Get your authentication right

Considerations to understand and improve safe user authentication through passwords and multi-factor authentication

Nowadays everyone has multiple accounts across multiple domains and services, you have your email account, your work email account, your online bank account, your Amazon account, your Netflix account…

The list goes on and on, and sure: nobody likes remembering a lot of passwords; but for now, they are not going anywhere. Even with other means of authentication, in the end, you still need to hold on to your trusted password.

Password best practices

Everytime the password policy topic is discussed, the same principles are spelled out as a gospel:

• A minimum length of 8 to 12 characters long
• Password complexity that means it contains at least three different character sets (i.e., uppercase characters, lowercase characters, numbers, or symbols)
• Password rotation – passwords must be changed every 90 days or less
• Use of account lockouts for bad passwords, with a limit of 5 or fewer bad attempts

But these policies are at the very least incomplete, and mostly wrong.

To choose a proper password policy we need first to understand the most common attacks to which the password will be subject.

Stepping away from social engineering – where we directly reveal our password, the most common attacks are:

• Dictionary attacks: where the passwords are compared against a known list of common passwords and actual words with meaning
• Cracking attacks: where attackers try to reverse the encrypted password.

  

To make it as hard as possible for attackers to succeed using these methods, let’s take a look at modern password policies that we should try to implement in our personal accounts and within our work environment.

1. Create A Strong, Long Passphrase
   Use a Passphrase that you will remember easily “ILoveMyRedCarWith4SeatsAnd2Doors”
2. Apply Password Encryption
   Make sure all your passwords are stored encrypted
3. Implement Multi-Factor Authentication
   Always check if the service allows MFA, and use it.
4. When changing the password, change it completely
   Changing one number or letter doesn’t have any impact if the attacker know the previous password
5. Test Your Password
   Microsoft’s Safety & Security Center has a password testing tool that can help you generate strong passwords
6. Don’t Use Dictionary words
   Avoid single words that would be easily identifiable by a dictionary
7. Use Different Passwords for Every Account:
   Otherwise, if one account is breached, other accounts with the same credentials can easily be compromised
8. Avoid Periodic Changes of Personal Passwords
   Frequent password changes will lead you to end up reusing common weak passwords.
9. Use Password Managers
   Use Password managers like “KeePass2” to forget about the passwords all together, you can even generate strong passwords automatically with them.
10. Avoid sharing credentials
    It is very common to share credentials with family, friends and co-workers, we should try to avoid it as much as we can.

Passwords have changed only slightly over time, but password management is evolving considerably. Password managers represent one of the safest solutions to safeguarding your authentication information.

Stolen or weak passwords are still the most common reason for data breaches, so we should carefully examine our password security policies and password management.

Following the ten tips we provided in this article, you can create an effective password security policy and enforce stronger protection against unauthorised access.

After understanding the best practices on choosing and managing passwords, it is time to increase the security degree with some more protection measures. Consider that a password is a proof or evidence of identity that is “known to the user”, but this can be combined with other different kinds of evidence, in case some of the password knowledge is leaked.

Multi-Factor Authentication methods

The three well-known authentication factors, or kinds of credentials to verify the identity of a user, are grouped based on something the user…

• Knows (like passwords, specific questions or magic links)
• Owns (a phone, a physical token, etc)
• Is (typically patterns in the fingers, eyes or behaviour)

A basic, common parallelism with real life is the need to protect a bike parked in the street. First, it should have different kinds of locks, to be opened with something owned (a key) or known (a code). A burglar will have a harder time removing all locks in order to get the bike in a profitable state. Another example would be accessing an office with any combination of card, fingerprint and/or access code.

Combining different authentication factors (e.g., something known by the user and something owned by the user) comprises the so-called Multi-Factor Authentication (MFA). In MFA, multiple (at least two) types of authentication factors are combined in order to increase security. Some of the most common types are:

• SMS messages
• Push notifications
• Magic links
• Authenticator apps
• Hardware tokens
• Biometrics, like fingerprint or face recognition

  

Naturally, each authentication type has its pros and cons. Aspects like the security of the process, the reliability under failing conditions or the user experience are to be considered.

On the security side:

• SMS messages are discouraged and less used for some years already, given the higher chances of interception or impersonation (called SIM swapping).
• Push notifications are somewhat more secure than SMS, yet there are trojans which can intercept or spy them, and fake push notifications can be triggered.
• Magic links send a remotely generated Time-based One-Time Password (TOTP code) to authenticate for a limited amount of time, in the order of minutes.
• Authenticator apps, like Google Authenticator, Authy or FreeOTP, locally generate this TOTP, which expires in the order of seconds to a minute. Thus, these two are considered more secure than the previous ones. However, for the latter, a secure backup needs to be done or else access can be lost if the cellphone dies.
• Physical hardware tokens and biometrics are considered more secure and tamper-proof.

On the reliability side:

• If access to the mailbox is interrupted, magic links will not be received.
• When a physical device gets lost, stolen or broken; receiving SMSs, TOTP codes or push notifications will not be possible unless there is an alternative device or mechanisms to receive them (such as having a second device of the same type, using a TOTP generator based on a browser or computer, etc).
• In case the physical device is deconfigured or reset; a safely stored backup will be needed in order to recover the previous setup, e.g., to regenerate the TOTP codes of the services in use.
• For some specific persons and diseases, biometrics like fingerprinting may lead to authentication failures.

Now, besides the different types of MFA, other techniques may help achieve safer authentication:

• Certificates can help provide an extra layer of security based on a proof of ownership. A certificate may be backed up safely and replicated in different devices, allowing passwordless access and also allowing to demonstrate the user identity against a verified authority, as well as carrying extra metadata that can be automatically populated in sensitive services requiring full identification, e.g., in government-related services.
• Single Sign-On (SSO) is a good way to reduce the attack surface, as only a set of credentials (ideally combined with other MFA techniques) is in use at any time. Internally, the federated systems communicate back and forth to authenticate with the provided set of credentials, e.g., the ones used by the user’s institutional account.

Wrapping up: whichever combination of authentication factors you use, you should ask yourself questions like how easily your password could be guessed by others (or a machine); what could happen and what would be your backup plan in case a specific piece in the authentication chain is not accessible anymore or fails; in case all authentication steps rely on the same infrastructure (e.g., a mailbox, your computer and PC if bundled together in travels); etc.

---

Authors: Nil Ortiz, Carolina Fernández