In my last post on Small and Medium Business (SMB) I touched on creating unique IDs for your employees, contractors, and services. In this blog I would like to expand on access controls for these IDs by briefly describing passwords and other authenticators we can use to secure the use of IDs.
What is Authentication?
In cybersecurity, authentication is the process of ensuring an individual using an ID is the person or process they claim to be. Assume we have a group of files that we want Jan from accounting to be able to access. Prior to accessing the files, Jan will need to enter her ID to assert to the system that she is Jan. However, to be secure, Jan also should be required to provide some proof that it is, in fact, Jan trying to access the files, and not someone else who knows her ID.
The process of soliciting and checking factors that can verify the identity of an entity using an ID is called authentication and is a critical part of controlling access to your systems and data.
Authenticators are what we use to ensure an individual using an ID is who they say they are. The most well-known authenticator is the password. Authenticators can take the form of “something you know” (like a password or PIN), “something you have” (like a token or smartcard), or “something you are” (like a biometrics scan of certain aspects of your hand, face, or eye).
Passwords are the most ubiquitous form of authenticator. Weak passwords pose a lot of risk to your company. However, strong passwords can actually be quite secure, particularly when used in conjunction with another authenticator.
In a large enough organization, it is a near certainty that at least one person is using a password that is a combination of their pet’s name, their child’s birthday, and an exclamation mark. Because of this, I recommend that you develop criteria for passwords that govern the length, complexity, reuse, and age of passwords. The longer your passwords are, the longer it will take for an attacker to break them. You can further increase the time it will take to break your passwords by introducing complexity requirements such as capital and lowercase letters, special characters (e.g. !, @, #, $, %, ^, &, *), and numbers. There are mixed opinions about how long you should allow passwords to remain unchanged. Some people argue that passwords should be changed frequently, and others argue that changing passwords too frequently makes users write down their passwords or store them in a similarly insecure manner.
I recommend using a secure password generator to generate a 32-character password that includes uppercase letters, lowercase letters, special characters, and numbers, and using an encrypted password manager to store it. Because this password is so long and so complex, I feel that you can go a longer time before changing your passwords.
I also recommend that you limit the number of times a password can be reused, as well as requiring a minimum number of intervening passwords before any given password can be reused. Furthermore, you should enforce a minimum password age so that people don’t change their passwords a bunch of times in quick succession just so they can reuse their favorite password.
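To make the password criteria above concrete, here is an added example (not code from the original post) of the three checks a small business could script: a CSPRNG-based generator for the recommended 32-character password, a length/complexity check, and a reuse and minimum-age check. The history size of 12 passwords, the minimum age of one day, and the sample history are assumptions for illustration.

```python
import secrets
import string

# Character classes the policy requires; the specials are the post's "!,@,#,$,%,^,&,*" set.
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*",
}
ALPHABET = "".join(CLASSES.values())
DAY = 24 * 60 * 60  # seconds


def generate_password(length=32):
    """Draw from the OS CSPRNG and retry until every required class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in chars for c in pw) for chars in CLASSES.values()):
            return pw


def check_complexity(pw, min_length=32):
    """Return the list of length/complexity violations (empty list means compliant)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"missing {name} character")
    return problems


def check_rotation(new_pw, history, now, history_size=12, min_age_days=1):
    """history: list of (password, set_at_epoch_seconds), oldest first.
    Rejects reuse of any of the last `history_size` passwords and any change made
    less than `min_age_days` after the current password was set. A production
    system would compare against stored password hashes rather than plaintext."""
    if new_pw in (p for p, _ in history[-history_size:]):
        return f"reused within the last {history_size} passwords"
    if history and now - history[-1][1] < min_age_days * DAY:
        return f"current password is younger than {min_age_days} day(s)"
    return None


# Constructed demo history (hypothetical values, not from the post).
SAMPLE_HISTORY = [
    ("Winter2023!Fluffy", 1_700_000_000),
    ("Spring2024!Fluffy", 1_700_000_000 + 30 * DAY),
]
```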
Passwords are an important authenticator that can be made stronger by requiring an additional authenticator. It’s generally best practice to augment your password (something you know) with an authenticator that is “something you have” or “something you are”.
“Something you have” authenticators can include hard tokens that look like key fobs, or soft tokens that run on your phone, both of which allow the user to prove possession by entering a one-time code they generate. Many applications are preconfigured to use a variety of hard and soft tokens. Another strong type of “something you have” authentication involves chips that store certificates and use the associated keys in an encrypted exchange to authenticate the user. This functionality can be found in smart cards, keys that are inserted into computers, and NFC devices.
The other authentication method that can augment passwords is the use of “something you are.” This type of authentication generally refers to biometrics. Common biometrics include fingerprint scans on mobile devices, retina scans and facial recognition on computers and mobile devices with front-facing cameras, and palm scans on physical access systems. Biometric authenticators have issues with false positives and false negatives, so be sure to check the error rates for the biometric you would like to use to make sure they are within the tolerances for your purpose.
Thank you for reading this installment of my blog for small and medium businesses. Please check back next month when I’ll discuss configuration and patch management.