Authentication is the process of identifying an individual based on some form of identification.
Authentication only ensures that the individual is who he or she claims to be,
but says nothing about the access rights of the user.
Authentication (From Greek: 'authentes'='author')
The individual authenticated may be a person, a computer or a computer program.
Authentication of a person is the process of verifying their identity.
Authentication of an object or program may mean confirming its provenance.
For example, in computer security a simple authentication scheme is based on a username and password. Another example is authenticating the origin of a product such as wine or coffee to ensure a certain quality or special features.
Common examples involving authentication are:
logging in to read your email.
withdrawing cash from an ATM.
controlling a remote computer over the Internet.
using an Internet banking system.
Authentication and Authorization
Authentication is distinct from authorization.
Authorization is the process of verifying that a known person or program
has the authority to perform a certain operation or access system objects, based on their identity.
Authentication, therefore, must precede authorization. Since authorization cannot occur without authentication, the former term is sometimes used to mean the combination of authentication and authorization. To distinguish authentication from the closely related term authorization, the short-hand notations A1 (authentication) and A2 (authorization) are occasionally used.
For example, when you show proper identification to a bank teller, you could be authenticated by the teller, and you would be authorized to access information about your bank accounts. But you would not be authorized to access accounts that are not your own.
Authentication is a process where a person or a computer program
proves their identity in order to access information.
Proof is the most important part of the concept.
The proof is generally known as identification or ID and can be something that the individual knows, like a password; something that he possesses, like a passport; or something that is unique to this person, like a fingerprint.
Strong authentication systems will require at least two of these proofs.
People authenticate themselves using these methods:
Something the user is. Examples are: DNA sequence, unique voice pattern, fingerprint or retinal pattern, signature recognition or another biometric identifier such as the face.
Something the user has. Examples are an ID card, passport, cell phone, security token or software token.
Something the user knows, like a password, a pass phrase or a personal identification number (PIN).
Sometimes a combination of methods is used, for example the ATM card and the PIN,
in which case the term 'two-factor authentication' is used.
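The two-factor login described above, as an added example that is not part of the original page: the server keeps a salted PBKDF2 hash of the password (something the user knows) and the shared secret of a one-time-password token (something the user has), and both checks must pass. The token code is computed with HOTP from RFC 4226 so the result can be checked against that RFC's published test vectors; the user record, the window of three counters and the secret are constructed for this example, and the code assumes nothing about any particular product.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000
RFC4226_SECRET = b"12345678901234567890"  # test-vector secret from RFC 4226 Appendix D


def make_password_record(password: str, salt: bytes = b"") -> dict:
    """Store only a salted hash of the knowledge factor, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): the code a token displays for `counter`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_user(password: str, otp_secret: bytes) -> dict:
    """Hypothetical user record: hashed password, token secret, next expected counter."""
    return {"password": make_password_record(password),
            "otp_secret": otp_secret,
            "otp_counter": 0}


def two_factor_login(user: dict, password: str, otp: str, window: int = 3) -> bool:
    """Both factors must verify. A code is accepted only if it matches one of the next
    `window` counters (tokens drift when pressed without logging in); on success the
    stored counter moves past it, so an observed code cannot be replayed."""
    if not verify_password(user["password"], password):
        return False
    start = user["otp_counter"]
    for candidate in range(start, start + window):
        if hmac.compare_digest(hotp(user["otp_secret"], candidate), otp):
            user["otp_counter"] = candidate + 1
            return True
    return False


if __name__ == "__main__":
    alice = make_user("correct horse battery staple", RFC4226_SECRET)
    first_code = hotp(RFC4226_SECRET, 0)          # 755224 per RFC 4226
    print(two_factor_login(alice, "correct horse battery staple", first_code))  # True
    print(two_factor_login(alice, "correct horse battery staple", first_code))  # False: replay
```

The replay rejection is the point worth noticing: a possession factor only adds security if each code is usable once, which is why the server advances the counter instead of merely comparing the code.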
Authentication and Biometrics
Historically, fingerprints have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability. Other biometric methods are promising (retinal and fingerprint scans are an example), but have shown themselves to be easily spoofable in practice.
Authentication and Cryptography
Authentication processes are linked with encryption or cryptographic systems.
For example, on the Internet the sites and programs that want to authenticate you
rely on your password as proof, and it must be sent encrypted or it is no longer a secret.
Cryptographic methods have been developed that are currently not spoofable if (and only if) the originator's key has not been compromised (for example, digital signatures and challenge-response authentication).
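A minimal challenge-response exchange of the kind mentioned above, written as an added example rather than code from the original page. The server sends a fresh random nonce, the client answers with an HMAC over that nonce keyed with the shared secret, and the server recomputes and compares; the secret itself never crosses the wire, and each nonce is retired after one use so a captured response cannot be replayed. The `Server` class, its user store and the domain-separation prefix are constructed for this example, and, as the paragraph states, the scheme is only as strong as the secrecy of the key.

```python
import hashlib
import hmac
import os

PREFIX = b"challenge-response:"  # domain separation so the MAC cannot be reused elsewhere


def _response(secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(secret, PREFIX + nonce, hashlib.sha256).digest()


class Server:
    """Hypothetical verifier holding one shared secret per user."""

    def __init__(self, users: dict):
        self.users = users      # username -> shared secret (constructed store)
        self.pending = {}       # username -> outstanding nonce, one attempt at a time

    def challenge(self, username: str) -> bytes:
        """Step 1, server -> client: a fresh 128-bit random nonce."""
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Step 3: recompute the expected MAC, compare in constant time, retire the nonce."""
        nonce = self.pending.pop(username, None)   # pop: a nonce is valid exactly once
        secret = self.users.get(username)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(_response(secret, nonce), response)


def client_respond(secret: bytes, nonce: bytes) -> bytes:
    """Step 2, client -> server: prove knowledge of the secret without revealing it."""
    return _response(secret, nonce)


if __name__ == "__main__":
    server = Server({"alice": b"alice-shared-secret"})   # constructed secret
    nonce = server.challenge("alice")                    # server -> client
    answer = client_respond(b"alice-shared-secret", nonce)  # client -> server
    print(server.verify("alice", answer))   # True
    print(server.verify("alice", answer))   # False: same response replayed
```

Note that the server must store the shared secret, so this exchange protects the secret in transit but not at rest; that is exactly the "key has not been compromised" condition the paragraph attaches to such methods.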
It is not known whether these cryptographically based authentication methods are provably secure since unanticipated mathematical developments may make them vulnerable to attack in future. If that were to occur, it may call into question much of the authentication in the past. In particular, a contract may be questioned when a new attack on the cryptography underlying the signature is discovered.
Authentication and Trust
In a Web of trust "authentication" is a way to ensure users are who they say they are and the user who attempts to perform functions in a system is in fact the one authorized to do so.
A common case on the Internet is the confirmation email that must be replied to in order to activate an online account of some kind. Since email can easily be arranged to go to or come from bogus and untraceable addresses, this is a weak authentication method that only proves that the email address exists but says nothing about the real identity of the individual.
Authentication Sites and Links
BioPassword - A software-based technology that learns and verifies unique typing patterns. Includes an introduction to biometrics and keyboard dynamics.
Blockade Systems - Password synchronization and enterprise-wide access control management software. Includes a return-on-investment calculator.
Dos and Don'ts of Client Authentication on the Web - Paper by Kevin Fu, Emil Sit, Kendra Smith, and Nick Feamster. In the Proceedings of the 10th USENIX Security Symposium, Washington, D.C., August 2001. [PDF]
Finally Software - Enterprise security solutions based on PKI and Kerberos. Also offer a secure terminal emulator for connecting to Unix servers from Windows. Product information and downloadable evaluation software.
Flicks Software - Software password protects web content (Windows NT / 2000). Free trial downloads available.
iDEX Systems, Inc. - Java-powered iButton based personal identity management security services and digital certificate authentication for secure logon, secure messaging, and digital signatures.
IIS User Authentication Tutorial - Information on various methods for WWW password protection using Internet Information Server (IIS). Text-based tutorial with some screenshots.
iisPROTECT - Functions with Internet Information Server to secure web sites. Includes live demo.
Intertrust Technologies Corporation - Develops general purpose digital rights management platform which serves as foundation for providers of digital information, technology and commerce services to participate in a global system for digital commerce. (Nasdaq: ITRU).
I/O Software - Provider of software solutions, including biometric solutions. Site includes product descriptions and technology licensing terms.
M-Tech Information Technology, Inc. - ID-Synch, identity management software for managing user administration processes. Product information, customers, press releases and contact details.
NMA, Inc. - ZSentry two-factor authentication solution. Product information, white papers and contact details.
Open Systems Management - Password synchronization and role based access control across UNIX, Windows NT and resident applications. Site contains FAQs.
Password Management - Paper by M. Bishop, 1991. Discusses problems of password selection and password management, and identifies relevant techniques. [PDF]
Pluggable Authentication Modules - Sun's official PAM documentation. Programmer documentation and source code.
A Proactive Password Checker - Paper by M. Bishop, 1991. The author describes a technique, and a mechanism, to allow users to select passwords which to them are easy to remember but to others would be very difficult to guess. [Postscript]
Remote User Authentication in Libraries - Comprehensive collection of resources for libraries and universities. Includes links to software and some links of interest to non-librarians.
RSA Security - Products include token-based one time password systems and single sign on systems. Site contains information on security.
SAFLINK - Offer a range of identity management solutions based on tokens, smartcards and biometrics. Headquarters in Bellevue, WA.
Secure Remote Passwords - Software integrates into existing networked applications. Secure telnet and FTP available. Open source. User and technical documentation as well as source code.
SecureUser.net - Providers of tools to e-commerce developers. Site includes a technology explanation and case studies.
Theory of Identification and Authentication - History and development of mechanisms and techniques.
Unisys - Makers of several related products. Site includes rationale as well as comprehensive usage information.
Vasco - Makers of both software and hardware systems. Demos, case studies and product information.
Public key cryptography
Encrypted key exchange (EKE)
Secure remote password protocol (SRP)
Two-factor / strong authentication