Security in Focus – why authentication is critical to any security solution
Within any security solution, authentication – the process of proving someone is who they claim to be – plays a vital role in keeping areas secure and protected from unauthorized people. In the first of our Security in Focus podcast series, we delved into the topic of authentication, detailing what authentication means, how it works, and why it is critical to security.
What do we mean by authentication?
Access control combines authentication with the concepts of identity and authorization to allow or deny people access to controlled areas. Identity is the claim someone makes about who they are. Authentication verifies this claim, and authorization is the process that happens in the back-end of the system to determine whether that person is permitted to access that area and, if so, grant access.
As Andrew Scothern, Chief Software Architect at Gallagher, explained, there are different types of authentication that can be used to prove identity:
Something I have – usually a physical token, such as an access card.
Something I know – something that isn’t physical; a secret that only you know about, such as a PIN or password.
Something I am – a biometric, such as a fingerprint, iris, or facial ID.
In access control, there are different levels of authentication for opening doors. Single-factor authentication utilizes ‘something I have’, requiring an access card to be presented at a reader in order to gain access to that area. Two-factor authentication requires an access card plus ‘something I know’ or ‘something I am’ as an additional level of security.
According to Adam from Insomnia, attackers will look for the easiest way into a system with the least chance of getting caught in the process. Single-factor authentication could provide the means for bad actors to impersonate a legitimate person using a misplaced or stolen card to gain access. Multi-factor authentication instantly decreases the chances of an unauthorized person gaining entry, as it requires an additional level of knowledge or evidence of a biometric. Not only does it make it more difficult for the attacker, the odds of getting caught in the process are much higher as system operators may be alerted to incorrect PIN attempts, for example.
How can organizations ensure their authentication is secure?
Andrew recommends organizations inform themselves on the end-to-end provisioning of their credentials in order to better understand the security they offer. Understanding how the credentials are issued, where the authentication takes place, what information is stored in the back-end of the system, and what protections are placed around the data, can help organizations make informed security decisions to keep themselves secure.
Utilizing public/private keys is one way to ensure information is secured. Labs’ Rolf Lindemann’s opinion is that passwords are broken, in part because they get stored in some form, usually on a server. If an attacker were to gain access to that server, they could retrieve the passwords and use them for malicious purposes. The same applies to access control authentication. Public/private keys ensure only public information is stored on a server, with the private key remaining safely in the user’s possession.
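The paragraph above describes the property without showing the mechanism, so here is an added example of a public/private key challenge-response for an access-control back-end. It is not code from the page's authors or from any product the page mentions; the AuthServer and Credential types, the cardholder ID and the use of Ed25519 are assumptions made for illustration. The server stores only public keys and single-use nonces, so a dump of its store holds nothing an attacker can sign with, and a captured response cannot be replayed.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "fmt"

// AuthServer is a hypothetical access-control back-end: it stores public keys only, never secrets.
type AuthServer struct {
	pubKeys    map[string]ed25519.PublicKey // cardholder ID -> enrolled public key
	challenges map[string][]byte            // outstanding single-use nonces, keyed by ID
}

func NewAuthServer() *AuthServer {
	return &AuthServer{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Enrol records the cardholder's public key; the private key never reaches the server.
func (s *AuthServer) Enrol(id string, pub ed25519.PublicKey) { s.pubKeys[id] = pub }

// Challenge issues a fresh 32-byte random nonce that the credential must sign.
func (s *AuthServer) Challenge(id string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable randomness: refuse rather than issue a weak challenge
	}
	s.challenges[id] = nonce
	return nonce
}

// Verify checks the signature over the open nonce and consumes it (no replay); unknown IDs are rejected.
func (s *AuthServer) Verify(id string, sig []byte) bool {
	nonce, pub := s.challenges[id], s.pubKeys[id]
	delete(s.challenges, id)
	return nonce != nil && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, nonce, sig)
}

// Credential is the cardholder side (card or phone): the private key stays here, only signatures leave.
type Credential struct{ priv ed25519.PrivateKey }

func (c *Credential) Respond(nonce []byte) []byte { return ed25519.Sign(c.priv, nonce) }

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // key pair generated on the credential at issue time
	if err != nil {
		panic(err)
	}
	srv, card := NewAuthServer(), &Credential{priv}
	srv.Enrol("card-1234", pub)
	fmt.Println("access granted:", srv.Verify("card-1234", card.Respond(srv.Challenge("card-1234"))))
}
```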
Likewise, cardholders should be encouraged to protect their access credentials and ensure PINs and passwords remain secret, which includes not reusing a PIN or password across different systems – particularly between high security systems and those that are less secure. In the same way that you wouldn’t leave your credit card lying around, access cards and mobile credentials should be kept safe.
A recent cyber report released by Cert NZ identified a 25% increase in phishing and credential harvesting in the second quarter of 2020. One small but vital thing organizations can do to protect themselves from these kinds of attacks is ensure their software is always kept up to date. Publicly known vulnerabilities in outdated software leave your systems open to exploitation if regular updates aren’t applied.
Listen to our Security in Focus podcast on your favourite platform here.