Exploring Authentication by Something Known and Something Possessed

Introduction

Authentication is a cornerstone of secure computer systems. One of the most common authentication mechanisms involves something known (e.g., passwords) and something possessed (e.g., tokens). This article focuses on the use of passwords and tokens, explaining their strengths, weaknesses, and best practices for implementation in secure systems.


Authentication by Something Known: Passwords

Passwords are the most widely used form of user authentication. They function as a shared secret between the user and the system. However, their effectiveness depends heavily on their strength and secure management practices.

Common Password Vulnerabilities

  1. Weak Password Choices:
    • Using simple, predictable passwords such as “123456” or personal information (e.g., birthdays, pet names) makes them easy to guess.
    • Reusing a password across multiple platforms increases exposure: if one account is compromised, the others are also at risk.
  2. Poor Password Secrecy:
    • Writing passwords on sticky notes or sharing them compromises their confidentiality.
    • Leaving a logged-in device unattended poses security risks.
  3. Brute Force and Dictionary Attacks:
    • Attackers use automated tools to guess passwords by trying all possible combinations (brute force) or using common wordlists (dictionary attacks).

Characteristics of Strong Passwords

  1. Randomness:
    • A password is stronger when it is a random sequence of characters.
    • Random sequences are harder to predict and resist brute force attacks.
  2. Entropy:
    • Entropy measures a password’s unpredictability and resistance to attacks.
    • Calculated using the formula:
      E = log₂(C^L), where:
      • C = Total number of possible characters.
      • L = Length of the password.
    • Example:
      • A 4-character password using lowercase letters only (26 characters) has an entropy of 18.8 bits.
      • An 8-character password using all printable ASCII characters (95 characters) has an entropy of 52.56 bits.
      • Higher entropy implies stronger resistance to attacks.
  3. Password Policies and Modern Practices:
    • Use passwords at least 12 characters long with a mix of uppercase, lowercase, numbers, and symbols.
    • Leverage password managers to generate and store random, high-entropy passwords securely.
    • Use passphrases, which are easier for humans to remember but hard for machines to guess (e.g., “CorrectHorseBatteryStaple”).

Authentication by Something Possessed: Tokens

Tokens are physical or digital objects possessed by the user and provide an additional layer of authentication.

Types of Tokens

  1. Hardware Tokens:
    • Examples include USB security keys (e.g., YubiKeys), smart cards, and card readers for online banking.
    • Authenticate the user through cryptographic operations performed on the device itself.
  2. Software Tokens:
    • Examples include time-based one-time passwords (TOTP) generated by apps like Google Authenticator or Authy.

Strengths and Challenges of Tokens

  1. Strengths:
    • Tokens enhance security by requiring something physical that the user must have.
    • They are often used in multi-factor authentication (MFA), combining something possessed with something known (e.g., a password).
  2. Challenges:
    • Physical tokens can be lost, stolen, or damaged.
    • Software tokens may be vulnerable to malware or interception if devices are compromised.

Securing Passwords and Authentication

1. Password Storage:

Passwords must be stored securely to prevent them from being exploited by attackers. Best practices include:

  • Hashing:
    Store only a one-way cryptographic hash of the password (e.g., SHA-256), never the plaintext, so that a stolen database does not directly reveal passwords; combine this with the salting and slow-hashing practices below.
  • Salting:
    Add a random value (salt) to the password before hashing. This ensures that even if two users have the same password, their hashes will differ.
  • Slow Hashing Algorithms:
    Use algorithms like bcrypt or Argon2 that increase computation time, making brute force attacks more difficult.

2. Challenge-Response Systems:

Challenge-response methods reduce the risk of a password being captured in transit, because the password itself is never sent over the network.

  • How It Works:
    1. The system generates a random, single-use challenge (e.g., a number or string).
    2. The user computes a response from the challenge and their password using a one-way function.
    3. The system recomputes the expected response and checks that the two match.
  • Example: Card readers for online banking use challenge-response so that a captured response cannot be reused for a later login (a replay attack).
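The three-step exchange above with both sides written out, as an added example that is not part of the original article: the verifier issues a random nonce, the claimant returns an HMAC of that nonce under a key derived from the password, and the verifier retires each challenge after one use so a replayed response fails. The `Verifier` class, the PBKDF2 key derivation and the 30-second challenge lifetime are assumptions for the example, not the banking reader's actual protocol.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000   # assumed; a slow KDF stands between password and key

def derive_key(password: str, salt: bytes) -> bytes:
    """Both sides turn the password into a fixed-size key the same way."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

class Verifier:
    """System side: stores a per-user salt and derived key, never the password,
    and remembers at most one outstanding challenge per user."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self._pending: Dict[str, Tuple[bytes, float]] = {}

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str) -> Optional[Tuple[bytes, bytes]]:
        """Issue a fresh random nonce (plus the user's salt so the client can
        derive the same key). Returns None for unknown users."""
        if user not in self._users:
            return None
        nonce = os.urandom(16)
        self._pending[user] = (nonce, time.monotonic())
        return self._users[user][0], nonce

    def verify(self, user: str, response: bytes, max_age: float = 30.0) -> bool:
        entry = self._pending.pop(user, None)   # single use: retire the challenge
        if entry is None:
            return False                        # nothing outstanding: stray or replayed
        nonce, issued = entry
        if time.monotonic() - issued > max_age:
            return False                        # stale challenge
        expected = hmac.new(self._users[user][1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Claimant side: MAC the challenge with the password-derived key.
    Only this MAC crosses the wire; the password itself never does."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()
```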

Conclusion

Authentication by something known and something possessed forms the backbone of secure systems. While passwords remain a fundamental element, their vulnerabilities demand careful management through strong policies, high entropy, and secure storage. Combining passwords with tokens in multi-factor authentication significantly enhances security, making it harder for attackers to gain unauthorized access.
