Authenticate: To prove or serve to prove to be real, true, or genuine.
Thats how Merriam-Webster defines the word, but how does authentication apply to your computing life?
To access our various banking, retail, library, mortgage, etc accounts, we need to first authenticate our identity / credentials, to prove that the person signing in is the account holder or an authorized proxy.
At least thats the intent, but it doesnt always happen that way. As we all know by now, account security can be compromised, authentication is granted to someone other than you, with the hacker then gaining damaging access to your personal information.
There are 3 distinct forms of authentication:
- Something you Know
- Something you Have
- Something you Are
Something you know is the most common form of authentication. It is usually your username + a password. You know this information because you created it when you created the account. Secret questions and answers are often also used for account recovery.
Something you have is often referred to as a token. It can be in physical form like a key-card fob or a key generator. A token can also be virtual, in the form of an application on your mobile device such as google authenticator, Lastpass authenticator, RSA token, Duo mobile, etc. The token either has a chip with a unique code, or generates a symmetric cryptographic key that synchronizes with a key on the server youre logging into.
Something you are can also be thought of as biometrics, tying your authentication to a unique body feature such as your retina, iris, fingerprints, or hand geometry. The biggest challenge with biometrics are potential false positive and false negative rates. It can be very challenging to read biometrics accurately, and in fact, some biometrics can also change.
For example, when a woman gets pregnant, her blood vessels dilate, including those on her retina. As such, her retinal scan results can change from the original baseline scan and cause authentication to fail. (For that matter, retina scans management could also lead to HIPAA concerns, as the biometric interpreter could comment on any changed results as being linked to pregnancy, diabetes, etc)
In using multifactor authentication, 2 or more of these factors are used. The most widely combination is something you know, your username and password, + something you have, a token. With this multifactor protocol implemented / enforced on your email account, if a hacker successfully gleans your password, they will then be prompted for the symmetric key on your phone app or other token generator in your physical possession. Without it, theyre still locked out of your account.
But dont forget to change that password and every similarly spelled password in your other accounts! Youll likely be alerted of the failed access attempt, and so assume that the hacker now knows your password. He could then attempt to use that password (or similar variants) on your other accounts, so change them all immediately.
In our opinion, every login should authenticated via multifactor. It is an increasingly efficient process and provides proven benefits to keep your accounts secure vs. relying solely on passwords / secret questions.