Each day you probably use authenticators to prove your identity and establish trust. Whether it's accessing your cell phone, your bank accounts, or your employer's network, authentication is a part of our daily life. Without authenticators, establishing trust would make business transactions very difficult, and without secure authentication, an imposter could severely damage a business and your digital persona. Proving identity is increasingly important as we use global online services and surround ourselves with the internet.
The Trust Problem
Businesses have a trust problem because you could be their nightmare if you are impersonated. Authenticators help establish that we are who we claim to be and that we control one or more valid means to authenticate. By using strong authenticators, we are able to prove our identity and establish a reasonable level of trust. This trust is essential to your digital identity. Authenticators are grouped into three categories:
1. Something you know is a secret authenticator that only the authorized user should know and remember.
Examples include passwords, personal identification numbers (PINs), passcodes, and passphrases. Since only the authorized user knows the secret, the user is granted access when they present the correct secret. For example, an application will compare the password you enter to the one it has in storage; if they match, you are granted access.
2. Something you have is an authenticator that the authorized user possesses.
Examples include a magnetic stripe card, token, proximity card, or smartcard. This factor assumes that the authorized user physically controls the authenticator. For example, an employee must swipe their proximity card on a door reader to enter a facility.
3. Something you are is an authenticator based on a human behavioral or physiological factor.
Examples include fingerprints, retinal scans, facial features, voice prints, and keystrokes. This factor relies on measurable characteristics of the user that are difficult to spoof. For example, a mobile phone may use a fingerprint for authentication.
Many services are able to support multiple authenticators. Multifactor authentication (of which two-factor authentication is the most common form) requires successful authentication with two independent factors before you are granted access. For example, withdrawing money from an ATM requires physical possession of a card (something you have) and a PIN (something you know). Similarly, accessing a business network remotely may require an employee to enter a password and then a code sent to their mobile phone.
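As an added illustration of the two-factor login described above (example code written for this post, not from the article or from SWBC), here is the service side of a login that requires a password (something you know) and a one-time code sent to the user's phone (something you have). Storing the password as a salted PBKDF2 hash, comparing in constant time, and making the code single-use with an expiry are design assumptions of the example, not details stated in the article.

```python
import hashlib
import hmac
import os

# Constructed, in-memory user record. The service keeps only a salt and a
# PBKDF2 hash of the password, never the password itself, so a copy of the
# store does not directly yield the secret (design assumption of this example).
def enroll(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations, "otp": None}

def verify_password(record: dict, candidate: str) -> bool:
    """Something you know: recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def issue_otp(record: dict, now: float, ttl: int = 300) -> str:
    """Something you have: a six-digit code the service would send to the
    enrolled phone. It is valid for `ttl` seconds and for one attempt only."""
    code = f"{int.from_bytes(os.urandom(4), 'big') % 1_000_000:06d}"
    record["otp"] = {"code": code, "expires": now + ttl, "used": False}
    return code

def verify_otp(record: dict, candidate: str, now: float) -> bool:
    """Reject missing, already-used, or expired codes; consume the code on
    every attempt so a six-digit space cannot be guessed or replayed."""
    otp = record["otp"]
    if otp is None or otp["used"] or now > otp["expires"]:
        return False
    otp["used"] = True
    return hmac.compare_digest(otp["code"], candidate)

def authenticate(record: dict, password: str, code: str, now: float) -> bool:
    """Both independent factors must pass. The password is checked first, so a
    wrong password never consumes the one-time code."""
    return verify_password(record, password) and verify_otp(record, code, now)
```

A stolen password alone fails at the second factor, and a captured code fails once it has been used or has expired, which is the burden on the attacker the article describes.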
“I want you!” should be the mantra of hackers: malicious actors who want to compromise or steal your authenticator in order to act on your behalf. Among many tactics, hackers may exploit:
1. Reusing a stolen authenticator may allow an attacker to compromise multiple devices or services. For example, avoid using the same PIN for your bank card and your phone. Similarly, using the same password to access your personal email and bank services can be unsafe. Do not reuse authenticators that protect access to high-risk services.
2. The use of weak authenticators unnecessarily increases your risk. Choose strong passwords and use multiple factors. While inconvenient, enabling multifactor authentication increases the burden on the attacker. Avoid using services or devices that do not support or require strong authentication. Choose authenticators wisely, based on your risk tolerance.
3. Hackers will try to trick you into revealing your authenticators. For example, attackers may use phishing to deploy malware on a device to steal credentials; set up fake websites with “password checkers” to steal your password; monitor public Wi-Fi to steal unprotected authenticators; or call you to ask for your authenticator. Protect yourself and do not share your authenticators with anyone.
4. An attacker may compromise a device and then exploit the services connected to the device. For example, a lost mobile phone may allow access to automatically authenticated email or bank services. With access to the device, an attacker may request password resets through email or text. Protect your mobile device with a strong passcode and require authentication for all critical services linked to the device.
Authenticators help verify your identity and are designed to protect you. While we take many of them for granted, you should select reliable authenticators and employ them thoughtfully. Using one or more strong authentication factors helps lower the risk of someone impersonating you. If you fail to protect and prove your identity, malicious actors are eager to become your nightmare.
Jeffrey Julig is Vice President and Chief Information Security Officer (CISO) for SWBC. In this role, he leads a team of security professionals to protect SWBC’s diverse lines of business from internal and external cyber threats. Jeffrey is passionate about information security and privacy and belongs to numerous international, national, and local professional and community organizations. He has a Bachelor of Science degree in Cybersecurity from the University of Maryland University College and earned several of the information security industry’s most respected certifications, including the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Law of Data Security and Investigations (GIAC-GLEG) certifications. Jeffrey attended the Department of Defense Cybercrime Investigations Training Academy (DCITA) and is a certified digital forensics examiner.