Why Authentication Matters Most

Most websites and remote access tools use encryption as a way to imply security. The more encryption - measured in bits (i.e. 256-bit is better than 128-bit) - the better. Statements like "128-bit encryption, as strong as online banking" are common across the industry. While encryption is important, and such statements are true, they are also misleading.
Encryption strength only tells part of the story - the less important part, in my opinion. That's because no matter how strong your encryption is, your overall security is only as strong as the authentication used to begin the user's session.
Think about it this way: thick walls, barred windows, and barbed wire fences don't keep prisoners in jail if they can just walk out the front door without someone checking their ID. Similarly, you can have the best encryption, firewalls, and network intrusion detection tools in the world, but if your systems don't properly validate users, those measures won't keep attackers out. Poor authentication is the weak link in the chain, the wide-open door in an otherwise impenetrable fortress.
The problem is that if someone can defeat your authentication, the rest of the defensive systems don't know they're the bad guy. In fact, the rest of the systems - firewalls, etc. - think they're actually one of the good guys. Once through the door and inside the walls, the attacker can act as if he or she were a real employee, and your perimeter defenses are rendered useless.
So, what can you do about it?
The answer is simple: implement 2-factor authentication (or 3-factor or more). 2-factor authentication - or multi-factor authentication in the general case - is achieved when a user's identity must be validated by two distinct types ("factors") of authentication. Typically, this means combining something you know, something you have, and (optionally) something you are.
The best real-world example is an ATM. The machine requires you to present both your ATM card (something only you should have) and a PIN (something only you should know). If one is presented without the other, no money is dispensed. So, a stolen card or a stolen PIN is useless on its own. A retina or fingerprint scan may be added for additional security.
In the case of computer logon, the elements are typically a password (something you know), a USB authentication device (something you have), and an optional fingerprint or retina scan (something you are).
A good multi-factor authentication system thwarts most common break-in attempts, which are based on attacking passwords. Even if your password is lost, stolen, purchased, phished, or otherwise obtained by someone with bad intentions, they won't have your USB device or your finger (hopefully!), so the password does them no good. And passwords are compromised all the time. I've personally run across dozens of documents and pages on the web with passwords for the world to see, and those with more nefarious goals have access to thousands more. With passwords getting weaker and less reliable all the time, it is more important than ever to implement multi-factor authentication.
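As an added example (not from the original post), here is a small Python login check that enforces both factors described above: "something you know" is a salted, slow password hash, and "something you have" is modelled as a time-based one-time code produced by a device holding a per-user secret (TOTP, RFC 6238). The post talks about USB tokens rather than TOTP, so the device type, the user record, the salt and the secrets are all my assumptions, constructed for the demo. The point it shows is the one the post makes: a stolen password alone, or a stolen code alone, gets the attacker nowhere.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values (not real credentials). In practice generate the salt
# with os.urandom(16) per user and provision the device secret over a trusted channel.
SALT = b"constructed-salt-0123456"
DEVICE_SECRET = b"constructed-device-secret"
TIME_STEP = 30  # seconds per TOTP window


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Something you know: salted PBKDF2 so a leaked user database is slow to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def totp(secret: bytes, timestamp: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """Something you have: RFC 6238 TOTP, i.e. HOTP (HMAC-SHA1) over the time counter."""
    counter = struct.pack(">Q", timestamp // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user store: one user, her password hash plus the secret shared with her device.
USERS = {
    "alice": {
        "salt": SALT,
        "pw_hash": hash_password("correct horse battery", SALT),
        "totp_secret": DEVICE_SECRET,
    }
}


def authenticate(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Accept the login only when BOTH factors verify; fail closed for unknown users."""
    now = int(time.time()) if now is None else now
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, SALT)
        return False
    knows = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    # Accept the previous, current and next window to tolerate a little clock drift
    # between the server and the user's device.
    has = any(
        hmac.compare_digest(totp(record["totp_secret"], now + d * TIME_STEP).encode(), code.encode())
        for d in (-1, 0, 1)
    )
    return knows and has


if __name__ == "__main__":
    t = int(time.time())
    device_code = totp(DEVICE_SECRET, t)  # what the user's device would display right now
    print("password + device code :", authenticate("alice", "correct horse battery", device_code, t))
    print("stolen password alone  :", authenticate("alice", "correct horse battery", "000000", t))
    print("device code alone      :", authenticate("alice", "guessed password", device_code, t))
```

Both comparisons use `hmac.compare_digest` so that a wrong guess does not leak, through timing, how many characters matched, and the password check still runs for unknown usernames for the same reason. The one-window drift allowance is a deliberate trade: the wider the window, the longer a code captured by a phisher stays usable.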
In the case of remote access, more so than almost any other application, it is absolutely critical to use multi-factor authentication, because compromised remote access systems open your entire network to attackers.
Labels: 2-factor authentication, security, telecommute, telework
