Secondary Authentication Methods Password Security


An increasing number of secondary authentication methods are available to strengthen security alongside traditional password authentication. Such methods were once used mainly by large organisations for logging in to corporate networks (RSA SecurID tokens and the like), but they are seeing growing use on the internet, notably by banks seeking to better protect their users' data.

The Trust Model

A website operator trusts that a user's password is strong enough to resist guessing and brute-force attacks. Traditionally, users may choose any password within the bounds the operator sets (for instance, more than 5 characters). Secondary authentication methods add a second component to the password, typically something the user physically possesses.

By using a secondary system to authenticate users, an operator places further trust in the user being the only person with physical access to the additional component needed to complete authentication. In return, this substantially improves data security: an attacker now has to compromise more than one factor to break in, so a leaked or guessed password alone is no longer sufficient.

Implementations

The primary implementation of secondary authentication uses a physical device to supplement the traditional password. Most typically this is either a standalone token that generates numeric codes (such as RSA SecurID or the HSBC Secure Key) or a reader that uses the EMV chip in a credit or debit card, unlocked with the card's PIN, to answer a challenge from the server (generally used by banks). Most of these methods are, however, out of the reach of a standalone website operator or developer, so we will concentrate on the other methods available.

There are secondary authentication methods that cost significantly less, including delivering OTPs (One-Time Passwords) via SMS or email. These substantially reduce the value of a brute-forced or leaked password, since the attacker also needs access to the channel on which the OTP is delivered. To keep that property the OTP itself must be unpredictable, short-lived, single-use and rate-limited; otherwise it is simply a second, shorter password to guess. Using email to deliver OTPs carries an inherent risk: many users choose the same password everywhere, and it is safe to assume that a malicious individual who has a user's password will try it against the corresponding email account.

Using SMS for OTP means the user receives the code on a physical device (as opposed to a website) and then supplies it as the secondary authentication method, which adds a challenge and response step the user has to pass. It is not a full substitute for a hardware token, since SMS can be redirected through SIM-swap fraud or intercepted in transit; but while sending each SMS incurs some cost, an operator may well consider it worthwhile to 'challenge' the user in this way to verify who they are when viewing or updating sensitive private data.
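The two paragraphs above describe what an SMS or email OTP must do (be unpredictable, expire, be used once, and survive a few wrong guesses) but not how an operator's server side enforces that. The following is an added example written for this page, not code from the original page or from any of the products it names. It assumes an in-memory dictionary in place of the operator's session store or database, a per-process HMAC key in place of one loaded from a secrets manager, a placeholder sms_message() function in place of a real SMS gateway call, and the policy constants (six digits, five-minute lifetime, five attempts) are illustrative choices rather than anything the page specifies.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6            # assumed policy: six-digit numeric code
OTP_TTL_SECONDS = 300     # assumed policy: code expires five minutes after issue
MAX_ATTEMPTS = 5          # assumed policy: code is discarded after this many wrong guesses

# Per-process secret used to key the stored hashes; a real deployment would load it
# from a secrets manager rather than generating it at import time (assumption).
_SERVER_KEY = secrets.token_bytes(32)

# Pending codes keyed by user id. An in-memory dict stands in for the session store
# or database an operator would actually use (assumption).
_pending = {}


def _hash_otp(user, code):
    # Store only a keyed hash of the code so a leaked store does not reveal live codes.
    # Binding the user id into the hash stops a code issued to one account being
    # replayed against another.
    msg = f"{user}:{code}".encode()
    return hmac.new(_SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_otp(user, now=None):
    """Generate a fresh one-time code for `user` and return the plaintext for delivery.

    The plaintext is returned only so the caller can hand it to the SMS or email
    channel; it is never stored. Issuing a new code replaces any earlier one."""
    now = time.time() if now is None else now
    # secrets.randbelow draws from the OS CSPRNG; zfill keeps leading zeros.
    code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
    _pending[user] = {
        "hash": _hash_otp(user, code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_otp(user, submitted, now=None):
    """Return True, and consume the code, if `submitted` is the live code for `user`.

    Every failure path returns False: no pending code, expired code, attempt limit
    exceeded, or wrong code. A code is single-use, so it is deleted on success,
    on expiry and when the attempt limit is hit."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return False
    if now >= entry["expires"]:
        del _pending[user]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[user]
        return False
    # compare_digest runs in constant time, so a wrong guess does not leak how many
    # leading characters of the hash matched.
    if hmac.compare_digest(entry["hash"], _hash_otp(user, str(submitted))):
        del _pending[user]
        return True
    return False


def sms_message(code):
    """Build the text an SMS gateway would send; the gateway call itself is left out."""
    return f"Your verification code is {code}. It expires in {OTP_TTL_SECONDS // 60} minutes."


if __name__ == "__main__":
    # Constructed walk-through: issue a code, deliver it, then verify it once.
    code = issue_otp("alice")
    print(sms_message(code))
    print("first attempt:", verify_otp("alice", code))    # True
    print("replay:", verify_otp("alice", code))           # False, code already consumed
```

The attempt counter is what turns a six-digit code from a million-guess brute-force target into something an attacker gets five tries at, and deleting the code on expiry or lock-out means a stale or locked code can never be revived by a later correct guess. The same issue/verify pair serves email delivery unchanged; only the delivery function differs, which is why the channel's weaknesses (password reuse for email, SIM swap for SMS) rather than the code format decide how much the second factor is worth.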