School of Information Systems

Authentication

❖ Definition of authentication Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing’s identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.

❖ Type of authentication

• Knowledge

Something you know, such as a password, passphrase, or personal identification number (PIN). The most common form of type one authentication is a password. Password is simply a code or random string that we memorize. Pass phrases are longer strings, and are typically converted to a virtual password before sending to the authentication server for validation. There is also something called cognitive passwords, which are actually multiple questions given to the user that only that users should know the answers to. Next, we have composition passwords, which are created automatically by a system. Also, there are one-time passwords, which are intended to be used only one time. Passwords should be strong enough to prevent easy guessing and easy cracking, but on the other hand, easy to remember so users won’t write them down.

• Ownership

Something you have, such as a smart card, key, badge, or token. There are many types of tokens. We have a static password token, which owner possesses and he authenticates to the token. This is done by typing in a short PIN, password or a by a biometric scan on a token itself. The token

then authenticates information given to it by an owner, and then gives him a long password. This long and hard to remember password is what is used to log in to the security system. A static password token is the least secure token, and is the only form of token that is not considered to be a digital form of a one time password. The two other types of tokens are much more secure. We have a synchronous dynamic token, which generates unique password at fixed time intervals. We have a limited time in which we can use generated password. • Characteristics

Some attribute that is unique to you. Since the characteristics involved are often physical, this type of authentication is sometimes defined as something you are. Biometric authentication methods include retina, iris, fingerprint and finger vein scans, facial and voice recognition, and hand or even earlobe geometry. The latest phones are adding hardware support for biometrics, such as TouchID on the iPhone. Biometric factors may demand an explicit operation by the user (e.g., scanning a fingerprint), or they may be implicit (e.g., analyzing the user’s voice as they interact with the help desk).

• Location

Increasingly, a fourth factor is coming into play involving the physical location of the user. While hard wired to the corporate network, a user could be allowed to login utilizing only a pin code while off the network entering a code from a soft token as well could be required. This could be seen as an acceptable standard where access into the office is controlled.

Systems for network admission control work in similar ways where your level of network access can be contingent on the specific network your device is connected to, such as wifi vs wired connectivity. This also allows a user to move between offices and dynamically receive the same level of network access in each.

• Action

Something you do or how you do it, such as the way you type on a keyboard, hacker usually see search history, website that has been opened or other history on the devices. The hacker can find out all the activities carried out by the user of the device, so that user actions can be known easily by analyzing user activities on the device.

Vimal Mani, CISA, CISM, Six Sigma Black Belt