harder to guess.
You should also avoid reusing the same password – even if it’s a really good one! Websites can get hacked, and a malicious actor could then gain access to your password. However, you can limit the damage by avoiding reusing passwords so if they are ever exposed, a would-be attacker could not access your other accounts.
Attackers often try to reuse previously leaked passwords, so if your password has been compromised it may appear on a list that attackers use to break into accounts.
You may have more accounts than you have space in your brain to remember all your passwords. A password manager is a tool that helps you keep track of all your passwords. You probably already have a password manager available to you.
Most browsers such as Firefox or Google Chrome have a built-in password manager, and if you use an iPhone or Mac you’ll also have access to Keychain. Commercial password managers, such as 1Password or LastPass, often have additional features such as secure document storage to keep your passwords and other sensitive information safe. While password managers such as 1Password are generally considered to be more secure than your browser, the best password manager is the one that you use. If the choice is between using your browser or not using a password manager, use your browser.
Just for fun, you can find a list of the most common passwords, here.
In addition to having a strong password, you can further protect your digital accounts by using two-factor authentication (2FA) whenever it’s available. Two-factor authentication ensures that even if someone has your username and password, it’s not enough to access your accounts. 2FA works by requiring you to present something you know (i.e. your password) along with something you have. This second factor can take on several forms, but it typically involves providing access to a trusted device such as your smartphone, your email, or a physical hardware security key. Using any form of two-factor authentication significantly improves the security of your accounts.
Types of 2FA
1. SMS Many services will send you an SMS with a six-digit code which you must then enter to prove you have access to your device. It’s convenient as it does not require downloading additional software, but it can be defeated by a motivated adversary who can gain physical access to your phone and read the SMS, or via a SIM swap attack.
2. TOTP Time-based One Time Passcodes are six digit codes that are refreshed every 30 seconds, and must be entered before they expire. They are supported by most sites which support 2FA, and can be set up via apps such as Google Authenticator or Authy.
3. Hardware security key Hardware security keys, also called U2F keys, are physical devices that you can insert into the USB port of your computer to prove your identity. They are considered the gold standard for working safely online.
Now that you have this information, you are able to put this into use to secure your digital accounts and ensure that your sensitive information, as well as any sensitive information that you hold on behalf of others, remains safe and secure.