Which of these 10 Authentication Options Best Secure Your Data on Your Device? Just type one word answer ...
Dipto Chakravarty
Chief Product Officer at Cloudera | Ex Amazon | Board Member | CPO | CEO
The rollup of password-less authentication startups into larger vendors is a loud and clear signal of the password-less economy. Duo's rollup into Cisco was the beginning of this trigger. There are more rollups coming this Fall ...
Basic capabilities – authentication, authorization, attribution and audit – have undergone a "shift left" from the user-interaction standpoint.
Simple login is enhanced by adding gesture-based preambles. Similarly, authentication schemes for commoditized single sign-on are expanded via layers of authentication to ensure you are really you in the context of myriad devices, apps and contexts. For instance, direct authentication used to involve a PIN, a password, a fingerprint and often a knowledge-based question. Now there are a few new direct protocols like WebAuthn; however, it is still heavily based on a relatively old model from the "Internet boom" years. There are also indirect methods that involve keys, tokens and one-time passwords issued based on risk profiles. Add to that the notion of continuous authentication, which strengthens the method via voice prints, facial scans, keystroke dynamics, and even walking gaits. Last but not least, there is the notion of contextual authentication, which factors in behavioral statistics, session cookies, IP address and time of day before granting full access to the user. So, which one would you opt for to strengthen and simplify security?
1. Password. Your password is your basic form of authentication, and on its own it simply doesn't work anymore: users reuse passwords, write them down, pick easily guessed combinations, and so on.
2. Certificate. Certificate-based authentication uses a digital certificate that is stored locally and identifies the user, machine, or a device trying to gain access to the network.
3. OTP hardware. Also called a "token," One Time Password hardware is a physical device that gives you your password. Often hardware tokens are plugged into your computer via a USB port to provide the OTP directly to the system.
4. OTP app. An OTP application delivers your single-use password directly onto your smart phone.
5. Physical smart card. These are common in offices. The implication is that the person holding the card is the correct individual.
6. Virtual smart card. Using the Trusted Platform Module (TPM) chip that is standard in most computers, you can get the same functionality as a physical smart card without any additional hardware.
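To make item 4 concrete, here is an added example (not code from the article) of what an OTP app computes: RFC 4226 HOTP driven by a 30-second time counter, i.e. TOTP per RFC 6238. The app and the server share only the key; each derives the same six digits from the current time. The server side shown here adds the two checks a practitioner actually needs: a small clock-skew window and rejection of any code (or counter) that was already accepted, so an intercepted code cannot be replayed. RFC_KEY is the RFC 6238 / RFC 4226 published test key, not a real credential; the window and step sizes are assumptions.

```python
"""TOTP as implemented by OTP apps: RFC 4226 HOTP driven by a time counter (RFC 6238).
Added example; RFC_KEY is the published RFC test secret, not a real credential."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

RFC_KEY = b"12345678901234567890"   # RFC 4226 / RFC 6238 (SHA-1) test key


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with counter = floor(unix_time / step). Both sides only share the key."""
    return hotp(key, unix_time // step, digits)


def provision_secret(nbytes: int = 20) -> str:
    """Generate a fresh shared secret, base32-encoded as OTP apps import it
    (e.g. inside an otpauth:// QR code)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


class TotpVerifier:
    """Server-side check with clock-skew tolerance and replay protection (assumed policy)."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1   # highest counter already accepted for this user

    def check(self, candidate: str, unix_time=None) -> bool:
        now = int(time.time() if unix_time is None else unix_time)
        counter = now // self.step
        # Try the current step and +/- window neighbours to tolerate phone/server clock drift.
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            expected = hotp(self.key, c, self.digits)
            # constant-time compare: an early-exit == would leak how many digits matched
            if hmac.compare_digest(expected, candidate):
                if c <= self.last_counter:
                    return False   # code for this or an older step was already used: no replay
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print("code at t=59 for the RFC test key:", totp(RFC_KEY, 59))   # 287082
```

The values used in the checks are the RFC's own test vectors (counter 1 of the SHA-1 key yields 287082, which is also the 6-digit TOTP at t=59). Note that the replay guard is per user and must persist server-side; without it, a code phished during its 30-second validity can be used by the attacker as well as by the user.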
Out-of-band authentication (OOBA) methods are popular because they authenticate the user via two different systems. There are four basic varieties of OOBA. The typical process is that you start by logging into the system or application you wish to access using a password. This triggers an alert through an entirely different system, which you then use to complete the login process.
7. Push. You receive your alert via push notification on your smart phone.
8. SMS. You can also get your notifications via text message.
9. Email. The alert is sent to your email address.
10. Voice. You get a call to your phone number.
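The OOBA process described above (password first, then a one-time code delivered over a second channel) is shown below as an added example; it is not code from the article. The delivery channel is abstracted as a `send_fn` callback, so the same server logic covers push, SMS, email and voice. The security-relevant details are on the server side: no code is sent unless the first factor succeeds, only a keyed hash of the code is stored, and the challenge is single-use, expires, and is destroyed after a few wrong guesses (the usual defence for a six-digit code, which offers only a million possibilities). The user store, TTL and attempt limit are constructed assumptions.

```python
"""Out-of-band authentication (OOBA) flow: password first, then a one-time code delivered
over a second channel. Added example with an in-memory user store and a pluggable
delivery function standing in for push/SMS/email/voice."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # assumption: a code is only valid for two minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses invalidate the challenge


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    channel: str        # phone number / push-device id (constructed sample values)


@dataclass
class PendingChallenge:
    username: str
    code_hash: bytes    # only a keyed hash of the code is kept server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


def hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, channel: str) -> User:
    salt = secrets.token_bytes(16)
    return User(salt, hash_password(salt, password), channel)


class OobaServer:
    def __init__(self, users, send_fn, clock=time.time):
        self.users = users            # username -> User
        self.send = send_fn           # send_fn(channel, message): the out-of-band delivery
        self.clock = clock            # injectable clock so expiry can be tested
        self.pending = {}             # challenge_id -> PendingChallenge
        self.mac_key = secrets.token_bytes(32)   # keys the stored code hashes

    def _code_hash(self, challenge_id: str, code: str) -> bytes:
        # Bind the code to its challenge so a stored hash is useless for any other login.
        return hmac.new(self.mac_key, f"{challenge_id}:{code}".encode(), "sha256").digest()

    def begin_login(self, username: str, password: str):
        """First factor. On success generate a code, store its hash, and deliver the code
        out of band. Returns a challenge id, or None if the password was wrong."""
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(hash_password(user.salt, password), user.pw_hash):
            return None   # nothing is sent out of band on a failed first factor
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = PendingChallenge(
            username, self._code_hash(challenge_id, code),
            self.clock() + CODE_TTL_SECONDS)
        self.send(user.channel, f"Your login code is {code}")
        return challenge_id

    def complete_login(self, challenge_id: str, code: str) -> bool:
        """Second factor. The code is single-use, expires, and tolerates few wrong guesses."""
        ch = self.pending.get(challenge_id)
        if ch is None:
            return False
        if self.clock() > ch.expires_at:
            del self.pending[challenge_id]
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(self._code_hash(challenge_id, code), ch.code_hash)
        if ok or ch.attempts_left == 0:
            del self.pending[challenge_id]   # consumed on success, destroyed when exhausted
        return ok


def demo() -> bool:
    """Constructed walk-through: a user logs in and completes the out-of-band step."""
    outbox = []   # stands in for the push/SMS/email/voice gateway
    users = {"alice": make_user("correct horse", "+1-555-0100")}   # constructed sample
    server = OobaServer(users, lambda channel, msg: outbox.append((channel, msg)))
    cid = server.begin_login("alice", "correct horse")
    code = outbox[-1][1].split()[-1]   # what the user reads off their phone
    return server.complete_login(cid, code)


if __name__ == "__main__":
    print("login completed:", demo())
```

The challenge id returned by `begin_login` is what a real deployment would carry in the session while the user waits for the push, text, email or call; keeping it unguessable (here 16 random bytes) stops an attacker from completing someone else's pending login by guessing only the six-digit code.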
Technology is constantly evolving, and new threat vectors are popping up even faster as the attack surface grows. Simplicity in a complicated world is the answer. So, you would do well to opt for one or two types of multi-factor authentication to safeguard your data on your device and protect your data in the cloud.
I really feel that people should not abandon a strategy towards MFA just because they cannot implement the most ideal second factor. Organizations have to start somewhere, and if we increase the barrier to entry, people and organizations will be afraid to even consider looking at MFA at all.
Identity and Access Management Architect and Strategist
5 years
There is no single "best" solution out there for password-less MFA. What is important is using any of the factors that you identified alongside risk scoring, behavioral analysis, and authentication sequencing. Instead of using a single factor, allowing the user to enroll with multiple factors and choosing how to authenticate based on the situation can make end users' lives easier. Don't trust just an SMS? Add another factor to it in medium and high risk situations where the user is displaying atypical behavior. It is just as important that the tools you use allow for this level of flexibility.
Identity & Access Management | PKI Expertise | SaaS | Cloud Security | Cybersecurity | IOT | Blockchain Technology
5 years
Good list. But SMS, VOICE and EMAIL are insecure second factors of authentication. NIST guidelines deprecate them for regulated industries and applications. FIDO2 U2F and FIDO2 WebAuthn should be considered as viable second factors of authentication. In certain unregulated applications, it can be the first factor (passwordless authentication).