We said in our last blog that we would cover authentication and authorization in this follow up — however we quickly realized there is a lot to talk about on both topics, so we have split them. This post will define authentication and authorization, and in our next post we will look at how best practices intersect to improve overall security. To the uninitiated, it is often difficult to understand the difference between the two.
Authentication in cybersecurity is when you must provide some level of information that the system can use to check that you are who you say you are.
Authorization is when you have successfully authenticated to get access and now the system uses the information on your identity to understand what you are allowed to access and what actions you are allowed to take.
Authentication approaches fall into 3 categories:
1. Something you know
The most commonly used authentication method for something you know is a password. The problem with this is that, strictly speaking, the password for every user ID you create to access web sites, applications, etc. should be different. To further complicate things, the latest best practice suggests you need a password of at least 8 characters with upper- and lower-case characters, a symbol such as @ and a number.
In order to help their employees with the multiplicity of passwords required in our working life most organizations now implement Single Sign-On. This provides the ability to use a single password for all your organization’s applications.
The challenge with passwords is how to maintain them, coupled with additional information sometimes required such as memorable words or phrases. The standard approach that most of us use is either a password management tool, of which there are many on the market, and/or the internet search engine. The latter can auto-generate a complex password as well as keep track of which password is used for a particular web site. The key thing to remember about passwords is to not use the same password for multiple sites. This leaves the gate wide open if you happen to click on the wrong link and expose one of your passwords to a bad actor.
We would recommend allowing your search engine to provide you with auto-generated passwords and to store them, so you can have a different password for each site. For applications that require you to create your own password, use a different one and keep it in a password management tool. Password management tools require a master password to get access to the tool; do not write this down and, if possible, make use of the second authentication factor (see below) to unlock the tool. If you do need to write your master password down, keep it separate from your devices and secure it — for instance, put it in a desk drawer where it is only accessible to people in your own home. Do not carry it with you. Don’t worry about forgetting a password; it is preferable to go through the steps to create a new one than to use the same password for multiple applications.
2. Something you have
In the IoT arena, in addition to human beings, we also have devices connecting to applications in the Cloud. To use the “something you have” approach there are a number of options:
- A smart card or dongle that provides secure authentication either to a local or remote application.
- One-time password — this is considered “something you have” as it is sent to a device registered to an individual and lasts for a short period of time.
- Certificate based authentication — this is widely used for devices as it can be set up on the device and does not require manual intervention. When a certificate is deployed to a device, we refer to that device as being “trusted.” In large-scale IoT deployments, a platform with robust device management capabilities becomes critical to maintaining security.
Smart cards need to be kept as safe as any other device, and preferably not kept with the device for which they provide authentication. Think about the fact that you would not consider keeping a note of your bank card PIN in the wallet that also holds your bank card.
The private key for certificate-based authentication is held on the device. This means you are responsible for holding the private key in such a way that it is very difficult for a rogue actor to obtain it. This can be done by using an encrypted mechanism to hold the key on disk.
If you have to use a smart card, or something similar, there is only one recommendation — keep it safe. If you do lose it, know how to have the application access revoked.
Many public applications request their users to enable two factor authentication (TFA) — in all instances it is recommended that you do this. What you need to be careful about is when you get a new device. For example, in Google Authenticator when you want to transfer your TFA accounts, the authenticator gives you the option to create a QR code that you can scan with your new device. Make sure you destroy that QR code immediately after successful transfer.
When using certificate-based authentication, store the keys in a Trusted Platform Module (TPM). This ensures the private keys are kept as their name suggests — private. If you think your certificate has been compromised, ensure you have the access revoked and that you then obtain a replacement certificate.
3. Something you are
Biometrics in the form of facial recognition and fingerprints are now available on most devices from Smartphones to laptops and provide an easy way to identify yourself.
When choosing a biometric identification, you need to keep in mind two factors: accuracy and speed. Accuracy refers to the confidence level with which a person is correctly identified; speed refers to the biometric recognition time, that is, how long it takes for the authentication software to respond. In either case, if the time is too long, the approach will be abandoned by the user.
Choose the biometric authentication solution that is appropriate for your business and customer profile. The key is for the users to buy in to the approach, so they do not abandon it for something easier.
Sometimes the biometrics can fail so you need a backup. We have all had the situation where for some reason, facial recognition doesn’t work, or the fingerprint mechanism fails. Technically it is also possible for your fingerprint to be lifted from the reader — this is pretty advanced — and it is likely you would only be in danger of this if you hold high profile or critical information.
People below the age of 12 should not use facial recognition as the human fingerprint is not developed enough to be consistent prior to this age.
Single-factor authentication is our recommended approach as it is the most difficult to replicate and is not something you have to remember.
This is tightly linked to the available hardware and when you replace the hardware, you should always wipe your biometric data.
In addition to the categories discussed above, we can combine them to take advantage of a multi-layered approach to authentication.
Multi-factor authentication (MFA) is the approach of combining two or more factors from the 3 categories discussed above. If any one of those authentication mechanisms fails, the authentication fails. This is becoming the preferred approach for many systems.
The downside to multi-factor authentication is that it needs to be implemented correctly. The user must understand which application is requesting the second factor. If this is not the case, users will get into the habit of automatically approving all requests, leading to account compromise.
If you do not know what you are approving, DON’T; wait for something to fail, then approve. If you are in control of implementing this type of authentication, make sure the application and the user ID are included in the request for approval, so the end user has absolute clarity on what they are approving.
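The following is an added example (not code from the original post) of the “all factors must pass” rule described above, combining something you know with something you have. It assumes PBKDF2-HMAC-SHA256 for the stored password and a standard RFC 6238 TOTP code for the second factor; the user record layout, the iteration count and the drift window are assumptions for illustration. Because a one-time password only lasts for a short period, the check also refuses to accept the same time step twice, so a code that was already used cannot be replayed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 600_000  # assumption: a current cost setting for PBKDF2-HMAC-SHA256


# --- "Something you know": the password is stored only as a salted, slow hash ---
def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the plaintext password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# --- "Something you have": a time-based one-time password (RFC 4226 / RFC 6238) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used_step: int,
                step: int = 30, window: int = 1, digits: int = 6) -> tuple[bool, int]:
    """Accept the current step and +/-window steps for clock drift, but never a step
    that has already been used, so a captured code cannot be replayed.
    Returns (accepted, step_to_record)."""
    if not (code.isdigit() and len(code) == digits):
        return False, last_used_step
    for drift in range(-window, window + 1):
        candidate_step = unix_time // step + drift
        if candidate_step <= last_used_step:
            continue  # this step was already consumed by an earlier login
        if hmac.compare_digest(hotp(secret, candidate_step, digits), code):
            return True, candidate_step
    return False, last_used_step


# --- Putting the factors together ---
def enroll(password: str) -> dict:
    """Create a constructed user record: password hash plus a fresh TOTP seed."""
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": os.urandom(20), "last_totp_step": -1}


def authenticate(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Multi-factor check: every factor is evaluated and all of them must pass.
    Both factors are always checked (no early exit), so a wrong password is not
    distinguishable from a wrong code by response time."""
    know_ok = verify_password(password, record["salt"], record["digest"])
    have_ok, used_step = verify_totp(record["totp_secret"], code, unix_time,
                                     record["last_totp_step"])
    if know_ok and have_ok:
        record["last_totp_step"] = used_step  # burn the code only on a fully successful login
        return True
    return False


if __name__ == "__main__":
    import time
    user = enroll("correct horse battery staple")  # constructed demo credentials
    now = int(time.time())
    current_code = totp(user["totp_secret"], now)   # what the authenticator app would show
    print("first login :", authenticate(user, "correct horse battery staple", current_code, now))
    print("replayed    :", authenticate(user, "correct horse battery staple", current_code, now))
    print("bad password:", authenticate(user, "wrong password", current_code, now))
```

The record stores only the salt, the PBKDF2 digest and the TOTP seed; the seed is the secret that the “something you have” device shares with the server, which is why it, like a private key, must be protected at rest.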
Finally, a discussion around authentication would not be complete without mentioning the most comprehensive approach, called adaptive authentication. This is used by organizations who are continually being attacked — for instance, retail banks — and who therefore monitor a raft of behavioral factors, such as:
- Which browser do you normally use
- What operating system do you use, and what patch level it is at
- Speed you normally type your password
- Time zone you normally access the system from, etc.
This approach should always be used for such organizations.
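As an added example (not code from the original post), the following sketches how the behavioral factors listed above can be turned into an adaptive authentication decision. It compares the current login against a baseline profile learned from earlier successful logins and either allows the login, asks for a further factor, or refuses it. The attribute names, the weights and the thresholds are assumptions for illustration; a real deployment derives them from its own login history.

```python
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LoginContext:
    """The behavioral signals observed for one login attempt (constructed field set)."""
    browser: str             # browser family reported by the client
    os: str                  # operating system family
    os_patch_level: int      # assumption: a number that grows with each patch/build
    typing_speed_cps: float  # characters per second while the password was typed
    tz_offset_hours: int     # UTC offset of the client clock


# Constructed baseline for a hypothetical user, as learned from earlier successful logins.
BASELINE = LoginContext("Firefox", "Windows", 2200, 4.0, 0)

# Weights are assumptions for illustration; a real system tunes them from its own data.
WEIGHTS = {"browser": 2, "os": 3, "patch_level": 1, "typing_speed": 2, "time_zone": 3}


def risk_score(baseline: LoginContext, ctx: LoginContext) -> tuple[int, list[str]]:
    """Score how far this login deviates from the user's normal behavior."""
    score, reasons = 0, []
    if ctx.browser != baseline.browser:
        score += WEIGHTS["browser"]
        reasons.append("unfamiliar browser")
    if ctx.os != baseline.os:
        score += WEIGHTS["os"]
        reasons.append("unfamiliar operating system")
    elif ctx.os_patch_level < baseline.os_patch_level:
        score += WEIGHTS["patch_level"]
        reasons.append("older patch level than usual")
    # Typing speed is compared as a ratio so the same rule works for slow and fast typists.
    if (baseline.typing_speed_cps > 0
            and abs(ctx.typing_speed_cps - baseline.typing_speed_cps) > 0.5 * baseline.typing_speed_cps):
        score += WEIGHTS["typing_speed"]
        reasons.append("unusual password typing speed")
    if ctx.tz_offset_hours != baseline.tz_offset_hours:
        score += WEIGHTS["time_zone"]
        reasons.append("unusual time zone")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to an action. Thresholds are assumptions: low risk passes,
    medium risk asks for another factor, high risk is refused and should be alerted on."""
    if score <= 1:
        return "allow"
    if score <= 4:
        return "step_up"  # e.g. require a one-time password before continuing
    return "deny"


def update_baseline(baseline: LoginContext, ctx: LoginContext) -> LoginContext:
    """After a successful login, drift the typing-speed profile toward what was observed.
    The other attributes are kept as they are; a real system would keep histories."""
    new_speed = round(0.8 * baseline.typing_speed_cps + 0.2 * ctx.typing_speed_cps, 2)
    return replace(baseline, typing_speed_cps=new_speed)


if __name__ == "__main__":
    # Constructed login attempts for the hypothetical user above.
    attempts = {
        "usual device":   LoginContext("Firefox", "Windows", 2200, 4.1, 0),
        "new browser":    LoginContext("Chrome", "Windows", 2200, 4.0, 0),
        "everything new": LoginContext("Firefox", "Linux", 0, 1.0, 8),
    }
    for label, ctx in attempts.items():
        score, reasons = risk_score(BASELINE, ctx)
        print(f"{label:15s} score={score} decision={decide(score)} reasons={reasons}")
```

The deviations are reported alongside the score so that a step-up prompt or an alert can say why it was triggered, which is the same clarity the previous section asks for in MFA approval requests.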
In summary then, use the authentication method that is most appropriate for the people who will be accessing your software whilst at the same time supporting the business requirements of your organization. For authentication in IoT deployments, a platform with strong device management capabilities to manage certificates allows for more secure authentication during registration, OTA updates and data encryption. For applications restricted to a specific user group, multi-factor authentication can help disrupt cybercriminals.
The following factors need to be taken into consideration whilst also taking into account the user experience:
- Cost — will your organization be able to maintain the system to ensure the solution always protects against the latest security issues?
- Accuracy — how tolerant your business is to false positives/negatives, commensurate with the security requirements of your application/system.
- Performance — how quickly do you need to authenticate the device/person before they give up?
In our next post, we will highlight how authentication and authorization best practices intersect to improve overall security.