QuickStudy: Authentication
Computerworld - Who are you? Do you belong here? What rights do you have? And how do I know you're who you say you are?
Those are the essential questions that any effective security system must answer before a user can access a computer system, network or other protected resource. We think this is what a password system does, but passwords are only one part of an effective security system. That security system requires three separate elements - identification, authentication and authorization - that together make up what's called access control.
When you log into a computer or network, the first thing you're asked for is a user name or account name. But a user name offers little protection to the system. Therefore, the system also usually prompts you for a password, a form of authentication.
Authentication
The question "How do I know you're who you say you are?" is, in many ways, the most important one. Unless it's answered satisfactorily, identification is incomplete and no authorization can or should take place. But how does a system verify that a user is who he says he is? Simply entering your password doesn't prove it's you. Someone else could know your password.
The answer lies in a strong authentication process. Basically, the following three factors can be used to authenticate an individual:
1. Something the user knows. This is a reusable password, passphrase, personal identification number or a fact likely to be known only to the user, such as his mother's maiden name.
2. Something the user has. This could be a key, a magnetic-stripe card, a smart card or a specialized authentication device (called a token) that generates a one-time password or a specific response to a challenge presented by the server.
3. Something the user is. This depends on some inherent physical trait or characteristic. Often called biometrics, this form of authentication includes fingerprints, retinal (eye) patterns, hand geometry, voice recognition, facial recognition, typing pattern recognition and signature dynamics (speed and pressure, not just the outline).
For more on biometrics, see "Give Your Computer the Finger" in this issue.
These authentication factors are listed here from weakest to strongest as determined by how difficult they are to forge or fake. By themselves, each of these methods offers some security. However, each has its own problems or weaknesses.
Anyone can enter a password and, historically, reusable passwords have been vulnerable to guessing, brute force and dictionary-based attacks.
The second means of authentication - something the user has - requires the user to possess an often difficult-to-replicate device. However, this stronger protection also costs more (typically tens of dollars per device), and it requires contingency procedures in case a device is left at home, lost or stolen.
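The challenge-response token mentioned under "something the user has," sketched as an added example that is not part of the original article: the server sends a random challenge, the token answers with an HMAC computed from a secret shared at enrollment, and the server accepts each challenge only once. The class and function names, the HMAC-SHA-256 construction and the sample user "alice" are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ChallengeServer:
    """Server side: issues single-use challenges and checks token responses."""

    def __init__(self):
        self._token_keys = {}   # user -> secret shared with that user's token
        self._pending = {}      # user -> challenge awaiting a response

    def enroll(self, user):
        """Provision a token: generate its secret and record it for the user."""
        key = secrets.token_bytes(32)
        self._token_keys[user] = key
        return key

    def challenge(self, user):
        """Issue a fresh random challenge (nonce) for one login attempt."""
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        """Accept only the correct response to the outstanding challenge."""
        nonce = self._pending.pop(user, None)   # single use: consumed here
        key = self._token_keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def token_response(key, nonce):
    """Token side: prove possession of the key without revealing it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    server = ChallengeServer()
    key = server.enroll("alice")                 # constructed sample user
    nonce = server.challenge("alice")
    answer = token_response(key, nonce)
    first = server.verify("alice", answer)       # genuine token: accepted
    replay = server.verify("alice", answer)      # same answer again: rejected
    server.challenge("alice")                    # new login attempt
    wrong_key = server.verify("alice", token_response(b"\x00" * 32, nonce))
    return first, replay, wrong_key
```

Because the response depends on a fresh challenge each time, an answer observed on one login is useless on the next, which is what distinguishes the token from a reusable password.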