The state of authentication in an increasingly connected world

A terse introduction to past, present and potential security standards in the context of digital authentication

Authentication isn't a new concept - we've had to address the issue of security for thousands of years. The Roman empire used ciphers (using patterns as a code) as early as 800BC to 'encrypt' documents from prying eyes. The 18th century saw the development of the physical lock and key, an invention which has been instrumental to security ever since. Today we have more methods of exchanging data than at any other time in history - and our security systems have evolved rapidly in response.

We can roughly categorise these systems in the following multi-factor authentication paradigm:

Something you know

The most common form of web authentication uses an encrypted password stored in a database on a server. This is an example of a non-physical key used to decrypt information. The strength of this technique is that your key is immaterial, and therefore can't be accidentally misplaced on a train or dropped down a grate. However, the key does exist in some physical capacity elsewhere. If the server were to be compromised, a hacker could potentially brute force the database to obtain the encrypted passwords. Brute forcing a password is akin to repeatedly ramming your shoulder against a locked door - given enough time, you will break through. There are techniques that can be employed to make this exponentially more difficult - hash salting is one such example, whereby a common password such as 'password1' is concatenated with randomly generated characters to create a more secure password, such as '9$2%o3password1'. Incidentally, renowned corporate networking giant LinkedIn exposed themselves in the recent intrusion by failing to use salts in conjunction with hashing (or encrypting) their passwords.
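To make the salting point concrete, here is an added example (written for this article, not code from Digital Garden or from LinkedIn) that contrasts an unsalted digest with a per-user random salt. The user names and passwords are constructed sample data; the choice of SHA-1 for the unsalted case and PBKDF2-HMAC-SHA256 for the salted case is my assumption, since the article names no particular algorithm.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Work factor for the salted scheme; higher makes each brute-force guess slower.
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 digest of the password, with no salt.

    Identical passwords always produce identical digests, so a single cracked
    digest reveals the password of every account that shares it.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the password.

    A fresh 16-byte random salt is generated for each new credential, so two
    users with the same password still end up with different digests.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def build_credential_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Hash every (user, password) pair with its own salt, as a server should."""
    return {name: hash_password(pw) for name, pw in users.items()}


def unsalted_collisions(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts whose unsalted digests are identical.

    Each group is the set of accounts that fall together once one of those
    digests is cracked; an empty result means no two users share a password.
    """
    by_digest: Dict[str, List[str]] = {}
    for name, pw in users.items():
        by_digest.setdefault(unsalted_hash(pw), []).append(name)
    return {d: names for d, names in by_digest.items() if len(names) > 1}


# Constructed sample accounts (not real credentials).
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "password1",
    "carol": "correct-horse-battery",
}

if __name__ == "__main__":
    print("unsalted collisions:", unsalted_collisions(SAMPLE_USERS))
    store = build_credential_store(SAMPLE_USERS)
    print("salted digests differ:", store["alice"][1] != store["bob"][1])
    salt, digest = store["alice"]
    print("alice login ok:", verify_password("password1", salt, digest))
    print("wrong password ok:", verify_password("password2", salt, digest))
```

Running it shows that alice and bob collapse into one group under the unsalted scheme, while their salted digests differ, and that verification still succeeds only for the correct password.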

Two-factor authentication (or 2FA) is an attempt to further refine the integrity of the 'something you know' encryption method. It involves pairing a password with another key, such as another password, an emailed code or an SMS message. Steam employs this protocol by requesting a code sent by email every time a user logs in on a new device. Google, ArenaNet and many other giants in the tech space incorporate SMS to achieve a similar result.

Something you have

We all use physical keys to unlock doors and start cars - USB keys and other token devices can be used in a similar fashion to authenticate a user's identity. The resulting connection is of greater integrity, at the expense of being subject to the whim of human error. Integrating a USB token into a 2FA system doesn't mask this exposure completely, but it is a step in the right direction.

SSH key-based authentication utilises a public and a private key, which are kept on the server and the user's computer respectively. This procedure is a modern-day Caesar's cipher - it uses the public key to encrypt a response to a login attempt, which the user runs through a decryption algorithm unique to the corresponding private key. The use of an algorithm and randomly generated keys is the telling advantage over a password-based process. To borrow a previous example, brute forcing in this context is trying to kick down a reinforced steel door, practically futile due to the sheer complexity of the keys. The keys themselves can then be encrypted to provide an even higher level of security, which is what we use here at Digital Garden to regulate and safeguard access to our sensitive information.

Something you are

This field of security operates on the fringe of cutting-edge technology, and is already being commercially implemented in many ways. It sounds idealistic, but this concept doesn't belong to the future as Hollywood movies would have us imagine. The latest two entries in Google's Nexus smartphone line, the Samsung S5 and many other phones boast fingerprint scanners, and facial recognition apps now offer an (albeit weaker) validation system. Biometric authentication uses biological keys such as fingerprints and iris patterns, which is arguably the strongest single form of authentication available today. Its greatest asset is also in some ways a gaping pitfall - if a hacker can obtain a user's fingerprint pattern, the user cannot update this information as easily as one would a password.

Like crime, cyber security is an insoluble, elastic issue which must be constantly and stringently mitigated. Our capacities for exploitation and protection of data are locked in a mutually dependent technological arms race, and we all shoulder the responsibility to remain vigilant in implementing reliable security practices.