Cybersecurity is perennially in the news these days. Every week it seems a different company is victimized by hackers stealing sensitive data—which is why providing robust network security for your clients is more important than ever. The paramount responsibility of a secure system is to ensure that only authorized users have access to the network. Security protocols need to let legitimate users in while keeping cybercriminals out.
Network authentication accomplishes this goal. There are a number of authentication methods and tools available, and it’s essential to understand how they work in order to choose the right one for your clients. In this article, we’ll survey a range of user authentication methods and how they can help clients secure their data. But first, let’s be clear about what authentication actually is.
Put simply, network-level authentication is how a network confirms that users are who they say they are. It’s a system for differentiating legitimate users from illegitimate ones. When a user attempts to log in to a network, they indicate their identity with a username. A system then cross-checks the username against a list of authorized users to ensure they are cleared to access the network.
Yet this process is not sufficient to create a secure system. What if a nefarious party pretends to be someone else by entering a username that’s not their own? Here’s where secure authentication methods come in. Authentication is an additional step that verifies the person entering a username is in fact the owner of that username. Once a user has been authenticated, it’s safe to allow them access to the network.
As internet technology has evolved, a diverse set of network authentication methods have been developed. These include both general authentication techniques (passwords, two-factor authentication [2FA], tokens, biometrics, transaction authentication, computer recognition, CAPTCHAs, and single sign-on [SSO]) as well as specific authentication protocols (including Kerberos and SSL/TLS). We’ll now turn to the most common authentication methods, showing how each one can work for your clients.
1) Password authentication
Anyone who uses the internet is familiar with passwords, the most basic form of authentication. After users enter their username, they need to type in a secret code to gain access to the network. If each user keeps their password private, the theory goes, unauthorized access will be prevented. However, experience has shown that even secret passwords are vulnerable to hacking. Cybercriminals use programs that try thousands of potential passwords, gaining access when they guess the right one.
To reduce this risk, users need to choose secure passwords with both letters and numbers, upper and lower case, special characters (such as $, %, or &), and no words found in the dictionary. It’s also important to use long passwords of at least eight characters; each additional character makes it harder for a program to crack. Short, simple passwords such as “password” (one of the most common) and “12345” are barely better than no password at all. The most secure systems only allow users to create secure passwords, but even the strongest passwords can be at risk of hacking. Security experts have therefore developed more sophisticated authentication techniques to remedy the flaws of password-based systems.
2) Two-factor authentication (2FA)
Two-factor authentication builds on passwords to create a significantly more robust security solution. It requires both a password and possession of a specific physical object to gain access to a network—something you know and something you have. ATMs were an early system to use two-factor authentication. To use an ATM, customers need to remember a “password”—their PIN—plus insert a debit card. Neither one is enough by itself.
In computer security, 2FA follows the same principle. After entering their username and a password, users have to clear an additional hurdle to log in: they need to input a one-time code from a particular physical device. The code may be sent to their cell phone via text message, or it may be generated using a mobile app. If a hacker guesses the password, they can’t proceed without the user’s cell phone; conversely, if they steal the mobile device, they still can’t get in without the password. 2FA is being implemented on an increasing number of banking, email, and social media websites. Whenever it’s an option, make sure to enable it for better security.
3) Token authentication
Some companies prefer not to rely on cell phones for their additional layer of authentication protection. They have instead turned to token authentication systems. Token systems use a purpose-built physical device for the 2FA. This may be a dongle inserted into the computer’s USB port, or a smart card containing a radio frequency identification or near-field communication chip. If you have a token-based system, keep careful track of the dongles or smart cards to ensure they don’t fall into the wrong hands. When a team member’s employment ends, for example, they must relinquish their token. These systems are more expensive since they require purchasing new devices, but they can provide an extra measure of security.
4) Biometric authentication
Biometric systems are the cutting edge of computer authentication methods. Biometrics (meaning “measuring life”) rely on a user’s physical characteristics to identify them. The most widely available biometric systems use fingerprints, retinal or iris scans, voice recognition, and face detection (as in the latest iPhones). Since no two users have the same exact physical features, biometric authentication is extremely secure. It’s the only way to know precisely who is logging in to a system. It also has the advantage that users don’t have to bring a separate card, dongle, or cell phone, nor do they have to remember a password (though biometric authentication is more secure when paired with a password).
Despite their security advantages, biometric systems also have considerable downsides. First, they are expensive to install, requiring specialized equipment like fingerprint readers or eye scanners. Second, they come with worrisome privacy concerns. Users may balk at sharing their personal biometric data with a company or the government unless there is a good reason to do so. Thus biometric authentication makes the most sense in environments requiring the highest level of security, such as intelligence and defense contractors.
5) Transaction authentication
Transaction authentication takes a different approach from other web authentication methods. Rather than relying on information the user provides, it instead compares the user’s characteristics with what it knows about the user, looking for discrepancies. For example, say an online sales platform has a customer with a home address in Canada. When the user logs in, a transaction authentication system will check the user’s IP address to see if it’s consistent with their known location. If the customer is using an IP address in Canada, all is well. But if they’re using an IP address in China, someone may be trying to impersonate them. The latter case raises a red flag that triggers additional verification steps. Of course, the actual user may simply be traveling in China, so a transaction authentication system should avoid locking them out entirely. Transaction authentication does not replace password-based systems; instead, it provides an additional layer of protection.
6) Computer recognition authentication
Computer recognition authentication is similar to transaction authentication. Computer recognition verifies that a user is who they claim to be by checking that they are on a particular device. These systems install a small software plug-in on the user’s computer the first time they log in. The plug-in contains a cryptographic device marker. Next time the user logs in, the marker is checked to make sure they are on the known device. The beauty of this system is that it’s invisible to the user, who simply enters their username and password; verification is done automatically. The disadvantage of computer recognition authentication is that users sometimes switch devices. Such a system must enable logins from new devices using other verification methods (e.g., texted codes).
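The device-marker scheme above, as an added example rather than code from the article: the server issues a random marker after a fully verified login, keeps only a keyed hash of it, and on later logins decides between letting the user straight in, asking for another factor on an unknown device, or refusing a wrong password. The class and function names, the in-memory store, and the `server_key` are assumptions of this example; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets


class DeviceRegistry:
    """Server-side record of devices a user has already verified from (in-memory here).

    The client keeps the marker (e.g. in a cookie or local store); the server keeps only a
    keyed hash of it, so a copied database does not yield markers that can be replayed.
    """

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._known = {}  # (username, marker_id) -> HMAC of the marker secret

    def _digest(self, marker_secret: str) -> bytes:
        return hmac.new(self._key, marker_secret.encode(), hashlib.sha256).digest()

    def enroll(self, username: str) -> str:
        """Issue a marker once a login has passed a second factor; the client stores the result."""
        marker_id = secrets.token_hex(8)
        marker_secret = secrets.token_urlsafe(32)
        self._known[(username, marker_id)] = self._digest(marker_secret)
        return f"{marker_id}.{marker_secret}"

    def is_known_device(self, username: str, marker) -> bool:
        """True only if the presented marker matches a device enrolled for this user."""
        if not marker or "." not in marker:
            return False
        marker_id, marker_secret = marker.split(".", 1)
        stored = self._known.get((username, marker_id))
        return stored is not None and hmac.compare_digest(stored, self._digest(marker_secret))

    def revoke_all(self, username: str) -> None:
        """Forget every device for a user, e.g. when a laptop is reported lost."""
        self._known = {k: v for k, v in self._known.items() if k[0] != username}


def login_decision(registry: DeviceRegistry, username: str, password_ok: bool, marker) -> str:
    """'allow' when the password is right and the device is known; 'step_up' when the password is
    right but the device is new, so another factor (e.g. a texted code) is required before enrolling
    it; 'deny' on a wrong password, since the device marker alone never grants access."""
    if not password_ok:
        return "deny"
    return "allow" if registry.is_known_device(username, marker) else "step_up"
```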
7) CAPTCHA
Hackers are using increasingly sophisticated automated programs to break into secure systems. CAPTCHAs are designed to neutralize this threat. This authentication method is not focused on verifying a particular user; rather, it seeks to determine whether a user is in fact human. Coined in 2003, the term CAPTCHA is an acronym for “completely automated public Turing test to tell computers and humans apart.” The system displays a distorted image of letters and numbers to the user, asking them to type in what they see. Computers have a tough time dealing with these distortions, but humans can typically tell what they are. Adding a CAPTCHA enhances network security by creating one more barrier to automated hacking systems. Nevertheless, they can cause some problems. Individuals with disabilities (such as blind people using auditory screen readers) may not be able to get past a CAPTCHA. Even nondisabled users sometimes have trouble figuring them out, leading to frustration and delays.
8) Single sign-on (SSO)
Single sign-on (SSO) is a useful feature to consider when deciding between device authentication methods. SSO enables a user to only enter their credentials once to gain access to multiple applications. Consider an employee who needs access to both email and cloud storage on separate websites. If the two sites are linked with SSO, the user will automatically have access to the cloud storage site after logging on to the email client. SSO saves time and keeps users happy by avoiding repeatedly entering passwords. Yet it can also introduce security risks; an unauthorized user who gains access to one system can now penetrate others. A related technology, single sign-off, logs users out of every application when they log out of a single one. This bolsters security by making certain that all open sessions are closed.
Now that we have a sense of commonly used authentication methods, let’s turn to the most popular authentication protocols. These are specific technologies designed to ensure secure user access. Kerberos and SSL/TLS are two of the most common authentication protocols.
Kerberos is named after a character in Greek mythology, the fearsome three-headed guard dog of Hades. It was developed at MIT to provide authentication for UNIX networks. Today, Kerberos is the default Windows authentication method, and it is also used in Mac OS X and Linux.
Kerberos relies on temporary security certificates known as tickets. The tickets enable devices on a nonsecure network to authenticate each other’s identities. Each ticket has credentials that identify the user to the network. Data in the tickets is encrypted so that it cannot be read if intercepted by a third party.
Kerberos uses a trusted third party to maintain security. It works as follows: First, the client contacts the authentication server, which transmits the username to a key distribution center. The key distribution center then issues a time-stamped access ticket, which is encrypted by the ticket-granting service and returned to the user. Now the user is ready to communicate with the network. When the user needs to access another part of the network, they send their ticket to the ticket-granting service, which verifies that it’s valid. The service then issues a key to the user, who sends the ticket and service request to the actual part of the server they need to communicate with.
This is all invisible to the user, happening behind the scenes. Kerberos has some vulnerabilities—it requires the authentication server to be continuously available, and it requires clocks on different parts of the network to always be synchronized. Still, it remains a widespread and useful authentication technology.
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), constitute another important authentication protocol. In SSL/TLS, clients and servers use digital certificates to authenticate each other before connecting. Client certificates and server certificates are exchanged to verify each party’s identity in a process known as mutual identification. The server certificate is a small data file saved on the web server. The certificate links a cryptographic key to the details of the organization that owns the server. A web browser checks the validity of the certificate before connecting to the server.
SSL/TLS support is built into all major current web browsers, including Internet Explorer, Chrome, Firefox, and Safari. This makes it easy and inexpensive to implement since it does not require special software. All traffic in SSL/TLS is encrypted so that it’s inaccessible to eavesdroppers. SSL/TLS has become an integral part of web technologies and continues to be refined and updated. If your clients use it, make certain that they choose a more secure TLS implementation, as SSL is out of date and has significant vulnerabilities.
As you can see, there are numerous factors to consider when selecting the right authentication technologies for your clients. 2FA is making passwords more secure, and biometric systems provide an even stronger level of protection. CAPTCHAs keep out automated attacks, and Kerberos and SSL/TLS enable encrypted communication. As an MSP, it’s your responsibility to understand best practices for user and network security and communicate that security strategy to your customers. Read more on our blog to learn about effectively managing authentication and choosing the right tools for optimal security.