How does digital authentication work? And how can you implement it securely in your organisation?
In times of digital transformation, new innovations follow each other at lightning speed. For years, we saw improvement upon improvement in computers and components, and everything had to be faster and newer. More recently, attention has shifted to which technical components can contribute to a better overall solution to increase digital resilience. And authentication plays a crucial role in this. This blog explains the concept of authentication and how you can implement it securely in your organisation.
1. What is authentication?
Authentication is the way a system determines who a user is and whether or not they’re authorised to log in to that part of the environment. For example, when you log into your company network with a username and password.
But, as we know, this isn’t without risks. Someone can easily gain access to your username and password by looking over your shoulder, by phishing or by using another means of data theft. And, in doing so, break your organisation’s authentication mechanism.
So, to increase security, you can combine several factors for authentication. For example:
- Something you know (e.g. username and password)
- Something you have (e.g. smart card, token or one-time password)
- Something you are (a biometric characteristic such as a fingerprint, iris scan or vein pattern)
2. How is digital authentication applied in organisations, particularly within the EU?
The difficulty arises when developing an authentication mechanism for your organisation that’s in line with your digital strategy. Over the years, many different authentication methods have come onto the market. And departments don’t always use the same methods because of differences in security levels. You’re also working with a variety of, potentially sensitive, data sets, so you want to add a degree of classification. All in all, it’s a complex balance between people, process, technology and environment (social, physical and digital).
In practice, a username and password are often complemented with something you have to ensure two-factor authentication. It’s less common to see ‘something you are’ characteristics being used for digital authentication. This is because using biometrics for digital authentication has been seen as complex and can be less reliable.
When using two-factor authentication, you can achieve different levels of security. This also applies for digital transactions within the EU. You can combine various methods to comply with the EU Electronic Identification and Trust Services (eIDAS) legislation and, in particular, the Levels of Assurance (LoA). These are:
- Minimum requirements (LoA1): weaker authentication using password/pin
- Low requirements (LoA2): secure authentication using token/one-time password (OTP)
- Substantial requirements (LoA 3): strong authentication using token/OTP plus password
- Substantial requirements (LoA 3+): strong authentication using a secure device and a certified token with a secure element and integrated pin input
- High requirements (LoA 4): strong authentication using a secure device that is tamper proof — the token is issued according to public key infrastructure eID standards with a secure element and a secure chain of actors and user identification.
3. What does the new FIDO2 authentication method add to the current situation?
FIDO2 is an international standard for authentication without passwords. And this is what makes it both interesting and valuable. How often do we see passwords lost or leaked and offered in bulk on the dark web? With FIDO2 tokens, that’s a thing of the past. Authentications that use a token and the push of a button are a welcome change.
Thanks to the WebAuthn standard, there are many FIDO2 integrations with well-known browsers, such as Windows 10 and Android platforms. And also, with Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari web browsers. These FIDO2 tokens have a LoA3+ or LoA4 rating, according to the latest eIDas regulations.
“Ultimately, the strength of a password has only a limited impact on security. Most passwords are stolen through phishing attacks, and every password is defenceless against it. Two-factor authentication offers more protection against phishing attacks, and if you use the WebAuthn standard, phishing is virtually impossible at this point.” — Dutch National Cyber Security Center (NCSC).
4. How can I improve my organisation’s digital authentication?
We’re now in a situation where it’s possible to authenticate very securely without passwords. You can do this via PKI or via WebAuthn and FIDO2. It gives you the potential to further expand your organisation’s digital strategy, realise a high level of security and provide an even easier authentication experience.
To implement this properly, you need to be well aware of your organisation’s IT landscape and look at your authentication mechanism from a risk management perspective. Are you using the right factors for the right IT systems? Where do you need highly reliable resources? Where can you use FIDO2 for less sensitive data? And where are PKI-based solutions necessary?
There’s no one size fits all approach — your digital strategy must adopt the right authentication mechanisms for your specific IT system, data sets and requirements. And this may mean using different types of authentications in different situations.
So how will you ensure secure digital authentication going forward in your organisation? Rather than simply adding new solutions to existing ones, which can add unnecessary complexity, we recommend taking a step back and reviewing the situation and authentication methods you have in place. Then you can set a clear vision for your organisation’s digital authentication in the future and devise a streamlined strategy to achieve it.
Jordan van den Akker, Business Security Consultant at AET Europe
