We all know that passwords are a nuisance – but necessary
I’m not going to bang on again that you shouldn’t use the same password for more than one account. And we all know that recommended passwords are getting longer and more complicated. It seems to me that there’s a general “average” of what is currently considered to be a good (or, at least, reasonable) password:
- At least eight characters long and possibly up to twenty
- At least two of the following types of character should be included – upper case letters, lower case letters, numbers, special characters (eg $<*! etc.)
- No word that is to be found in a dictionary should ever be used on its own as a password
- Avoid easily-guessed proper nouns (ESPECIALLY your cat’s, children’s, partner’s names!)
But it doesn’t matter how long a password is, or how many billions of years it would take to crack it by brute force if the person trying to get into your account can read the password on the post-it note on your monitor!
So, a lot of websites and organisations (especially financial ones) are bringing in ever more complicated systems of security that require more than one factor to be correct. In these systems, knowing the password is not enough to gain access.
Multi-factor authentication requires the user to satisfy the system that they are genuine by providing at least two from the following three factors:
- a knowledge factor – something the user knows
- a possession factor – something the user has
- an inherence factor – something the user is
Passwords are, of course, an example of the first criterion.
A debit/credit/bank card is an example of something that the user may have. So, getting cash from the hole in the wall entails multi-factor authentication in that you need to have your card (something you have) and you need to know your PIN (something you know – in effect, a password). This is probably the most prevalent form of multi-factor authentication.
Examples of “something you are” include fingerprints (ie you are a person with that unique set of fingerprints) and other biometric measures such as retinal and iris scans. These return results unique to one individual, but there could be complications if you cut your finger off or someone pokes you in the eye with a sharp stick. Just in case you wonder whether someone could present a photograph of an eye for authentications purposes, it won’t work. The machine that “reads” the eye looks for the spontaneous contraction and dilation of the pupil that is present in all “real” eyes.
The theory, of course, is that requiring you to satisfy at least two factors is far more secure than asking you to satisfy just one. Far more secure, too, than just asking you to provide two different pieces of information (known as two-step authentication. It is not multi-factor authentication). Two-step authentication is as useful as a chocolate teapot if you write both pieces of information on the post-it note on your monitor.
I don’t think that anyone is claiming that multi-factor authentication is any kind of panacea. There are still plenty of ways that it can be subverted. Stealing someone’s cash card and forcing them to give up their PIN using threats is just one way that two-factor authentication can be fooled by the person seeking access. So, I’m not about to tell you that you long, complicated, passwords are going to become a thing of the past any time soon.
If anything, life is set to become even more complicated as more and more situations will demand two – or even three – factor authentication.
By the way: I keep meaning to point out that my links to Wikipedia pages in these blogs are only meant for anyone with a faint interest in finding out a bit more about the subject. I really wouldn’t try to suggest that any blog with Wikipedia links has any claims to academic respectability!