The Three Factors of Authentication (Passwords Part 2)

So far we have talked about the indispensable role that the password plays in our lives on the web. But a password is simply one piece of a larger mechanism that we refer to as Authentication: the process by which we prove that we are who we say we are. Passwords are the most common method of authentication, and they are prolific on the internet.

The First Factor: Something That You Know

A password is something that you know. It satisfies the first factor of authentication. This is why it has become so prolific on the web: it’s comparatively easy for a website owner to implement password-style authentication.

There is a problem with passwords however: You might not be the only person that knows this piece of information. And even worse, you might not be the only person that can guess this piece of information.

The Second Factor: Something That You Have

Another way that a user could be authenticated is to check for the presence of something that a person possesses. This could be a cell phone, a smart watch, a personal smart key (yubikey) or any number of other devices that can provide a unique identification.

There are many ways that the second factor of authentication can be validated. You may already use some of them:

  • SMS or Emailed One Time Password
  • Authenticator Application (Time or HMAC-based One Time Password)
  • Hardware Token (Yubikey, RSA SecurID)

One Time Passwords

A One Time Password (OTP) is a short password that, as the name implies, is only good for a single session or login. The concept is pretty simple: you have requested access to some secured system, and the entity that is validating your authentication generates a single-use passcode and sends it to your device.

The one time password is generally sent to a phone number via SMS or to an email address. The assumption is that your phone or email is secure and only you have access to this information. However, one small hiccup in this authentication method is that neither SMS nor email is a secure system by default. It can be possible for a nefarious actor to intercept the passcode before it reaches you, causing a bit of an issue.

Authenticator Applications

An Authenticator Application can solve this problem of transmitting the one time password via SMS or email. An Authenticator Application uses a shared key or “secret” that is set up prior to attempting authorization. Using this secret key, the authenticator app can generate one time passwords that are only valid for about 60 seconds. The other advantage is that there is no transmission of data, so no one can observe the generated passcode in transit. This provides a higher level of security than the previous example.

Hardware Tokens

In contrast to an application that you may have on your cellphone, a Hardware Token comes with a built-in shared key. These provide the same functionality as an Authenticator Application, but in a completely separate, isolated environment. The devices usually look like USB flash drives, and there are a few different iterations of them.

The RSA SecurID system provides a small device with a display that generates a new one time password every 60 seconds. It’s powered by a small watch battery and lasts for many years. These are generally produced by companies and sent to users upon request. For example, your bank may allow you to request one of these hardware keys to secure your online accounts.

Another type of hardware token, the YubiKey, is designed to be inserted into your computer via a USB port, or to connect to a cellphone with near field communication (NFC). This device generates the codes and passes them along to the computer or phone that is performing the authentication. Check them out at www.yubico.com.

Two Factor Authentication (2FA)

The most common way that you experience this second factor of authentication is through Two-Factor Authentication (2FA). Strictly speaking, 2FA is usually presented as a combination of the first and second factors of authentication. In other words, you have to provide two of the three items in this list to pass authentication. Most of the time that means that you need to provide some type of one time password when trying to authenticate.

The Third Factor: Something That You Are

A more commonly known name for the third factor of authentication is Biometrics. Anyone who has ever seen a spy movie knows what biometrics are. The hero (or potentially the villain) is trying to break into some “secure” facility and has to get past a fingerprint reader or a retinal scan, etc. This is the concept behind biometrics: authentication is based on a physical characteristic of your body.

In fact, if you have bought a cell phone in the past few years, you might have a biometric system hanging out in your pocket! Fingerprint readers are becoming ubiquitous on new cellphones because they provide quicker access than trying to type out a complex password or even a short PIN on your phone’s tiny touch keyboard. And if used properly these systems can provide added security to your device.

Touch ID and Face ID

Apple’s Touch ID and Face ID phone unlock methods are based on biometrics. Of course Touch ID is for fingers and Face ID applies biometrics to the composition of your face. But if the movies have taught us anything, neither of these authentication methods is perfect.

According to Apple’s Face ID Security Guide, the chance of a random person being able to open your phone that is protected with Face ID is about 1 in 1 million. In contrast, the security of Touch ID is claimed to be about 1 in 50,000. The camera that provides Face ID authentication is a 3D infrared camera. This means that it works in the dark and can even verify your identity if you are wearing sunglasses (except for one of my pairs of cheap sunglasses for some reason).

Granted, there is a little bit of a chance that a random person could pick up your phone and unlock it with their finger or with their face. But unless you’re in the habit of passing your phone full of secure information around a stadium just to see what happens, or you have an identical twin that you don’t trust (if you didn’t know, identical twins have different fingerprints), you’re most likely going to be very happy with the convenience and security of these systems.

Passwords, Your Personal Code to the Web

One day I caught my wife resetting her password to access a website. Turns out that she could never remember the password and always reset it to access this website. Come to find out, she also used this strategy to manage the passwords she needed for other websites.

Needless to say this started quite the discussion about passwords and how to deal with them. We talked about a few ideas to both help her situation and improve her overall online security. Here’s the short list:

  • What makes a good password? Why are strong passwords important?
  • What is Two Factor Authentication? And why would I want to deal with the hassle?
  • Password Managers – A way to keep everything organized.
  • Biometrics – How secure are fingerprint scanners (Touch ID) and facial biometrics (Face ID)?

What makes a good password?

Passwords have been a staple of internet security for decades now. It seems that every website that you use today has a password. You may have hundreds of passwords, each for a different website, some of which you use every day and others that you may not access for months at a time.

This is complicated by the fact that every site has a different set of password requirements. Most sites have a minimum length. Some sites require that you include numbers, special characters, or uppercase characters in your password.

But why are you, the user, required to jump through all of these various, complicated hoops? Why is one password better than another password?

As it turns out, website operators are trying to get their users to create strong passwords. Restrictions on passwords are simply a way to coax users to select passwords that are stronger than they normally would choose on their own.

Why Strong Passwords are Important

User information is valuable. It can be sold for monetary gain or used to steal someone’s identity. A password is a primary safeguard against this kind of behavior, and a stronger password can help to protect this information. As more and more companies digitize their records and systems, there is more information that needs to be protected. But how do we quantify the strength of a password?

The strength of a password is sometimes measured by a quantity called password entropy (usually measured in “bits”). The higher the entropy of a password, the longer it will likely take to guess the password. What this means is that we are trying to increase the number of guesses a hacker might have to make to guess or “crack” your password.

Let’s play a guessing game! I am thinking of a number between 1 and 10 (including both 1 and 10 as possibilities). Now you take a guess…

How many guesses did it take for you to get the right answer? Hopefully it took you less than ten guesses, considering that there were ten total possibilities. But most likely it didn’t take all ten guesses to get the right answer. Ten is only the maximum number of guesses that it could have taken. There was also a 10% chance of getting the correct number on our first guess.

Now, what if we take our guessing game and make it a bit harder by adding the 26 English letters to the mix? A number between 1 and 10, in addition to 26 letters, is 36 possibilities in our guessing game. We could also make a distinction between upper and lowercase letters and treat those as correct or incorrect. Now we have 62 possible answers. Adding in a list of special characters like !@$%^&*_-=+ increases that number to 74 possibilities. Now your chance of guessing it on the first try is 1 in 74.

Let’s apply this to passwords. We can calculate the entropy of a password using this formula:

E = log2(R^L) = L × log2(R)

Where E = password entropy, R = the pool of unique characters, and L = the number of characters in the password.

For example, a password of “password123” has an entropy of 57 bits. Taking the characters in the password and assuming that the requirements were 26 English letters and 10 digits, that’s 36 for our unique pool of characters (R). Next, the password is 11 characters long. Thus our equation becomes: E = log2(36^11) ≈ 57.

Let’s try a more complicated password. Say we are using the password “P@s$w0rdL2E”. This password has an entropy of 68 bits, derived from our equation as E = log2(74^11) ≈ 68. As you can see, adding the extra complexity did give an improved entropy, but not by an extreme amount. We increased the pool of characters (R) to 74 in this example, but the length stayed at 11. Also, this is a much more difficult password to type. Seriously, try typing that out 20 times as fast as you can.

Instead, let’s tweak the length of the password. Say our new password is “josephisamadman”. Now we are only using lowercase English letters, which means that our pool size (R) is 26. The length of the password is 15 characters, so E = log2(26^15) ≈ 71. This makes our password entropy 71 bits. And this password is MUCH easier to type.
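The three calculations above, worked through in code as an added example that is not part of the original post: the pool R is inferred from the character classes each password uses (the post’s special-character list is assumed here to count as 12 symbols, so that the pool grows from 62 to 74 as in the text), and min_length generalizes the length-versus-complexity point by asking how many characters each pool needs to reach a target entropy.

```python
import math

# Character-class sizes as the post counts them: 10 digits, 26 lowercase letters,
# 26 uppercase letters, and its list of special characters, which the post says
# takes the pool from 62 to 74 (so it is assumed to be 12 symbols here).
DIGITS, LOWER, UPPER, SPECIAL = 10, 26, 26, 12


def pool_size(password: str) -> int:
    """Infer R from the character classes the password actually uses."""
    r = 0
    if any(c.isdigit() for c in password):
        r += DIGITS
    if any(c.islower() for c in password):
        r += LOWER
    if any(c.isupper() for c in password):
        r += UPPER
    if any(not c.isalnum() for c in password):
        r += SPECIAL
    return r


def entropy_bits(password: str, r: int = 0) -> float:
    """E = log2(R^L) = L * log2(R); leave r at 0 to infer the pool from the password."""
    r = r or pool_size(password)
    return len(password) * math.log2(r)


def min_length(r: int, target_bits: float) -> int:
    """Shortest password drawn from a pool of size r that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(r))


def compare(passwords):
    """Return (password, R, L, rounded bits, average guesses to find it) per candidate."""
    rows = []
    for p in passwords:
        bits = entropy_bits(p)
        # An attacker walking the whole space succeeds halfway through on average.
        rows.append((p, pool_size(p), len(p), round(bits), int(2 ** bits) // 2))
    return rows


if __name__ == "__main__":
    for p, r, l, bits, guesses in compare(["password123", "P@s$w0rdL2E", "josephisamadman"]):
        print("%-16s R=%2d L=%2d  %2d bits  ~%.1e guesses" % (p, r, l, bits, guesses))
    # Length beats complexity: characters needed for 70 bits from each pool.
    print("70 bits needs", min_length(74, 70), "chars from a 74 pool vs", min_length(26, 70), "from 26")
```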

A simple solution to increase the strength of your passwords is to use a few common words strung together or a simple phrase. This works twofold: it makes your password longer (thus increasing its entropy), and it also makes it easier for you to type and harder for a hacker to guess. The web comic XKCD has a great panel about this password security method here.

Conclusion

Passwords have long been the guardians of our internet security. They protect the information that we exchange on the internet. However, the venerable password is now not the only method that we can use to authenticate to a website. Many services are turning to Two-Factor Authentication, Device Authentication, and even Biometrics for security. Let’s investigate some new methods for security and talk a bit more about authentication in the next post.