What is Authentication?


When we use the term “Access Control,” the two main areas that come up are Authentication and Authorization. Here, the methods used for authentication in information systems are discussed.

Basically, authentication is the process of deciding whether a particular user is who they claim to be, and so whether they are allowed to access system resources; it decides whether access is granted or not. The system needs an answer to the question, “Are you who you say you are?” To answer it, you will have to provide one of the following.

  • Something you know
  • Something you have
  • Something you are


“Something you know” can be a password, “something you have” an ATM card, and “something you are” a fingerprint. First, let us discuss passwords.

An ideal password is one that a computer can verify you know, yet others cannot guess even with unlimited computing resources. Most real passwords fall far short of this ideal: users choose weak passwords for their own devices, which makes them easy to crack. Randomly generated cryptographic keys would solve the guessing problem, but users must be able to remember their passwords, and randomly chosen bits are hard to remember. Despite these issues, authentication is still based far more on “something you know” than on “something you have” or “something you are,” for reasons of cost and convenience: smartcards and biometric devices cost money, passwords are free, and resetting a password is easier than issuing a new card or device. Since passwords remain the most convenient method, system administrators should run a password-cracking tool against their own systems to find weak passwords before an attacker does. Changing passwords frequently is also good practice, but forcing users to set strong passwords is a difficult task, and a single weak password on a network can make the whole system vulnerable.

Let us see how a system verifies that an entered password is correct. To do so, it needs something to compare the entered password against. Storing the passwords themselves in a file is a bad idea, since that file becomes an obvious target. Encrypting the file helps little, because the decryption key must be stored somewhere and an intruder who steals the file can steal the key too. The most secure option is to store only hashes of the passwords: when someone enters a password, it is hashed and the result is compared with the stored hash, and the user is authenticated if they match. Even if an intruder obtains the password file, only the hashes are exposed.
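The hashed-password scheme described above, as an added example that is not part of the original post. It goes slightly beyond the text in two ways that a practitioner would expect: each password gets its own random salt (so two users with the same password do not share a hash), and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256) replaces a plain hash so that an attacker who steals the file cannot test guesses quickly. The iteration count, the small list of common passwords and the user names are constructed values chosen for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example).
ITERATIONS = 600_000

# Constructed sample of passwords that a cracking tool would try first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def is_weak(password: str) -> bool:
    """Reject passwords an attacker would guess quickly (short or on the common list)."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The password itself is never stored; only the salted, slow hash is kept.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(digest))


def verify_password(stored: str, password: str) -> bool:
    """Re-hash the entered password with the stored salt and compare the digests."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


# Record for a password nobody uses; it is verified for unknown user names so
# that the login path takes the same time whether or not the user exists.
_DUMMY_RECORD = hash_password("dummy-record-never-accepted")


def register(db: Dict[str, str], username: str, password: str) -> None:
    """Store a new user; weak passwords are refused at registration time."""
    if is_weak(password):
        raise ValueError("password is too short or too common")
    db[username] = hash_password(password)


def login(db: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate against the stored record; the plaintext never leaves this function."""
    stored = db.get(username)
    if stored is None:
        verify_password(_DUMMY_RECORD, password)
        return False
    return verify_password(stored, password)


if __name__ == "__main__":
    users: Dict[str, str] = {}
    register(users, "alice", "correct horse battery staple")
    print(users["alice"])  # what an intruder who steals the password file sees
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "password"))  # False
```

The stored record carries the algorithm name and iteration count, so the work factor can be raised later and old records re-hashed at the user's next successful login without a format change.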

Password cracking is actually the smallest of the problems with passwords. Most people need many passwords and, since they cannot remember them all, reuse the same one in several places. This puts security at risk: if an attacker recovers one password, it can be tried everywhere else. Another concern is social engineering. If someone phones you claiming to be a system administrator and asks for your password to fix a problem with your account, would you give it? Most users would, because the request concerns their own account and the caller claims to be an administrator. In these ways passwords lead to serious security problems. Let us look at biometrics, a more secure alternative that addresses some of the problems with passwords.

Biometrics fall under the “something you are” method of authentication; fingerprints, hand geometry, iris scans and speech recognition all belong to this category. For biometrics to replace passwords, cheap and convenient systems are needed. Today there are laptops with fingerprint authentication, and restricted facilities use fingerprint readers to unlock doors, but biometrics are still used far less than passwords despite their greater potential. An ideal biometric should have the following properties.

  • Universal – It should apply to everyone. In practice this is not fully achievable, since a small percentage of people do not have readable fingerprints.
  • Distinguishing – It should distinguish individuals with 100% certainty.
  • Permanent – The physical characteristic should not change over a long period of time.
  • Collectable – It should be collectable without harming the user.
  • Reliable – It should be reliable, robust and user-friendly.


It is difficult to find a biometric that satisfies all of the properties mentioned above. In practice biometrics are hard to forge, but deploying such a system is costly, which slows the replacement of passwords by biometrics. Many attacks on authentication are also software-based, and after such an attack it is easier to replace a compromised cryptographic key or password than to revoke a compromised biometric. So, despite all the advantages of biometrics over passwords, they are not widely used in comparison. This may change in the future as biometrics become inexpensive.

Now let us move on to “something you have.” Smartcards, ATM cards and other hardware tokens are used in this method. Such a token can store cryptographic keys and perform some computation, and the key is used to authenticate the user. Because the keys are chosen at random, password-guessing attacks are eliminated. When using an ATM card, authentication is based on both “something you have” (the card) and “something you know” (the PIN). An authentication method that requires two of the three factors (something you know, something you have, something you are) is known as two-factor authentication, and it provides an extra layer of protection. The second factor can be a verification code received by text message or a code generated by an authentication application.
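The “code generated by an authentication application” mentioned above is normally a time-based one-time password (TOTP, RFC 6238), built on HOTP (RFC 4226). The added example below is not part of the original post; it shows both sides of that second factor: the token (the app on the user's phone) derives a short code from a random key it shares with the server, and the server recomputes the code to check it. The shared key used in the demo is the published RFC test-vector key, and the `TotpVerifier` class, its drift window and its replay check are design choices made for this example.

```python
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional


def hotp(key: bytes, counter: int, digits: int = 6,
         digestmod: Callable = hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: Optional[float] = None, step: int = 30,
         digits: int = 6, digestmod: Callable = hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step.

    This is what the authentication app on the user's device computes.
    """
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time) // step, digits, digestmod)


class TotpVerifier:
    """Server-side check of a submitted code for one enrolled secret.

    Accepts codes from `window` neighbouring time steps to tolerate clock
    drift, and remembers the last accepted step so that a captured code
    cannot be replayed within the window.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_accepted_step = -1

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        if at_time is None:
            at_time = time.time()
        current = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate_step = current + delta
            if candidate_step <= self.last_accepted_step:
                continue  # this step's code was already used: reject replays
            expected = hotp(self.key, candidate_step, self.digits)
            # Constant-time compare on bytes so odd input cannot raise or leak timing.
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_accepted_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 / RFC 4226 test-vector key (not a secret anyone should enrol).
    shared_key = b"12345678901234567890"
    print(hotp(shared_key, 0))              # 755224
    print(totp(shared_key, 59, digits=8))   # 94287082
    server = TotpVerifier(shared_key, digits=8)
    code = totp(shared_key, 59, digits=8)   # what the phone app would display
    print(server.verify(code, at_time=59))  # True
    print(server.verify(code, at_time=59))  # False: replay of a used code
```

In a real deployment the shared key is generated with a cryptographic random source at enrolment, stored server-side with the same care as a password hash, and the server allows only a few failed attempts before locking, since a 6-digit code has just a million possibilities.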

As technology develops, people use ever more devices, which gives intruders many more ways to attack. It is crucial to put security in place, since the tactics available to an attacker improve along with the technology. A proper authentication mechanism is therefore a must in the era of technology.


Reference

Stamp M (2005) Information security: principles and practice. Wiley, Hoboken



Comments

  1. Using a password manager is a good option.

  2. You are right. Password cracking is not a problem anymore due to server-side monitoring & controlling of authentication attempts. The bigger threat of social engineering remains unless the software forces you to set a stronger & unguessable password. But that comes with a cost of inconvenience for the users.

  3. The properties of biometrics were new to me. Thanks for the comprehensive post.

  4. You have touched 360 degrees in authentication. Very informative post. Especially the "Biometrics" part.

  5. You have described nicely how authentication is different from authorisation. In this post you have given an in-depth look into what authentication is. I'd like to suggest you to analyse different authentication methods used by popular CSPs like AWS, GCP or Azure and write another post on it.

  6. Authentication is a very crucial factor for applications in the modern world to prevent unauthorized access to confidential data. A very informative article.

  7. With the rapid growth of technology, data security is very demanding. So authentication is one way to secure our data. You have well explained the properties of it.
