What is Authentication?
When we use the term “Access Control”, Authentication and Authorization are the two main areas that come up. Here, the methods used for Authentication in information systems are discussed.

Basically, Authentication is determining whether a particular user is allowed to access system resources. It decides whether access is granted or not. A system requires an answer to the question, “Are you who you say you are?” To answer it, you will have to provide:
- Something you know
- Something you have
- Something you are

“Something you know” can be a password. “Something you have” can be an ATM card. “Something you are” can be a fingerprint. First, let us discuss passwords.
An ideal password is something that a computer can verify that you know, and it should be something others cannot guess even with unlimited computing resources. However, most passwords do not meet these ideal conditions. Usually, users select bad passwords for their own devices, which makes the passwords easier to crack. Using randomly generated cryptographic keys can be a solution for this. The problem with that is that users should be able to remember their passwords, but it is difficult to remember such randomly selected bits. Even though there are various issues with passwords, authentication is mostly based on “Something you know” rather than “Something you have” or “Something you are.” The reason behind this is cost and convenience. Issuing smartcards and biometric devices costs more, whereas passwords are free. Also, it is easier to reset a password than to issue new smartcards and devices. Since this is the most convenient way, system administrators should test for weak passwords with a password-cracking tool so that attackers cannot crack them and access the system. Changing passwords frequently is also a good practice, but forcing users to set strong passwords is a difficult task. One weak password on an entire network can make the whole system vulnerable.
Let us see how a system verifies that the entered password is correct. To verify a password, the system needs access to the correct password so that it can be compared with the entered one. Storing the passwords themselves in a file is a bad idea since an attacker can easily target it. Cryptography can be a solution for this issue, but a decryption key would have to be stored to decrypt the file, and an intruder can easily steal the key. So, the most secure solution is storing hashed passwords. Then, when someone enters a password, it is hashed and compared, and the user is authenticated if it matches. Even if an intruder gets the password file, only the hashed passwords can be obtained.
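The two ideas above, a password file that holds only hashes and an administrator's check for weak passwords, fit together in a few lines. The following is an added example and not code from the original post: it stores each password as a salted PBKDF2-HMAC-SHA256 record (the post only says “hashed”; the per-user random salt, the deliberately slow hash and the constant-time comparison are the practitioner's additions), verifies a login attempt by re-hashing, and runs a constructed list of common passwords against a constructed password file the way a cracking tool would. The user names, passwords and wordlist are all made up for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed parameters: PBKDF2-HMAC-SHA256 with a per-user random salt.
# The iteration count is what makes offline guessing slow for an attacker
# who steals the file; raise it as hardware gets faster.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'iterations$salt_hex$hash_hex' for the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Hash the entered password exactly as stored and compare in constant time."""
    iterations_s, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations_s))
    return hmac.compare_digest(digest.hex(), hash_hex)


def audit_weak_passwords(password_file: Dict[str, str],
                         wordlist: List[str]) -> Dict[str, str]:
    """Administrator's check: try every wordlist entry against every stored record.

    Returns {user: guessed_password} for each account whose password is in the list.
    """
    found = {}
    for user, record in password_file.items():
        for candidate in wordlist:
            if verify_password(candidate, record):
                found[user] = candidate
                break
    return found


# Constructed sample data for the example (not real accounts).
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty"]


def build_sample_password_file() -> Dict[str, str]:
    """A constructed password file: only the salted hashes are kept, never the passwords."""
    return {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("password123"),
    }


if __name__ == "__main__":
    pw_file = build_sample_password_file()
    print("login alice / right password:", verify_password("correct horse battery staple", pw_file["alice"]))
    print("login alice / wrong password:", verify_password("hunter2", pw_file["alice"]))
    print("weak accounts found by audit:", audit_weak_passwords(pw_file, COMMON_PASSWORDS))
```

Because each record carries its own salt and iteration count, the audit has to run the slow hash once per candidate per user, which is exactly the cost an attacker who steals the file would face; a single unsalted fast hash would let one computed digest be checked against every account at once.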
Password cracking is the smallest of the problems with passwords. Most people require multiple passwords, and they tend to reuse the same password because they cannot remember many. This puts security at risk: if an attacker finds one password, it can be tried in other places as well. Another concern with passwords is social engineering. If someone calls you claiming to be a system administrator and asks for your password to solve an issue with your account, would you tell them your password? Most users will, because it concerns their own account and the caller claims to be a system administrator. This way, passwords lead to severe security issues. Let us look at biometrics, which are a more secure alternative for solving the problems related to passwords.
Biometrics fall under the “Something you are” method of authentication. Fingerprints, hand geometry, iris scans and speech recognition are included in this category. Cheap and convenient systems are needed to replace passwords with biometrics. Currently, there are laptops with fingerprint authentication, and restricted facilities use fingerprint readers to unlock doors. However, the usage of biometrics is low compared to passwords, even though they possess more potential than passwords. An ideal biometric should have the following properties.
- Universal – It should be applicable to everyone, but this is not fully possible since a small percentage of people do not have readable fingerprints.
- Distinguishing – It should be able to distinguish individuals with 100% certainty.
- Permanent – The physical characteristic should not change over a long period of time.
- Collectable – It should be possible to collect without harming the user.
- Reliable – It should be reliable, robust and user-friendly.
It is difficult to find a biometric which satisfies all the properties mentioned above. In practice, it is difficult to forge biometrics, but putting such a system in place is costly, which slows the replacement of passwords with biometrics. Also, many software-based attacks on authentication are happening. In the case of such an attack, it is easier to replace a broken cryptographic key or password than to revoke a compromised biometric. Therefore, despite all the advantages of biometrics over passwords, biometrics are not widely used compared to passwords. This will change in the future when biometrics become inexpensive.
Now let us move on to “Something you have.” Smartcards, ATM cards and other hardware tokens are used in this method. Such a token is able to store cryptographic keys and do some computations. The key is used to authenticate the user. The keys are selected at random, which eliminates password-guessing attacks. When using an ATM card, authentication happens based on both “Something you have” (the ATM card) and “Something you know” (the PIN). If an authentication method requires two out of the three “Somethings” (something you know, something you have, something you are), it is known as Two-Factor Authentication. This provides an extra layer of protection. The second factor can be a verification code received through a text message or a code generated by an authenticator application.
With the development of technology, the number of devices people use has been increasing, which has given intruders numerous possible ways to attack. It is crucial to put security in place, since the tactics an attacker can use also improve with the development of technology. Therefore, a proper mechanism of authentication is a must in an era of technology.
Reference
Stamp M (2005) Information security: principles and practice. Wiley, Hoboken.

Using a password manager is a good option.

You are right. Password cracking is not a problem anymore due to server-side monitoring and controlling of authentication attempts. The bigger threat of social engineering remains unless the software forces you to set a stronger and unguessable password. But that comes with a cost of inconvenience for the users.

The properties of biometrics were new to me. Thanks for the comprehensive post.

You have touched 360 degrees in authentication. Very informative post. Especially the "Biometrics" part.

You have described nicely how authentication is different from authorisation. In this post you have given an in-depth look into what authentication is. I'd like to suggest that you analyse the different authentication methods used by popular CSPs like AWS, GCP or Azure and write another post on it.

I will look into those areas too. Thank you!

Authentication is a very crucial factor for applications in the modern world to prevent unauthorized access to confidential data. A very informative article.

With the rapid growth of technology, data security is very demanding. So Authentication is one way to secure our data. You have explained its properties well.