Authentication For Beginners: How to Protect Your Online Accounts
Odds are, you complete authentication processes multiple times a day, whether that’s entering a password to open your social media account or scanning your fingerprint to access your phone.
Authentication represents a critical component of digital security for both individuals and businesses… but not all authentication methods are created equal.
There are many types of authentication, and some are significantly more secure than others. It’s always a good idea to put multiple layers of authentication into place on all accounts — especially those with sensitive or personal information — but if you’re going to go to the effort to add these types of protections, you should be sure to choose the most effective methods.
To help you get started, here are the basics of authentication that will help keep your data and devices secure.
What is authentication?
Authentication is the process by which you verify your identity to access an online account, device, or document. There are many ways to digitally authenticate your identity.
On most accounts, the default first layer of authentication is a username and password. In the earlier days of the Internet, password authentication was pretty much the full extent of cybersecurity. But as the digital landscape has evolved and cyber threats have become more complex and widespread, so too has the standard of authentication. While password authentication is still the most common type, it’s no longer sufficient as a standalone protection on most accounts — especially those containing sensitive or private information.
Other common authentication methods with which you may be familiar include security questions, personal identification numbers (PINs), SMS or call verification, authenticator apps, and facial or fingerprint scanning.
Why authentication is important
Strong authentication is a crucial cyber protection method both for individuals on their personal accounts and for companies on their business and employee accounts.
Ideally, every single online account and device you have should be protected with multiple layers of authentication, because this is the best way to prevent unauthorized users from accessing them.
Although this increases the time it takes to access information and can feel like overkill, establishing multiple factors of authentication is one of the easiest ways to reduce overall cyber risk. Plus, adding protective measures is worth it for the time, money, and headache it can save you by helping you avoid a cyber attack.
While the strength and amount of authentication matter most on more sensitive accounts, like online banking, telehealth, social media, and similar, it’s worth it to use strong and varied authentication methods on all accounts. The reason for this is that if one of your accounts is compromised in a data breach or cyber attack — even an account that doesn’t contain private data — it can open up the door for attackers to access your other accounts, potentially granting them access to your finances, medical records, or personal information.
There are various ways that individuals and companies can implement authentication on their accounts. Each method relies on a certain factor, which is the type of data or characteristic used to verify a user’s identity.
- Knowledge factor: Relies on information to verify identity. Only those with certain knowledge can enter. This can include a PIN, username/password, or a security question.
- Possession factor: Uses an item in the person’s possession to verify identity. Only those with access or ownership of a certain item can enter. This can include a mobile phone, a security token, or an authentication app that generates a PIN or one-time password (OTP).
- Biometric factor: Verifies identity via physical characteristics. Only those with certain biological characteristics can enter. This can include facial, fingerprint, thumbprint, and retinal scans.
- Location factor: Uses location to verify identity. Only those in certain locations can enter. This is a supplementary authentication method that can block users in geographic areas far removed from the typical location of access.
- Time factor: Relies on time to verify identity. This is another supplementary authentication method, and it’s often used in tandem with a location factor. For example, if an account or device is accessed from Europe within hours of a login to the same account from North America, the second attempt would be blocked because the time and location are inconsistent with one legitimate user.
Location and time are the only two factors in this list that cannot act as standalone authentication methods; however, best cybersecurity practices recommend multiple strong methods of authentication on each account.
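The Europe / North America scenario above is what a time-and-location check actually computes. The following added example (not from the original article) takes a list of constructed login records, works out the great-circle distance and elapsed time between consecutive logins on the same account, and flags any pair that would require implausible travel speed; the 900 km/h threshold and the sample accounts are assumptions for illustration.

```python
from datetime import datetime, timezone, timedelta
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
# Speed above which one person cannot have made both logins. 900 km/h is a
# constructed threshold (roughly airliner speed), not an industry standard.
MAX_PLAUSIBLE_KMH = 900.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def is_impossible_travel(prev, cur):
    """True if moving from prev to cur in the elapsed time exceeds MAX_PLAUSIBLE_KMH.
    Each login is a dict with keys: account, when (UTC datetime), lat, lon, place."""
    hours = (cur["when"] - prev["when"]).total_seconds() / 3600.0
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if hours <= 0:
        # Same instant or out-of-order events: any distance at all is suspicious.
        return dist > 0
    return dist / hours > MAX_PLAUSIBLE_KMH

def flag_logins(logins):
    """Return (account, from_place, to_place) for each consecutive pair of
    logins on the same account that fails the time/location check."""
    by_account = {}
    for login in sorted(logins, key=lambda l: l["when"]):
        by_account.setdefault(login["account"], []).append(login)
    flagged = []
    for account, events in by_account.items():
        for prev, cur in zip(events, events[1:]):
            if is_impossible_travel(prev, cur):
                flagged.append((account, prev["place"], cur["place"]))
    return flagged

def login(account, when, lat, lon, place):
    return {"account": account, "when": when, "lat": lat, "lon": lon, "place": place}

# Constructed sample logins; coordinates are approximate city centres.
T0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    login("alice", T0, 48.8566, 2.3522, "Paris"),                            # Europe
    login("alice", T0 + timedelta(hours=3), 40.7128, -74.0060, "New York"),  # North America
    login("bob", T0, 48.8566, 2.3522, "Paris"),
    login("bob", T0 + timedelta(hours=3), 45.7640, 4.8357, "Lyon"),          # plausible trip
]
```

Running `flag_logins(SAMPLE_LOGINS)` reports only alice's Paris-then-New York pair (about 5,800 km in three hours), while bob's Paris-to-Lyon trip passes.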
That said, there is some variation in the strength of authentication methods depending on the behavior of the user. For example, a weak or reused password is much less secure — even as one step within multiple layers of authentication — than a strong, unique password that is changed regularly.
Authentication weak points
It’s important to know the potential vulnerabilities of various authentication methods so you can make informed decisions about protecting your personal and business accounts and devices. If you’re going to bother adding security layers, you should make them count.
Here are the two most common authentication vulnerabilities:
Password protection is no longer the alpha and omega of cybersecurity like it was in the earlier days of the Internet. That said, most online accounts still offer a username and password as the first layer of protection, and it’s crucial to use good password hygiene.
This means always selecting unique, non-obvious, complex passwords for every single account that you never reuse or share with others. You should also change passwords on all accounts every three months, as well as any time you’re notified of a data breach or compromise.
Strong passwords are so critical because password cracking is so prevalent. Cyber criminals use multiple methods to crack passwords, but the main takeaway is that there are many ways to break into password-protected accounts. The stronger and more complex your passwords are, the harder it is for hackers to find or guess them. And if a hacker does get one of your passwords, the other layers of authentication keep the account protected.
Phone-based authentication is vulnerable to SIM swapping, a type of cyber attack that is on the rise. While SMS or phone call protections are a common authentication method that you might think would decrease cyber risk — after all, you should be the only one with possession of your cell phone — the truth is that this authentication method is surprisingly vulnerable.
SIM swapping is a scam in which attackers use fraudulent means to transfer a victim’s phone number to a new SIM card in their possession, thereby allowing themselves to receive the texts and calls intended for the victim. This then allows the attacker to access accounts and devices that use text or phone call verification because they can request password resets.
Comparing authentication methods
You’ve likely heard of various authentication methods like multi-factor authentication (MFA) and two-factor authentication (2FA), but what exactly do these terms mean and how do you know what’s best?
Here are the basics you should know about various levels of authentication protections:
Single-factor authentication (SFA) is just what it sounds like: one single layer of protection. Some examples of this include unlocking an account with only a username and password, opening a phone with a fingerprint scan, or accessing a document with a PIN.
As mentioned earlier, SFA in the form of passwords used to be the norm for account protection, but that’s no longer the case in the current landscape of cyber risk. In fact, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) added SFA to its list of bad cybersecurity practices in 2021, naming it a low-security, high-risk method that should be avoided.
Once again, the name says it all: two-factor authentication, or 2FA, describes an account or device that requires two methods of authentication for access. Typically, a username and password will be the first layer, while the second layer can be any other of the factors described previously: knowledge, possession, biometrics, location, or time.
Many accounts with built-in 2FA offer security questions or SMS/call verification, which aren’t the strongest options. Hackers can guess the answers to security questions based on your digital footprint or social media presence, and the danger of SIM swap fraud weakens phone verification.
For that reason, you should select a different secondary authentication method whenever you have the option — ideally biometric authentication, which is the easiest way to make sure only you are accessing your accounts (more on this below).
MFA is the current standard of authentication. Simply put, this is a multi-layer approach to data protection in which a user must input multiple credentials to access an account, device, or document. 2FA is a form of MFA, but MFA can also include more than two authentication methods.
Even if one credential becomes compromised, like a password, accounts will still be protected thanks to the additional layer(s) of authentication. While you could take a maximalist approach to cyber protection and implement as many authentication factors as possible on all accounts, what matters most is layering the strongest available authentication methods. Just because you technically use MFA doesn’t mean your accounts are safe — you need to take into account which types of authentication will actually offer the best protection.
Biometrics are the future. The best way to ensure that you and only you can access your accounts is to secure them with your unique biological features, which are much harder to replicate or steal than information.
SIM cards can be swapped, passwords can be hacked, security questions can be guessed, time and location can be falsified, PINs can be stolen, authenticator apps can be duped… but only you have your fingerprints, face, and retinas.
If you want to keep up with the dynamic cyber landscape and stay a step ahead of the bad guys, you should consider adding biometric protections to your accounts — especially those containing financial, medical, or personal information.