With technology advancing, and more and more parts of our lives switching from real-life authentication to digital authentication, it is important that the substitute authentication methods can still determine exactly who is logging into your account.


Usernames and passwords have been around since the early days of computers, and the whole concept can be split into two parts: the identification method and the authorisation method. Identification is what tells the system who is logging in; in most cases this is your username, email or anything else that uniquely attaches you to your profile. The authorisation method should then ensure that you are the correct individual logging into your account; the most common form of this is a password.


This has worked wonders for years. However, as we know, methods of cracking and breaking these authentication methods have cost us all many painful hours of checking our accounts and trying to regain control of them, followed by the messy cleanup operation once ownership has been returned. But how does an authorisation method such as a password fail? In the real world there are far more ways than I could list in this post, but here are a few, each with its own benefits and drawbacks. Shoulder-surfing is where someone watches a person enter their password without them knowing, recording each key or button they press. Brute forcing is where someone tries a range of generated passwords, often following words in a dictionary or patterns. With malware (malicious software) such as a keylogger, nobody needs to watch the person enter their password: the computer records everything that is typed so that a malicious person can review it at a later date.


But these are all ways someone may gain access to your account by knowing your password, the very thing that is meant to act as the authorisation method and determine that it is you logging into your account. So are your accounts actually safe? The short answer is mostly, as long as you are vigilant and use your common sense. For example, if your password is "password" then you can expect your account to get hacked. Either way, password integrity is not the main discussion of this post; two-factor authentication is.


Types of 2FA?
Let's take a step back. As we have already realised, passwords are suitable for most things but are not flawless. This is where other authorisation and authentication methods are used, something called 2FA/TFA (two-factor authentication). There are multiple different types of 2FA; here are four of the most common ones: knowledge, possession, biometric and environment.


  • Knowledge is the most basic one. It may ask you to input an answer to a question that only you, rather than a malicious person, will know. This is an additional factor that can be added to the login system; however, if someone is determined enough they could always find the answer to your questions. Alongside this, if the answers are ever exposed in a data breach, the solution is out there for everyone, including the malicious person.

  • Possession is owning something that gets you in; for example, a key is a possession that allows you to get into your house. An ID card or even a smartphone is also a possession that can give you additional security, such as 2FA. This means an attacker must physically steal something from the victim in order to break into their accounts, rather than just cracking a password.

  • Biometrics are features that are unique to the person and their physical self; for example, fingerprint scanning, palm scanning and iris scanning are different methods of being able to identify someone. These methods are often preferred as they are unique to the person and can often be scaled up; however, once a biometric has been replicated it is unrecoverable, as you cannot "change" your biometric makeup.

  • Environment is commonly not used solely for 2FA and instead may prompt the user to complete an additional authentication method. The different aspects that make up the environment are the time when you are logging in to the system, and the location you are logging in from - whether this is physical or an IP address.

How are these types used around us?
If we know why and how we are able to use these additional factors to help secure our accounts, devices and information then what tools are around us to help do that? How are they built into most systems we use to make sure our accounts are as secure as possible?

Firstly, almost anything requiring authentication uses knowledge, through the username and password. It may also use other things such as memorable questions - the more obscure you are with these the better! It is often best not to discuss the topics the questions cover with most people; although it is unlikely, they could use that to help get into your accounts.

Secondly, possession is easy to integrate, for example by using tools such as SMS codes to ensure you are the correct person logging in. Google accounts are a good example, where the person has to click accept on their phone to confirm they are in fact the person who logged in. Not only does this notify the person if their account is compromised, but it allows them to block the attempt almost instantly and regain control before the intruder has even got onto "the deck of the ship".

Thirdly, biometrics are used all around us. Most people now have Face ID or Touch ID on their phones, allowing them to use their biometrics to unlock their phones. Biometrics are used everywhere from the phones you use every day to large-scale organisations that have to protect data or information. Apps such as PayPal have a custom locking feature, where you have to use Touch ID to unlock the app - protecting your account even if someone has your phone.

Finally, the environment is something that allows us to be alerted if something changes. If someone logs in from a new, unrecognised location then you will receive an email or text message - or the system may even just block the person from being able to log in.
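
To make the environment factor concrete, here is a small sketch of how a login system might turn time and location into a decision. This is an added example, not code from any particular product: the profile values, the function names and the policy (one unusual signal asks for a second factor and sends an alert, two unusual signals block the login) are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass
class LoginProfile:
    known_networks: list  # networks seen on earlier successful logins
    usual_hours: range    # hours of the day the account normally logs in


def environment_signals(profile, source_ip, when):
    """List the environment checks (location, time) that this login fails."""
    ip = ipaddress.ip_address(source_ip)
    signals = []
    # Location: the source address is not inside any network seen before.
    # An IPv4 address is never "in" an IPv6 network, so mixed lists are safe.
    if not any(ip in net for net in profile.known_networks):
        signals.append("unrecognised location")
    # Time: the login hour falls outside the account's normal window.
    if when.hour not in profile.usual_hours:
        signals.append("unusual time")
    return signals


def decide(profile, source_ip, when):
    """Return (decision, signals): 'allow', 'step_up' or 'block'."""
    signals = environment_signals(profile, source_ip, when)
    if not signals:
        return "allow", signals
    if len(signals) == 1:
        # Assumed policy: prompt for another factor and notify the owner.
        return "step_up", signals
    # Assumed policy: new location and odd hour together refuse the login.
    return "block", signals


# Constructed sample profile using documentation-only address ranges.
PROFILE = LoginProfile(
    known_networks=[
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("2001:db8:1::/48"),
    ],
    usual_hours=range(7, 23),  # 07:00 to 22:59
)

if __name__ == "__main__":
    print(decide(PROFILE, "198.51.100.7", datetime(2024, 5, 6, 9, 30)))
```

A real system would build the profile from login history and would treat the environment as a trigger for another factor rather than as proof of identity on its own, since both the time and the source address can be chosen by whoever is logging in.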