What is Strong Authentication? | One Identity (2024)

Strong authentication is a mechanism to verify user identities that is robust enough to endure targeted attacks and prevent unauthorized access. Now keep in mind, that ‘strong’ is a relative term, and depending on who you ask, you may get wildly varying definitions of strong authentication.

Some may regard a typical login screen with multi-factor authentication (MFA) as strong authentication. Others may achieve it through biometric verification and adaptive MFA. Still others may use a hardware token and RSA-encrypted user passwords to bolster their authentication process.

How one perceives, defines or implements strong authentication depends on their security awareness, risk profile and regulatory requirements.

As we indicated above, strong authentication is an abstract term. Its implementations may differ from organization to organization, but its essence and purpose remains the same. Strong authentication makes it more difficult for malicious actors to access your internal systems. The objective though, is to keep the sign-on process convenient and quick for genuine users, while protecting their credentials and the organization’s infrastructure.

The universal way to strengthen authentication is by making it a multi-step process. Strong authentication uses more than just user credentials for login. Secondary authentication steps may include MFA code, one-time password (OTP) sent via text message, RSA SecurID, smart card or biometrics.

Strong authentication is often complemented by granular, role-based authorization. Authorization ensures that users get access only to services and systems for which they need to do their job tasks.

Authentication plays a crucial role in protecting the sensitive resources ofan organization. If it’s not strong enough, malicious actors may succeedin gaining unauthorized access to your systems.Let’s look at a few ways that weak authentication can make yourorganization susceptible to compromise:

• Adversaries execute brute-force or dictionary attacks on your login page.In such an attack, a threat actor uses trial-and-error techniques to guessuser credentials. If your authentication process only uses passwords andcan’t detect brute-force login attempts, the attack is likely tosucceed.
• Password-based authentication processes are highly susceptible to socialengineering attacks. To breach your system, a threat actor can do this in anumber of ways, such as phishing, spoofing or spamming. Typically, thisinvolves sending an email to a distribution list of unsuspecting recipientsasking them to click a link and convincing them to login to a bogus resourcewith their password – and the threat actor now has their password andaccess to your systems.
• You are either storing your passwords as plain text, or using a weakencryption algorithm. If an attacker manages to access your credentialdatabase, they can use the passwords to potentially take over the wholesystem.

Using strong authentication techniques protects your organization from suchsituations, and enhances cybersecurity. In other words, if you use OneLoginMFA, or the OneLogin Protect app, attackers would need much more than anexposed password to launch an attack.

Here are a few best practices that can strengthen an authentication process:

1. Adapt or transition to passwordless authentication. However, if you mustuse passwords:
1. Define strict policies for setting and resetting of passwords.
2. Use cryptographically secure encryption and hashing algorithms to protectyour passwords, both at rest and in transit.
3. Don’t use default passwords for any application.
2. Deploy an access management system to enforce authentication andauthorization policies, for all your environments, from a central place.
3. Use modern multi-step authentication techniques, like adaptive MFA,biometric authentication, or token-based authentication to strengthen yourlogin.
4. Secure your account-recovery process. For example, you can require asecondary authentication factor as part of your account recovery process.
5. Implement mutual authentication – verify the identity of both theclient and the server. This ensures that authorized users only interact withlegitimate systems.
6. Use rate limiting techniques to prevent attackers from running brute-forceattacks on your system. With this in your cybersecurity and authenticationstrategy, you can blacklist a source IP or user account after X number offailed attempts.

The terms “strong authentication” and “multi-factor authentication” are often used interchangeably. However, not all multi-factor authentication approaches can be deemed strong. The strength of MFA is dependent on the robustness of the authentication factors.

For example, if you are using a weak secondary authentication factor (e.g., codes via text messages, emails), then your MFA strategy can’t be considered strong. Conversely, if you are using stronger factors (e.g. hardware tokens or facial recognition) for secondary or tertiary authentication, then your MFAcan be regarded as strong.

There are different techniques to achieve strong authentication. Here are afew:

1. Physical security key

A physical authentication key is one of the strongest ways to implementmultifactor authentication. A private key, stored on a physical device, isused to authenticate a user, such as a USB device that a user plugs into theircomputer while logging in. This device serves as the secondary authenticationfactor for the user.

2. Biometrics

Biometrics are another tool to implement strong authentication. Biometricauthentication verifies a user by checking their biological or behavioralcharacteristics, such as using facial recognition, vein scanning, retinascanning – or behavioral data, like keyboard cadence, screen usage,mouse movement etc.

3. Push notifications on authentication apps

Push notifications can be used as a secondary authentication factor. Afterthe user enters the correct credentials, they receive a push notification on aspecialized application installed on their smartphone. This notificationallows the user to approve or deny the login request.

4. One-time passcodes

One-time passcodes, generated by authenticator applications, like theOneLogin Protect, can also be used to strengthen authentication. In thisapproach, the user enters auto-generated codes from these applications tocomplete the sign-in process.

Learn More