FRAMINGHAM (03/27/2000) - Who are you? Do you belong here? What rights do you have? And how do I know you're who you say you are?
Those are the essential questions that any effective security system must answer before a user can access a computer system, network or other protected resource. We think this is what a password system does, but passwords are only one part of an effective security system. That security system requires three separate elements - identification, authentication and authorization - that together make up what's called access control.
When you log into a computer or network, the first thing you're asked for is a user name or account name. But a user name offers little protection to the system. Therefore, the system also usually prompts you for a password, a form of authentication.
The question "How do I know you're who you say you are?" is, in many ways, the most important one. Unless it's answered satisfactorily, identification is incomplete and no authorization can or should take place. But how does a system verify that a user is who he says he is? Simply entering your password doesn't prove it's you. Someone else could know your password.
The answer lies in a strong authentication process. Basically, the following three factors can be used to authenticate an individual:
1. Something the user knows. This is a reusable password, passphrase, personal identification number or a fact likely to be known only to the user, such as his mother's maiden name.
2. Something the user has. This could be a key, a magnetic-stripe card, a smart card or a specialized authentication device (called a token) that generates a one-time password or a specific response to a challenge presented by the server.
3. Something the user is. This depends on some inherent physical trait or characteristic. Often called biometrics, examples of this form of authentication include: fingerprints, retinal (eye) patterns, hand geometry, voice recognition, facial recognition, typing pattern recognition and signature dynamics (speed and pressure, not just the outline).
These authentication factors are listed here from weakest to strongest as determined by how difficult they are to forge or fake. By themselves, each of these methods offers some security. However, each has its own problems or weaknesses.
Anyone can enter a password and, historically, reusable passwords have been vulnerable to guessing, brute force and dictionary-based attacks.
The second means of authentication - something the user has - requires the user to possess an often difficult-to-replicate device. However, this stronger protection also costs more (typically tens of dollars per device), and it requires contingency procedures in case a device is left at home, lost or stolen.
The third type of authentication - something the user is - is the most difficult to defeat, but it has other problems. Biometric identification methods are subject to two types of errors: false positives and false negatives. The first erroneously authenticates an individual who shouldn't be authenticated; the second denies an individual who should be authenticated.
Neither error is desirable, and it's important to know and verify error rates when considering such a system.
Another problem is that permanent physical changes or temporary ailments or accidents can alter or render unreadable the measured characteristic. If you cut part of your fingertip, you've changed what the fingerprint reader sees. Put on a Band-Aid, and the reader can't see the fingerprint at all.
Finally, if the method is compromised, there's no way to give an individual a new identifying characteristic. You can issue a new password or security token, but you can't change his fingerprints or eye pattern.
For greatly increased security, the approach preferred by experts is to use two of the three methods in combination - a process called two-factor authentication. For example, to use a security token that generates a one-time password, you may need to enter a personal identification number into the token itself. Similarly, a card-key can be used in combination with a biometric system.
This is essentially what happens when you check in at an airport ticket counter. You hand over your ticket, which identifies you. Then you show a photo ID of some kind. This is something you have with you, and it's biometric (something you are) in that the clerk has to determine that the photo on the card matches you.
Once a user has been identified and authenticated, what remains is to grant him access to whatever specific system resources have been approved. This authorization is usually accomplished by looking up that user's entry in an access control list that delineates specific rights and permissions. These can be based, among other things, on an individual's identity or job function, membership in a workgroup or other classification or time of day or day of week.
Authentication via Security Token
A hardware authentication device, or security token, provides greatly increased protection against spoofing or brute-force attacks. The time-synchronized SecurID card from RSA Security Inc. in Bedford, Massachusetts, has an LCD screen that shows a string of numbers that changes every minute. The user types in his user name at login, then the number shown on the card. The host system knows what that number is supposed to be for that user at that particular time.
Some tokens don't show a number continuously but require the user to enter a PIN on the card itself before the number is displayed, thus providing two-factor authentication.
With a token-based Challenge-Response system, the system displays a number (the challenge) when you log in. The user types this number into his token, which encrypts that to produce a second number (the response). The user enters the response into the computer. The host performs the same operation on the challenge, then compares its result to the user's response. If they match, the user is authenticated.
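The two token schemes described above (the time-synchronized code and the challenge-response exchange) as an added, self-contained example that is not part of the original article and not RSA's own algorithm: the token and the host share a secret seed, and both sides run the same one-way function over either the current minute or the host's challenge. A keyed hash (HMAC) stands in for the "encrypts" step in the text, and the seed value is constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed seed for this illustration only. In a real deployment the seed is
# provisioned into the token and the host at enrollment and never typed by the user.
SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _digits_from_mac(seed: bytes, message: bytes, digits: int) -> str:
    """Reduce HMAC-SHA256(seed, message) to a fixed-width decimal code."""
    mac = hmac.new(seed, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


def time_code(seed: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """Time-synchronized scheme: the code depends only on the seed and the
    current time window (one minute here), so token and host agree on it."""
    window = (now // step).to_bytes(8, "big")
    return _digits_from_mac(seed, window, digits)


def host_verify_time_code(seed: bytes, submitted: str, now: int, step: int = 60) -> bool:
    """Host-side check. Token clocks drift, so one window either side is accepted;
    the comparison is constant-time to avoid leaking how many digits matched."""
    for offset in (-step, 0, step):
        if hmac.compare_digest(time_code(seed, now + offset, step), submitted):
            return True
    return False


def host_challenge(digits: int = 8) -> str:
    """Challenge-response scheme, step 1: the host issues a fresh random number.
    A challenge must never be reused, or a recorded response could be replayed."""
    return str(secrets.randbelow(10**digits)).zfill(digits)


def token_response(seed: bytes, challenge: str, digits: int = 8) -> str:
    """Step 2: the user types the challenge into the token, which returns the response."""
    return _digits_from_mac(seed, challenge.encode("ascii"), digits)


def host_verify_response(seed: bytes, challenge: str, submitted: str) -> bool:
    """Step 3: the host computes the same response and compares it with the
    one the user entered; a match authenticates the user."""
    return hmac.compare_digest(token_response(seed, challenge), submitted)
```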
Authentication is the process through which the identity of a computer or network user is verified; it's the system that ensures that an individual is, in fact, who he claims to be. It's distinct from identification - determining whether an individual is known to the system - and from authorization - granting the user access to specific system resources based on his identity.