Who are you?  Who, who…who, who

Article Summary

Identity is based on one or more of three factors: Something you know (like your name), Something you have (like a government ID) and Something you are (like a fingerprint).  

Each of these factors has their pluses and minuses. For example, Something you know, like a password, can be learned by someone else. However, that password can be easily changed. 

Recently, multifactor authentication, using more than one of the three factors, has become more prevalent in the authentication process of many systems.

Password Managers have become popular since it is recommended that separate passwords be used for each application that requires a password.

Some tricks for creating unique passwords are to include spaces (if allowed), replace letters with numbers, and develop a formula such as a prefix or suffix when creating a password.

My apologies to Pete Townshend for using one of the most well – known refrains in popular music, but that is really what security is all about.  Since the first guard asked “Who goes there?” identity has been an issue. Since that time, identity has been based on one or more of the three factors of identification.  Those factors are something you know, something you have and something you are.

Identity Factors

Something You Know

The most obvious example of something you know is your name. In the IT industry, an obvious example of something you know is a password.  When I started in this business in the 1970s, a 5 alphabetic character combination was considered a secure password. Now, nearly 50 years later, passwords are still being used as the primary means of authentication. Only now, more characters are required, and typically a password has to contain three of the following four items, an uppercase letter, a lower case letter, a number and/or a special character like one of the following !@#$%^&*().  In talking about special characters, it should be noted that in most systems, a space is a special character. So a password like “I am the Walrus” would be a valid password.

The problem with something you know is that it is something that someone else can learn. However, it is relatively easy to change something you know to something else you know.

Something You Have

You may know your name, but someone might want proof you are the person that was given that name.  That’s when something you have, a government ID, for example, would prove what you already know.  Many systems these days will send a code to either a text capable device or an email address for verification. Access to the device or email mailbox receiving the text is another example of something you have.

The problem with something you have is that it could become something you don’t have either because it is lost, compromised, or just not available.  For example, the key fob could have been lost or left at your office while you are at home. An object like a key may have been copied, so your possession’s uniqueness is compromised. But a possession can be replaced to restore its uniqueness.

Something You Are

In recent years, biometric login hardware and software have become common on new computers and other electronic and mechanical devices. These include fingerprint readers and facial recognition to name the most popular implementations.

The problem with something you are, is that there is a possibility of duplication of the particular attribute.  Many theft and spy movies show the duplication of physical attributes to accomplish the particular caper being attempted. Additionally, the database that is referenced to compare the biometric may be compromised. It is extremely difficult to change something you are. Plastic surgery is about the only option.

Multifactor Authentication

Since none of the factors are completely secure, many systems requiring authentication have switched to Two-Factor-Authentication (2FA). A typical application of this authentication method would be to be asked for a password and then have a code sent to your phone or email that you would have to enter to access the application. The two-step process makes it much more difficult to foil the authentication process.

Multifactor, like most things in the IT business, it’s a two-edged sword. While it is more secure, it takes longer to set up and longer to perform than a single factor authentication.

Password Managers

Nearly all IT security managers realize that currently single factor authentication, typically a password, is used for most systems. To minimize the effect of a compromised password, the industry recommendation is to use different passwords for each system or application that requires a password.  Additionally, the recommendation is that these passwords be changed on a frequent basis. In some cases the recommended life of a password is 30 days or less.  

It is nearly impossible for a human to remember a different password for all the systems a typical business person uses. One of the solutions to this is to use what is called a Password Manager.  Depending on the product, a list of user provided passwords is kept in an encrypted database and/or the Password Manager may create a unique password for an application. In either case, you depend on the security of the Password Manager application’s database and your password to that application to protect your access to all your other applications.

Other notes on authentication

One way of coming up with unique difficult passwords is to develop an algorithm or formula for creating passwords. This could include replacing letters in the password with numbers, for example 3 for e and 0 for the letter o. 

Another example is using a prefix or suffix to a short unique portion of the password. An example of a prefix would be Pass8thepie where Pass is the prefix and 8thepie is the unique portion. An example of a suffix version could be TweetyB1rd or RedWingB1rd where B1rd is the suffix.