Most cloud services require authentication. The Merriam-Webster dictionary gives this definition: “an act, process, or method of showing something (such as an identity, a piece of art, or a financial transaction) to be real, true, or genuine.” In the case of user authentication, then, it is all about the identity of the user and verifying that he or she really is who he or she claims to be.
The most natural authentication mechanism is the username-password pair. However, these elements are easily hacked and are no longer a guarantee of user authentication. It is nevertheless still the most traditional mechanism, and thus forms the sole bulwark against identity theft for a large number of services.
We often hear about strong passwords. Some systems force you to use a password of at least eight characters that contains lowercase, uppercase, digits, and punctuation characters. But is it enough to protect yourself?
Let’s compare your password to the front door of your home (we will assume there is only one possible way in). If your door is made of light wood and you do not lock it when leaving, you have an extremely weak password. On the other hand, if you have an armored door with multiple locks and an opening sensor connected to a monitoring center, you have a robust password. In neither case are you 100% protected. What differentiates the two systems is the time and means a burglar needs to enter your home: a few seconds in the first case, several minutes or even hours in the second.
The same goes for your password. If you choose your date of birth, write it down on a sticky note and stick it on your screen, you are in the first case. If you have a 16-character password made of lowercase, uppercase, numbers and special characters, you are in the second case. We speak of a very weak password in the first case and a strong one in the second.
The following website provides an estimate of the strength of a password: Calculate the “strength” of a password. It also explains how to interpret the results and what strategy to follow to create strong passwords.
By doing some tests on this page and realizing the risks associated with a weak password, you can deduce the following four rules for choosing a password to access any information system:
- A minimum of 16 characters
- Possible use of all the letters, numbers and symbols available on your keyboard
- Never write it down in clear text on any electronic medium
- Unique for each application (never reuse the same password)
A 20-character password drawn from the full available alphabet has a strength equivalent to a 128-bit encryption key, which corresponds to the smallest key size considered serious for encryption.
I know what you must be thinking: you canNOT create AND remember 16-character passwords for all the Internet sites or cloud services to which you need to authenticate. There are techniques for creating strong passwords and remembering them. That topic is not addressed here, but you will find some additional information on the website above.
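To make the four rules and the 128-bit comparison concrete, here is an added example (not code from the original post) that estimates a password's brute-force strength from its length and the character classes it uses, and checks the two rules that can be verified by a program (minimum length and use of the full alphabet; never writing it down and never reusing it are behaviour, not something code can test). The alphabet sizes and the guess rate of 1e10 guesses per second are assumptions made for the example; the entropy figure only holds for a password chosen at random, which is the caveat a dictionary word with a digit appended silently violates.

```python
import math
import string

# Character classes and the size each adds to the brute-force alphabet.
# string.punctuation holds 32 symbols, so all four classes together give
# 26 + 26 + 10 + 32 = 94 characters (roughly "everything on the keyboard").
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def char_classes(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must search, assuming they know which classes were used."""
    return sum(len(CLASSES[name]) for name in char_classes(password))


def entropy_bits(password: str) -> float:
    """Strength in bits = log2(alphabet ** length).

    Only meaningful for a password picked uniformly at random from that alphabet;
    a word from a dictionary is guessed in far fewer attempts than this suggests.
    """
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try the entire search space at an assumed guess rate.

    1e10 guesses/s is a constructed figure for an offline attack on a fast hash.
    """
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def check_rules(password: str, min_length: int = 16) -> list:
    """Return the list of rule violations that can be detected locally (empty = OK)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters ({len(password)})")
    missing = set(CLASSES) - char_classes(password)
    if missing:
        problems.append("does not use all character classes, missing: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    # Constructed sample passwords: a date of birth, an 11-character mixed one, a 20-character random one.
    for pw in ["19751204", "Tr0ub4dor&3", "kQ7!xB2#mZ9@pL4$wR6%"]:
        bits = entropy_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, ~{years_to_exhaust(bits):.3g} years to exhaust, "
              f"problems: {check_rules(pw) or 'none'}")
```

Running it shows why the page's rules are what they are: eight digits fall in well under a second at the assumed rate, while 20 characters over the 94-symbol alphabet land at about 131 bits, which is the "128-bit key" equivalence stated above.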
Now, if you have a super strong password and you are using an unencrypted connection, it's like yelling your credit card PIN at the ATM and then handing your card to the person behind you. I know, I'm exaggerating, but barely. There are lots of ways to capture passwords on an unencrypted line, within reach of any beginner hacker. If you can, use a security layer with multi-factor authentication.
Multi-factor authentication? What is that? Another expression created by IT professionals to complicate your life? Not quite. It “simply” means adding a layer of security to assure the system that you are you, using a means that only you possess: for example, a smart card, your mobile phone, or information that only you know (the place of birth of your paternal grandmother or the name of your first pet, for instance).
There are many ways to prove that the person seeking to be authenticated is you and not somebody trying to impersonate you. They fall into three authentication “factors”:
- Knowledge Factor. Your password, of course, or a series of questions to which, typically, only you know the answer. The system then asks you to answer one or more of them to make sure it is you. It can also call you on a predefined phone line to get the answers.
- Possession Factor. You have an object or piece of software that a would-be impersonator does not possess. For example, the service you are trying to authenticate to sends a code by text message to your mobile phone and asks you to enter it to complete authentication. You can also use an authenticator app such as Google Authenticator or Microsoft Authenticator, or a smart card.
- Inherent Factor. Here we refer to biometric characteristics: your face, your iris, your fingerprint.
Research in this area is booming, and new multi-factor authentication modes keep appearing, more automated and requiring less involvement from the user. Sensors such as infrared cameras or microphones, for example, make it possible to verify a user's identity without the user being directly involved. It seems evident that these methods will multiply for the sake of our security.
In a hybrid cloud, where users connect to your information systems over an Internet connection that is potentially not fully secured (a hotel, an airport; in fact, any public connection is intrinsically insecure), it is appropriate to set up at least one of the additional factors.
This multi-factor authentication (MFA) helps establish the identity of the user with greater certainty and prevents the theft of a password from turning into identity theft. All public and hybrid cloud providers offer a multi-factor authentication solution. There is no reason to procrastinate: it is mandatory for any authentication on a public or hybrid cloud.
What did you choose? Feel free to share your experiences in the comments below. Thank you!