I’ve posted a few articles in this blog about the need for passwords, the problems with passwords, and the alternatives to passwords. In the end, it looks like passwords are here to stay. What can be done to make them stronger and more effective in protecting the end user? One method that has been in place for years now is multi-factor authentication. From our friends at Wikipedia:
“Multi-factor authentication is an approach to security authentication, which requires that the user of a system provide more than one form of verification in order to prove their identity and allow access to the system. Multi-factor authentication takes advantage of a combination of several factors of authentication. Three major factors include verification by something a user knows (such as a password), something the user has (such as a smart card or a security token), and something the user is (such as the use of biometrics). Due to their increased complexity, authentication systems using a multi-factor configuration are harder to compromise than ones using a single factor.”
Logically, multi-factor authentication is more secure since any potential thief will have to acquire two or more items instead of just your password. Most of you have probably been exposed to various methods of multi-factor authentication in the past, but here are some examples I have run across:
- One of my banks requires my user ID and password combination, but they also want me to verify that the picture they show me on the web site is one that I selected during my account setup.
- I used to work at a large hi-tech company in the Silicon Valley as part of their Treasury department. One of the banks we dealt with provided us with a smart card that generated a new four-digit number code every five minutes. The number code served as our password into the bank’s system, but the code was dependent upon the time at which we attempted to login.
- In my travels, I have run across companies who use fingerprint authentication to grant access to systems. Small hardware devices plugged into your computer are taught to recognize your thumb print and use that as the method by which you login. When fingerprint authentication fails, a traditional password is the backup plan.
- With tablet use becoming more prevalent, finger gestures on the screen are in wider use. Windows 8 allows for a ‘swipe’ method of authentication. You choose a picture and a series of finger swipes from points on the picture to create your authentication. When the swipe pattern is forgotten by the user, a traditional password is the backup plan.
- Physical device authentication has seen a surge in popularity lately. I may set up my account on one computer, but several weeks later, I try to access my account from another computer. Companies with a higher standard of security will recognize that this is a computer you do not normally use. They may take the authentication beyond a simple user ID and password and ask some of the security questions you set up when you created your account.
- Another security method gaining acceptance is to require the end user to respond to an email before gaining entry to the web site. In the past, this was usually reserved for resetting passwords, but recently, some businesses are requiring that you respond to the email each time. Their thought process is that it is unlikely the thief has compromised both your web site password and your email account.
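The time-dependent card in the bank example above is the "something you have" factor: the token and the server share a secret, and the code is derived from that secret plus the current time window, so a code that is intercepted is useless once the window has passed. The following is an added example, not code from the blog or from any bank, showing a standard time-based one-time password (RFC 4226 HOTP and RFC 6238 TOTP) on both the token and the server side; the post does not say which scheme the bank's card used, and the secret below is the RFC reference test key, constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 reference test key (20 ASCII bytes).
# A real deployment generates a random per-user secret and stores it only on
# the token and the server.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Token side: derive the code from the current time window (RFC 6238).
    The five-minute, four-digit card in the post would be step=300, digits=4."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the code for the current window plus `window`
    neighbouring windows (clock drift), comparing in constant time."""
    current = timestamp // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code for this 30-second window:", code)
    print("accepted now:", verify_totp(DEMO_SECRET, code, now))
    # the same code is rejected once it has aged out of the acceptance window
    print("accepted 5 minutes later:", verify_totp(DEMO_SECRET, code, now + 300))
```

The server's acceptance window is the trade-off the bank has to choose: wider tolerates more clock drift between card and server, narrower shortens the time an overheard code stays valid.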
Of course, there are more multi-factor authentication methods out there, but this should give you a good flavor. Are they overkill? My answer would be ‘yes’ and ‘no’. A simple user ID and password is probably sufficient for buying a book from Barnes and Noble as long as I haven’t stored my credit card information online. However, a multi-factor solution is better for banks and web sites containing my personal information. Health care facilities and government entities should require multi-factor authentication.