Authentication is a way to ascertain that a user is who they claim to be. This is usually performed by presenting one or more challenges to the user. There are three broad categories of challenges:
Something the user knows. The user is asked for a secret, known only to her. Typical examples are passwords and PINs, but can also take the form of security questions.
Something the user has. The user is in possession of a unique token, like a key. In the case of computer tokens, this can take the form of an NFC tag, or a device.
Something the user is. Aka biometrics. The user is asked to present a part of her body that forms unique and repeatable patterns, like fingerprints, voice, or face recognition.
Two Factor Authentication
In and of itself, a single category of challenge is not enough: a password can be spied on; a token can be stolen; and fingerprints can be lifted from a glass, for example. In order to provide a stronger authentication, a system can choose to present two challenges. For example, a password and a token. This kind of multiple factor authentication raises the cost and the risk of being detected for an attacker.
Passwords are the most common form of authentication. In order to be effective, their use and implementation need to follow basic guidelines. Recommendations follow.
- Passwords are secrets. Keep them so.
- Mix the kind of characters in your passwords.
- Use long passwords. Any windows password up to 9 characters can be cracked in seconds using public-domain tools. The longer the password, the longer it will take for an attacker to crack it. Every added characters increases the cracking time by orders of magnitude. Any password that is not a common word, and is longer than 14 characters cannot be cracked with current computing means.
- Use different passwords for different purposes or web sites. That way, even if someone manages to learn or crack one of your passwords, it does not give them immediate access to your other services.
- Use a password manager to create and remember random passwords.
- If a random password is impractical, use a pass phrase instead.
For systems administrators
- Password managers should be provided to the users.
- Enforce long passwords through systems configuration.
- Do not force users to mix and match. A recent study shows that mandatory capitals or numbers encourage the users to use a predictable structure to their passwords. Instead, encourage users to use long and random passwords.
- Never store passwords, either in clear text or encrypted.
- Use a well-known, specific hashing algorithm like bcrypt.
- Always salt passwords before hashing them.