Secondary account authentication on the site
What is secondary authentication?
When a site has user accounts, user authentication is applied.
But for some time now sites have also used secondary authentication: passwords get stolen, lost, or simply forgotten, and erroneous user actions or plain carelessness can lead to this.
Secondary authentication helps identify the user and regain access to the data.
Various secondary authentication procedures are used:
• sending the user an access key by e-mail;
• sending an SMS with an access code;
• answering a specific security question;
• entering an old password;
• proof of identity from a third party (or parties).
If an attack on a site or system is directed at the secondary authentication system (rather than at bypassing the more complex password-based access system), the account may turn out to be less secure.
For example, in 2008 in the USA a hacker broke into the account of Sarah Palin (candidate for the presidency of the United States) merely by guessing the answer to the secret question on her account, “Where did you meet your future spouse?” (that is, the hacker imitated the well-known Morris virus).
Problems of secondary authentication
The problems of secondary authentication for a web resource are quite different from those of primary authentication:
• there is no need to remember complex codes;
• there is no need to spend a long time learning them;
• the need for secondary authentication arises, as a rule, precisely because of problems with primary authentication (both for the user and for the owner of the resource);
• secondary authentication is used less frequently than primary;
• unsuccessful secondary authentication leads to loss of access to the account.
When solving the problem of secondary authentication, one must take into account not only the behavior of the “protected side” but also the behavior of the “attacker”.
The most important qualities of secondary authentication
The most important qualities of secondary authentication include:
• reliability (success of secondary authentication);
• security (resistance to “false” authentication, i.e. authentication under the guise of the account holder);
• efficiency (few resources required: material, energy, informational, organizational, human);
• flexibility (ease of readjustment);
• minimum sufficiency (only a small amount of confidential data is disclosed by the account holder during authentication);
• lower profitability (if the secondary authentication mechanism were as beneficial as the primary one, it would not be used at all).
All mechanisms (procedures) of secondary authentication can be divided into two categories:
• conceptual authentication (based on knowledge);
• outsourcing authentication (delegated to another system that specializes, as a rule, in authentication and information security).
Conceptual Secondary Authentication
Conceptual (knowledge-based) secondary authentication mechanisms are relatively simple and require no additional resources. These include:
• a control (secret) question that is difficult for an outsider to answer but impossible for the account owner to forget, for example “What is your mother’s maiden name?”;
• printed shared secret data, for example a set of keys printed on paper, from which the system asks for a random selection (by their numbers) during authentication;
• previously used passwords (from earlier password changes).
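The printed shared secret described above is a numbered key sheet: the user holds the paper, the server holds only hashes, and each login challenge names one position. The following is an added example of that mechanism, not code from the original article; the alphabet, sheet size, key length and in-memory record format are all assumptions.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O and 1/I so that keys copied from paper are not mis-typed (assumed choice).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _digest(account_id, number, key):
    # Bind each digest to the account and the position on the sheet, so a stored
    # digest cannot be reused for another account or another position.
    return hashlib.sha256(f"{account_id}:{number}:{key}".encode()).hexdigest()


def generate_sheet(account_id, count=10, length=8):
    """Return (sheet, record). The sheet is printed once for the user; only the record is stored."""
    keys = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
    sheet = [(i + 1, k) for i, k in enumerate(keys)]          # numbered 1..count as on paper
    record = {
        "digests": [_digest(account_id, i + 1, k) for i, k in enumerate(keys)],
        "used": [False] * count,                               # each key is accepted once
    }
    return sheet, record


def make_challenge(record):
    """Pick a random unused position; return its 1-based number, or None if the sheet is spent."""
    unused = [i for i, used in enumerate(record["used"]) if not used]
    if not unused:
        return None
    return secrets.choice(unused) + 1


def answer_challenge(account_id, record, number, submitted):
    """Verify the key for the challenged position; mark it used on success."""
    idx = number - 1
    if idx < 0 or idx >= len(record["digests"]) or record["used"][idx]:
        return False
    actual = _digest(account_id, number, submitted.strip().upper())
    ok = hmac.compare_digest(record["digests"][idx], actual)   # constant-time comparison
    if ok:
        record["used"][idx] = True
    return ok


if __name__ == "__main__":
    sheet, record = generate_sheet("alice")
    print("print and hand to user:", sheet)
    n = make_challenge(record)
    print("challenge: enter key number", n)
    print("accepted:", answer_challenge("alice", record, n, dict(sheet)[n]))
```

When the sheet runs out (`make_challenge` returns `None`) the user must be re-issued a sheet through another mechanism; attempt limiting for wrong answers belongs in the same place as for any other secondary factor.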
Outsourcing secondary authentication
Outsourcing secondary authentication mechanisms (also called transitive) are based on the following systems and processes:
• e-mail (sending an access code to the user's e-mail address, which the user returns when accessing the account);
• mobile communications (codes sent to a telephone number via SMS or “voice”);
• confirmation from third parties (relatives or acquaintances);
• personal appearance (confirmation of identity by a bank or government body).
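The e-mail and SMS access codes named both in the list of procedures at the top of the article and in the outsourcing list above share one server-side shape: a short random code, stored only as a hash, with an expiry, a guess limit and single use. This is an added example of that server side, not the article's code; the code length, lifetime, attempt limit and in-memory store are assumptions, and sending the code is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed policy: a code is valid for 10 minutes
MAX_ATTEMPTS = 5         # assumed policy: invalidate the code after five wrong guesses

# Constructed in-memory store: account id -> pending code record (a real system uses a database).
_pending = {}


def _hash_code(account_id, code):
    # Tie the digest to the account so a stored digest cannot be replayed for another user.
    return hashlib.sha256(f"{account_id}:{code}".encode()).hexdigest()


def issue_code(account_id, now=None):
    """Generate a six-digit one-time code from the OS CSPRNG and store only its hash."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[account_id] = {
        "digest": _hash_code(account_id, code),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code   # the caller delivers this by e-mail/SMS; it is never logged or stored in clear


def verify_code(account_id, submitted, now=None):
    """Return True exactly once for the right code within its lifetime, otherwise False."""
    now = time.time() if now is None else now
    rec = _pending.get(account_id)
    if rec is None:
        return False
    if now > rec["expires_at"]:
        del _pending[account_id]            # expired: the user must request a fresh code
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del _pending[account_id]            # too many guesses: invalidate rather than just reject
        return False
    ok = hmac.compare_digest(rec["digest"], _hash_code(account_id, submitted))
    if ok:
        del _pending[account_id]            # single use
    return ok


if __name__ == "__main__":
    code = issue_code("alice")
    print("deliver to user out of band:", code)
    print("accepted:", verify_code("alice", code))
    print("replay accepted:", verify_code("alice", code))
```

With a six-digit code and five attempts an impostor guessing blindly succeeds with probability 5 in a million per issued code, which is why the attempt limit and the short lifetime are not optional.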
Pros and Cons of Secondary Authentication Mechanisms
Each secondary authentication mechanism has its own pros and cons. It is important to strengthen the "pros" and weaken the "cons".
For example, the outsourcing (e-mail-based) authentication procedure has a big "plus": the complex authentication task is transferred to the e-mail provider, which usually solves security problems at a different, higher level of security requirements (encryption, encoding, transmission, logging).
But it also has a big "minus": you can make a mistake when typing the mailing address or, with no lower probability, lose your mail system account; and a mail address that has ended up in a third-party organization's database is an extra "headache" for both the account owner and the resource.
How to strengthen the reliability of the secondary authentication system?
There is a universal answer to this crucial question: combine various authentication mechanisms. Simple mathematical formulas show an increase in reliability when two mechanisms are used. It is also good to strengthen the mechanisms in stages, as the site becomes more attractive to users and their activity intensifies. It is important to ensure that the user's account is not only not hacked, but not even compromised. Hacking is usually carried out by intercepting the account and then applying the password and user login; if you introduce a delay ("lag") for any change to the password and code information, and use it to notify the account owner of the change, you can increase the reliability of secondary authentication.
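The "simple mathematical formulas" are not written out on the page; the following derivation is an added one, not the author's. It assumes the two mechanisms $A$ and $B$ succeed or fail independently, and uses the page's own two qualities: reliability, the probability $r_A$, $r_B$ that the legitimate owner completes a mechanism, and security, measured here by the probability $f_A$, $f_B$ that an impostor passes it.

If the site accepts either mechanism (the user may choose), the owner fails only when both fail, but an impostor succeeds if either does:
$$R_{\text{either}} = 1-(1-r_A)(1-r_B) \;\ge\; \max(r_A,r_B), \qquad F_{\text{either}} = 1-(1-f_A)(1-f_B) \;\ge\; \max(f_A,f_B).$$

If the site requires both mechanisms, the two bounds reverse:
$$R_{\text{both}} = r_A\,r_B \;\le\; \min(r_A,r_B), \qquad F_{\text{both}} = f_A\,f_B \;\le\; \min(f_A,f_B).$$

With the constructed values $r_A=0.9$, $r_B=0.8$, $f_A=0.01$, $f_B=0.05$:
$$R_{\text{either}} = 1-0.1\cdot 0.2 = 0.98, \qquad F_{\text{both}} = 0.01\cdot 0.05 = 0.0005, \qquad F_{\text{either}} = 1-0.99\cdot 0.95 = 0.0595.$$

So "combining" raises reliability when the mechanisms are alternatives and raises security when they are required together; the page's two qualities pull in opposite directions, and staged strengthening means deciding which bound matters more for each account type.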
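The delay ("lag") with owner notification described above can be implemented as a pending-change queue: changes to the password and recovery data do not take effect for a fixed period, the notice goes to the contact that was on file before the change (never to the newly submitted one), and the owner can cancel with a token from that notice. This is an added example, not the article's code; the delay length, the set of guarded fields, the in-memory account store and the `notify` sender stub are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHANGE_DELAY_SECONDS = 24 * 3600   # assumed policy: a guarded change becomes effective after 24 hours

# Fields covered by the delay (assumed list); anything else changes immediately.
GUARDED_FIELDS = {"password_hash", "recovery_email", "recovery_phone", "security_answer_hash"}


class AccountChangeGuard:
    """Queue changes to credentials and recovery data, notify the owner on the old contact,
    and let the owner cancel before the change takes effect."""

    def __init__(self, accounts, notify):
        self.accounts = accounts   # account_id -> dict of current fields (constructed store)
        self.notify = notify       # callable(contact, message): constructed e-mail/SMS sender stub
        self.pending = {}          # (account_id, field) -> pending change record

    def request_change(self, account_id, field, new_value, now=None):
        """Apply unguarded fields at once; queue guarded ones and return the cancel token."""
        now = time.time() if now is None else now
        if field not in GUARDED_FIELDS:
            self.accounts[account_id][field] = new_value
            return None
        token = secrets.token_urlsafe(32)
        self.pending[(account_id, field)] = {
            "new_value": new_value,
            "effective_at": now + CHANGE_DELAY_SECONDS,
            "cancel_digest": hashlib.sha256(token.encode()).hexdigest(),   # store hash only
        }
        # The notice goes to the contact on file *before* the change, so an attacker who
        # submits a new recovery address does not also receive the cancel token.
        old_contact = self.accounts[account_id]["recovery_email"]
        hours = CHANGE_DELAY_SECONDS // 3600
        self.notify(old_contact, f"Your {field} will change in {hours} hours. "
                                 f"If this was not you, cancel with token {token}.")
        return token

    def cancel(self, account_id, field, token):
        """Drop the pending change if the token from the notice matches."""
        rec = self.pending.get((account_id, field))
        if rec is None:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if hmac.compare_digest(rec["cancel_digest"], digest):
            del self.pending[(account_id, field)]
            return True
        return False

    def apply_due(self, now=None):
        """Apply every pending change whose delay has elapsed; return the keys applied."""
        now = time.time() if now is None else now
        applied = []
        for key, rec in list(self.pending.items()):
            if now >= rec["effective_at"]:
                account_id, field = key
                self.accounts[account_id][field] = rec["new_value"]
                del self.pending[key]
                applied.append(key)
        return applied


if __name__ == "__main__":
    store = {"alice": {"recovery_email": "old@example.test", "password_hash": "h1"}}
    guard = AccountChangeGuard(store, lambda to, msg: print(f"notify {to}: {msg}"))
    token = guard.request_change("alice", "recovery_email", "new@example.test")
    print("cancelled:", guard.cancel("alice", "recovery_email", token))
```

`apply_due` is meant to run from a scheduler; during the lag the old credentials and recovery contacts stay valid, which is what gives the real owner time to react to an intercepted account.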