What is secondary authentication?
When a site has user accounts, authentication (user authentication) is applied.
For some time now, sites have also been using secondary authentication, because passwords get stolen, lost and, quite often, forgotten; erroneous user actions or simple inattention lead to the same result.
Secondary authentication helps to re-identify the user and restore access to the account and its data.
Various secondary authentication procedures are used:
• sending an access key to the user by e-mail;
• sending an SMS with an access code;
• answering a specific security question;
• entering the old password;
• proof of identity from a third party (or several third parties).
If, when the site is attacked, the attack is aimed at the secondary authentication system (rather than at bypassing the more complex password-based access system), the account may turn out to be less secure.
For example, in 2008 in the United States a hacker broke into the account of Sarah Palin (presidential candidate) simply by guessing the answer to the secret question on her account, “Where did you meet your future spouse?” (i.e., the hacker imitated the famous Morris virus).
Secondary authentication issues
The problems of secondary authentication for a web resource are quite different from those of primary authentication:
• there is no need to memorize complex codes;
• there is no need to practise using them for a long time;
• the need for secondary authentication arises, as a rule, precisely because of problems with primary authentication (for both the user and the owner of the resource);
• secondary authentication is used less frequently than primary authentication;
• a failed secondary authentication leads to loss of access to the account.
When solving the problem of secondary authentication, one must take into account not only the behavior of the “protected side” but also the behavior of the “attacker”.
The most important qualities of secondary authentication
The most important qualities of secondary authentication include:
• reliability (secondary authentication succeeds for the legitimate user);
• security (resistance to “false” authentication, i.e. authentication by someone posing as the account holder);
• efficiency (few resources required: material, energy, informational, organizational, human);
• flexibility (readability);
• minimum sufficiency (the account owner discloses only a small amount of confidential data during authentication);
• lower convenience (if the secondary authentication mechanism were as convenient as the primary one, it would not be used at all).
All mechanisms (procedures) of secondary authentication can be divided into two categories:
• conceptual authentication (based on knowledge);
• outsourcing authentication (delegated to another system that, as a rule, specializes in authentication and information security).
Conceptual secondary authentication
The mechanisms of conceptual (secondary) authentication are relatively simple and require no additional resources. They include:
• a control (secret) question that is difficult for an outsider to answer but that the account holder cannot forget, for example “What is your mother's maiden name?”;
• printed shared secret data, for example a set of keys printed on paper, from which the system asks for a random selection (by their numbers) during authentication;
• previously used passwords (from earlier password changes).
Outsourcing secondary authentication
The mechanisms of outsourcing secondary authentication (also called transitive) rely on the following systems and processes:
• e-mail (an access code is sent to the user's e-mail address, and the user returns it when accessing the account);
• mobile communication (a code sent to the user's phone number by SMS or by voice call);
• confirmation from third parties (relatives or friends);
• personal appearance (identity confirmed in person, for example at a bank or a government body).
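As an added illustration (this is example code, not part of the article), the following Python sketch shows how a site can hold the two kinds of out-of-band secrets described in the two lists above: the numbered sheet of printed codes from the conceptual list, where the system asks for code number k, and the short-lived access code sent by e-mail from the outsourcing list. Both are stored only as salted hashes, compared in constant time and consumed on first successful use. The code alphabet and length, the 15-minute lifetime, the attempt limit and all class and function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed parameters for this example; the article gives no values.
EMAIL_CODE_TTL_SECONDS = 15 * 60                              # e-mailed code lives 15 minutes
EMAIL_CODE_MAX_ATTEMPTS = 5                                   # then the code is discarded
PRINTED_CODE_ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"    # avoids 0/O and 1/I confusion


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted slow hash, so a leaked table does not reveal the codes themselves."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class RecoveryStore:
    """Per-account store that holds only hashes of recovery secrets."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    printed: Dict[int, bytes] = field(default_factory=dict)   # code number -> hash
    email_code: Optional[Tuple[bytes, float]] = None          # (hash, expiry time)
    email_attempts: int = 0

    # --- printed shared secret: a numbered sheet of one-time codes ---
    def issue_printed_codes(self, count: int = 10, length: int = 8) -> Dict[int, str]:
        """Generate the sheet to print; return {number: code}, keep only the hashes."""
        sheet = {}
        for number in range(1, count + 1):
            code = "".join(secrets.choice(PRINTED_CODE_ALPHABET) for _ in range(length))
            sheet[number] = code
            self.printed[number] = _hash_secret(code, self.salt)
        return sheet

    def challenge_printed(self) -> Optional[int]:
        """Ask the user for a randomly chosen, still unused code number."""
        return secrets.choice(sorted(self.printed)) if self.printed else None

    def verify_printed(self, number: int, code: str) -> bool:
        expected = self.printed.get(number)
        if expected is None:
            return False
        ok = hmac.compare_digest(expected, _hash_secret(code.strip().upper(), self.salt))
        if ok:
            del self.printed[number]          # each printed code works exactly once
        return ok

    # --- e-mailed access code: short-lived, attempt-limited, single use ---
    def issue_email_code(self, now: Optional[float] = None) -> str:
        """Create a fresh 6-digit code; the caller mails it and must not log it."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.email_code = (_hash_secret(code, self.salt), now + EMAIL_CODE_TTL_SECONDS)
        self.email_attempts = 0
        return code

    def verify_email_code(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if self.email_code is None:
            return False
        expected, expiry = self.email_code
        self.email_attempts += 1
        if now > expiry or self.email_attempts > EMAIL_CODE_MAX_ATTEMPTS:
            self.email_code = None            # expired or guessed too often: discard it
            return False
        ok = hmac.compare_digest(expected, _hash_secret(code.strip(), self.salt))
        if ok:
            self.email_code = None            # single use
        return ok
```

The store never keeps a code in the clear, so a dump of the recovery table gives an attacker nothing to replay, and the attempt counter keeps a six-digit e-mail code from being guessed before it expires.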
Pros and cons of secondary authentication mechanisms
Each secondary authentication mechanism has its own “pluses” and its own “minuses”. It is important to strengthen the “pros” and weaken the “cons”.
For example, e-mail-based (outsourcing) authentication has a big “plus”: the difficult authentication task is shifted to the e-mail provider, which usually solves security problems at a different, higher level of security requirements (encryption, encoding, sending and receiving, logging).
But it also has a big “minus”: the user can make a mistake when typing the mail address or, with no less probability, lose the mail account itself; and a mail address that has entered a third-party organization's database is an extra “headache” for both the account owner and the resource.
How to strengthen the reliability of the secondary authentication system?
There is a universal answer to this crucial question: combine different authentication mechanisms. Simple mathematical formulas show that reliability already increases with the use of two mechanisms. It is also good to strengthen the mechanisms in stages, as the site becomes more attractive to users and their activity grows.
It is important to ensure that the user account is not only not hacked, but not even compromised. Since a break-in is usually carried out by taking over the account and then changing its password and login, the reliability of secondary authentication can be improved by applying a delay (“lag”) before any change to the password or login information takes effect, and by reminding the account owner, the user, of the requested changes.
Security policy always was and still is a policy of choice, and during authentication the problem of choice has to be solved: reliability or security?
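The deferred change with a reminder to the owner, as an added Python example (not the article's own code): a password or login change requested through the recovery path is recorded as pending, the owner is notified through an independent channel and given a cancel token, and the old credential keeps working until the lag has elapsed. The one-day delay, the SHA-256 stand-in for a real password hash, and all class and function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed value: changes made through recovery take effect only after one day.
CHANGE_DELAY_SECONDS = 24 * 3600

Notifier = Callable[[str, str], None]   # (owner login, message) -> None, e.g. sends an e-mail


def _hash(value: str) -> bytes:
    """Stand-in for a real password hash (use a salted PBKDF2/argon2 in production)."""
    return hashlib.sha256(value.encode()).digest()


@dataclass
class PendingChange:
    field_name: str            # "password" or "login"
    new_value: object          # password hash (bytes) or the new login (str)
    effective_at: float        # the change applies no earlier than this time
    cancel_token_hash: bytes   # hash of the token sent to the owner for cancelling


@dataclass
class Account:
    login: str
    password_hash: bytes
    pending: Optional[PendingChange] = None
    history: List[Tuple[str, str, float]] = field(default_factory=list)   # audit trail


def check_password(account: Account, password: str) -> bool:
    """The old credential keeps working until a pending change becomes effective."""
    return hmac.compare_digest(account.password_hash, _hash(password))


def request_change(account: Account, field_name: str, new_value: str,
                   now: float, notify: Notifier) -> str:
    """Record the change as pending and notify the owner; return the cancel token.

    The plaintext token is returned only so the caller can place it in the
    notification; the account keeps just its hash.
    """
    if field_name not in ("password", "login"):
        raise ValueError("unsupported field")
    token = secrets.token_urlsafe(32)
    stored = _hash(new_value) if field_name == "password" else new_value
    account.pending = PendingChange(field_name, stored, now + CHANGE_DELAY_SECONDS, _hash(token))
    account.history.append(("requested", field_name, now))
    notify(account.login,
           f"A change of your {field_name} was requested and will apply in "
           f"{CHANGE_DELAY_SECONDS // 3600} hours. If this was not you, cancel with: {token}")
    return token


def cancel_change(account: Account, token: str, now: float) -> bool:
    """The owner rejects the change using the token from the notification."""
    p = account.pending
    if p is None or not hmac.compare_digest(p.cancel_token_hash, _hash(token)):
        return False
    account.pending = None
    account.history.append(("cancelled", p.field_name, now))
    return True


def apply_due_changes(account: Account, now: float, notify: Optional[Notifier] = None) -> bool:
    """Apply the pending change once the lag has elapsed; remind the owner it happened."""
    p = account.pending
    if p is None or now < p.effective_at:
        return False
    owner = account.login                  # notify the owner as known before the change
    if p.field_name == "password":
        account.password_hash = p.new_value
    else:
        account.login = p.new_value
    account.pending = None
    account.history.append(("applied", p.field_name, now))
    if notify is not None:
        notify(owner, f"Your {p.field_name} has now been changed.")
    return True
```

During the lag window the legitimate owner still has a working password and a notification with a cancel token, so an attacker who passed secondary authentication cannot lock the owner out immediately; the price is that a genuine recovery also waits a day, which is exactly the reliability-versus-security choice the section ends on.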