Two-factor authentication- A sample writing _Zaman


Authentication”, “Two factor Authentication”, “Multifactor Authentication” and “Authorization”.

By

Asad Zaman, Sales Engineer (Candidate)

Cellphone: 443 929 5793


Table of Contents

Introduction
Authentication
  A. Password
  B. Biometrics
  C. Token
Two-factor Authentication
Multi-factor Authentication
Authorization
Summary
References

Figures & Tables

Figure 1: A sample of the biometric trait captured
Table 1: Authenticators and their Levels of Assurance
Table 2: Authentication Protocols and Levels of Assurance


Introduction

Authentication is the process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system (Dempsey et al., 2011). Authentication is typically based on one or more of the following factors (Vacca, 2009, pp. 59, 67, 87, 568):

a. Something the user knows, such as a password or PIN;
b. Something the user has, such as a smart card or token;
c. Something personal about the user, such as a fingerprint, retinal pattern, or other biometric identifier.

Use of a single factor, such as a password alone, is considered weak authentication. A combination of two factors, such as a password and a smart card, is considered strong authentication. Two-factor authentication is one form of multifactor authentication, but "multifactor" is sometimes reserved for stronger authentication using more than two factors, such as a combination of a password, a smart card or token, and a biometric factor. Strong authentication can also be implemented using Public Key Infrastructure (PKI), which is especially used for Web sites.

Authorization is the process of enforcing policies: determining what types of activities, resources, or services an authenticated user is permitted to use. Authorization is applied to put safeguards in place against unlawful access.


Authentication

Vulnerabilities in authentication continue to be one of the primary targets of attackers. Security personnel can work hard to ensure that the latest patches are applied to systems and that firewalls are running at peak efficiency, but when it comes to authentication, strong security is sometimes harder to achieve. This is because end users often compromise authentication by creating weak passwords or writing them down. Because users now have multiple passwords, they often write them down, exposing the passwords to others. Nevertheless, authentication is becoming stronger. New technologies are being implemented that make it difficult for attackers to steal users' authentication credentials and impersonate them. Industry regulations and typical corporate policies require that IT, security and compliance groups create audit trails of all activity on the network. Knowing the IP address of the access device is not enough to definitively attribute behavior to a specific user: anyone who discovers a valid user's username and password could be using the device associated with a given address.

According to the CompTIA Security+ book, "Authentication access control is the process by which resources or services are granted or denied. There are four basic steps: Identification is the presentation of credentials or identification, typically performed when logging on to a system. Authentication is the verification of the credentials to ensure that they are genuine and not fabricated. Authorization is granting permission for admittance. Access is the right to use specific resources." Authentication can also be viewed as one of three elements in security:

Authentication - Something you know, such as a password
Authorization - Something you have, such as a token
Accounting - Something you are, such as a fingerprint or a voiceprint

These three elements help control access to network resources, enforce security policies, and audit usage.

Authentication credentials

A. Password

Passwords are used in many ways to protect data, systems, and networks. For example, passwords are used to authenticate users of operating systems and of applications such as email and remote access. Passwords are also used to protect files and other stored information, such as password-protecting a single compressed file, a cryptographic key, or an encrypted hard drive. A comprehensive password management policy should be provided to all employees; password management is the process of defining, implementing, maintaining and monitoring password enforcement policies. Effective password management reduces the risk of compromise of password-based authentication systems. We need to protect the confidentiality, integrity, and availability (CIA) of passwords so that all authorized users, and no unauthorized users, can use passwords successfully as needed. Integrity and availability should be ensured by typical data security controls, such as using access control lists to prevent attackers from overwriting passwords and keeping secured backups of password files. Ensuring the confidentiality of passwords is considerably more challenging and involves a number of security controls along with decisions about the characteristics of the passwords themselves. For example, requiring that passwords be long and complex makes it less likely that attackers will guess or crack them, but it also makes the passwords harder for users to remember, and thus more likely to be stored insecurely. An authentication policy governs password construction, expiration, privacy, reset, reuse, and lifetime. An example of a password construction rule: all passwords must be 8-16 characters long, with one number, one symbol, and one capitalized character. Such a rule increases the likelihood that users will store their passwords insecurely and expose them to attackers.

B. Biometrics

Biometrics (or biometric authentication) consists of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In computer science in particular, biometrics is used as a form of identity and access management and access control. It is also used to identify individuals in groups that are under surveillance (Wikipedia, 2010). This technology is an automated method of identifying a person based on a physical characteristic, for example a thumbprint or retina pattern. Biometric authentication requires comparing a registered or enrolled biometric sample (the biometric template or identifier) against a newly captured biometric sample (for example, a fingerprint captured during a login).

During enrollment, as shown in Figure 1, a sample of the biometric trait is captured, processed by a computer, and stored for later comparison. Biometric recognition can be used in identification mode, where the biometric system identifies a person from the entire enrolled population by searching a database for a match based solely on the biometric. For example, an entire database can be searched to verify that a person has not applied for entitlement benefits under two different names. This is sometimes called "one-to-many" matching.

A system can also be used in verification mode, where the biometric system authenticates a person's claimed identity against their previously enrolled pattern. This is also called "one-to-one" matching. In most computer access or network access environments, verification mode is used. A user enters an account or user name, or inserts a token such as a smart card, but instead of entering a password, a simple touch with a finger or a glance at a camera is enough to authenticate the user.

Figure 1: A sample of the biometric trait is captured
[Figure: Enrollment: Present Biometric -> Capture -> Process -> Store. Verification: Present Biometric -> Capture -> Process -> Compare -> Match / No match]

The biometric authentication mechanism typically consists of two processes: physical/standard biometrics and behavioral biometrics (Wettern, 2005).


(1) Physical biometrics uses a person's unique physical characteristics for authentication, in other words what he or she is. Examples include, but are not limited to, fingerprint, face recognition, DNA, palm print, hand geometry, iris recognition (which has largely replaced retina scanning), and odor/scent. There are two types of fingerprint scanners:

i) A static fingerprint scanner requires the user to place his entire thumb or finger on a small oval window on the scanner.
ii) Dynamic fingerprint scanners work on the same principle as the stud finders that carpenters use to locate wood studs behind drywall.

(2) Behavioral biometrics is related to the behavior of a person. Behavioral biometrics has been developed to address the issues and concerns in physical/standard biometrics. Examples are typing rhythm, voice recognition, and computer foot-printing.

Below is a brief discussion of some, but not all, of the considerations that need to be examined before implementing a biometric authentication method:

a) Performance and reliability - Biometric readers are not always foolproof: they can reject authorized users (false negatives) and accept unauthorized users (false positives).
b) Privacy and discrimination - It is possible that data obtained during biometric enrollment may be used in ways to which the enrolled individual has not consented. For example, biometric security that utilizes an employee's DNA profile could also be used to screen for various genetic diseases or other 'undesirable' traits (Wikipedia, 2010).
c) Cost - Biometric readers (hardware scanning devices) must be installed at each location or PC where authentication is required.
d) Availability - Biometric authentication will not work over a dial-up connection from a remote computer, since a biometric device might not be available on every computer in the organization.
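As an added illustration of consideration (a), not part of the original paper, the following Python computes the false reject rate (false negatives) and false accept rate (false positives) of a hypothetical fingerprint matcher at different decision thresholds, and shows how a deployment picks an operating point; the similarity scores are constructed, not measured.

```python
# Constructed similarity scores (0-100) from a hypothetical fingerprint matcher.
# GENUINE: an enrolled user compared against a fresh sample of their own finger.
# IMPOSTOR: an enrolled template compared against someone else's finger.
GENUINE_SCORES = [88, 91, 76, 95, 69, 83, 90, 58, 87, 93]
IMPOSTOR_SCORES = [12, 35, 61, 22, 48, 71, 30, 18, 54, 40]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) for a matcher that accepts when score >= threshold.

    FRR (false reject rate) = genuine attempts rejected: the "false negative"
    that locks out an authorized user.
    FAR (false accept rate) = impostor attempts accepted: the "false positive"
    that lets an unauthorized user in.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def tradeoff_table(genuine, impostor, thresholds):
    """Rows of (threshold, FRR, FAR): raising the threshold trades FAR for FRR."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine, impostor):
    """Observed score at which FAR and FRR are closest (the equal error rate point)."""
    def gap(t):
        frr, far = error_rates(genuine, impostor, t)
        return abs(far - frr)
    return min(sorted(set(genuine) | set(impostor)), key=gap)


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest integer threshold whose FAR does not exceed max_far, together with
    the FRR users will pay for it. Security-sensitive deployments fix the FAR
    first and then judge whether the resulting lockout rate is acceptable."""
    for t in range(0, 101):
        frr, far = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return None


if __name__ == "__main__":
    for t, frr, far in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, [50, 60, 70, 80]):
        print(f"threshold {t}: FRR={frr:.1f} FAR={far:.1f}")
    print("EER threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("threshold for FAR<=0:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```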

C. Tokens

A token is a device that can be issued to a user for use in the authentication process (Wettern, 2004). Tokens are often small handheld devices, with or without keypads, which range in size from a credit card to a small pocket calculator. One increasingly common type of token is a smart card, which is a card the size of a credit card with a small computer chip in it. For example, one common token system is synchronized with a server: each minute, the number shown on the device and the number computed on the server change in step. For a user to authenticate, he must type in the number on the display, which must match the number on the server. SecurID, manufactured by RSA Security, is one of the most commonly used token-based authentication products.

The goal is to have an adaptive authentication framework that can authenticate a user using a variety of authentication tokens and protocols. These various authentication tokens and protocols provide different levels of assurance in identifying a user. Access privileges granted to the user should be linked to the assurance level of the authentication token/protocol used in the particular authentication instance. Such a linkage is necessary for the provision of fine-grained access control and privilege allocation in environments in which the same or different applications may have dissimilar authentication requirements, as dictated by varying levels of resource sensitivity and access mode for different groups of users. For example, services such as e-journal subscriptions or e-learning services may have a relatively low sensitivity level and therefore can be accessible to everybody who can be identified by the IP address of his/her machine (Zhang, 2006). Tutors/examiners, on the other hand, may need to use a stronger form of authentication than students in order to access, say, exam papers, as the former bear more responsibility with regard to the confidentiality and integrity of the data resource. Similarly, in a health Grid context, electronic patient records (EPRs) and electronic health records (EHRs) are shared among GPs, clinicians, and clinical and biomedical researchers across different institutions and organizations. EPRs/EHRs have high levels of privacy requirements for legal and ethical reasons. Therefore, it is usually expected that EPRs/EHRs are de-personalized, and that sensitive information that can be used to identify the owner of a record is removed, before they are released to entities outside hospital premises or before researchers are allowed to access them (Haken, 2004). Password-based authentication methods may be sufficient to identify researchers when accessing these de-personalized records. However, the suppliers of the records, e.g. GPs and hospitals, should use a stronger form of authenticator when uploading new records into the de-personalized data repository, due to privacy and accountability concerns. Therefore, there is clearly a need for a fine-grained access-control framework to satisfy these complex access-control requirements, and one important element of the access-control decision making is the authentication strength of the authenticator used by the user. Although tokens offer reliable security, they can be costly and difficult to deploy in an enterprise environment.

Two-factor Authentication

Two-factor authentication is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are. It is part of the broader family of multi-factor authentication, which is a defense-in-depth approach to security (Wikipedia, 2010). It is a combination of, for example:

Something you have, such as a token
Something you are, such as a fingerprint

Two-factor authenticators are grouped into two categories: token-based, such as memory or smart tokens; and ID-based, such as biometrics. These authentication factors have different strengths, providing different levels of assurance (LoA) in identifying a user. For example, a smart token equipped with a cryptographic key because the former is normally easier to guess. Although biometrics are more difficult to forge, alone they cannot be used for remote electronic authentication due to the lack of secrets. To achieve a higher LoA, two or more authentication factors can be combined to identify a user. A smart token locked with a fingerprint or a personal identification number (PIN), which is a two-factor authenticator, is a better choice than an unlocked token alone, as the latter is more susceptible to theft or loss.

Table I. Authenticators and their levels of assurance

Authenticators             Level 1  Level 2  Level 3  Level 4
Hard token                    X        X        X        X
Soft token                    X        X        X
One-time password device      X        X        X
Strong passwords              X        X
Passwords and PINs            X

Table II. Authentication protocols and their levels of assurance

Authentication protocols                              Level 1  Level 2  Level 3  Level 4
Private key proof-of-possession protocol                 X        X        X        X
Symmetric key proof-of-possession protocol               X        X        X
Zero-knowledge password protocol                         X        X
Tunneled password protocol (e.g. password over SSL)      X        X
Challenge-response password protocol                     X

Authenticators and their associated LoAs have been classified into four levels in a specification published by NIST (the U.S. National Institute of Standards and Technology), according to the likely consequences of an authentication error when using each of them. As shown in Table I, Level 1 authenticators have the lowest LoA, whilst Level 4 authenticators have the highest. To compromise a Level 4 authenticator, say a smart card token locked with a PIN, the perpetrator would first have to obtain the card and then work out the PIN. It therefore provides a higher LoA than a soft token such as a cryptographic key stored in a file. The system is aimed at integrating all of the authenticators shown in Table I and the protocols from Table II.

Multi-factor Authentication

Multi-factor authentication, sometimes called strong authentication, is an extension of two-factor authentication. This is the defense-in-depth approach of "security in layers" applied to authentication. While two-factor authentication involves exactly two factors, multi-factor authentication involves two or more factors. Thus, every two-factor authentication is a multi-factor authentication, but not vice versa (Wikipedia, 2010). RSA provides seamless migration from passwords to multi-factor authentication. According to the RSA website, RSA Authentication Manager Express delivers a seamless, strong authentication solution for users through risk-based authentication, providing invisible, behind-the-scenes protection of web-based resources (SSL VPNs and web applications) against unauthorized access. Users continue to use their standard username and password, while the RSA Risk Engine evaluates dozens of factors associated with the authentication in each of the three categories below.

Multi-factor authentication most often combines two of the following three elements to establish identity:

• Something you know, such as a PIN
• Something you have, such as an ATM card
• Something you are, a biometric characteristic such as a fingerprint or a voiceprint

Password- or PIN-based authentication, biometrics such as fingerprints, and tokens or ATM cards all have their respective advantages and disadvantages. One thing they have in common is that a dedicated attacker can circumvent any of these authentication methods. Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows), whereas an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., the PIN). A multifactor authentication methodology may also include controls for risk mitigation. The success of a particular authentication method depends on more than the technology. It also depends on appropriate policies, procedures, and controls. An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.

Authorization

Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

• Is user X authorized to access resource R?
• Is user X authorized to perform operation P?
• Is user X authorized to perform operation P on resource R?

Authentication and authorization are somewhat tightly coupled mechanisms: authorization systems depend on secure authentication systems to ensure that users are who they claim to be and thus prevent unauthorized users from gaining access to secured resources. RSA Authentication Manager Express delivers strong, multi-factor authentication optimized for the unique security, convenience and budget requirements of an organization. A stronger and more secure alternative to password-only protection, RSA Authentication Manager Express helps organizations extend anytime, anywhere access confidently to remote employees, partners, contractors and clients. It delivers strong authentication that can be tailored to an organization's resource constraints, risk tolerance and user profile (RSA Authentication, 2011).
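To make the linkage between authentication strength and access rights concrete, here is an added Python example (not from the paper and not Zhang's framework) that encodes Tables I and II, derives a level of assurance for one login, and answers the authorization questions listed above with that LoA as an input. Treating the session LoA as the minimum of the authenticator's and the protocol's levels, and the policy rules modelled on the paper's e-learning and health Grid examples, are this example's own assumptions.

```python
from typing import NamedTuple, Optional

# Highest level of assurance each authenticator type can reach (Table I).
AUTHENTICATOR_MAX_LOA = {
    "hard token": 4,
    "soft token": 3,
    "one-time password device": 3,
    "strong password": 2,
    "password or PIN": 1,
}

# Highest level of assurance each authentication protocol can reach (Table II).
PROTOCOL_MAX_LOA = {
    "private key proof-of-possession": 4,
    "symmetric key proof-of-possession": 3,
    "zero-knowledge password": 2,
    "tunneled password": 2,          # e.g. password over SSL
    "challenge-response password": 1,
}

# Constructed policy modelled on the paper's examples. Each rule: who may perform
# which operation on which resource, and the minimum LoA the session must carry.
POLICY = [
    ("student",    "read",   "course material",         1),
    ("tutor",      "read",   "exam papers",             3),
    ("researcher", "read",   "de-personalized records", 2),
    ("gp",         "upload", "de-personalized records", 3),
]


class Decision(NamedTuple):
    allowed: bool
    session_loa: int
    reason: str


def session_loa(authenticator: str, protocol: str) -> int:
    """Assumption: an authentication instance is only as strong as the weaker of
    the authenticator and the protocol that carried it."""
    return min(AUTHENTICATOR_MAX_LOA[authenticator], PROTOCOL_MAX_LOA[protocol])


def required_loa(role: str, operation: str, resource: str) -> Optional[int]:
    """LoA demanded by the matching policy rule, or None when no rule grants it."""
    for r_role, r_op, r_res, r_loa in POLICY:
        if (r_role, r_op, r_res) == (role, operation, resource):
            return r_loa
    return None


def authorize(role, operation, resource, authenticator, protocol) -> Decision:
    """'Is user X authorized to perform P on R?' with the LoA of this login as
    one input to the decision. Requests no rule covers are denied by default."""
    loa = session_loa(authenticator, protocol)
    needed = required_loa(role, operation, resource)
    if needed is None:
        return Decision(False, loa, "no policy rule grants this operation")
    if loa < needed:
        return Decision(False, loa, f"session LoA {loa} below required LoA {needed}")
    return Decision(True, loa, f"session LoA {loa} meets required LoA {needed}")


if __name__ == "__main__":
    print(authorize("gp", "upload", "de-personalized records",
                    "strong password", "tunneled password"))
    print(authorize("gp", "upload", "de-personalized records",
                    "hard token", "private key proof-of-possession"))
```

Note that a strongly authenticated user is still denied anything no rule grants: authentication establishes who is asking, authorization decides what they may do.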

Summary

Strong authentication is a must before any authorization can happen. Organizations are providing their services through electronic means in a rapidly developing digital world, but such services are usually accessible only to those who have the required privileges. In order to authorize a person, a group, or even software to access a service, the recipient must first be authenticated, i.e. their identity must be verified, before allowing them access according to their assigned privileges (Almagwashi & Gray, 2009).

References

Almagwashi, H. & Gray, A. (2009, January 1). E-Government Authentication Frameworks: A gap analysis. Retrieved October 1, 2011 from http://ehis.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?vid=4&hid=23&sid=036aa1d8-576f-40f5-979d-20fc6d4c48e0%40sessionmgr11

Bishop, M. (2003). Computer security: Art and science. Pearson Education.

Chen, T. & Walsh, P. J. (2009). Guarding against network intrusions. In J. R. Vacca (Ed.), Computer and information security (p. 59). Burlington, MA: Morgan Kaufmann.

Ciampa, M. (2008). CompTIA Security+. Boston, MA: Course Technology.

Dempsey, K., Chawla, N. S., Johnson, A., Jones, A. C., Orebaugh, A., Scholl, M., & Stine, K. (2011). Information security continuous monitoring (ISCM) for federal information systems and organizations. National Institute of Standards and Technology (NIST), U.S. Department of Commerce. Retrieved October 1, 2011 from http://csrc.nist.gov/publications/PubsSPs.html

Dunn, J. S., & Podio, F. L. (2008). Biometric Authentication Technology: From the Movies to Your Desktop. Retrieved from National Institute of Standards and Technology web site: http://www.nist.gov

Federal Financial Institutions Examination Council (2001). Authentication in an Electronic Banking Environment. Retrieved from http://www.ffiec.gov/pdf/authentication_guidance.pdf

Harris, S. (2002). All-In-One CISSP Certification Exam Guide. McGraw-Hill/Osborne.

Helken, H. (2004, August). De-identification framework. White paper, IBM Haifa Labs, Israel. Retrieved from Library Computer Science database.

RSA Authentication (2011). RSA Authentication Manager Express. Retrieved October 2, 2011 from http://www.rsa.com/products/AMX/ds/11241_h9006-amx-ds-0711.pdf

Unknown Author (2011). Authentication versus Authorization. Retrieved from http://www.duke.edu/~rob/kerberos/authvauth.html

Wettern, J. (2005). Security+ certification. Academic Learning Series. Redmond, WA: McGraw-Hill.

Wikipedia (2010). Multi-factor Authentication. Retrieved from http://en.wikipedia.org/wiki/Multi-factor_authentication#References

Zhang, N. C., Goble, C., Rector, A., & Chadwick, D. (2006, October). Achieving Fine-grained Access Control in Virtual Organizations. Concurrency and Computation: Practice and Experience, 19:1333–1352. Retrieved from Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/cpe.1099.