By Jon Welling
3 Ways to Authenticate a User Beyond a Password
Passwords have been the standard way of authenticating user accounts and access rights for computer systems for as long as the notion of individual user accounts has existed. Though password authentication works, we have learned over the years that it is not necessarily the safest or best way to safeguard account access.
Computer scientists are actively working on new and creative ways to secure user accounts, but until we figure out a system that is both easier to use and more secure, two things that usually don't mix well, we have other ways of adding additional layers of security to the login process on top of the antiquated password system. In this post, we will discuss three ways you can authenticate a user account in addition to a password.
What is a One-Time Password (OTP)?
One of the most common ways to authenticate users in addition to a password is a secondary one-time password. This is called multi-factor authentication.
Multi-factor authentication (commonly two-factor authentication, or 2FA) is a philosophy of proving identity by providing both something you know and something you have.
Something you know might be your normal password. Your password is something that you have agency over. It's something that you choose and that isn't known to the authentication system (other than storing it, hopefully encrypted, for comparison).
On the other hand, a one-time password is something you have. That one-time password is given to you by the authentication service. That one-time password can be shared with you in a variety of ways such as a pre-configured algorithm that changes that one-time password in fixed intervals, a hashed one-time password, SMS, email, or even a phone call.
It's important to note that multi-factor authentication doesn't just involve one-time passwords, though. One-time passwords are the most common form of 2FA, but the second factor (the something you have) can also be something like a hardware key or a fingerprint.
An Overview of One-Time Passwords [VIDEO]
In this video, Keith Barker covers three ways to authenticate your users other than with passwords. Passwords can be problematic for obvious reasons, but authentication comes with several approaches for validating who the user is. Network security can be drastically improved with different authentication and verification approaches.
What are the 2-Factor Authentication Methods?
In this section, we will discuss various one-time password options for two-factor authentication. One-time passwords can be generated in various ways.
The most common form of a one-time password is a time-based one-time password. Technically all of the one-time password methods are time-based, but TOTP (time-based one-time passwords) is much more restrictive about how long a given one-time password stays valid before it rotates.
Other methods of one-time passwords include HMAC (hash-based message authentication codes) as well as one-time passwords that are delivered through an alternate communication method (e.g. text message or phone call).
What is TOTP (Time-based One Time Password)?
A time-based one-time password is typically a six- or eight-digit code that changes at a fixed interval, typically every 30 or 60 seconds. That code is generated automatically for the user by either an application or a hardware-based key.
The most common form of TOTP generation is a software-based application. These applications use a seed key generated by the TOTP system; both the TOTP authentication server and the TOTP code generator use that same seed to derive the same one-time password for the same fixed-interval time slot. Those seed keys are typically delivered to the code-generating applications via a QR code for convenience, but a user can also enter them into an authenticator app manually.
Popular examples of these one-time password generator applications are Google Authenticator, LastPass, and Authy.
One-time passwords can also be generated by a hardware device. Hardware-based key generators are less common than application-based key generators due to additional complexity and cost. These hardware-based authenticators can technically be more secure, though. They do require more steps to configure user accounts to sync with the hardware key generator, and they require a physically secure way of distributing that hardware key generator to the appropriate user.
What is HMAC (Hash-based Message Authentication Code)?
Another way to create a one-time password is through hashing. This method is called HMAC or Hash-based Message Authentication Code. HMAC one-time passwords are far more complex than time-based one-time passwords, but they have the benefit of being available for a much longer amount of time.
An HMAC one-time password consists of a couple of critical parts:
- Cryptographic hashing methods such as SHA-1
- A secret key
- A counter
- A hashed one-time password
HMAC-based one-time passwords work by computing a keyed hash (HMAC) of the counter value under the secret key. Once that value is computed on both sides, it is compared: if the one-time password the user submits matches the one the login system computed, the user is authenticated successfully.
Each time a one-time password is generated, the counter value is increased by one. This can cause issues, though. If the counter advances on only one side (the client or the server), the client and server fall out of sync. When the client and server are out of sync, the hashed one-time passwords will not match during the authentication process, and users will not authenticate properly.
There are mechanisms for HMAC-based systems to re-sync themselves, but they are not part of the official HMAC specification (RFC 4226).
Why Password Delivery Matters for Security
Another method of implementing one-time passwords is by simply giving users a one-time password when they request it. In this case, instead of using any special algorithms that need to stay synced such as time-based one-time passwords or hashed one-time passwords, a one-time password is simply sent to the user via email, SMS, or through a phone call. Though this method of providing one-time passwords is convenient and works, it is considered the most insecure form of two-factor authentication and should never be used with sensitive data.
Delivery Method #1: SMS (Text Message)
One method for providing one-time passwords is through text messages. A text message is the most popular way of providing a 2FA code for additional account security. It is commonly used with banks or applications like Twitter.
SMS is susceptible to certain kinds of attacks, though. For instance, an attacker could perform a SIM swap attack on a targeted victim. Jack Dorsey, the CEO of Twitter, was very publicly the victim of this kind of attack a few years ago. SIM swap attacks are typically performed through social engineering: attackers contact the mobile service provider, pose as the account holder, and have the SIM card for the victim's account replaced.
Delivery Method #2: Email
Email is also used as a delivery method for one-time passwords. Services like Steam and Slack are known for using email as a delivery method for one-time passwords.
Email is not the most secure way to deliver one-time passwords, though. Email accounts can easily be broken into since many people re-use the same password between multiple accounts online. Likewise, emails are often sent in plain text between email providers and are not encrypted. That means that emails containing one-time passwords are highly susceptible to sniffing or man-in-the-middle attacks.
Delivery Method #3: Automated Phone Call
The last common way of providing one-time passwords through communication methods is an automated phone call. Facebook is known for using this method of OTP delivery. Automated phone calls are also a common backup for providing one-time passwords when SMS is not an option.
Automated phone calls are more secure than both SMS and email delivery methods for one-time passcodes. That's because an automated phone call may not necessarily go to a cell phone. Traditional land-line phones or corporate VoIP systems are much harder to spoof than a smartphone.
Phone calls are much less convenient than SMS messages, though. Sometimes users are not in a position to take a call and listen for the one-time password. This is the reason SMS is the preferred delivery method for one-time passwords in many cases.
How to Securely Deliver One-Time Passwords
Indeed, sending a one-time password to users as they request them is the most insecure way of providing a one-time password, but if that is the case, why do banks use this method of 2FA?
The answer is simple. While sending a one-time password through text message is the least secure way of providing an OTP, it is still more secure than using a password alone. Organizations, like banks, need a way to secure user accounts as best as possible, but those organizations still need to walk a careful line between usability and security. Very secure systems can also be difficult to use, and as a system becomes more difficult to use, it will require additional support for end-users. Adding support capacity can be costly for businesses.
Organizations like banks are guaranteed to have information for something a person has, such as a phone number (required by law in most countries) or an email address. So they can leverage that data to provide the most secure form of account authentication with as little friction for the user as possible.
How to Set Up 2FA Recovery Passcodes
Using one-time passwords can make user authentication systems much more secure, but they pose an issue when it comes to account recovery. That is because users will need to recover two different pieces of information.
For a traditional username and password-based system, if a user has trouble authenticating their account, a password can easily be reset for them. That is not possible with accounts that have 2-factor authentication enabled for them, though.
One-time password-based 2FA mechanisms typically have one advantage over other forms of 2FA. They provide a limited number of recovery passcodes that do not expire and can be used for authentication.
Recovery passcodes are long strings of random characters that do not change. When enabling 2FA on an account, users are offered these recovery passcodes just in case they forget their password or become locked out of their account.
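The recovery passcode lifecycle just described, as an added example that is not from the original post: issuing a fixed number of high-entropy codes, storing only their hashes, and redeeming each code at most once (the code count and format are assumptions).

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # assumption: number of codes issued per enrolment
CODE_BYTES = 10   # 80 bits of randomness per code, rendered as 20 hex characters


def hash_code(code: str) -> str:
    """Normalise (drop dashes, lowercase) so users may type the code either way, then hash.
    The codes are high-entropy random strings, so an unsalted SHA-256 is adequate here;
    a low-entropy user-chosen secret would need a slow, salted password hash instead."""
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()


def generate_recovery_codes(count: int = CODE_COUNT) -> tuple[list[str], list[str]]:
    """Return (plaintext codes to show the user exactly once, hashes to store server-side)."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)
        # Group as xxxxx-xxxxx-xxxxx-xxxxx purely for readability.
        codes.append("-".join(raw[i:i + 5] for i in range(0, len(raw), 5)))
    return codes, [hash_code(c) for c in codes]


def redeem_recovery_code(stored_hashes: list[str], submitted: str) -> bool:
    """Constant-time comparison against every stored hash; a matching code is removed
    from the list so it can never be used again (the list is mutated on success)."""
    candidate = hash_code(submitted)
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, candidate):
            del stored_hashes[i]
            return True
    return False
```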
Some organizations might still offer other account recovery features, too. For instance, Facebook and LastPass can recover accounts if proper ID and documentation are submitted to the company. This process does take a lot of time and effort, though. Other businesses still offer account recovery via email or SMS even if 2FA is enabled. For these types of accounts, it should be made known that they are not any more secure than having 2FA disabled. That is because the weakest link in the authentication chain is still the user's email account or mobile phone.
Bonus: Two Other Methods for Providing 2FA
Though the most common form of two-factor authentication is provided with one-time passwords, that isn't the only way to provide 2FA. So, here are two additional ways that you can provide two-factor authentication for users that have been made much easier to implement recently due to advancements with smartphones.
2FA Method #1: Push notifications
Instead of using a one-time password for authentication, applications can send push notifications to a smartphone. Push notifications on both iOS and Android are now interactive. That means push notifications can include actions in them and not only deliver information. Once a user has installed and logged into an application on a smart device, a web application can use that app to deliver push notifications to the device.
This is a far more secure way of delivering a second-factor authentication method to a user than something like an email or a text message. It is far more difficult to spoof something like an application than SMS.
2FA Method #2: Biometrics
Another method of providing a second factor of authentication is biometrics. Biometrics were once reserved for only the most secure of facilities and systems due to their complexity and cost. Devices like the iPhone have made things like fingerprint readers a commodity that everyone has access to, though.
Likewise, both iOS and Android have APIs available that developers can use for things like accessing the fingerprint readers in smartphone devices. That makes fingerprint readers in mobile devices available to both applications and websites. That means biometrics can be used for user authentication easily today.