Maybe it’s time to eliminate “something you know” as an authentication method

Something you know is the least secure method of authentication and the easiest to crack or compromise. It's time to stop relying on something you know for secure authentication.

Secure authentication is crucial to protect data and guard your identity from being stolen or hijacked. The vast majority of authentication used today is based simply on a username and password, which has proven time and time again to be inherently insecure. Perhaps it’s time to change our definition of authentication.

The All-in-One CISSP Exam Guide (a book I *highly* recommend if you’re studying for the CISSP exam) describes authentication like this: “Three general factors can be used for authentication: something a person knows, something a person has, and something a person is. They are also commonly called authentication by knowledge, authentication by ownership, and authentication by characteristic.”

Let’s use the front door of your home as an example scenario. Something you know can be a secret knock or secret password or possibly a PIN code used to unlock a door. Something you have would be a physical key required to unlock the door. Something you are would be a fingerprint or retinal scan or facial recognition. It doesn’t even have to be high-tech. It can be as simple as me knowing what my brother looks like and granting him access based on a cursory visual inspection of the person standing on my porch.

Now, let’s examine each of those a little closer. Something you are is difficult to replicate or steal. Your unique biometric characteristics are yours and yours alone. It is technically possible to clone a fingerprint or trick some facial recognition tools with a photo or mask, but even that is becoming less feasible. Microsoft recently revealed that Windows Hello can differentiate between two identical twins.

Something you have is easier to steal or copy, but in most cases it requires physical access to, or possession of, the authentication method. For example, someone can steal the key to your front door or make a copy of it, so it is possible for someone else to possess your authentication method, or for more than one copy of it to exist.

Then there’s something you know. Something you know is very easy to compromise or steal. Someone can eavesdrop on your secret knock or secret password. A password can be written down. It can be shared with others. It’s possible for five, fifty, or five thousand people to all know what your password is. It’s also possible to guess or crack something you know in most cases. It may take weeks, months, or years—but there is a finite number of possible things to know.

That is the problem.

There is only one you to be something you are. You only have one physical key, or USB device, or mobile device to be something you have—possibly a few in the case of a physical key. Something you know, however, can literally be something that everyone knows. There is no limit on how many people can know your special something. Something you know can be easily cracked or compromised. It is innately the least secure of the three authentication methods and it has been the direct cause of many—if not most—of the major security and data breaches in recent years.

We need more devices with fingerprint scanners and more PCs equipped with the Intel RealSense 3D camera that Windows Hello facial recognition requires, because it’s time to stop using passwords, PINs, or anything else in the “something you know” category as a means of authentication.

Stories by Tony Bradley
