
Protecting Your Data in Today's World

Part 2 - Authentication Methods
Secure Systems and their Architecture

This is Part 2 of the series Protecting Your Data in Today's World. The following articles discuss related topics on how to protect your data in today's world:

The objective is to provide a simple and secure process for users to log in to your system or application. The problem is that there are many different ways to authenticate users, and no single one is best in every situation. What should be considered when choosing an authentication process for end users?

To authenticate something is to establish that it is what it claims to be. In information technology, authentication is the process by which a party proves a claimed identity. In practice this means verifying both the digital identities of computers and the identities of the people using them.

Just as there are several ways to authenticate people in face-to-face commerce, there is a variety of authentication methods available in the e-commerce world. Overall, many of these methods are more trustworthy and reliable than the conventional checks used in face-to-face commerce.

In an on-line environment, a user's identity should be authenticated before any rights are granted to that user. Identification on its own (a user merely stating who they are) offers little or no value, and must always be backed by some method of verifying the associated credentials.

In general, there are three ways to authenticate the identity of an on-line user:
1) Something the user knows or remembers, such as a password.
2) Something the user has in their possession, such as a key or a token.
3) Some personal physical attribute of the user, such as a fingerprint or a retinal scan.
Stronger authentication combines factors from more than one of these categories, so that compromising one factor is not enough to impersonate the user.

Authentication based on knowledge or memory

Passwords are the most common method of authentication, at least when users can remember them. Although they are simple to implement, password systems can be expensive to maintain (resets, lockouts and help-desk calls), are inconvenient, and on their own provide only a modest level of security.

The inherent problem of password complexity presents additional burdens. If passwords are kept simple so they are easy to remember, they are also easy for others to guess or crack, compromising the system's security. If they are made more complex, they are easily forgotten or written down in various places, which also undermines security policy. A password never guarantees that a user is who they claim to be: passwords can be shared, passed around and abused without limit. Because passwords are inconvenient, users have also become accustomed to reusing the same or similar passwords on many systems, so once this method of authentication is breached on one system, the security of other systems is very likely in jeopardy as well. Password rules (a minimum length, rejection of common or previously breached passwords, lockout after repeated failures) help to prevent breaches, but forced routine changes add inconvenience for the end user and tend to push them toward predictable variations of the old password.

If password authentication is used over a plain http connection (without SSL/TLS), the password travels as plain text over an open network, including the Internet. This opens a big door for anyone capturing the contents of data packets on the path: usernames and passwords can be read out with little effort, and HTTP Basic authentication offers no protection here, since it only base64-encodes the credentials, which is encoding and not encryption. Even though passwords by themselves are viewed as a weak authentication method, they can still add value in high-security applications when combined with other authentication methods.
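
To make the plain-text exposure concrete, here is an added example (not from the original article) that parses two constructed captures of login requests sent over http:// and recovers the credentials from each, one from an HTTP Basic header and one from a form-encoded POST body. It is Go using only the standard library; the host name, user names and passwords are made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed captures (not real traffic) of two login requests, exactly as a
// passive sniffer on the network path sees them when the site uses plain http://.
const basicAuthCapture = "GET /account HTTP/1.1\r\n" +
	"Host: shop.example\r\n" +
	"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n" +
	"\r\n"

const formLoginCapture = "POST /login HTTP/1.1\r\n" +
	"Host: shop.example\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\n" +
	"Content-Length: 28\r\n" +
	"\r\n" +
	"username=bob&password=s3cret"

// ExtractCredentials parses one captured request and returns whatever
// credential it carries: an HTTP Basic header (base64 is encoding, not
// encryption) or a username/password pair in a form-encoded login body.
func ExtractCredentials(capture string) (user, pass string, ok bool) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(capture)))
	if err != nil {
		return "", "", false
	}
	if u, p, found := req.BasicAuth(); found {
		return u, p, true
	}
	if req.ParseForm() == nil {
		u, p := req.PostFormValue("username"), req.PostFormValue("password")
		if u != "" && p != "" {
			return u, p, true
		}
	}
	return "", "", false
}

func main() {
	for _, capture := range []string{basicAuthCapture, formLoginCapture} {
		if u, p, ok := ExtractCredentials(capture); ok {
			fmt.Printf("recovered credentials: %s / %s\n", u, p)
		}
	}
}
```

Nothing here is an attack on the password scheme itself; the whole "exploit" is an HTTP parser, which is the point. Over TLS the same capture would contain only the encrypted record layer.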

Authentication based on a possession

Public key authentication is much more powerful than simple passwords. In a public key system, each user has a key pair: a private key and a public key. The private key stays on the user's (client) system and is never transmitted, while the matching public key can be given to anyone (e.g. a web site) who wants to communicate or do business with the user. The user authenticates by proving possession of the private key, typically by signing a challenge that the other side verifies with the public key. The same cryptography underlies SSL/TLS: the server presents its public key (in a certificate) when an HTTPS session is set up, the two sides use public-key operations to authenticate and agree on a session key, and the session data itself is then encrypted with that shared key. With client certificates the client is authenticated in the same way. In a Public Key Infrastructure (PKI), keys and certificates are managed transparently for the user, and the private key is generally protected by a password or PIN.

Two major benefits of public key systems are: First, the web server need not store any secret for the user. It stores only the public key (or trusts a CA that vouches for it), so a compromise of the server's user store does not let an attacker impersonate anyone. A user can keep the same key pair for all of their e-commerce activity, since the private key stays secret no matter how many partners know the public key. Second, a digital signature is legally recognized in many jurisdictions and plays a role similar to a handwritten signature on a contract. Since the user, and only the user, holds the private key, a merchant or business partner can prove that only that user could have generated the signature, provided the private key has not been stolen or shared.
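
The challenge-response exchange the two paragraphs above describe, as an added example rather than code from the original article: the server keeps only public keys, issues a random nonce, and accepts a login when the client returns a valid signature over it; the nonce is retired after one use, so a captured response cannot be replayed. It is Go using the standard library's Ed25519. The server name "shop.example" and the "auth-challenge:" message framing are assumptions of this example, not a standard protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Server stores no secrets: only each user's public key and the single
// challenge currently outstanding for that user.
type Server struct {
	name    string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer(name string) *Server {
	return &Server{name: name, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records a user's public key (in practice, after verifying who they are).
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge hands the user a fresh random nonce to sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// challengeMessage binds the nonce to the server's name, so a signature
// obtained for one service cannot be replayed against another.
func challengeMessage(server string, nonce []byte) []byte {
	return append([]byte("auth-challenge:"+server+":"), nonce...)
}

// Authenticate checks the signature over the outstanding nonce and retires the
// nonce either way, so a captured response is useless a second time.
func (s *Server) Authenticate(user string, nonce, sig []byte) bool {
	pub, known := s.pubKeys[user]
	want, outstanding := s.pending[user]
	if !known || !outstanding || subtle.ConstantTimeCompare(nonce, want) != 1 {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, challengeMessage(s.name, nonce), sig)
}

// Client holds the private key, which is used to sign but never transmitted.
type Client struct {
	user string
	priv ed25519.PrivateKey
}

func NewClient(user string) (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{user: user, priv: priv}, nil
}

func (c *Client) PublicKey() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }

// Respond signs the server's challenge with the private key.
func (c *Client) Respond(server string, nonce []byte) []byte {
	return ed25519.Sign(c.priv, challengeMessage(server, nonce))
}

// Login runs the exchange: challenge from the server, signature from the client, verdict.
func Login(s *Server, c *Client) (bool, error) {
	nonce, err := s.Challenge(c.user)
	if err != nil {
		return false, err
	}
	return s.Authenticate(c.user, nonce, c.Respond(s.name, nonce)), nil
}

func main() {
	srv := NewServer("shop.example")
	alice, _ := NewClient("alice")
	srv.Enroll("alice", alice.PublicKey())
	ok, err := Login(srv, alice)
	fmt.Println("alice authenticated:", ok, err)
}
```

Note what is and is not on the server: a dump of its pubKeys map gives an attacker nothing to log in with, whereas a dump of a password database is worth cracking. Binding the server name into the signed message is what stops a phishing site from relaying a genuine challenge to the user and forwarding the signature.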

Public key technology is widely available today. The key pair is typically generated and stored on the client's PC. It may also be stored on a "smart card", similar in form to a credit card, which performs the private-key operations on the card itself and requires a password or PIN to use. Smart cards add an additional level of security because the private key never leaves the card and so cannot be copied by malware on the PC; they will no doubt be used more frequently in business-to-business and e-commerce transactions as e-business evolves.

Digital certificates (based on PKI technology) are also used to establish secure communications over the Internet. A certificate is an electronic file, signed by a Certification Authority (CA), that binds a public key to the identity of a particular user or server. The CA validates the applicant's credentials once, at the time the certificate is issued. A certificate by itself does not authenticate anyone: presenting it only shows what the CA vouched for, and authentication happens when the holder proves possession of the matching private key, for instance during the SSL handshake. Certificates are therefore used in conjunction with other authentication steps to establish a secure method of accessing information.
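
An added example (not from the original article) of the certificate lifecycle just described, in Go using the standard library's crypto/x509: a CA issues a client certificate once after validating the applicant, and a relying server later verifies the chain on each connection. The CA names are made up, and the example deliberately stops at chain verification, because that step alone establishes only what the CA vouched for and not that the presenter holds the private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA creates a self-signed certification authority (a stand-in for a real CA).
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// IssueClientCert is the CA's one-time act after validating the applicant: it
// signs a certificate binding the applicant's public key to their name.
func IssueClientCert(ca *x509.Certificate, caKey ed25519.PrivateKey, user string,
	userPub ed25519.PublicKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, userPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyClientCert is the relying server's check on every connection: does the
// chain lead to a CA it trusts, and is the certificate valid for client auth?
// Passing proves only that the CA vouched for this name/key binding; the holder
// must still prove possession of the private key (the TLS handshake does this).
func VerifyClientCert(cert, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	ca, caKey, _ := NewCA("Example Trusted CA")
	alicePub, _, _ := ed25519.GenerateKey(rand.Reader)
	cert, _ := IssueClientCert(ca, caKey, "alice", alicePub, 2)
	fmt.Println("alice's cert against trusted CA:", VerifyClientCert(cert, ca))
	rogue, rogueKey, _ := NewCA("Rogue CA")
	forged, _ := IssueClientCert(rogue, rogueKey, "alice", alicePub, 3)
	fmt.Println("same name, untrusted CA:", VerifyClientCert(forged, ca))
}
```

The second case in main is the one that matters in practice: a certificate that says "alice" is worthless unless the CA that signed it is in the relying party's trust store, which is why the set of trusted roots is itself a security-critical configuration.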

Authentication based on personal physical attributes

Often described as the most secure approach to authenticating a user is what has been termed 'biometrics', where a personal physical attribute of the user is measured to determine their identity. Specific methods include fingerprint scans, retinal scans, voice recognition, facial recognition, signature analysis and DNA analysis. Each of these methods presents its own complexities and problems: every sensor has a false-accept and a false-reject rate, and unlike a password a compromised biometric cannot be changed, so stored biometric templates need the same protection as any other credential. The different technologies that make up biometrics have already proven their value and, for the right applications, offer significant advantages over other forms of authentication such as passwords and PKI.

When considering the right authentication mechanism for a system or application, it is important to understand where the security mechanism will reside in the overall system architecture. Equally important is a clear understanding of the different authentication methods available and how they can be combined, so that a second factor still protects the account when the first one is compromised. Fortunately, there are many methods to authenticate users over the Internet today, each with its own strengths and weaknesses. We can expect widespread deployment and use of public key systems, as well as advances in biometric technologies, for those applications or systems that require stronger user authentication.