Strong authentication (generally based on a single factor) is authentication based on a cryptographic mechanism whose parameters and security are considered to be robust (the secret element is generally a cryptographic key).
Authentication protocols that can be considered strong are often based on challenge-response protocols.
The message sent by the prover to authenticate himself depends on both a secret key and a variable challenge sent by the verifier.
When a prover wishes to prove his identity to a verifier, the latter sends him a challenge (a random value for example) and the prover must send him a response calculated from this specific challenge (a signature of this challenge for example).
In order to be considered as strong, authentication must be based on a cryptographic protocol which is able to resist certain attacks such as :
- eavesdropping, in which an attacker passively eavesdrops on the communication channel between the prover and the verifier;
- replay attacks, which consist of an attacker recovering authentication information (such as a password or its fingerprint) and using this information to replay it in order to usurp the target's identity;
- man-in-the-middle attacks, in which an attacker intercepts and modifies communications between the prover and the verifier during authentication without being detected;
- non-forgeability: if an attacker observes several authentication exchanges with a prover, he must not be able to usurp the prover's identity in a new authentication exchange.
Examples of strong authentication based on a possession factor include :
- certificate-based authentication (stored on smart cards, for example) ;
- the FIDO2 and FIDO U2F protocols ;
- OTP** (One-Time Password) protocols such as HOTP (HMAC-based OTP ), TOTP (Time- based OTP ) or OCRA (OATH Challenge-Response Algorithm ).
In each of these cases, the prover proves his identity to the verifier by indirectly demonstrating possession of a cryptographic key which must remain secret.
Examples of strong authentication based on a knowledge factor include :
- the Kerberos protocol  ;
- PAKE (Password-Authenticated Key Agreement) protocols such as SPAKE2  or OPAQUE .
Dastra helps you comply with the GDPR, request a demo to find out more.