Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
Logically, authentication precedes authorization (although the two may often seem to be combined). The terms are often used synonymously, but they are two different processes.
Authentication vs. authorization
Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users' information, either on a local operating system or within an authentication server. If the credentials match, authentication is complete and the user is then granted authorization for access. The permissions and folders returned define both the environment the user sees and the way they can interact with it, including hours of access and other rights such as the amount of allocated storage space.
Both the process of an administrator granting rights and the process of checking a user account's permissions when it requests access to a resource are referred to as authorization. The privileges and preferences granted to the authorized account depend on the user's permissions, which are stored either locally or on the authentication server. All of these environment settings are defined by an administrator.
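As an added illustration (not code from the original article), the following Python sketch keeps the two steps the passage describes apart: authenticate() compares the supplied credentials against a stored salted PBKDF2 hash (a constructed in-memory table stands in for the database or authentication server), and authorize() consults a separate permission table only once authentication has succeeded. The user names, passwords and permission strings are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed credential store: one record per user holding a per-user salt
# and a PBKDF2-SHA256 hash, never the password itself. In a real deployment
# this lives in the local OS account database or an authentication server.
USERS = {}

# Constructed permission table: what each *authenticated* account may do.
# This is the authorization side and is maintained by an administrator.
PERMISSIONS = {
    "alice": {"read:reports", "write:reports"},
    "bob": {"read:reports"},
}

PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly


def register(username, password):
    """Store a salted hash of the password for a new (or reset) user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = {"salt": salt, "hash": digest}


def authenticate(username, password):
    """Authentication: compare supplied credentials with the stored record.

    Returns the user name on success and None on failure. The comparison is
    constant-time, and an unknown user name still pays for a hash computation
    so that response timing does not reveal which accounts exist.
    """
    record = USERS.get(username)
    salt = record["salt"] if record else os.urandom(16)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if record is None:
        return None
    if hmac.compare_digest(candidate, record["hash"]):
        return username
    return None


def authorize(principal, action):
    """Authorization: consult the permission table for an authenticated principal.

    An unauthenticated principal (None) is never granted anything, which is
    what "authentication precedes authorization" means in practice.
    """
    if principal is None:
        return False
    return action in PERMISSIONS.get(principal, set())


def access(username, password, action):
    """Full flow: authenticate first, then authorize the requested action."""
    principal = authenticate(username, password)
    return authorize(principal, action)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register("bob", "hunter2")
    print(access("alice", "correct horse battery staple", "write:reports"))  # True
    print(access("bob", "hunter2", "write:reports"))  # False: authenticated, not authorized
    print(access("bob", "wrong", "read:reports"))     # False: not authenticated
```

The point to notice is that bob's second call fails for a different reason than his third: the first is an authorization decision made about a known identity, the second never reaches the permission table at all.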
User authentication vs. machine authentication
User authentication occurs within most human-to-computer interactions other than guest accounts, automatically logged-in accounts and kiosk computer systems. Generally, a user has to enter or choose an ID and provide their password to begin using a system. User authentication authorizes human-to-machine interactions in operating systems and applications as well as both wired and wireless networks to enable access to networked and Internet-connected systems, applications and resources.
Machines also need to authenticate their automated actions within a network. Online backup services, patching and updating systems, and remote monitoring systems such as those used in telemedicine and smart grid technologies all need to authenticate securely, to verify that the authorized system, and not a hacker, is the one involved in any interaction.
Machine authentication can be carried out with machine credentials, much like a user's ID and password but submitted by the device in question. Machines can also use digital certificates issued and verified by a certificate authority (CA) as part of a public key infrastructure (PKI) to prove their identity while exchanging information over the Internet, like a type of digital password.
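The following Python example is added here and is not from the original article. It shows one common shape of credential-based machine authentication: a challenge/response exchange in which the server sends a random nonce, the device answers with an HMAC over the nonce under a secret provisioned out of band, and the server verifies it. The device ID, secret and timestamps are constructed values; the choice to MAC the nonce rather than send the secret itself is the example's own design, so a captured exchange cannot be replayed.

```python
import hashlib
import hmac
import os

# Constructed machine credentials: the server holds one shared secret per
# device ID, provisioned out of band. The secret itself never crosses the wire.
DEVICE_SECRETS = {
    "backup-agent-17": b"constructed-device-secret-do-not-reuse",
}

CHALLENGE_TTL = 30  # seconds a challenge remains valid


def _mac(secret, device_id, nonce):
    """Binding the device ID into the MAC stops a response made for one
    device being presented as another's."""
    return hmac.new(secret, device_id.encode() + nonce, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self._pending = {}  # nonce -> (device_id, issued_at)

    def issue_challenge(self, device_id, now):
        """Step 1 (server -> device): a fresh random nonce, remembered so it
        can be accepted exactly once."""
        nonce = os.urandom(16)
        self._pending[nonce] = (device_id, now)
        return nonce

    def verify(self, device_id, nonce, response, now):
        """Step 3 (server): recompute the expected MAC and compare in constant
        time. The nonce is consumed whether or not the check passes, so a
        captured response is useless a second time."""
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False  # unknown, expired-and-purged, or already used
        issued_to, issued_at = entry
        if issued_to != device_id or now - issued_at > CHALLENGE_TTL:
            return False
        secret = DEVICE_SECRETS.get(device_id)
        if secret is None:
            return False
        return hmac.compare_digest(_mac(secret, device_id, nonce), response)


def device_respond(device_id, secret, nonce):
    """Step 2 (device -> server): prove possession of the secret by MACing
    the server's nonce together with the device's own ID."""
    return _mac(secret, device_id, nonce)


if __name__ == "__main__":
    srv = Server()
    dev = "backup-agent-17"
    nonce = srv.issue_challenge(dev, now=1000)
    resp = device_respond(dev, DEVICE_SECRETS[dev], nonce)
    print(srv.verify(dev, nonce, resp, now=1005))  # True
    print(srv.verify(dev, nonce, resp, now=1006))  # False: nonce already consumed
```

Certificate-based machine authentication follows the same challenge/response pattern, with the device signing the server's nonce using the private key behind its CA-issued certificate instead of computing an HMAC under a shared secret.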
The importance of strong machine authentication
With the increasing number of Internet-enabled devices, reliable machine authentication is crucial to allow secure communication in home automation and other networked environments. In the Internet of things scenario, which is increasingly becoming a reality, almost any imaginable entity or object may be made addressable and able to exchange data over a network. It is important to realize that each access point is a potential intrusion point. Each networked device needs strong machine authentication, and, despite their normally limited activity, these devices must also be configured with limited permissions, to bound what can be done with them even if they are breached.
In private and public computer networks (including the Internet), authentication is commonly done through the use of login IDs (user names) and passwords. Knowledge of the login credentials is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else, such as a systems administrator), using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. However, password-based authentication is not considered to provide adequately strong security for any system that contains sensitive data.
The problem with password-based authentication:
User names are frequently a combination of the individual’s first initial and last name, which makes them easy to guess. If constraints are not imposed, people often create weak passwords -- and even strong passwords may be stolen, accidentally revealed or forgotten. For this reason, Internet business and many other transactions require a more stringent authentication process.
Password-based authentication weaknesses can be addressed to some extent with smarter user names and password rules like minimum length and stipulations for complexity, such as including capitals and symbols. However, password-based authentication and knowledge-based authentication (KBA) are more vulnerable than systems that require multiple independent methods.
An authentication factor is a category of credential used for identity verification. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor) and something you are (the inherence factor).
- Knowledge factors -- a category of authentication credentials consisting of information that the user possesses, such as a personal identification number (PIN), a user name, a password or the answer to a secret question.
- Possession factors -- a category of credentials based on items that the user has with them, typically a hardware device such as a security token or a mobile phone used in conjunction with a software token.
- Inherence factors -- a category of user authentication credentials consisting of elements that are integral to the individual in question, in the form of biometric data.
User location and current time are sometimes considered the fourth and fifth factors of authentication. The ubiquity of smartphones can help ease the burden of multifactor authentication for users: most smartphones are equipped with GPS, which gives reasonable assurance of the login location. Lower-assurance measures include the MAC address of the login point or physical presence verification through cards and other possession-factor elements.
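As an added example (not from the original article) of the possession factor in the list above, here is a small Python implementation of the time-based one-time password that a software token on a phone produces and that a server verifies. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly from the standard library; the shared secret used in the usage lines is the RFC test-vector secret, and the user names are constructed. The verifier's replay protection (remembering the last accepted time step per user) is this example's own design choice rather than anything the article specifies.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per TOTP time step
DIGITS = 6
WINDOW = 1   # accept the previous and next step to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(at) // step)


class TotpVerifier:
    """Server-side check of the possession-factor code.

    The last accepted time step is remembered per user so that a code
    captured in transit cannot be presented again inside the drift window.
    """

    def __init__(self, secrets):
        self._secrets = secrets   # user -> shared secret bytes (enrolled once)
        self._last_step = {}      # user -> last accepted counter

    def verify(self, user, code, now=None):
        secret = self._secrets.get(user)
        if secret is None:
            return False
        now = int(time.time()) if now is None else int(now)
        current = now // STEP
        for counter in range(max(current - WINDOW, 0), current + WINDOW + 1):
            if counter <= self._last_step.get(user, -1):
                continue  # this step, or an older one, was already used
            # Compare as bytes in constant time; user input may be any str.
            if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
                self._last_step[user] = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector secret
    print(totp(secret, 59))            # 287082 (RFC 6238, time 59, 6 digits)
    v = TotpVerifier({"alice": secret})
    print(v.verify("alice", "287082", now=59))   # True
    print(v.verify("alice", "287082", now=59))   # False: replayed
```

A complete two-factor login would run the knowledge-factor check (password) first and only then call verify() with the code from the user's token; a failure in either factor is reported identically so the response does not reveal which factor was wrong.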
Strong authentication vs. multifactor authentication (MFA)
Strong authentication is a commonly used term that is largely without a standardized definition. For general purposes, any method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects can be considered strong authentication.
The term strong authentication is often used to refer to two-factor authentication (2FA) or multifactor authentication (MFA). That usage probably came about because MFA is a widely applied approach to strengthening authentication. In cryptography, strong authentication is defined as a system involving multiple challenge/response answers. Because such a system involves multiple instances of a single factor (the knowledge factor), it is an example of single-factor authentication (SFA), regardless of its strength.
Other definitions of strong verification:
In some environments, any system in which the password is not transmitted during the verification process is considered strong. As defined by the European Central Bank, strong authentication is any combination of at least two mutually independent factors of authentication, which must also include one non-reusable element that is not easily reproduced or stolen from the Internet.
Although strong authentication is not necessarily multifactor, multifactor authentication processes have become commonplace for system logins and transactions within systems with high security requirements.
Two-factor (2FA) and three-factor (3FA) authentication are becoming common; four-factor (4FA) and even five-factor (5FA) authentication systems are used in some high-security installations. The use of multiple factors increases security because it is unlikely that an attacker could obtain all of the elements required for authentication. Each additional factor increases the security of the system and decreases the likelihood that it could be breached.