Be the change you want to see in your password

Widespread skepticism about the strength of single factor authentication increased dramatically as it actually became single factor. One of the things about authentication is that it is often described in a vacuum, as if the user were in a lab. Even popular culture shows this to be unrealistic. There are scores of movies and TV shows made over the past three decades in which some hacker breaks into a computer by divining a user ID and password. That the hacker needed to break into someone’s office and worked their magic while an accomplice kept lookout for “[quiet, there’s] someone coming” is forgotten once the hacker, usually one of the good guys/gals, gains access. The really well researched scenes have already explained that the break-in to the office was necessary because the server was on a “closed network”.

{If, at this point, you’re looking for some reference material—simple or technical— on types of authentication, etc. please go to the bottom of this post. Then come back for the rest of this.}

What’s forgotten in today’s discussions that I’ve seen is that almost all networks used to be closed. It is only when you can gain access from anywhere, with any device, that authentication can truly be single factor. It is only when the client is wafer thin and reachable from anywhere that authentication is limited to something you know.

Was single factor authentication stronger in the old days? Yes. Why? Because it wasn’t really single factor. If you were logging into a closed network that was only accessible at a terminal inside your company’s office, then single factor authentication was not just something you knew but *somewhere you were*. Maybe needing to have access to a terminal hooked up to the closed network did not double the strength of knowing a user ID and password, but it was such a symbiotic mitigating control that you cannot say the strength of authentication was reliant on JUST a user ID and password.

So, once remote access was available, could we then say that the systems were protected by only single factor authentication? Usually no. They often had another layer of protection. While you may think that “something you have” as a factor needs to be something unique to you, there was a time when, for remote access, you needed a relatively obscure VPN client installed on your remote computer, and that client needed to be configured by someone from IT. Maybe authenticating to the VPN with a user ID and password (something you know) was not quite doubled in strength by needing to own a computer with correctly configured software (something you have), but it was certainly stronger than simple single factor authentication. And, as you probably saw coming, when you add a token of some kind to that remote access through a computer with correctly configured software on it, it is a stronger control than JUST two factor authentication.

Looking at it from the other direction, the cases where authentication shortcuts opened obvious security holes are frequent. When an authentication shortcut weakens authentication, it is because it removes more than just a factor: the shortcut also allows authentication outside a secure context. The latest example of this comes from Facebook:

Compare Facebook’s shortcut to a single sign-on solution that uses a password and also requires you to swipe a badge before you are prompted for the password. Is this as strong as two factor authentication (something you know and something you have)? No, it’s stronger, because it also requires that you are at a computer with a badge reader (re-introducing “somewhere you are”).

The bottom line is that authentication outside the cyber security laboratory requires an understanding of both the user context and how that creates (or destroys) symbiotic mitigating controls on access.
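To make the "symbiotic mitigating controls" argument concrete, here is an added example (my own illustration, not code from the original post) of an access policy that counts context alongside credentials. The request fields (`managed_client`, `on_closed_network`, `badge_swiped`) are hypothetical names for the controls the post describes; the scenarios in `__main__` are constructed from the post's own examples.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    WHERE = "somewhere you are"

@dataclass(frozen=True)
class AccessRequest:
    """Constructed model of one login attempt (hypothetical field names)."""
    password_ok: bool = False
    token_ok: bool = False            # hardware or software token
    managed_client: bool = False      # VPN client installed and configured by IT
    on_closed_network: bool = False   # arrives from a terminal inside the office
    badge_swiped: bool = False        # badge swiped at a badge-reader workstation

def evidence(req: AccessRequest) -> dict[Factor, list[str]]:
    """Group every control the request actually satisfies under its factor
    category, so context (where you are) counts alongside credentials."""
    checks = [
        (Factor.KNOW, "password", req.password_ok),
        (Factor.HAVE, "token", req.token_ok),
        (Factor.HAVE, "managed client", req.managed_client),
        (Factor.HAVE, "badge", req.badge_swiped),
        (Factor.WHERE, "closed network", req.on_closed_network),
        (Factor.WHERE, "badge reader workstation", req.badge_swiped),
    ]
    found: dict[Factor, list[str]] = {}
    for factor, name, ok in checks:
        if ok:
            found.setdefault(factor, []).append(name)
    return found

def decide(req: AccessRequest, required_categories: int = 2) -> tuple[bool, int, int]:
    """Return (allowed, distinct categories, total controls). Allow only when
    at least `required_categories` distinct categories are evidenced; the
    control count ranks requests that clear the same bar (token + managed
    client + password beats plain two factor, as the post argues)."""
    ev = evidence(req)
    controls = sum(len(names) for names in ev.values())
    return len(ev) >= required_categories, len(ev), controls

if __name__ == "__main__":
    scenarios = {
        "password from anywhere": AccessRequest(password_ok=True),
        "password at office terminal": AccessRequest(password_ok=True, on_closed_network=True),
        "password via IT-configured VPN client": AccessRequest(password_ok=True, managed_client=True),
        "token + VPN client + password": AccessRequest(password_ok=True, token_ok=True, managed_client=True),
        "badge swipe + password": AccessRequest(password_ok=True, badge_swiped=True),
    }
    for label, req in scenarios.items():
        print(f"{label:40} -> {decide(req)}")
```

A correct password from an unknown device on the open internet is refused as single factor, while the same password typed at a closed-network terminal passes because the location is a second category.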

Finally, if you think I’m hinting that there needs to be as much attention paid to closing networks as to opening them, you would be correct.


For anyone who wants a primer on types of authentication, we have your primer right here (from another blogger):

Looking for a more technical treatment? Nothing beats NIST 800-63:

And because there is never a bad time to link to Bruce Schneier, here’s his take on when even two factor authentication doesn’t cut it:
