Post on 16-Aug-2015
Authentication”, “Two factor Authentication”, “Multifactor Authentication” and “Authorization”.
By
Asad Zaman, Sales Engineer – Candidate
Cellphone: 443 929 5793
Table of Contents
Introduction .......................................................... 2
Authentication ........................................................ 3
A. Password ........................................................... 4
B. Biometrics ......................................................... 5
C. Token .............................................................. 8
Two-factor Authentication ............................................. 9
Multi-factor Authentication .......................................... 11
Authorization ........................................................ 13
Summary .............................................................. 14
References ........................................................... 15
Figures & Tables
Figure 1: A sample of the biometric trait captured .................... 6
Table 1: Authenticators and their Levels of Assurance ................ 10
Table 2: Authentication Protocols and Levels of Assurance ............ 11
Introduction
Authentication is the process of verifying the identity of a user, process, or device, often
as a prerequisite to allowing access to resources in an information system (Dempsey, et
al., 2011). Authentication is typically based on one or more of the following factors
(Vacca, 2009, pp. 59, 67, 87, 568):
a. Something the user knows, such as a password or PIN;
b. Something the user has, such as a smart card or token;
c. Something personal about the user, such as a fingerprint, retinal pattern, or
other biometric identifier.
Use of a single factor, such as a password alone, is considered weak authentication. A
combination of two factors, such as a password and a smart card, is considered strong
authentication. Two-factor authentication is one type of multifactor authentication, but
"multifactor" sometimes means stronger authentication with more than two factors, such as
a combination of a password, a smart card or token, and a biometric factor. Strong
authentication can also be implemented using Public Key Infrastructure (PKI), which is
used especially for Web sites.
Authorization is the process of enforcing policies: determining what types of activities,
resources, or services an authenticated user is permitted to use. Authorization is applied
to put up safeguards against unlawful access.
Authentication
Vulnerabilities in authentication continue to be one of the primary targets of attackers.
Security personnel can work hard to ensure that the latest patches are applied to
systems and that firewalls are running at peak efficiency, but when it comes to
authentication, it is sometimes harder to achieve strong security. This is because end
users often compromise authentication by creating weak passwords or writing them
down. Moreover, because users have many passwords nowadays, they often
write them down, exposing the passwords to others. Nevertheless, authentication is
becoming stronger. New technologies are being implemented that make it difficult for
attackers to steal users' credentials and impersonate them. Industry regulations
and typical corporate policies require that IT, security and compliance groups create
audit trails of all the activity on the network. Knowing the IP address of the access device
isn't enough to definitively identify the behavior of a specific user. Anyone could be
using the device associated with a given address if they discover the valid user's
username/password information.
According to the CompTIA Security+ book, “Authentication access control is the process
by which resources or services are granted or denied. There are four basic steps:
Identification is the presentation of credentials or identification, typically performed
when logging on to a system. Authentication is the verification of the credentials to
ensure that they are genuine and not fabricated. Authorization is granting permission
for admittance. Access is the right to use specific resources. Another way,
authentication can also be viewed as one of three elements in security:
Authentication – Something you know, such as a password
Authorization – Something you have, such as a token
Accounting – Something you are, such as a fingerprint or a voiceprint.
These three elements help control access to network resources, enforce security
policies, and audit usage.”
Authentication credentials
A. Password
Passwords are used in many ways to protect data, systems, and networks. For
example, passwords are used to authenticate users of operating systems and
applications such as email and remote access. Passwords are also used to protect
files and other stored information, such as password-protecting a single compressed
file, a cryptographic key, or an encrypted hard drive. A comprehensive password
management policy should be provided to all employees; password management is the
process of defining, implementing, maintaining and monitoring password enforcement
policies. Effective password management reduces the risk of compromise of password-based
authentication systems. We need to protect the confidentiality, integrity, and
availability (CIA) of passwords so that all authorized users—and no unauthorized
users—can use passwords successfully as needed. Integrity and availability should
be ensured by typical data security controls, such as using access control lists to
prevent attackers from overwriting passwords and having secured backups of
password files. Ensuring the confidentiality of passwords is considerably more
challenging and involves a number of security controls along with decisions involving
the characteristics of the passwords themselves. For example, requiring that
passwords be long and complex makes it less likely that attackers will guess or crack
them, but it also makes the passwords harder for users to remember, and thus more
likely to be stored insecurely. An authentication policy specifies rules for password
construction, expiration, privacy, reset, reuse, and lifetime. An example of a password
construction rule: all passwords must be 8-16 characters long, with at least one number,
one symbol, and one capital letter. Such a rule also increases the likelihood that users
will store their passwords insecurely and expose them to attackers.
B. Biometrics
Biometrics (or biometric authentication) consists of methods for uniquely recognizing
humans based upon one or more intrinsic physical or behavioral traits. In computer
science, in particular, biometrics is used as a form of identity access management and
access control. It is also used to identify individuals in groups that are under
surveillance (Wikipedia 2010). This technology is an automated method of identifying a
person based on a physical characteristic, for example a thumbprint or retina pattern.
Biometric authentication requires comparing a registered or enrolled biometric sample
(biometric template or identifier) against a newly captured biometric sample (for
example, a fingerprint captured during a login).
During enrollment, as shown in Figure 1 below, a sample of the biometric trait is
captured, processed by a computer, and stored for later comparison. Biometric
recognition can be used in identification mode, where the biometric system identifies a
person from the entire enrolled population by searching a database for a match based
solely on the biometric. For example, an entire database can be searched to verify that a
person has not applied for entitlement benefits under two different names. This is
sometimes called “one-to-many” matching.
A system can also be used in verification mode, where the biometric system
authenticates a person’s claimed identity against their previously enrolled pattern. This is
also called “one-to-one” matching. In most computer access or network access
environments, verification mode would be used. A user enters an account or user name,
or inserts a token such as a smart card, but instead of entering a password, a simple
touch with a finger or a glance at a camera is enough to authenticate the user.
Figure 1: A sample of the biometric trait is captured.
  Enrollment:   Present biometric -> Capture -> Process -> Store
  Verification: Present biometric -> Capture -> Process -> Compare -> Match / No match
The biometric authentication mechanism typically consists of two types:
physical/standard biometrics and behavioral biometrics (Wettern, 2005).
(1) Physical biometrics use a person’s unique physical characteristics for authentication, in
other words what he or she is. Examples include, but are not limited to, fingerprint, face
recognition, DNA, palm print, hand geometry, iris recognition (which has largely replaced
retina scanning), and odor/scent. There are two types of fingerprint scanners:
i) A static fingerprint scanner requires the user to place his entire thumb or finger on a
small oval window on the scanner.
ii) Dynamic fingerprint scanners work on the same principle as the stud finders that
carpenters use to locate wood studs behind drywall.
(2) Behavioral biometrics relate to the behavior of a person; they were developed to address
the issues and concerns with physical/standard biometrics. Examples are typing rhythm,
voice recognition, and computer foot-printing.
Below is a brief discussion of some of the considerations (though not all) that need to be
examined before implementing a biometric authentication method:
a) Performance and reliability - Biometric readers are not always foolproof and can
reject authorized users or accept unauthorized users, called false negatives and
false positives respectively.
b) Privacy and discrimination - It is possible that data obtained during biometric enrollment
may be used in ways for which the enrolled individual has not consented. For
example, biometric security that utilizes an employee's DNA profile could also be
used to screen for various genetic diseases or other 'undesirable' traits (Wikipedia
2010).
c) Cost - Biometric readers (hardware scanning devices) must be installed at each
location or PC where authentication is required.
d) Availability - A dial-up connection from a remote computer will not work unless a
biometric device is available on every computer in the organization.
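The verification (one-to-one) and identification (one-to-many) modes described above, together with the false-negative/false-positive trade-off in consideration (a), as an added example that is not from the paper: templates are constructed 32-bit strings compared by Hamming distance, and a threshold decides what counts as a match. The user names and templates are made up, and a real matcher would derive templates from sensor data rather than bit strings.

```python
from typing import Dict, List, Optional, Tuple

# Enrolled templates: constructed 32-bit feature strings standing in for an
# iris code or fingerprint template (a real system derives them from the sensor).
ENROLLED: Dict[str, str] = {
    "alice": "10110011100011110000101011001101",
    "bob":   "01001100011100001111010100110010",
    "carol": "10111011100011010000101011001111",
}
DEFAULT_THRESHOLD = 6   # max differing bits still treated as the same person


def hamming(a: str, b: str) -> int:
    """Number of differing bits; the matcher's (dis)similarity score."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    return sum(x != y for x, y in zip(a, b))


def verify(claimed_id: str, probe: str, threshold: int = DEFAULT_THRESHOLD) -> bool:
    """Verification mode (one-to-one): compare the probe only against the
    template of the identity the user claims (typed user name or smart card)."""
    template = ENROLLED.get(claimed_id)
    return template is not None and hamming(template, probe) <= threshold


def identify(probe: str, threshold: int = DEFAULT_THRESHOLD) -> Optional[str]:
    """Identification mode (one-to-many): search the whole enrolled population
    and return the closest match, or None if nobody is within the threshold."""
    user, template = min(ENROLLED.items(), key=lambda item: hamming(item[1], probe))
    return user if hamming(template, probe) <= threshold else None


def error_rates(genuine: List[Tuple[str, str]], impostor: List[Tuple[str, str]],
                threshold: int = DEFAULT_THRESHOLD) -> Tuple[float, float]:
    """False reject rate over genuine (claimed id, probe) attempts and false
    accept rate over impostor attempts; moving the threshold trades one for the other."""
    frr = sum(not verify(c, p, threshold) for c, p in genuine) / len(genuine)
    far = sum(verify(c, p, threshold) for c, p in impostor) / len(impostor)
    return frr, far
```

With the lenient threshold of 6 bits, carol's template (3 bits away from alice's) is falsely accepted as alice; tightening the threshold to 2 removes that false accept but would start rejecting noisier genuine samples.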
C. Tokens
A token is a device that can be issued to a user for use in the authentication process
(Wettern, 2004). Tokens are often small handheld devices, with or without keypads,
which range in size from a credit card to a small pocket calculator. One increasingly
common type of token is a smart card, which is a card the size of a credit card that
has a small computer chip in it. For example, one common type of token system is
synchronized with a server: each minute, the number on the server and the number on
the device change in step. For a user to authenticate, he must type in the number on the
display, which must match the number on the server. SecurID, manufactured by
RSA Security, is one of the most commonly used token-based authentication
products. The goal is to have an adaptive authentication framework that can
authenticate a user using a variety of authentication tokens and protocols. These
various authentication tokens and protocols provide different levels of assurance in
identifying a user. Access privileges granted to the user should be linked to the
assurance level of the authentication token/protocol used in the particular
authentication instance. Such a linkage is necessary for the provision of fine-grained
access control and privilege allocation in environments in which the same or different
applications may have dissimilar authentication requirements, as dictated by varying
levels of resource sensitivity and access mode towards different groups of users. For
example, services such as e-journal subscriptions or e-learning services may have a
relatively low sensitivity level and therefore can be accessible to everybody who can
be identified by the IP address of his/her machine (Zhang, 2006). Tutors/examiners,
on the other hand, may need to use a stronger form of authentication than that used
by students in order to access, say, exam papers, as the former bear more
responsibility with regard to the confidentiality and integrity of the data resource.
Similarly, in a health Grid context, electronic patient records (EPRs) and electronic
health records (EHRs) are shared among GPs, clinicians, and clinical and biomedical
researchers across different institutions and organizations. EPRs/EHRs have high
levels of privacy requirements due to legal and ethical reasons. Therefore, it is
usually expected that EPRs/EHRs are de-personalized, and that sensitive information
that can be used to identify the owner of a record is removed, before being released to
entities outside hospital premises or before researchers are allowed to access them
(Haken, 2004). Password-based authentication methods may be sufficient to identify
researchers when accessing these de-personalized records. However, the suppliers
of the records, e.g. GPs and hospitals, should use a stronger form of authenticator
when uploading new records into the de-personalized data repository, due to privacy
and accountability concerns. Therefore, there is clearly a need for a fine-grained
access-control framework to satisfy the complex access-control requirements, and
one important element of the access-control decision making is the authentication
strength of the authenticator used by the user. Although tokens offer reliable security,
they can be costly and difficult to deploy in an enterprise environment.
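The time-synchronized token scheme described above, as an added example (not code from the paper, nor RSA SecurID's proprietary algorithm): device and server share a secret, both derive a fresh code each minute with an HMAC, and the server accepts a code only for the current or an adjacent minute and refuses a code that has already been used. The HMAC construction and truncation follow RFC 4226/6238; the shared secret is the RFC test-vector value, so the expected codes are known.

```python
import hashlib
import hmac
import struct
import time

# Shared secret provisioned to both the token and the server. Constructed sample:
# it is the RFC 4226/6238 test-vector secret, so the generated codes are well known.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 60      # the page describes a token whose number changes each minute
DIGITS = 6
DRIFT_WINDOWS = 1      # tolerate one window of clock skew on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_window(unix_time: float, step: int = STEP_SECONDS) -> int:
    """The counter both sides derive from the clock: which minute it is."""
    return int(unix_time) // step


def token_display(secret: bytes, unix_time: float) -> str:
    """What the handheld device shows at a given moment."""
    return hotp(secret, time_window(unix_time))


class TokenServer:
    """Server side of the scheme: checks the submitted code against the current
    and neighbouring windows, and never accepts the same window twice (replay)."""

    def __init__(self, secret: bytes, drift: int = DRIFT_WINDOWS) -> None:
        self.secret = secret
        self.drift = drift
        self.last_window = -1   # highest window already consumed by a login

    def verify(self, submitted: str, unix_time: float) -> bool:
        now = time_window(unix_time)
        for window in range(now - self.drift, now + self.drift + 1):
            if window <= self.last_window:
                continue            # code already used, or older than one accepted
            # constant-time comparison so the check does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, window), submitted):
                self.last_window = window
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    shown = token_display(SHARED_SECRET, now)
    print("device shows", shown, "accepted:", TokenServer(SHARED_SECRET).verify(shown, now))
```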
Two-factor Authentication
Two-factor authentication is an approach to authentication which requires the
presentation of two different kinds of evidence that someone is who they say they
are. It is a part of the broader family of multi-factor authentication, which is a defense-
in-depth approach to security (Wikipedia, 2010). It is a combination of:
Something you have, such as a token
Something you are, such as a fingerprint.
Two-factor authenticators are grouped into two categories: token-based, such as
memory or smart tokens; and ID-based, such as biometrics. These authentication
factors have different strengths, providing different levels of assurance (LoA) in
identifying a user. For example, a smart token equipped with a cryptographic key
because the former is normally easier to guess. Although biometrics are more difficult
to forge, on their own they cannot be used for remote electronic authentication due to the
lack of secrets. To achieve a higher LoA, two or more authentication factors can be
combined to identify a user. A smart token locked with a fingerprint or a
personal identification number (PIN), which is a two-factor authenticator, is a better
choice than an unlocked token alone, as the latter is more susceptible to theft or loss.
Table I. Authenticators and their levels of assurance
Authenticators               Level 1   Level 2   Level 3   Level 4
Hard token                      X         X         X         X
Soft token                      X         X         X
One-time password device        X         X         X
Strong passwords                X         X
Passwords and PINs              X

Table II. Authentication protocols and their levels of assurance
Authentication protocols                              Level 1   Level 2   Level 3   Level 4
Private key proof-of-possession protocol                 X         X         X         X
Symmetric key proof-of-possession protocol               X         X         X
Zero-knowledge password protocol                         X         X
Tunneled password protocol (e.g. password over SSL)      X         X
Challenge-response password protocol                     X
Authenticators and their associated LoAs have been classified into four levels in a
specification published by NIST (the U.S. National Institute of Standards and
Technology), according to the likely consequences of an authentication error when
using each of them. As shown in Table I, Level 1 authenticators have the lowest LoA,
whilst Level 4 authenticators have the highest. To compromise a Level 4 authenticator, say a
smart card token locked with a PIN, the perpetrator would first have to obtain the
card and then work out the PIN. It therefore provides a higher LoA than a
soft token such as a cryptographic key stored in a file. The adaptive authentication
framework is aimed at integrating all of the authenticators shown in Table I and the
protocols from Table II.
Multi-factor Authentication
Multi-factor authentication, sometimes called strong authentication, is an extension of
two-factor authentication. This is the defense-in-depth approach of "security in layers"
applied to authentication. While two-factor authentication involves exactly two
factors, multi-factor authentication involves two or more factors. Thus, every two-factor
authentication is a multi-factor authentication, but not vice versa (Wikipedia, 2010). RSA
provides seamless migration from passwords to multi-factor authentication. According to
the RSA website, RSA Authentication Manager Express delivers a seamless, strong
authentication solution for users through risk-based authentication, providing invisible,
behind-the-scenes protection of web-based resources (SSL VPNs and web
applications) against unauthorized access. Users continue to use their standard
username and password, while the RSA Risk Engine evaluates dozens of factors
associated with the authentication in each of the three categories below.
Multi-factor authentication most often combines two of the following three elements to
establish identity:
• Something you know, such as a PIN
• Something you have, such as an ATM card
• Something you are, i.e. a biometric characteristic such as a fingerprint or a voiceprint
Password- or PIN-based authentication, fingerprint biometrics, and tokens or ATM cards
all have their respective advantages and disadvantages. One thing they have in
common is that a dedicated attacker can circumvent any of these authentication
methods. Authentication methods that depend on more than one factor are more
difficult to compromise than single-factor methods. Accordingly, properly designed and
implemented multifactor authentication methods are more reliable and stronger fraud
deterrents. For example, the use of a logon ID/password is single-factor authentication
(i.e., something the user knows), whereas an ATM transaction requires multifactor
authentication: something the user possesses (i.e., the card) combined with something
the user knows (i.e., the PIN). A multifactor authentication methodology may also include
controls for risk mitigation. The success of a particular authentication method depends
on more than the technology. It also depends on appropriate policies, procedures, and
controls. An effective authentication method should have customer acceptance,
reliable performance, scalability to accommodate growth, and interoperability with
existing systems and future plans.
Authorization
Authorization, by contrast, is the mechanism by which a system determines what level
of access a particular authenticated user should have to secured resources controlled
by the system. For example, a database management system might be designed so as
to provide certain specified individuals with the ability to retrieve information from a
database but not the ability to change data stored in the database, while giving other
individuals the ability to change data. Authorization systems provide answers to the
questions:
• Is user X authorized to access resource R?
• Is user X authorized to perform operation P?
• Is user X authorized to perform operation P on resource R?
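The linkage between authentication strength and access privileges argued for in the Tokens section and in Tables I and II, combined with the three authorization questions just listed, as an added example that is not part of the original paper: Tables I and II are encoded as the highest level each authenticator and protocol supports, a session's LoA is the weaker of the two, and every (resource, operation) rule carries both the permitted roles and a minimum LoA. The resources, roles and users are constructed from the paper's health-grid and exam-paper scenarios.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Tables I and II from the page, as the highest LoA each item supports
# (every row in those tables is contiguous from Level 1 up to that maximum).
AUTHENTICATOR_MAX_LOA: Dict[str, int] = {
    "hard token": 4,
    "soft token": 3,
    "one-time password device": 3,
    "strong password": 2,
    "password or PIN": 1,
}
PROTOCOL_MAX_LOA: Dict[str, int] = {
    "private key proof-of-possession": 4,
    "symmetric key proof-of-possession": 3,
    "zero-knowledge password": 2,
    "tunneled password": 2,
    "challenge-response password": 1,
}


@dataclass(frozen=True)
class Session:
    """An authenticated session records *how* the user was authenticated."""
    user: str
    authenticator: str
    protocol: str

    @property
    def loa(self) -> int:
        # The assurance actually achieved is bounded by the weaker of the two.
        return min(AUTHENTICATOR_MAX_LOA[self.authenticator],
                   PROTOCOL_MAX_LOA[self.protocol])


# Constructed policy: (resource, operation) -> (roles allowed, minimum LoA).
# Reading de-personalized records needs only a password-level login (LoA 1);
# uploading new records needs a stronger authenticator (LoA 3); exam papers LoA 2.
POLICY: Dict[Tuple[str, str], Tuple[Set[str], int]] = {
    ("depersonalized_records", "read"): ({"researcher", "gp", "clinician"}, 1),
    ("depersonalized_records", "upload"): ({"gp", "clinician"}, 3),
    ("exam_papers", "read"): ({"tutor"}, 2),
}
ROLES: Dict[str, Set[str]] = {   # constructed users
    "alice": {"researcher"}, "bob": {"gp"}, "carol": {"tutor"},
}


def authorize(session: Session, resource: str, operation: str) -> Tuple[bool, str]:
    """Answers 'is user X authorized to perform P on R?', taking into account the
    strength of the authentication that established the session."""
    rule = POLICY.get((resource, operation))
    if rule is None:
        return False, "no rule for this resource/operation (deny by default)"
    allowed_roles, min_loa = rule
    if not ROLES.get(session.user, set()) & allowed_roles:
        return False, "role not permitted"
    if session.loa < min_loa:
        return False, f"LoA {session.loa} below required LoA {min_loa}; re-authenticate"
    return True, "permitted"
```

A user whose role would permit an operation is still refused when the session was established with too weak an authenticator, which is the step-up prompt a fine-grained framework of this kind has to issue.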
Authentication and authorization are somewhat tightly-coupled mechanisms --
authorization systems depend on secure authentication systems to ensure that users
are who they claim to be and thus prevent unauthorized users from gaining access to
secured resources. RSA Authentication Manager Express delivers strong, multi-factor
authentication optimized for the unique security, convenience and budget requirements
of your organization. A stronger and more secure alternative to password-only
protection, RSA Authentication Manager Express helps organizations to extend
anytime, anywhere access confidently to remote employees, partners, contractors and
clients. It delivers strong authentication that can be tailored to an organization’s
resource constraints, risk tolerance and user profile (RSA Authentication, 2011).
Summary
Strong authentication is a must before any authorization can happen. Organizations are
providing their services through electronic means in a rapidly developing digital world,
but such services are usually accessible only to those who have the required privileges.
In order to authorize a person, a group, or even software to access a service, the
recipients must first be authenticated, i.e. their identities must be verified before allowing
them access according to their assigned privileges (Almagwashi & Gray, 2009).
References
Almagwashi, H. & Gray, A. (2009, January 1). E-Government Authentication Frameworks: A
gap analysis. Retrieved October 1, 2011 from
http://ehis.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?vid=4&hid=23&sid=036aa1d8-576f-40f5-979d-20fc6d4c48e0%40sessionmgr11
Bishop, M. (2003). Computer security: Art and science. Pearson Education.
Chen, T. & Walsh, P. J. (2009). Guarding against network intrusions. In J. R. Vacca (Ed.),
Computer and information security (p. 59). Burlington, MA: Morgan Kaufmann.
Ciampa, M. (2008). CompTIA Security+. Boston, MA: Course Technology.
Dempsey, K., Chawla, N. S., Johnson, A., Jones, A. C., Orebaugh, A., Scholl, M., & Stine, K.
(2011). Information security continuous monitoring (ISCM) for federal information
systems and organizations. National Institute of Standards and Technology (NIST) of the
U.S. Department of Commerce. Retrieved October 1, 2011 from
http://csrc.nist.gov/publications/PubsSPs.html
Dunn, J. S., & Podio, F. L. (2008). Biometric Authentication Technology: From the Movies to
Your Desktop. Retrieved from National Institute of Standards and Technology web site:
http://www.nist.gov
Federal Financial Institutions Examination Council (2001). Authentication in an Electronic
Banking Environment. Retrieved from
http://www.ffiec.gov/pdf/authentication_guidance.pdf
Harris, S. (2002). All-In-One CISSP Certification Exam Guide. McGraw-Hill/Osborne.
Helken, H. (August 2004). De-identification framework. White paper, IBM Haifa Labs, Israel.
Retrieved from Library Computer Science database.
RSA Authentication (2011). RSA Authentication Manager Express. Retrieved October 2,
2011 from http://www.rsa.com/products/AMX/ds/11241_h9006-amx-ds-0711.pdf
Unknown Author (2011). Authentication versus Authorization. Retrieved from
http://www.duke.edu/~rob/kerberos/authvauth.html
Wettern, J. (2005). Security+ certification. Academic Learning Series. Redmond, WA:
McGraw-Hill.
Wikipedia (2010). Multi-factor Authentication. Retrieved from
http://en.wikipedia.org/wiki/Multi-factor_authentication#References
Zhang, N. C., Goble, C., Rector, A., & Chadwick, D. (October 2006). Achieving Fine-grained
Access Control in Virtual Organizations. Concurrency and Computation: Practice and
Experience, 19:1333–1352. Retrieved from Wiley InterScience
(www.interscience.wiley.com). DOI: 10.1002/cpe.1099.