User authentication and passwords
The unique identifier that a user types to sign into a system or application is that user's login ID on that system.
Authentication is the process by which a user proves a claimed identity to a system -- normally when logging in.
- Authentication factor
An authentication factor is something a user presents to a system in order to prove his identity. It may be something he (and hopefully only he) knows, or proof of possession of a physical object, or a measurement of some physical characteristic (biometric) of the living human user. In other words, something the user knows, or something he has, or something he is.
- Multi-factor authentication
Multi-factor authentication means authentication using multiple factors. For example, a user might sign into a system with a combination of something he knows and something he has, or perhaps something he knows, something he has and something he is. Combining two credentials of the same type (for example, two things he knows) adds much less, since both are exposed to the same attacks; the benefit comes from combining different types.
The premise is that adding authentication factors makes it more difficult for a would-be attacker to simulate a legitimate authentication and consequently impersonate a legitimate user.
- Strong authentication
Strong authentication refers to an authentication process which is difficult to simulate. It may be based on use of multiple authentication factors or use of a single but hard-to-spoof authentication factor.
Types of credentials
There are three types of credentials:

| Type | Factor | Description | Examples |
|---|---|---|---|
| Secrets | Something you know | Secret information known only to the user. | A password or PIN. |
| Tokens | Something you have | A physical device possessed only by the user. | A one-time password (OTP) token, smart card or app on a smart phone. |
| Biometrics | Something you are | A unique, measurable characteristic of the user. | Voice print verification, fingerprint, vein pattern, retina or iris scan. |
Generally, it is more secure but less convenient to combine multiple credentials, preferably of different types, to sign into a system or application. For example, use a password plus a token, or a biometric plus a PIN. This is called multi-factor authentication.
The strengths and weaknesses of different types of credentials can be generally described as follows:

| | Secrets (passwords) | Tokens | Biometrics |
|---|---|---|---|
| Reliable identification? | Good | Very good | Excellent |
| Requires client-side hardware | No | Sometimes | Yes |
| Requires client-side software | No | Sometimes | Yes |
| Typical deployment cost/user | $0 | $50 | $100 |
| Works with legacy systems | Yes | No | No |
Due to cost and compatibility with legacy systems, the most popular type of credential remains the password.
Moreover, as non-password credentials are deployed, they are commonly combined with passwords or PINs. For example, tokens are secure -- unless they are stolen, in which case the person who stole the token can impersonate the legitimate user. This is remedied by requiring the user to sign into systems by entering the pseudo-random code displayed on their token and also entering a password or PIN, which a thief would not know.
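The token-plus-PIN check just described, as an added example that is not part of the original document: the server keeps the token's shared secret and a salted hash of the PIN, the token is modelled as an HOTP device (RFC 4226, HMAC-SHA1), and every attempt is answered with a single pass/fail so a thief holding the token learns nothing about the PIN. The account layout, look-ahead window and PBKDF2 iteration count are assumptions chosen for illustration.

```python
"""Added example (not from the original document): server-side check of a
token code plus a PIN, i.e. "something you have" combined with "something
you know".  The token is modelled as an HOTP device (RFC 4226, HMAC-SHA1);
the PIN is stored as a salted PBKDF2 hash, never in clear.  Account layout,
look-ahead window and iteration count are assumptions for illustration."""
import hashlib
import hmac
import secrets
import struct

LOOK_AHEAD = 3  # assumed policy: accept a code up to 3 presses ahead of the server's counter


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pin_digest(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the PIN; the iteration count is an assumed value."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 200_000)


class TokenAccount:
    """What the server keeps per user: the token's shared secret, the next
    counter it expects, and a salted hash of the PIN (constructed data only)."""

    def __init__(self, token_secret: bytes, pin: str) -> None:
        self.token_secret = token_secret
        self.next_counter = 0
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = pin_digest(pin, self.pin_salt)


def verify_login(account: TokenAccount, code: str, pin: str) -> bool:
    """Both factors are checked on every attempt and the caller is told only
    pass/fail, so a thief holding the token cannot learn whether the PIN was right."""
    pin_ok = hmac.compare_digest(pin_digest(pin, account.pin_salt), account.pin_hash)

    # Tolerate a token that was pressed a few times without logging in.
    matched = None
    for counter in range(account.next_counter, account.next_counter + LOOK_AHEAD):
        if hmac.compare_digest(hotp(account.token_secret, counter), code):
            matched = counter
            break

    if pin_ok and matched is not None:
        # Move past the accepted counter so the same code cannot be replayed.
        account.next_counter = matched + 1
        return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 Appendix D test secret.
    acct = TokenAccount(b"12345678901234567890", pin="4321")
    print(verify_login(acct, hotp(acct.token_secret, 0), "4321"))  # True
    print(verify_login(acct, hotp(acct.token_secret, 0), "4321"))  # False: replay
    print(verify_login(acct, hotp(acct.token_secret, 1), "0000"))  # False: wrong PIN
```

The counter only advances on a fully successful attempt, so a wrong PIN does not burn the code, and an old code is rejected even when the PIN is right. A time-based token (TOTP) would replace the counter with a time step but the PIN handling is unchanged.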
The remainder of this document discusses how to best manage passwords, to maximize security and minimize cost of ownership. The guidelines here apply primarily to passwords used as a single authentication factor, but can also be applied to passwords used as a second authentication factor, in conjunction with biometrics, tokens or smart cards.
Passwords are simply secret words or phrases. They can be compromised in many ways:
- User devices may be compromised with a keylogger or similar malware, and disclose user input to an attacker.
- Users may write them down or share them, compromising secrecy.
- Passwords can be guessed, either by a person or a program designed to try many possibilities in rapid succession.
- Passwords may be stored or transmitted over a network either in plaintext or encoded in a way which can be readily converted back to plaintext.
Each of these vulnerabilities creates an opportunity for an attacker to acquire password values and consequently impersonate users.
Conversely, if passwords are managed securely by users and if password systems are constructed so as to prevent brute-force attacks and inspection or decryption of passwords in transit and in storage, then passwords can actually be quite secure. This document will describe some of the mechanisms for securing passwords.
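The storage and guessing points above, as an added example that is not part of the original document: a reversible "encoding" is shown only to make the contrast concrete, the safe path is a salted, memory-hard hash (scrypt) compared in constant time, and a per-account failure lock slows online guessing, which hashing alone does not stop. The cost parameters, record format and lock policy are assumptions chosen for illustration.

```python
"""Added example (not from the original document): password storage done
wrong and done right, plus a failure lock against online guessing.
Parameters, record format and the lock policy are assumptions."""
import base64
import hashlib
import hmac
import secrets

# --- What NOT to do: "encoded" is not "encrypted", and both are reversible ---

def store_password_insecure(password: str) -> str:
    """Base64 looks opaque in a database dump but carries the full password."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_insecure(stored: str) -> str:
    """An attacker who reads the store gets every password back unchanged."""
    return base64.b64decode(stored).decode("utf-8")


# --- What to do: salted scrypt, self-describing record, constant-time compare ---

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed cost parameters (16 MiB per guess)


def store_password(password: str) -> str:
    """Returns 'scrypt$n$r$p$salt$hash'; the random salt defeats precomputed
    tables and the cost parameters make each offline guess expensive."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Recomputes with the parameters in the record; compare_digest avoids
    leaking how many leading bytes matched through timing."""
    algo, n, r, p, salt_b64, hash_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=base64.b64decode(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))


# --- Online guessing: hashing alone does not stop it, so count failures ---

class LoginThrottle:
    """After max_failures consecutive failures, refuse the account for lock_seconds."""

    def __init__(self, max_failures: int = 5, lock_seconds: int = 300) -> None:
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._state: dict[str, tuple[int, float]] = {}  # user -> (failures, locked_until)

    def allowed(self, user: str, now: float) -> bool:
        return now >= self._state.get(user, (0, 0.0))[1]

    def record(self, user: str, success: bool, now: float) -> None:
        if success:
            self._state.pop(user, None)
            return
        failures, locked_until = self._state.get(user, (0, 0.0))
        failures += 1
        if failures >= self.max_failures:
            failures, locked_until = 0, now + self.lock_seconds
        self._state[user] = (failures, locked_until)


# Hash of a random value, used so unknown users cost the same time as real ones.
_DUMMY_RECORD = store_password(secrets.token_hex(16))


def login(users: dict[str, str], throttle: LoginThrottle,
          user: str, password: str, now: float) -> bool:
    """Single pass/fail answer: no hint whether the user exists, the password
    was wrong, or the account is locked."""
    if not throttle.allowed(user, now):
        return False
    ok = verify_password(password, users.get(user, _DUMMY_RECORD)) and user in users
    throttle.record(user, ok, now)
    return ok
```

Storing the cost parameters inside each record lets them be raised later without invalidating existing accounts: old records keep verifying with their own parameters, and can be re-hashed at the user's next successful login. The `now` argument is passed in rather than read from the clock so the lock behaviour can be tested deterministically.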