James Hanback

You have secured your devices, your Internet accounts, and even the combination lock on your locker at the gym with the strongest and most secure combinations of characters you could think of. They are impossible to guess. They are impossible to crack by brute force. You're golden, right?
Wrong.
Password reset or password recovery is a weakness in any password-protected system. Most companies offer a way for users to reset or recover their passwords so they can continue using the company's services. The purpose of an organization's online presence should be to make it easy to access the information or services it offers, not to create obstacles that frustrate you or prevent you from getting those services. ("Hey, buddy! Do you want to buy ebooks? Ooooh, sorry. You must walk barefoot across all these hot coals, while simultaneously juggling three lit sticks of dynamite.
Password recovery techniques can be used maliciously, too. Others can turn a service's own simple recovery methods against you, using any number of tactics that never require guessing or cracking your password at all. Social engineering is one of them: for example, someone can call a customer service center pretending to be the victim. As the NSA could tell you, personal information is easy to find online. It is easy for someone to pass as you by correctly answering a password recovery security question like "What's your dog's name?", because you have probably already posted that personal information on Facebook or another social media outlet.
To counter such threats, companies like Google, Apple, and PayPal now offer, although they do not require, a form of security known as two-factor (or multifactor) authentication. Two-factor authentication is the simplest form of multifactor authentication: it combines two of the three most common authentication types. These are the authentication types:
Type 1, or the knowledge factor: something you know.
Type 2, or the ownership factor: something you have.
Type 3, or the inherence factor: something you are.
Most two-factor authentication today combines the ownership and knowledge factors. An online service, for example, can send a message to your mobile phone. You begin the authentication process by entering your username (or e-mail address) and correct password; that is something you know. The mobile device is the token, something you have. It receives a voice or text message with a unique verification code, usually a series of digits, that you must provide to the online service along with your password. Only you should be able to enter the correct verification code, because only you should have received it on your mobile device. Besides mobile devices, smart cards and security keys are also ownership factors. These small devices can either receive or calculate a valid authentication code.
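As an added illustration of the code-to-your-phone flow described above (example code written for this article, not from any of the services named), here is a minimal server-side check for the second step. It assumes the password has already been verified, and that a five-minute code lifetime and a three-guess limit are the service's own policy; the real protection comes from those limits, since a six-digit code is trivially guessable without them.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # length of the one-time verification code
CODE_TTL_SECONDS = 300   # assumed policy: a code is only valid for five minutes
MAX_ATTEMPTS = 3         # assumed policy: discard the code after three wrong guesses


class SecondFactor:
    """Issues and checks the one-time code a service sends to the user's phone
    (the ownership factor) after the password (knowledge factor) has passed."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can control the time
        self._pending = {}       # username -> [code, issued_at, wrong_attempts]

    def issue_code(self, username):
        """Generate a fresh random numeric code for this user. The code is
        returned once so the caller can deliver it to the registered device;
        any previously issued code for the user is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = [code, self._clock(), 0]
        return code

    def verify_code(self, username, submitted):
        """Return True only for an unexpired, unused code with guesses left.
        Every failure path other than a plain wrong guess discards the code,
        so the user must request a new one rather than keep trying."""
        entry = self._pending.get(username)
        if entry is None:
            return False                        # nothing issued, or already used
        code, issued_at, attempts = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[username]         # expired: force a fresh code
            return False
        if attempts >= MAX_ATTEMPTS:
            del self._pending[username]         # guess limit reached: lock it out
            return False
        entry[2] += 1                           # count this guess before comparing
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return False                        # constant-time compare, no leak of position
        del self._pending[username]             # single use: a code never verifies twice
        return True
```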
Inherence factor authentication is usually biometric. This includes the use of retinal scanners or fingerprint scanners to confirm that you are who you claim to be. Biometric technology isn't as common as smartphones or passwords, so we don't see two-factor authentication that combines the inherence factor with either the knowledge factor or the ownership factor every day. If you want to earn a security certification such as CompTIA Security+ or one from the Internet Security Cons, it is important that you are familiar with all three types of authentication.