Digital Identity Blog

Using “What You Have” to Prove Your Identity

June 28, 2021
Andrew Gowasack

At its core, cybersecurity is a never-ending game of cat and mouse between cybersecurity professionals and cybercriminals. Information security professionals are constantly implementing new ways to ensure only the authorized party (you) can access sensitive data or accounts. Multi-factor authentication is one such significant advancement in locking criminals out of places they shouldn't be. However, no authentication process is fail-proof, and just as quickly as a new method is rolled out, hackers get to work on trying to exploit it. With this in mind, let's look at using "what you have" to prove your identity. Authenticating yourself using something you have can take many different forms.

In the physical world, this could be a card with a magnetic strip like a credit card or a document with an RFID chip, like the one in passports. One-time passwords (OTPs) are the most common example in the digital world.

The possibilities for “what you have” each have their own pros and cons

  • One-time passwords

    A one-time password (OTP), also known as a dynamic password or one-time PIN, is an automatically generated password that is only valid for one log-in session. An OTP is typically sent via SMS to the user's mobile phone. They generally are a minimum of six digits but can be longer.

    OTPs are usually used as a second layer of authentication after submitting your username and password on a website. This second layer of security reduces the risk that a criminal can access your account even if your credentials are compromised (your username and password were exposed in a data breach). Websites that use OTPs include ecommerce sites, social media sites, and even banks. However, there have been calls for the banking sector to move away from OTPs and towards other multi-factor authentication methods.

    There are several benefits of OTPs, particularly when compared with traditional passwords. Firstly, OTPs aren't vulnerable to replay attacks - where a hacker covertly intercepts data traveling over the network and takes note of your username and password to use later on. As the name suggests, OTPs can only be used once, so if a hacker discovers your password as you submit it, it instantly becomes redundant. Additionally, OTPs typically have time constraints on their use (the password will no longer be valid after 10 minutes, for example). This means that if a cybercriminal intercepts your password before you use it, they have to act fast.

    Secondly, OTPs are prohibitively difficult to guess due to their randomness, essentially eliminating any possibility that a hacker can brute force their way into your account. If you've ever asked someone to pick a number between one and 100, you'll know how unlikely it is that they land on the same number as you. Now imagine this on a much bigger scale (a string of several numbers). The random nature of OTPs makes them much more robust than traditional passwords, where users often incorporate whole words or names that have sentimental value.

    However, OTPs aren't without their drawbacks. The most common and increasingly controversial example of one-time passwords is a one-time password sent via SMS. OTP SMS-based verification suffers because phones can be cloned, hackers can reroute text messages, and social engineering schemes like SIM Swapping are increasingly common techniques used by criminals. Once a cell phone is compromised, it's no longer something only the genuine user has. In fact, the National Institute of Standards and Technology (NIST) recently downgraded SMS-based OTPs, now considering them a weak form of two-factor authentication (2FA) .

  • Magnetic Strips and RFID chips

    Magnetic stripe cards have long been used for access control everywhere from hotels, office buildings, apartments, credit cards, and public transport. These cards are typically encoded with a magnetic field that interacts with a receiver.

    However, magnetic stripe cards suffered from several drawbacks, including the fact that they aren't exceptionally durable and can be easily cloned. This paved the way for the similar but improved technology, cards with RFID chips. Instead of a magnetic field, RFID cards work by having a unique identifier embedded into the plastic card and an RFID reader that constantly emits a short-range radiofrequency. To gain access, the user taps the reader with the card or connects to the reader via a USB or embedded receiver in the case of computer access.

    The main benefits of magnetic stripe and RFID based-access are ease of use, fine-controlled access, and low cost. Since users typically just tap a receiver, there are no tech-literacy issues involved with this type of authentication compared with OTPs or electronic tokens. It's also possible to program the receiver to time-based entry, further restricting access. Lastly, these cards are cheap to make and can last a long time with proper care.

    However, there are some serious security concerns with magnetic strips and RFID chips. Particularly in the case of magnetic strips, although often with RFID too, the information held on the card is not encrypted. This makes it possible for criminals to skim magnetic stripe cards and create clones. The lack of encryption also makes them vulnerable to replay attacks. Lastly, since you must carry these cards, they are at risk of being lost or stolen.

  • Electronic tokens

    Like a physical key designed for a physical lock, token-based authentication generates an electronic token for access control in our digital world. For this purpose, the token needs to be transmitted via various interfaces such as USB, near-field communication (NFC), radio-frequency identification (RFID), or Bluetooth. Therefore, a token can be intercepted, stolen, copied, and then subsequently replayed. Moreover, if a token is stored in a smart card, the attacker can easily clone the smart card. If a token is printed on a QR code, the code can be easily photocopied and reprinted.

The verdict on “what you have” for authentication

In the case of passwords, it is difficult to balance security and convenience. Instead of protecting user accounts, authentication requirements can become a barrier to accessing services. Companies are increasingly implementing multi-factor authentication processes as the norm to add another layer of security and assurance to identity authentication. We see this happening with widespread adoption of biometric identity verification solutions in the financial services and healthcare industries for example, where privacy, security, and data protection are critical for regulatory compliance and user satisfaction.