What is strong authentication in cybersecurity?

Strong authentication is a mechanism to verify user identities that is robust enough to endure targeted attacks and prevent unauthorized access. Now keep in mind, that ‘strong’ is a relative term, and depending on who you ask, you may get wildly varying definitions of strong authentication.

Some may regard a typical login screen with multi-factor authentication (MFA) as strong authentication. Others may achieve it through biometric verification and adaptive MFA. Still others may use a hardware token and RSA-encrypted user passwords to bolster their authentication process.

How one perceives, defines or implements strong authentication depends on their security awareness, risk profile and regulatory requirements.

As we indicated above, strong authentication is an abstract term. Its implementations may differ from organization to organization, but its essence and purpose remains the same. Strong authentication makes it more difficult for malicious actors to access your internal systems. The objective though, is to keep the sign-on process convenient and quick for genuine users, while protecting their credentials and the organization’s infrastructure.

The universal way to strengthen authentication is by making it a multi-step process. Strong authentication uses more than just user credentials for login. Secondary authentication steps may include MFA code, one-time password (OTP) sent via text message, RSA SecurID, smart card or biometrics.

Strong authentication is often complemented by granular, role-based authorization. Authorization ensures that users get access only to services and systems for which they need to do their job tasks.

Authentication plays a crucial role in protecting the sensitive resources of an organization. If it’s not strong enough, malicious actors may succeed in gaining unauthorized access to your systems. Let’s look at a few ways that weak authentication can make your organization susceptible to compromise:

• Adversaries execute brute-force or dictionary attacks on your login page. In such an attack, a threat actor uses trial-and-error techniques to guess user credentials. If your authentication process only uses passwords and can’t detect brute-force login attempts, the attack is likely to succeed.
• Password-based authentication processes are highly susceptible to social engineering attacks. To breach your system, a threat actor can do this in a number of ways, such as phishing, spoofing or spamming. Typically, this involves sending an email to a distribution list of unsuspecting recipients asking them to click a link and convincing them to login to a bogus resource with their password – and the threat actor now has their password and access to your systems.
• You are either storing your passwords as plain text, or using a weak encryption algorithm. If an attacker manages to access your credential database, they can use the passwords to potentially take over the whole system.

Using strong authentication techniques protects your organization from such situations, and enhances cybersecurity. In other words, if you use OneLogin MFA, or the OneLogin Protect app, attackers would need much more than an exposed password to launch an attack.

Here are a few best practices that can strengthen an authentication process:

1. Adapt or transition to passwordless authentication. However, if you must use passwords:
1. Define strict policies for setting and resetting of passwords.
2. Use cryptographically secure encryption and hashing algorithms to protect your passwords, both at rest and in transit.
3. Don’t use default passwords for any application.
2. Deploy an access management system to enforce authentication and authorization policies, for all your environments, from a central place.
3. Use modern multi-step authentication techniques, like adaptive MFA, biometric authentication, or token-based authentication to strengthen your login.
4. Secure your account-recovery process. For example, you can require a secondary authentication factor as part of your account recovery process.
5. Implement mutual authentication – verify the identity of both the client and the server. This ensures that authorized users only interact with legitimate systems.
6. Use rate limiting techniques to prevent attackers from running brute-force attacks on your system. With this in your cybersecurity and authentication strategy, you can blacklist a source IP or user account after X number of failed attempts.

The terms “strong authentication” and “multi-factor authentication” are often used interchangeably. However, not all multi-factor authentication approaches can be deemed strong. The strength of MFA is dependent on the robustness of the authentication factors.

For example, if you are using a weak secondary authentication factor (e.g., codes via text messages, emails), then your MFA strategy can’t be considered strong. Conversely, if you are using stronger factors (e.g. hardware tokens or facial recognition) for secondary or tertiary authentication, then your MFA can be regarded as strong.

There are different techniques to achieve strong authentication. Here are a few:

1. Physical security key

A physical authentication key is one of the strongest ways to implement multifactor authentication. A private key, stored on a physical device, is used to authenticate a user, such as a USB device that a user plugs into their computer while logging in. This device serves as the secondary authentication factor for the user.

2. Biometrics

Biometrics are another tool to implement strong authentication. Biometric authentication verifies a user by checking their biological or behavioral characteristics, such as using facial recognition, vein scanning, retina scanning – or behavioral data, like keyboard cadence, screen usage, mouse movement etc.

3. Push notifications on authentication apps

Push notifications can be used as a secondary authentication factor. After the user enters the correct credentials, they receive a push notification on a specialized application installed on their smartphone. This notification allows the user to approve or deny the login request.

4. One-time passcodes

One-time passcodes, generated by authenticator applications, like the OneLogin Protect, can also be used to strengthen authentication. In this approach, the user enters auto-generated codes from these applications to complete the sign-in process.