Multi-Step Authentication and Why You Should Use It
Authentication is one of the essential components of security. It is one part of the concept known as authentication, authorization, and accounting (AAA). Authentication is the process of claiming an identity the proving that you are that claimed identity. Authorization is the mechanism to control what you can access or do. Accounting is the recording of events into a log to review the activities against the rules and policies in order to detect violations or confirm compliance. All three of these should be addressed when constructing a system in order to have a reasonable foundation for reliable security.
As users of online sites and services, we have no control over the security policies and technologies implemented on those sites and services. At best, we may be offered a few authentication options. If any authentication mechanisms are available in addition to a standard password, you need to take full advantage of those benefits.
When a site or service offers authentication options, those options are usually one of the following:
OAuth single sign-on
Certificate authentication is the process of verifying identity, which involves the use of a digital certificate. A digital certificate is produced by a certificate authority (CA) using asymmetric public key cryptography. The digital certificate itself is the subject's public key signed (i.e., encrypted) the CA's private key. A digital certificate is a form of trusted third-party authentication. Its most common use is by servers (i.e., web sites) on the Internet. A web site with a digital certificate is the first party. The second party is the visiting end-user. The third party is the CA that issued the certificate to the web site. If the end-user already knows and trusts in the CA, then the enduser can trust in the identity of the web site by validating the digital certificate.
Unfortunately, most end-users do not have a digital certificate. And, even if users obtained a digital certificate from a public and respected certificate authority, most online sites and services are not configured to accept client-side certificates. When it becomes common or standard for servers to accept client-side certificates, this will be the most secure authentication option. Until then, you will likely have to use one of the other options (assuming one of them is offered/supported by a particular site).
OAuth Single Sign-On
OAuth is a type of single sign-on solution that is gaining popularity online. Single sign-on is the concept of authentication when a single logon event can be used to allow access into a collection of systems. This is different than traditional authentication where each system would require its own unique and local authentication. Single sign-on has been a standard element in company networks for decades. There have been many attempts to duplicate this concept on the Internet, but only now with the adoption of OAuth is that actually becoming a reality.
OAuth is a way to share or borrow the authentication from one site to grant access to another site. Let's call the first site a primary site. The primary site must support OAuth and allow its authentication to be shared by other secondary sites. Secondary sites must also support OAuth and then select which primary site's authentications they will accept. The way OAuth works is:
1. You visit a secondary site and click on an offering to use a primary site's authentication to access the secondary site.
2. This takes you to the primary site. If you do not have a current active session with the primary site, you are prompted to authenticate to the primary site.
3. With an active session to the primary site, you are prompted to confirm or accept the secondary site's request to link to your account on the primary site.
4. Clicking to confirm this returns you to the secondary site where you now have access to that site.
Once OAuth has been confirmed on a secondary site, all future visits to that site will automatically log you in as long as you have a current active session with the primary site. The three most common or popular sites used as primaries are Facebook, Twitter, and Google, but there are dozens of other potential primary sites as well, including Amazon, Dropbox, Evernote, Flickr, LinkedIn, Microsoft, Netflix, PayPal, Tumblr, and Yahoo. Plus, there are numerous sites supporting OAuth to function as secondary sites.
OAuth is a huge convenience for users as it reduces the number of unique logon credential sets that you must keep track of. However, this is not necessarily a good security option. If the primary site's authentication is a basic password only, then when your account is compromised on the primary site, the intruder automatically gains access to all the linked secondary sites as well.
By the way, the primary site will maintain a list of secondary sites that have been linked. This list is for your convenience when you want to disconnect an OAuth link, but an intruder can use it to follow your links to those secondary sites.
ONLY use OAuth to link sites back to a primary site if you have configured multi-factor or multi-step authentication on the primary site. Otherwise, you would be better served setting a long and complicated password for each site and putting up with the hassle of managing multiple difficult credential sets (see my whitepaper Ten Steps to Better, Stronger Passwords for guidance on this).