
Double factor authentication in information security

Anonim

Authentication is the act or process of confirming that something (or someone) is who it claims to be, so that it can then access certain defined resources; authorization is the process that allows or denies particular types of resources to a specific user or group of users.

To carry out the two processes above successfully (especially authentication), most systems rely on three sources of information, usually called factors:

  • What I know: information, such as a password, that is supposed to be known only to the person who wishes to authenticate; if it is correct, the identity of the legitimate user is considered proven.
  • What I have: an object in the possession of the person who wants to authenticate, such as a magnetic card or a mobile phone. If it can be verified that the person holds that object, they are considered legitimate.
  • What I am: biometrics, any biological parameter that can be measured and that distinguishes us from anyone else. The most common are the fingerprint, the iris of an eye or our face.

Double factor (two-factor) authentication consists of combining two or more of the sources listed above, taken from different categories, to obtain greater security in the authentication process. Two pieces of evidence from the same category (a password plus a security question, for instance) are still a single factor.

For example, an authentication process that requires, in addition to a password, a one-time code obtained from an authenticator application or from an SMS message meets these conditions. Of the two, SMS delivery is the weaker option, since the phone number itself can be hijacked.

The previous case is a method widely used, for example, in the authentication and authorization processes of the banking sector. Because of the criticality of the operations these companies handle, they have relied on double factor methods for a long time (for example, a physical card together with a PIN in the case of payment cards).

Large companies such as Twitter, Google, LinkedIn or Dropbox, among others, already offer this feature as an optional (and in some cases mandatory) protection for their accounts, but regardless of the size or criticality of the company, it is a measure that more organizations implement every day.

Given the large number of targeted attacks and known vulnerabilities, the trend is toward multi-factor authentication, in which a user combines two or more factors to complete the process of accessing any application.

Some of the elements that can be combined in any of the cases discussed are:

  • A smart card
  • Entering a PIN
  • A client digital certificate
  • A password
  • A single-use code (OTP)
  • A random security token
  • Scanning a fingerprint
  • Face recognition
  • A security question
  • A USB authentication device

Remember that the combination only counts as a second factor when the elements belong to different categories: a password and a security question are both things you know.

To finish this article, it is important to note that there is no foolproof method. Double or multiple factor systems are better than the password alone, but attackers or malicious users can find a way to defeat any of these mechanisms (for example, a phishing page that relays the one-time code to the real service in real time), and our authentication system can still end up compromised.

Fernando Saavedra

Cybersecurity Manager

Áudea Information Security
