Ways of authentication and authorization – can you defend yourself against hackers?

Passwords, codes, fingerprints – in the era of digitization our identity is confirmed in various ways. The goal is to protect as well as possible the data that cybercriminals are after. How has the prevention of cyber intrusion evolved?

There are many examples of cyber attacks and scams based on the interception of data. It is enough to mention the recent attempt to obtain the access credentials to MPs' mailboxes, or the increasingly frequent phishing, i.e. impersonating service providers and, for example, sending a "spam" request for payment of a supposedly overdue amount. Hackers do not sit idle, and all we can do is take care of security. One thing is certain: a password alone is not enough to protect access to our data.

Access protection

When we talk about securing valuable information, we distinguish three key concepts that are often confused: identification, authentication and authorization. Identification is the indication of an identity, e.g. providing a login or user name; authentication is the confirmation of that identity; authorization is the granting of access rights to data.

We go through this process many times in our daily life: using a smartphone, logging into various systems or performing payment transactions. In this way we protect access to data and money, and we also secure changes to a password or account configuration. Methods of additional authentication have undergone considerable evolution – nowadays it is hard to imagine that, when making transfers, we used e.g. scratch cards (which could easily fall into the wrong hands). The first step towards the current state of affairs were GSM tokens, i.e. applications on the phone that generate codes, soon followed by codes sent by SMS.

Secure SMS

Authentication by means of codes sent via SMS gained enormous popularity and today is a permanent element of, for example, online banking. SMS codes are valued above all for their simplicity and universal availability. If we take care of the security of our phone, interception of the data occurs very rarely. Of course, you should always read the message carefully before accepting a payment transaction or clicking on a link.

Interception of the SIM card, which identifies and secures the phone's connection to the network, is also a potential threat. The SIM tells the mobile operator: "Hi, here I am! Forward calls and text messages addressed to a specific number to this phone!" At the same time it ensures that even if someone eavesdropping on the mobile network intercepts a message or a call addressed to that number, they will not be able to decrypt it.

It is a fundamental component of the operator-subscriber relationship and rightly needs special protection. It is very rare for someone to impersonate a person they are not in order to obtain a duplicate of an existing SIM card, or a completely new SIM card, registered to someone else. The scale of preparation for such a procedure and the effort put into getting to know the specific victim is considerable, the risk of detection is also high, and the targets of such fraud are mostly people with high decision-making power. Activities of this type are therefore very sporadic.

Apart from payment transactions, SMS codes are widely used in many other areas where identity confirmation is required. They are used to verify access to accounts (e.g. Google) and applications (e.g. Booking, Tinder), to change passwords, to activate services or to sign documents electronically. An alternative method of authentication, developed increasingly often in electronic banking, are special mobile applications whose access is secured by a PIN or fingerprint.

Authentication and authorization methods

Authentication took on a new meaning when the EU PSD2 Directive, which regulates the provision of digital payment services, took effect in September 2019. An important element of this directive is the regulation concerning so-called strong authentication. It obliges banks to make wider use of two-factor authentication (2FA), i.e. authentication consisting of two parts. According to the regulations, these elements fall into three categories: knowledge (what I know, e.g. a password), possession (what I have, e.g. an SMS code) and customer characteristic (who I am, e.g. a fingerprint). To complete an electronic transaction, a customer must use two of these to verify their identity. Importantly, the compromise of one of these measures does not undermine the credibility of the others.

Although there are no such rules for other electronic services, such as e-mail, it is definitely worth applying this principle there too. It will significantly reduce the risk of cyber intrusion. For logging into an account, as in banking, one of the most popular methods is SMS codes.

Another option is code-generating applications, e.g. Google Authenticator and Microsoft Authenticator. Yet another way to avoid risks such as phone number takeover is a special U2F key – a physical device plugged into the computer's USB port (some models can also connect to a smartphone). After the recent scandal involving an attack on their accounts, it was decided to equip parliamentarians with such devices.

An interesting area is biometrics. The fingerprint is now widely used. Apple is developing Face ID, i.e. face mapping, in its phones, and Samsung iris scanning. In addition to physical characteristics, our behaviour is also a unique characteristic, and behavioural biometrics takes advantage of this. The speed of typing, the way you scroll through pages or hold your phone are analysed by motion sensors and artificial intelligence. A system monitoring smartphone activity can thus quickly identify behaviour that deviates from 'our' pattern and block access.

The race against hackers is on, and there are more and more authentication methods. Experts present various analyses of their level of security, but one thing is certain – to fulfil their task best, several must be used at the same time. So the next step after two-factor authentication is MFA (Multifactor Authentication), which involves the use of more than two methods. In addition to the three criteria mentioned earlier, there is also a fourth one concerning the user's location (GPS is helpful here). This gives the cyber burglar more obstacles to overcome, making his task much more difficult. According to Microsoft, using MFA can prevent nearly 100 percent of potential attempts to obtain the password.
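The rule behind both the PSD2 strong-authentication section and the MFA paragraph above is that the factors must come from different categories, because two factors of the same kind (two things you know, or two codes sent to the same phone) fail together. The following is an added example, not code from the article or from any regulation text; it encodes that rule as a policy check. The category names, the `Factor`/`Decision` types and the thresholds (two PSD2 categories for 2FA, three categories including location for the MFA case) are this example's own assumptions for illustration.

```python
"""Checking that presented authentication factors are independent.

Added example, not code from the article: implements the 'two different
categories' rule for strong authentication and its MFA extension.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "what I know"
    POSSESSION = "what I have"
    INHERENCE = "who I am"
    LOCATION = "where I am"


# The three categories counted under PSD2; location is the "fourth" the
# article mentions for MFA.
PSD2_CATEGORIES = frozenset({Category.KNOWLEDGE, Category.POSSESSION, Category.INHERENCE})
MFA_CATEGORIES = PSD2_CATEGORIES | {Category.LOCATION}


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    verified: bool  # outcome of the individual check (password correct, code matched, ...)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    categories: frozenset
    reason: str


def evaluate(factors, required_categories, allowed_categories) -> Decision:
    """Allow only if every presented factor verified and at least
    `required_categories` *distinct* allowed categories are covered.
    Two factors from one category count once, since they fail together."""
    if any(not f.verified for f in factors):
        failed = [f.name for f in factors if not f.verified]
        return Decision(False, frozenset(), "factor failed verification: " + ", ".join(failed))
    covered = frozenset(f.category for f in factors if f.category in allowed_categories)
    if len(covered) < required_categories:
        return Decision(False, covered,
                        f"only {len(covered)} distinct categories covered, "
                        f"{required_categories} required")
    return Decision(True, covered, "ok")


def meets_sca(factors) -> bool:
    """PSD2-style strong authentication: two of knowledge/possession/inherence."""
    return evaluate(factors, 2, PSD2_CATEGORIES).allowed


def meets_mfa(factors) -> bool:
    """The article's MFA step: more than two categories, location admitted."""
    return evaluate(factors, 3, MFA_CATEGORIES).allowed


if __name__ == "__main__":
    # Constructed sample factors.
    password = Factor("password", Category.KNOWLEDGE, True)
    question = Factor("security question", Category.KNOWLEDGE, True)
    sms = Factor("sms code", Category.POSSESSION, True)
    location = Factor("gps location", Category.LOCATION, True)
    print("password + sms:", meets_sca([password, sms]))
    print("password + security question:", evaluate([password, question], 2, PSD2_CATEGORIES).reason)
    print("password + sms + location as MFA:", meets_mfa([password, sms, location]))
```

The check deliberately reports the number of distinct categories rather than the number of factors, so a login flow that asks for a password and then a security question cannot be mistaken for two-factor authentication.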
