Access control and authentification: threats and solutions
In terms of IT security, user’s management and their access to resources is a major issue both from the point of view of accessibility and data security. The authentication mechanism comes into play at this stage, as it enables the verification that the person is the one authorised to access the user account.
End users are the Achilles heel of an information system. Identity theft, access to resources they should not have access to… are all threats that compromise data security, and can then facilitate computer attacks (ransomware, information theft…).
The authentication stage before accessing resources is therefore essential, so much so that the French National Agency for Information Systems Security (ANSSI) published last year a set of recommendations for the implementation of an authentication procedure that is sufficiently robust and adapted to the different types of system
As an expert in information security and data protection, Ventio is particularly aware of this issue of authentication, and details for you the solutions allowing a strong and secure authentication.
1. One-factor authentication and its limits
a) Type of Authentication Methods
Authentication is a mechanism involving two distinct entities: an applicant and a checker. The applicant is a user of the information system who initiates the authentication procedure and tries to prove his or her identity to the verifier using an authentication method known to both of them and agreed upon for access to the requested resource. For example, the applicant may need to demonstrate knowledge of a secret credential such as a password. The verifier must be able to ensure the validity of the applicant’s identity by checking the accuracy of the credentials, and their validity (e.g. the accuracy of the password provided by the applicant).
The method and secret of authentication is usually known or possessed only by the applicant and allows him or her to be uniquely authenticated.
that can be :
- A knowledge factor (a password or a code to know),
- A factor in the user’s possession: a physical or electronic private key, a smart card, etc.
- A factor inherent to the user: a biometric data, fingerprint, DNA or a behavioural data (voice…)
The method of authentication is created or configured when the user registers on the system (e.g. by registering for a site or creating a new user). During authentication, once the credentials have been entered and verified, the checker will authorise the user to access resources (data, services, applications, etc.) according to the rights defined for the user. In general, only one authentication factor is set up in the configuration of the authentication method, and this factor is a knowledge factor.
Unfortunately, this authentication system, although widely used, has proved to be insufficient in terms of security.
b) Limitations of one-factor authentication
One-factor authentication is a truly insufficient procedure, as it exposes a number of computer attacks aimed at bypassing or cracking the authentication process in order to access resources without being entitled to them, regardless of the authentication method used.
The ANSSI has listed and classified the main ones according to their processes and their attack areas. Here is an overview of the threats to the different categories of authentication.
- Threats and attacks on knowledge factors
Hacking a password, can be done by an exhaustive search, testing all possible combinations, or by limiting oneself to a list of the most common passwords. The tools to do this are easily accessible and powerful. A well-protected system should anticipate this type of attack by prohibiting passwords that are too simple and by limiting the number of unsuccessful attempts too close together. For targeted attacks, social engineering can be very effective: backdoor methods such as phishing are used to get your password directly from you.
- Threats and attacks on possession factors
Can’t find your card? The main threats to possession factors are theft, loss, duplication, falsification or even total compromise of the equipment carrying the possession factor. In order to gain access to the cryptographic secret and to usurp your identity, attackers will be able to carry out ‘physical’ attacks, for example by using side channels.
- Threats and attacks on inherent factors
Spy films feature severed fingers or eyeball extraction to gain access to the most sensitive secrets. In the mainstream, people may simply use a photograph, pre-recorded video footage or a cast of your fingerprint to impersonate you.
In summary, of the three authentication methods, the one most vulnerable to attack is the knowledge factor, both because the modes of attack are varied, but also because they are more likely to succeed. Although widespread, basic authentication, based solely on a password, is therefore a clearly insufficient security method for protecting access to information systems.
2. How can these threats to authentication be addressed?
To strengthen the authentication process, several measures can be considered:
- Favouring authentication based on the inherent or possession factor
- Strengthening the authentication factor
a) Favouring authentication by inherent or possession factor
Considering the number of attacks against password or pin code authentication, it is preferable for a company to adopt another method of authentication, such as the possession or inherent factor (badge or access card, identification key, fingerprint or DNA for example), which offers greater security and reduces the scope for attack.
In this sense, these two methods (possession factor and inherent factor based authentification) seem to be preferable to the knowledge factor based method.
Nevertheless, even if they are less exposed than the former, authentication by possession factor or by inherent factor are not exempt from all risks (theft of badges, physical attack to recover encryption keys or signatures for possession factors, fingerprinting, deep fake… for inherent factors).
These authentication methods are also less scalable and changeable (10 fingers, 2 eyes, a DNA fingerprint…) than knowledge factor authentication, where an infinite number of passwords can be generated. In a word, knowledge factor authentication is fairly easy to strengthen or evolve, while possession factor or inherent factor authentication is more ” static “.
b) Strengthening the authentication factor
One way to reduce the risk of infiltration into the system is to strengthen the login credentials. This involves making the means of authentication quite complex to imitate, guess or replicate.
This method is not very easy to apply with the inherent factor because it is not directly modifiable data, even if the procedure can be strengthened by requiring, for example, a more explicit acquisition (more complete fingerprinting of the surface of the finger, verification at times with a second fingerprint, changing the sentences to voice recognition, requesting mimics when identifying the face, etc.) In this way, a maximum of detail is obtained on the inherent data in order to identify whether it is real or comes from a copy or falsification.
For the possession-based authentication method, the encryption algorithms used to generate the smart card keys can be strengthened. Protective measures against physical attacks on smart cards, magnetic badges and physical keys (eavesdropping attack, DPA attack by consumption analysis, etc.) should also be put in place. However, these measures remain ineffective in the event of theft or reproduction of the means of authentication.
Finally, authentication based on knowledge factors is the easiest to reinforce. For this, a good password policy must be put in place and applied. This policy should define the standards to be followed for the choice of passwords and PINs so as to guarantee a sufficiently high level of entropy or complexity (passwords with lower case letters, upper case letters, numbers and special characters and a sufficiently long length). The password policy should also define and update a list of passwords that are not allowed because they are too easy to guess, or to attack (word from the dictionary, proper name of an acquaintance, or too frequent password…). The aim is to make the password strong enough so that the attack requires too much time and resources to succeed. In addition, measures such as time management of passwords and the impossibility of reusing a previous password must be taken. In order to reduce the attack surface, the verifier can also be prevented from knowing the password explicitly, by storing the hashes of the password rather than the plain text in the database.
The authentication process can also be strengthened by limiting the number of attempts and banning for a time the IP addresses from which unsuccessful attempts were made. This prevents exhaustive search or “brute force” attacks.
3. Multi-factor authentication, the only effective solution
Multi-factor authentication is a form of authentication that involves multiple (usually two) authentication factors.
The advantage is that the weaknesses of one factor are covered by the other. For example, in the event of a successful attack on the knowledge factor (discovery of a user’s password), the attacker will not be able to access the system because he will not possess the object of the possession factor (key, badge, smart card, etc.) or inherent factor (fingerprint, face, etc.) of the user whose identity he is impersonating.
Alongside multi-factor authentication (MFA), two-step authentication also has its advantages. It consists of using two successive means based on the same factor.
The two means of authentication may be configured for the user at the time of registration or the second may be generated after validation of the first during the login process. This can be, for example, a password followed by a single-use authentication code of very short
validity that the verifier sends to the applicant via a registered means of contact when he is added to the system. This solution also offers a good compromise in terms of security.
Multi-factor authentication and or two-factor authentication are currently the most secure and attack-resistant authentication methods. They double the attack load for the hacker, thus reducing the risk of access to the system.
It is obviously desirable to combine all these good practices by setting up a multi-factor authentication with reinforcement measures, especially if one of the required factors is a knowledge factor (strength of the password policy).
There are several authentication methods described by the ANSSI with their weaknesses and alternatives to reduce them.
User authentication is a complex subject, as it is the Achilles heel of IT systems. Although technologies are evolving rapidly, offering great diversity in the applications of authentication factors, no process can totally eliminate the risk of attack. Only multi-factor identification and the implementation of measures to strengthen these factors can limit the risks. Nevertheless, these processes must correspond to the users’ uses and above all be adapted to the risks incurred.
It is therefore up to the organisation, and in particular the person responsible for security, to carry out a risk analysis beforehand in order to determine the most suitable solution for the context in which authentication is to be implemented.
At Ventio, aware of the sensitivity of health data, we have developed expertise in the analysis of associated risks as well as in multifactor authentication and access control systems. If you want to protect yourself from the storms and their consequences when handling sensitive data of this type, contact Ventio for a breeze of peace.