What is Authentication?
Authentication is often confused with authorization in IT security, so first, a definition is in order. Authorization occurs when an information system grants an entity or actor access permissions to information based upon the entity or actor’s identity. Authentication occurs when an entity or actor provides proof of identity in the form of something they know, such as account name and/or password credentials); something they are, such as a fingerprint or retina pattern; or something they have, such as a smart card that contains certificates associated with a system account for which they have access.
There are several different forms of authentication, and each has its advantages. The process of authentication requires a form of identification presented to an information system (note that the entity being authenticated could also be another system, or a process, or an application, in addition to being a person) ownership verification for the identification presented. The simplest and most common form of authentication is the account name and password. This authentication process starts when an entity or actor attempts to access a system which manages information of interest. When attempted access occurs, the system prompts the entity or actor for two items as identification, the first being the name of an account with system access permissions. The second item required is account proof of “ownership” in the form of a secret (password or pass-phrase) associated with the identification account. The authenticating system grants access after verification of the credentials presented.
Account name and password authentication offers only minimal protection from unauthorized access. Account name and password credentials are easily stolen simply by looking over someone’s should as they log in to a system, or after an employee writes their credentials on paper as a “reminder.” In addition, there are many password cracking applications that are free to download for anyone with Internet access. To secure authentication and eliminate account name and password vulnerabilities requires multi-factor authentication.
Simple account name and password authentication provides only minimal protection from unauthorized access, especially when account names and passwords are easy to guess (such as using a person’s first and last name for the account name and the person’s birth date as the password). Techniques that increase account name and password authentication security include increasing the required length of the password, changing passwords frequently (such as every three months), and enforcing password complexity by requiring a lower case letter, upper case letter, number and special character in order for the password to meet system security requirements. Unfortunately, complex passwords are also difficult to remember, so users are more likely to write a reminder containing their password (a major security risk), forget their password (which disrupts business and increases IT administration cost), or save their password on a document within the computer system that others can use for privilege escalation.
“Strong” two-factor authentication overcomes account name and password security limitations by requiring presentation of both something you know (account name and password) and something you have (such as a smart card or magnetic strip card) to complete positive identification for authentication. Two-factor authentication adds another layer of authentication security rendering stolen account credentials useless if not accompanied by a second authentication piece (smart card, magnetic strip card, or other token). In addition, with system auditing enabled, unauthorized access attempts using stolen account name and password credentials can generate administrative alert messages that facilitate identification of the perpetrator. Certain two-factor authentication types, such as magnetic cards and card readers, are very cost-effective and well worth the investment to protect company and customer confidential information.
However, physical authentication tokens, such as smartcards or magnetic strip cards, are easily misplaced or stolen, increasing administrative overhead to replace cards, and disrupting the business day while employees work with IT security staff to restore the system access required for their jobs. The third type of authentication (biometrics) employs the use of “something you are” rather than “something you have” to effectively eliminate the risk of lost or stolen authentication tokens.
Strong two-factor authentication using “something you know” (such as account name and password) and “something you have” (e.g. a smart card), provides multi-layered authentication that is less susceptible to compromise. However, something in one’s possession does require additional management on the part of the user. For this reason, many organizations opt for authentication systems that require account name and password (something you know) combined with something you are (such as presenting the palm of a right hand for scanning). Since something you are (also called “biometrics”) cannot be lost or stolen and requires less management on the part of the user, biometrics is much more secure than account names and passwords, smart cards, and magnetic strip readers. The use of biometric systems involves the capture and storage of a unique individual attribute template (called “enrollment) used for authentication. Then, when an individual authenticates with the biometric system, a comparison of the second sample capture to the first sample (template) of that individual takes place. If the template and the current sample match, then the individual allowed access. If the template and current sample do not match, the individual is not authenticated and denied access. Biometrics systems, in general, are also designed to account for some individual variation over time which increases their authentication reliability.
Common Biometrics Use
Biometrics commonly in use today include fingerprints, finger vein, iris scan, and retina scan. All of these methods use characteristics that are universally unique to each individual. Biometric scans are generally slightly slower than magnetic cards and smart cards, and some forms of biometrics such as retina scan are less convenient for users than smart cards and magnetic stripe cards. However, the biometrics authentication advantages are substantial, hence biometrics is the authentication method of choice when the highest level of security is a requirement.
Of the many different types of biometric authentication methods, fingerprint scanning is the most widely used. Fingerprint biometric technology analyzes and records the properties of ridge lines and valleys in a fingerprint at global, local and micro levels. At the global level, places where ridge lines form high-curvature shapes (referred to as “singularities”) are the primary focus. At the local level, “minutiae” is the point at which ridge lines are discontinuous. At the micro level capture includes intra-ridge pores, pore density, position, shape and relative size. Capture occurs using either optical (employs light to capture the fingerprint) or solid-state (uses thermal, capacitive or electrical means for capture) sensors. Fingerprint biometrics are very reliable, and usually more cost-effective than other biometric technologies.
Finger vein biometrics is rapidly gaining popularity because finger vein biometrics do not require users to touch a scan pad during the process of authentication. Discovered while performing medical scanning techniques on patients, each has a universally unique network of veins. The capture and analysis of finger vein biometrics involves transmitting invisible near-infrared light through a finger. Hemoglobin in the blood absorbs light, producing a vein pattern for capture on the other side of the finger. Once capture takes place, a normalization process identifies the outline of the finger and rotating the image, and the finger vein pattern is then extracted from the rest of the image, creating a finger vein template of the individual. The authentication process compares the template to the vein pattern captured when an individual attempts authentication.
Which Authentication Type Is Right?
Determine the right authentication type for your organization’s IT security based upon the value of information, systems, and assets that require authentication system protection, regulatory requirements for access control, and organizational structure. Carefully consider every authentication type and combination of the same during the process of identifying the best authentication system.