ZD Tech: To authenticate, the password is no longer enough


Hello everyone and welcome to ZD Tech, ZDNet’s daily editorial podcast. My name is Louis Adam and today I will explain to you why authentication can no longer rely on a single password to protect an account.

Authentication used to be simpler. In the 80s, for example, when you wanted to log in to a user account, a username and a password were enough. The more cautious chose a long and complex password, and that was considered a sufficient security measure to deter a third party trying to get into the account by guessing the password.

But that is no longer enough today. Growing computing power, combined with the many password leaks, now lets attackers crack the simplest passwords without much trouble, and reuse those that have already leaked elsewhere. Several kinds of attacks aim to guess or steal passwords in order to access an online account, and cybercriminals have been refining them for decades.

What I know, what I have, what I am

To meet this challenge, authentication is therefore looking for new approaches that offer sufficient security. The most frequently recommended one is multi-factor authentication, which can take several forms. Rather than relying on a single password to verify access, the user is asked for several proofs of identity before access is granted.

Besides the password, the user may for example be asked to enter a one-time code sent by SMS to their phone, or to plug a USB security key, such as a YubiKey or a Google Titan, into the computer. Authentication can also be strengthened with a biometric factor: a fingerprint or retina scanner, for example. The different types of authentication factors are easy to remember: what I know, what I have, or what I am.

Combining these factors gives authentication that is more secure than a password alone. Contextual data about the connection can be added on top: is the person signing in from a new device or a known one? Is the time of the connection, or the geolocation of the IP address, unusual? All of these are parameters that can be used to estimate how trustworthy a sign-in is and to trigger additional verification measures.
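As an added worked example (not code from the podcast or from any provider mentioned in it), here is a small Python login decision that puts the three ideas above together: a password check ("what I know"), an RFC 6238 TOTP code as the second factor ("what I have", the code an authenticator app or token computes), and a contextual risk score from the device, IP country and hour of the sign-in that decides whether the second factor must be requested. The user record, the risk thresholds, the sample logins and the password are constructed for illustration; the TOTP secret is the RFC 6238 test-vector secret, so the codes can be checked against the RFC.

```python
"""Password + TOTP + contextual risk signals deciding whether a login is
allowed, needs a second factor ("step_up"), or is refused.

Added example; the user record, thresholds and sample logins below are
constructed for illustration and are not from the podcast."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 100_000


# --- Factor 1: "what I know". Store a salted, iterated hash, never the password. ---
def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password(password: str, salt: bytes, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)  # constant-time compare


# --- Factor 2: "what I have". RFC 4226 HOTP / RFC 6238 TOTP, as computed by a token. ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    # Accept the adjacent time steps to tolerate clock drift between token and server.
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-window, window + 1))


# --- Contextual signals: the "is this connection plausible?" data from the text. ---
@dataclass
class LoginContext:
    device_id: str   # cookie or device fingerprint presented by the client
    country: str     # country the client IP geolocates to
    hour: int        # local hour of the sign-in, 0-23


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    known_devices: set
    usual_country: str


def risk_score(user: UserRecord, ctx: LoginContext) -> int:
    """Higher is riskier. Weights are illustrative, not from the podcast."""
    score = 0
    if ctx.device_id not in user.known_devices:
        score += 2   # never seen this device before
    if ctx.country != user.usual_country:
        score += 2   # IP geolocation does not match the user's habit
    if ctx.hour < 6 or ctx.hour > 22:
        score += 1   # unusual time of day
    return score


def authenticate(user: UserRecord, password: str, ctx: LoginContext,
                 totp_code: Optional[str] = None, now: int = 0) -> str:
    """Return 'allow', 'step_up' (a second factor is required) or 'deny'."""
    if not check_password(password, user.salt, user.pw_hash):
        return "deny"                       # wrong password: never reveal which factor failed
    if risk_score(user, ctx) < 2:
        return "allow"                      # known device, usual place and time
    if totp_code is None:
        return "step_up"                    # ask the user for the code from their token
    return "allow" if verify_totp(user.totp_secret, totp_code, now) else "deny"


def make_sample_user() -> UserRecord:
    """Constructed sample account; secret is the RFC 6238 test-vector secret."""
    salt, pw_hash = hash_password("correct horse battery staple")
    return UserRecord(salt, pw_hash, b"12345678901234567890", {"laptop-1"}, "FR")


if __name__ == "__main__":
    user = make_sample_user()
    known = LoginContext("laptop-1", "FR", 14)
    abroad = LoginContext("unknown-phone", "BR", 3)
    print(authenticate(user, "correct horse battery staple", known))                 # allow
    print(authenticate(user, "correct horse battery staple", abroad))                # step_up
    print(authenticate(user, "correct horse battery staple", abroad, "287082", 59))  # allow
```

The policy shown is the trade-off the big providers make: a sign-in from a known device in the usual place goes through on the password alone, while anything unusual forces the second factor. A stricter deployment would require the TOTP code on every sign-in and use the risk score only to add further checks or refuse outright.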

Methods that are still not infallible

Today, tech giants such as Google and Microsoft want to make these authentication methods as widespread as possible, in order to limit account takeovers and better secure access to services that are sometimes critical.

But these methods are not foolproof: a fingerprint can be copied, an SMS carrying a one-time code can be intercepted, and a security key can be stolen or even cloned.

When it comes to authentication, there is therefore no miracle solution. All we can do is make the attackers' job harder, to the point where they give up trying.
