Denys Rtveliashvili

AAA: Authentication Factors

Disclaimer

I am not an expert in IT security, and this is not a recommendation of any sort. These are my thoughts on the matter of authentication, security, and ensuring the safety of operations.

What are authentication factors?

Authentication is the process of verifying that someone or something is who or what they claim to be, while authentication factors are the pieces of evidence used to prove that claim.

The standard approach is to split them into three groups: what you know, what you have, and what you are.

Some of the factors have been around for thousands of years and have mostly served us well. For example, a man comes to the gates and the guards recognise his face (“what you are”). He passes the gates and comes to a building. There, he uses his keys (“what you have”) and goes in. Finally, he unlocks a combination lock as he knows the code (“what you know”).

Reliability of authentication factors

Naturally, some factors can be faked. People may have twins, keys can be copied, and known information can be peeked at or obtained through rubber-hose cryptanalysis. Therefore, in the case of somewhat sensitive applications, you should rely on more than one factor. Two is usually enough, hence 2FA is so popular these days.

Now let’s note that not all factors are made equal.

A plain proximity card simply emits a fixed code, which is little more than announcing “My name is Joe” in a room full of people: anyone who records the relevant radio exchange can build a duplicate. A smart card that asserts its identity via asymmetric cryptography is a much more reliable choice. The private key never leaves the card, and each authentication is a signature over a fresh challenge, so a recording of one exchange is useless for the next. Yes, you could argue that there may be a supply chain attack or a weakness in the crypto, but realistically it is very hard to extract the key and copy such a device. So the factor is more reliable. Whether a factor can be copied matters.

How do physical keys and fingerprints compare? Both are authentication factors and both can be copied. The difference is that in order to copy your keys, someone usually needs to get hold of them or at least take a photo of them. Fingerprints, however, can be copied trivially. You went to a cafe, had a coffee, and threw away the cup. Your adversary picks up the cup, lifts the print, and makes a copy of your fingerprint. Job done, and you did not even notice. The ease of copying matters.

What about PINs and passwords? Both can be peeked at and both can often be intercepted (with keyloggers and the like). A PIN used with a specialised device, however, has one advantage over a password: it cannot be guessed indefinitely. A few wrong attempts and the device locks up permanently. The same lockout could be applied to passwords, but usually it is not, and in practice a PIN or password protecting anything other than a purpose-built, certified device leaves a reasonably accessible way of breaking into the system and stealing the credentials. Therefore, PINs used to unlock dedicated security devices are superior both to passwords and to PINs used to unlock computers, tablets and smartphones.

When 2FA is 1FA

So let’s say you followed the best practices and chose to use two-factor authentication. One of your factors is biometric (say, fingerprint), while the other one is an NFC token. Technically, you have a two-factor authentication: one factor is “what you are” while another one is “what you have”. Best of all, you do not need to remember any pesky passwords. Where is the catch?

The catch is that all “what you are” factors are actually a weak form of “what you have”. So instead of 2FA, you have 1FA. Why is it so?

Almost any biometric authentication factor can be forged without you knowing about it. We have already covered fingerprints. Similarly, it is not hard to take a photo of your face without you knowing. Your iris is a bit tougher, but (a) there are ways and (b) few use it as it is not particularly convenient. Some systems use infrared cameras or 3D imaging, but this does not change the situation much: nothing stops an adversary from photographing your face in the IR spectrum, or from taking a few photos from different angles to recover the 3D shape of the face. With that at hand, building a model of the face plausible enough to fool a biometric system is possible.

With that in mind, how much do “what you are” factors differ from “what you have”?

Not much. Let’s re-phrase it: you have fingers, you have a face, you have an iris. What you are is what you have. Are those authentication factors any good? If your goal is to prevent your grandma from accessing your collection of music, yes, absolutely. But as far as automatic authentication is concerned, for anything sensitive where the adversary is well-equipped and qualified, “what you are” is a very weak kind of “what you have”: easy to copy without you even knowing.

Nevertheless, biometric factors are not entirely useless. There is still a place for a guard who knows the people who should have access and visually checks for impostors. But such situations are few.

Passwords are a security hole

As previously mentioned, passwords can be intercepted and stolen in a variety of ways: peeking, keyloggers (https://en.wikipedia.org/wiki/Keystroke_logging), cracking a stolen user database of password hashes (trivially, when nobody cared to salt them), and so on. There is also a real chance that a person types the password into the wrong login field and it ends up in the wrong hands; that chance grows with how often the password has to be typed.
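The point about unsalted databases deserves a concrete illustration. The following is an added example, not code from the original post: it builds a small user database twice, once as bare SHA-256 hashes and once with per-user salts and a slow hash (PBKDF2-HMAC-SHA256), then runs the same word list against both. The users, passwords, word list and iteration count are all constructed for this example.

```python
"""Added example (not from the original post): why a stolen database of
unsalted password hashes cracks in one pass, and what per-user salts and a
slow hash (PBKDF2-HMAC-SHA256) change. The users, passwords and word list
are constructed for this example; the iteration count is an assumption."""
import hashlib
import os

# Constructed sample: three users, two of whom chose the same weak password.
USERS = {"alice": "Summer2019", "bob": "correcthorse", "carol": "Summer2019"}
# Constructed attacker word list; real lists run to billions of entries.
WORDLIST = ["password", "Summer2019", "letmein", "qwerty"]
ITERATIONS = 100_000   # PBKDF2 work factor (assumption for the example)


def unsalted_db(users: dict) -> dict:
    """sha256(password) per user: the scheme the post warns about.
    Identical passwords produce identical hashes, visible to anyone."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def salted_db(users: dict) -> dict:
    """(salt, PBKDF2-HMAC-SHA256(password, salt)) per user."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS))
    return out


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """Hash each candidate once, then look *every* user up in that table.
    Returns (cracked users, number of hash computations)."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in db.items() if h in table}, len(wordlist)


def crack_salted(db: dict, wordlist: list) -> tuple:
    """The salt defeats the shared table: every user needs a separate pass over
    the word list, and each guess costs ITERATIONS hash iterations.
    Returns (cracked users, number of PBKDF2 computations)."""
    found, work = {}, 0
    for u, (salt, digest) in db.items():
        for w in wordlist:
            work += 1
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS)
            if guess == digest:
                found[u] = w
                break
    return found, work
```

Against the unsalted table the attacker pays four hashes and recovers both users who share the weak password at once; against the salted table the work is per user and each guess is a hundred thousand times more expensive. Note what does not change: the weak password still falls in both cases. Salting and slow hashing raise the price of an attack, but they do not turn a guessable password into a good factor, which is the argument of this section.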

Yes, passwords are not meant to be shared across systems and should be changed regularly. But that is a burden and a chore, and few people do it even with helpful tools like password managers. Even those who do will not rotate a password every minute. Say you rotate it every six months: if someone steals it, they may be able to impersonate you for up to six months. That is a lot of potential damage.

So if you do care about security, I would recommend avoiding passwords like the plague.

Interlude: popular authentication factors

Let’s put some popular authentication factors into a table and see how they compare.

Authentication factor            | Type          | Ease of copying    | Can be copied discreetly?      | Ease of guessing
---------------------------------|---------------|--------------------|--------------------------------|-----------------
Iris                             | what you are  | Hard               | Likely not                     | N/A
Fingerprint                      | what you are  | Easy               | Yes                            | N/A
Image of the face                | what you are  | Easy               | Yes                            | N/A
3D image of the face             | what you are  | Medium             | Yes                            | N/A
IR image of the face             | what you are  | Medium             | Yes                            | N/A
Physical keys                    | what you have | Easy               | Maybe, if a photo is available | Easy
Proximity tokens                 | what you have | Easy               | Yes, at the time of use        | Practical
PKI token with asymmetric crypto | what you have | Hard or impossible | No                             | Impossible
OTP token                        | what you have | Hard or impossible | No                             | Hard
Password                         | what you know | Easy to medium     | Yes                            | Hard (ideally)
PIN for a PC / tablet            | what you know | Easy               | Yes                            | Easy to hard
PIN for a security device        | what you know | Easy to hard       | Yes                            | Easy to hard

The estimates like “Easy” and “Hard” are somewhat arbitrary and depend on the context, but I hope the general idea is not lost.

A relatively secure approach

Let’s say you want to ensure a high level of security, but you cannot go over the top. There is an approach which should work fairly well.

When authenticating to a computer system, users must never use passwords. Instead, they use smart cards with relatively long PINs. With a long enough PIN and a limited number of attempts, guessing it is not an option. Authentication via a smart card (asymmetric signatures over a challenge) is great because the private key never leaves the card: each login reveals only a signature over a one-off challenge, which is useless to anyone who records it. This combination is fairly robust in many cases.

Is it ironclad? No, of course not. There are many vectors of attack which can be used by an adversary, but it is much better than the naive password-based approaches.

The matter of physical security is a bit harder. If your team is small, then a guard may be able to remember the faces of everyone and that can be a useful filter. As for doors, proximity tokens are perhaps inevitable.

Going an extra mile

Let’s see what can be done if you want to protect yourself from more sophisticated attacks.

The problem with PINs for unlocking security devices is that such PINs are often entered via a computer, and a computer may have a keylogger on it. Furthermore, a fake or tampered card reader can, as soon as you have typed in your PIN, ask the card for a few extra signatures and leak them to an adversary.

The first easy improvement is a card reader with its own PIN pad, so that the computer never sees the PIN. The second is a device that combines the card and the reader, so you carry the reader with you and nobody gets a chance to tamper with it unobserved. Also, signatures should be created one at a time and only when the user approves each one (a button on the device, for example), so that nothing can harvest extra signatures behind the user's back.
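The properties argued for in this section and in the smart-card paragraph above (a PIN that locks the card after a few wrong attempts, a private key that never leaves the card, a signature over a fresh challenge, and exactly one signature per PIN entry and approval) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any real card or reader: the `SmartCard` and `Verifier` classes, the PIN length and the retry limit are assumptions made here for illustration. It uses Ed25519 from the `cryptography` package.

```python
"""Added example (not from the original post): a simulated smart card with a
PIN retry counter that locks permanently, one signature per PIN entry and user
approval, and a verifier that checks an Ed25519 signature over a fresh,
single-use challenge. Needs the `cryptography` package; PIN length and retry
limit are assumptions for this example."""
import os
import secrets
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

MAX_PIN_ATTEMPTS = 3   # assumption: typical retry counter on a PIV-style card
MIN_PIN_LENGTH = 8     # assumption: the post's "relatively long PIN"


class CardLocked(Exception):
    """Retry counter exhausted; the card will never verify a PIN again."""


class SmartCard:
    """Holds the private key, which never leaves this object (the 'card')."""

    def __init__(self, pin: str):
        if len(pin) < MIN_PIN_LENGTH or not pin.isdigit():
            raise ValueError("PIN must be at least %d digits" % MIN_PIN_LENGTH)
        self._pin, self._key = pin, Ed25519PrivateKey.generate()
        self.attempts_left, self._unlocked = MAX_PIN_ATTEMPTS, False

    def public_key(self):
        return self._key.public_key()

    def verify_pin(self, pin: str) -> bool:
        if self.attempts_left == 0:
            raise CardLocked()
        if secrets.compare_digest(pin, self._pin):
            self.attempts_left, self._unlocked = MAX_PIN_ATTEMPTS, True
            return True
        self.attempts_left -= 1
        self._unlocked = False
        return False

    def sign_challenge(self, challenge: bytes, user_approved: bool) -> bytes:
        """Sign exactly one challenge per PIN verification and approval, then
        re-lock, so a tampered reader cannot harvest extra signatures."""
        if not self._unlocked or not user_approved:
            raise PermissionError("PIN not verified or signature not approved")
        self._unlocked = False
        return self._key.sign(challenge)


class Verifier:
    """Relying party: stores public keys only and issues fresh challenges."""

    def __init__(self):
        self.pubkeys, self.outstanding = {}, set()

    def challenge(self) -> bytes:
        c = os.urandom(32)
        self.outstanding.add(c)
        return c

    def authenticate(self, user: str, challenge: bytes, signature: bytes) -> bool:
        if challenge not in self.outstanding:    # unknown or already used: replay
            return False
        self.outstanding.discard(challenge)      # a challenge is single-use
        try:
            self.pubkeys[user].verify(signature, challenge)
            return True
        except (InvalidSignature, KeyError):
            return False


def demo() -> dict:
    """Happy path, a replay, a second-signature attempt, and a PIN brute force."""
    card, rp, results = SmartCard("48213907"), Verifier(), {}
    rp.pubkeys["alice"] = card.public_key()   # enrolment: only the public key leaves the card

    c1 = rp.challenge()
    card.verify_pin("48213907")
    sig = card.sign_challenge(c1, user_approved=True)
    results["login"] = rp.authenticate("alice", c1, sig)
    results["replay"] = rp.authenticate("alice", c1, sig)   # recorded exchange re-sent

    try:   # a fake reader asks for one more signature without a fresh PIN entry
        card.sign_challenge(rp.challenge(), user_approved=True)
        results["extra_signature_blocked"] = False
    except PermissionError:
        results["extra_signature_blocked"] = True

    for guess in ("00000000", "11111111", "12345678"):   # wrong PINs
        card.verify_pin(guess)
    try:
        card.verify_pin("48213907")   # correct PIN, but the counter is exhausted
        results["locked_after_guesses"] = False
    except CardLocked:
        results["locked_after_guesses"] = True
    return results
```

Two details carry the weight. The verifier never stores anything a thief could use to impersonate the user: a stolen `Verifier` database yields public keys only, unlike a stolen password database. And the card relocks itself after every signature, so the "extra signatures" attack from a tampered reader fails even though the reader saw the PIN; a real device would tie `user_approved` to a physical button rather than a parameter.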

Even more robust approaches are theoretically possible here, but I have not seen them being implemented. Essentially, you would want to have a system where the user can confirm with some certainty that the security device is not fake, and where the acts of authentication / creating a signature would be thoroughly linked to the system requiring the signature so that nothing could piggyback on it. One more improvement would be that the PIN typed in by the user would have to be a function of a random token generated by the security device each time authentication is required. Of course, it is not particularly convenient, but sometimes convenience is not the main concern.

As for doors in high-security environments, I suppose iris scanners are a good choice.

Proximity tokens are not so good. You would want to avoid the possibility of recording, and it is trivial to record radio waves. A simple approach here is to have electromagnetic shielding in the room where the gate is, but you would have to ensure only one person is in the room at all times. If you have more than one, one of them may be carrying a recording device. A more advanced approach would be to use a challenge-response mechanism, but how many proximity tokens do that?
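The recording problem raised here, and in the proximity-card comparison earlier in the post, comes down to whether the token's answer depends on something the reader chose a moment ago. The following is an added example, not code from the original post or from any real access-control product: it puts a static-ID card and a challenge-response card (keyed with a per-card secret and HMAC-SHA256) in front of the same door reader, with an eavesdropper who records one legitimate entry and replays it. Cards, reader and eavesdropper are all constructed for this example.

```python
"""Added example (not from the original post): a door reader facing two token
designs, a static-ID card and a challenge-response card keyed with a per-card
secret (HMAC-SHA256), plus an eavesdropper who records one legitimate entry
and replays it. Cards, reader and attacker are all constructed here; no real
card protocol is modelled."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class StaticCard:
    """Emits the same identifier every time, like a plain proximity card."""

    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, _challenge: bytes) -> bytes:
        return self.uid    # the challenge is ignored; the 'proof' is a constant


class ChallengeResponseCard:
    """Answers a fresh challenge with HMAC(secret, challenge)."""

    def __init__(self, uid: bytes, secret: bytes):
        self.uid, self._secret = uid, secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


@dataclass
class Reader:
    """Door controller: compares identifiers for static cards, checks a MAC
    over a fresh nonce for challenge-response cards."""
    static_ids: set = field(default_factory=set)
    card_secrets: dict = field(default_factory=dict)

    def open_for(self, uid: bytes, respond) -> bool:
        """`respond` is whatever is at the antenna: a real card or a replay."""
        challenge = os.urandom(16)
        answer = respond(challenge)
        if uid in self.static_ids:
            return hmac.compare_digest(answer, uid)
        if uid in self.card_secrets:
            expected = hmac.new(self.card_secrets[uid], challenge, hashlib.sha256).digest()
            return hmac.compare_digest(answer, expected)
        return False


@dataclass
class Eavesdropper:
    """Records the radio exchange of a legitimate entry, then replays it."""
    recorded: list = field(default_factory=list)

    def tap(self, card):
        def respond(challenge: bytes) -> bytes:
            answer = card.respond(challenge)
            self.recorded.append((challenge, answer))
            return answer
        return respond

    def replay(self):
        _, answer = self.recorded[-1]
        return lambda _new_challenge: answer   # same bytes, whatever the reader asks


def demo() -> dict:
    reader = Reader()
    static = StaticCard(uid=bytes.fromhex("04112233"))
    secret = os.urandom(32)                      # provisioned at enrolment
    cr = ChallengeResponseCard(uid=bytes.fromhex("04445566"), secret=secret)
    reader.static_ids.add(static.uid)
    reader.card_secrets[cr.uid] = secret
    results = {}
    for name, card in (("static", static), ("challenge_response", cr)):
        ear = Eavesdropper()
        results[name + "_legit"] = reader.open_for(card.uid, ear.tap(card))
        results[name + "_replay"] = reader.open_for(card.uid, ear.replay())
    return results
```

The recording opens the door for the static card and fails for the challenge-response card, because the reader's nonce changed between the two attempts. Note the caveat that this design is symmetric: the reader (or its back-end) holds every card's secret, so a compromised controller leaks every credential, which is exactly what the asymmetric smart-card scheme avoids. Many modern contactless credentials do implement challenge-response; the legacy 125 kHz badges still on many doors do not.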

When lives are at stake

Let’s say you are working on a particularly sensitive project and lives or more are at stake. What is the big matter which we have not covered so far and which can nullify all the efforts easily? That matter is coercion.

Authentication can ascertain that an individual is who he/she claims to be, but it cannot check that the individual is acting without coercion from an adversary. Furthermore, an individual under coercion may “voluntarily” give away many authentication factors.

There are different kinds of coercion. One kind is where someone is holding you at gunpoint and demands that you perform certain actions. The other one is where there may be no immediate danger to your life, but you were made aware of what would happen to you or your interests (such as your family) in case you do not comply.

The way to deal with the former case is to limit the validity of authentication factors to a controlled environment where you can observe the people and ensure they are safe and not under direct threat. The latter issue is far more complex. It is the bread and butter of “people in grey clothes”, and I am not going to even begin discussing this as (a) I am totally not an expert in this matter and (b) if you have to do these things then you are either an expert already or you are easy prey.

The bright future

The future is going to offer new challenges, and we can get a glimpse of this already.

For example, the wonderful feature of “what you know” factors is that they are in the human mind, and traditionally it has been difficult to extract them discreetly and without a person’s cooperation. However, as technology is advancing, first side-channel attacks against the human brain are becoming a reality. The tech is not yet there to steal PINs remotely and discreetly but are you going to bet against this happening in the next 5-10 years?

Another interesting vector is using sound as a means of reconstructing key presses and identifying the person doing the typing. Some inroads have already been made. You may argue that it is difficult to pull off that attack without bringing recording equipment into a clean environment, and that is true. Just make sure people do not bring their personal backdoors with them.

Final words

I do believe that passwords are the bane of IT security, especially where stakes are at least moderately high. The introduction of face- and fingerprint-based authentication has lowered the security even more, while PIN-based unlock for computers and smartphones is a joke, aimed at making it easy for users to create an illusion of security while actually eroding that security.

If you do care about security and if you work in an organisation whose adversaries are powerful, well-equipped, and ruthless, you are almost out of valid options to perform even the basic sort of authentication as most of the commercially available solutions are aimed at simplicity and appearances rather than actual performance. The situation seems to be getting worse year after year.