Using a username and password combination is a common, everyday activity. We use it to log into a desktop or laptop at work, to log into the application systems we use for business tasks, and to log into Software-as-a-Service (SaaS) applications remotely. For personal use we rely on username/password combinations for Facebook, Flickr and other social media websites. For these scenarios, username and password authentication is generally "good enough".
If the password for an ordinary user account is compromised, which is itself a serious security incident, the master account or administrator account can intervene and "freeze" the compromised account, or apply some other security control. But what happens if the master account password is compromised? What happens if the administrator account is now controlled by an intruder? There is no higher authority left to contain the damage. A compromised user account is a serious matter, but a compromised administrator account is truly catastrophic, and the damage that can be done with it is simply unacceptable.
For these more critical accounts the traditional username/password combination is not enough. Such scenarios call for more than one authentication technique to ensure strong security, so for these special accounts Multi-Factor Authentication (MFA) must be used. MFA strengthens traditional username/password authentication by requiring the user to provide additional evidence that the user is genuine and not an impostor.
The additional “evidence” is what we call “factors” in authentication security. There are three main types of authentication factors. We will explain each one and provide several examples. We will focus on the authentication factor that is most common and relevant to cloud computing.
The three main authentication factors are:
- Knowledge factors – Something the user knows that no one else is supposed to know. A password is the typical example; a personal identification number (PIN) is another. Secret questions and answers such as "What make was your first car?" are also a common way to implement a knowledge factor, although they are a weak one, because the answers can often be guessed or found in public records and social media.
- Inherence factors – Something the user is: personal biometric characteristics that only you have. Fingerprints, facial recognition and iris or retina scans are typical examples. DNA authentication is still a science-fiction technique (for now at least), but it would be another, and perhaps the ultimate, inherence factor.
- Possession factors – Something the user has that is unique to him or her. This is a very old technique; the key to a lock is a simple example. For IT systems there are two versions of this factor: connected token authentication and disconnected token authentication. With a connected token, the token is physically attached to the system you are logging into, for example a smart card in a card reader, a bank card in an ATM, or a chip card in a credit card point-of-sale terminal. A disconnected token has no physical connection to the system you are logging into; the user reads a value from the token (or from an app on a phone) and types it in. Because remote users cannot plug anything into a provider's servers, the disconnected token is the more common and more appropriate possession factor for a cloud environment.
MFA for Cloud Computing
In a cloud environment users and administrators must log into systems and applications remotely. Because of the criticality of the administrator account, a disconnected possession factor is commonly required in addition to the username/password combination. The RSA SecurID token is one of the most well-known examples of this technique. The RSA token displays a six-digit number that changes every 30 seconds. Once the user has authenticated with his or her password, the user is prompted to type in the six-digit number currently shown. If it is correct, that demonstrates that the user holds the physical token. An intruder would therefore have to know the username and password and also possess the RSA token in order to impersonate the real user. The technology behind the RSA token derives each rotating six-digit number from a secret seed stored inside the token and the current time; the authentication server holds a copy of the seed and computes the same value, while anyone without the seed cannot predict the next code. A code is only useful for the short window in which it is displayed, so a number an attacker happens to observe is of little value shortly afterwards. While this additional layer of authentication may seem inconvenient, it is a minor level of effort compared to the cost and effort of dealing with a compromised administrator account.