Authentication is the process of determining whether a user or identity is who they claim to be. Authentication is accomplished using something the user knows (e.g. a password), something the user has (e.g. a security token) or something the user is (e.g. a biometric).
The authentication process is based on a measure of risk. High risk systems, applications and information require different forms of authentication that more accurately confirm the user's digital identity as being who they claim to be than would a low risk application, where the confirmation of the digital identity is not as important from a risk perspective. This is commonly referred to as "stronger authentication".
Authentication processes are dependent upon identity verification and registration processes. For example, when Jane Doe is hired at an enterprise, she provides the enterprise with information and tokens of who she is (e.g. name, address, driver's license, birth certificate, an SSN, a passport, etc.). The enterprise may choose to immediately accept this information, or it may instead choose to run background checks on Jane to see if she is who she claims to be and determine whether she has any criminal record. When the checks come back favorably, the enterprise will accept her identity and enter her into its systems. The identity registration process will usually involve issuing Jane with enterprise authentication mechanisms such as an id and password, a security token, a digital certificate and/or registering some of her biometrics.
The authentication process is totally dependent on the identity validation and registration process used for Jane. If Jane presents false tokens which are accepted by the enterprise, then the person acting as Jane will be positively authenticated every time, even though she is not the real Jane Doe. Authentication security is therefore only as good as the weakest link in the chain.
Password authentication is the most common method of authentication. It is also the least secure. Password authentication requires the identity to input a user id and a password in order to log in. Password length, the types of characters used and password duration are now critical password management concerns in enterprises. The ability to easily crack passwords has resulted in high levels of identity theft. Because of the high risk of passwords, most enterprises now deploy a layered security strategy: a user enters their id and password at initial login to gain access to only low risk information and applications, with other forms of authentication required for higher risk information and applications.
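The paragraph above describes what the enterprise should never do with a password: store it where it can be cracked. The following Python is an added example (not code from the original page) of the server-side half of password authentication done carefully: the password is stored only as a salted PBKDF2-HMAC-SHA256 hash, verification recomputes the hash and compares it in constant time, and a failed lookup for an unknown user still burns the same hashing time so the login timing does not reveal which ids exist. The iteration count, the minimum length and the `password_meets_policy` rule are assumed values for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Tunable parameters: assumed values for this example, not from the original page.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 12

# Hash record used when the user id is unknown, so a failed login costs the
# same time whether or not the account exists (limits user enumeration via timing).
_DUMMY_RECORD: Optional[str] = None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and return a self-describing record.

    Record layout: algorithm$iterations$salt_hex$hash_hex, so the parameters can be
    raised later while old records remain verifiable.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def password_meets_policy(password: str) -> bool:
    """Minimal assumed policy: minimum length plus at least two character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = sum(
        1 for test in (str.islower, str.isupper, str.isdigit)
        if any(test(c) for c in password)
    )
    has_symbol = any(not c.isalnum() for c in password)
    return classes + (1 if has_symbol else 0) >= 2


def register(store: Dict[str, str], user_id: str, password: str) -> bool:
    """Store only the hash record; the plaintext password is never written anywhere."""
    if user_id in store or not password_meets_policy(password):
        return False
    store[user_id] = hash_password(password)
    return True


def authenticate(store: Dict[str, str], user_id: str, password: str) -> bool:
    """Return True only if the user exists and the password matches the stored hash."""
    global _DUMMY_RECORD
    if _DUMMY_RECORD is None:
        _DUMMY_RECORD = hash_password("dummy-password-for-timing")
    record = store.get(user_id)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # spend the same time, then fail
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users: Dict[str, str] = {}
    register(users, "jane.doe", "correct horse battery staple")
    print(authenticate(users, "jane.doe", "correct horse battery staple"))  # True
    print(authenticate(users, "jane.doe", "wrong password"))               # False
```

Two details carry most of the value: every record carries its own salt and iteration count, so the cost can be raised as hardware gets faster without re-hashing every account at once, and the comparison goes through `hmac.compare_digest` rather than `==` so the time taken does not depend on how many leading bytes of the hash matched.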
Single Sign On (SSO), Reduced Sign On (RSO), or Enterprise Single Sign On (ESSO) is the ability to reduce the number of ids and passwords a user has to remember. In most enterprises, a strong business case can be made to implement single sign on by reducing the number of password related help desk calls. SSO also provides the architecture for requiring stronger forms of authentication for higher risk information and applications. Thus a user may log in using their id and password to gain general low risk access to an enterprise. The SSO software relieves them of having to use multiple ids and passwords. However, when the user tries to access more sensitive information and applications, the single sign on software will require the identity to input stronger authentication such as a security token, a digital certificate and/or a biometric.
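The step-up behaviour described above (password for low risk access, a stronger factor demanded when a sensitive application is opened) is easy to get subtly wrong: a second factor of the same kind, such as a second password, must not count as "stronger". The following Python is an added example, not code from the original page or from any SSO product, of a small policy engine that models each presented factor as belonging to one of the three categories from the opening paragraph (knows, has, is) and requires a risk tier to be covered by that many distinct categories. The factor names, resource names and tier mapping are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Authentication factors grouped into the three classic categories.
# Factor names are assumptions for this example, not from the original page.
FACTOR_CATEGORY: Dict[str, str] = {
    "password": "knows",
    "security_token": "has",
    "smart_card": "has",
    "digital_certificate": "has",
    "fingerprint": "is",
}

# Resource risk tier -> number of distinct factor categories required.
# Tier 1 accepts a password alone; tier 3 needs all three categories.
REQUIRED_CATEGORIES: Dict[int, int] = {1: 1, 2: 2, 3: 3}

# Constructed resource inventory for the example.
RESOURCE_RISK: Dict[str, int] = {
    "intranet-news": 1,
    "hr-payroll": 2,
    "wire-transfer-approval": 3,
}


@dataclass
class Session:
    """One SSO session: which factors the user has already presented."""
    user_id: str
    factors: Set[str] = field(default_factory=set)

    def categories(self) -> FrozenSet[str]:
        return frozenset(FACTOR_CATEGORY[f] for f in self.factors)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    needed_more: int                 # how many further categories a step-up must add
    candidates: FrozenSet[str]       # categories not yet presented (any would do)


def present_factor(session: Session, factor: str) -> None:
    """Record a factor that the authentication server has already verified."""
    if factor not in FACTOR_CATEGORY:
        raise ValueError(f"unknown factor {factor!r}")
    session.factors.add(factor)


def evaluate_access(session: Session, resource: str) -> Decision:
    """Allow when the session holds enough distinct categories; otherwise say
    how many more a step-up prompt must collect and which categories remain."""
    risk = RESOURCE_RISK.get(resource)
    if risk is None:
        risk = max(REQUIRED_CATEGORIES)   # unknown resource: fail closed, highest tier
    needed = REQUIRED_CATEGORIES[risk]
    have = session.categories()
    missing = needed - len(have)
    if missing <= 0:
        return Decision(True, 0, frozenset())
    all_categories = frozenset(FACTOR_CATEGORY.values())
    return Decision(False, missing, all_categories - have)


if __name__ == "__main__":
    s = Session("jane.doe")
    present_factor(s, "password")
    print(evaluate_access(s, "intranet-news"))           # allowed
    print(evaluate_access(s, "hr-payroll"))              # step-up: one of has / is
    present_factor(s, "security_token")
    print(evaluate_access(s, "hr-payroll"))              # allowed
    print(evaluate_access(s, "wire-transfer-approval"))  # step-up: is
```

Because assurance is counted in categories rather than in factors, presenting a smart card after a security token changes nothing, while adding a fingerprint does; and a resource that is missing from the inventory is treated as highest risk rather than silently allowed.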
Most enterprises use Lightweight Directory Access Protocol (LDAP) directories to handle centralized authentication. LDAP directories such as Active Directory, Sun ONE Directory, Novell eDirectory and other vendors' products provide a low cost way of doing fast identity look-ups and authentication compared to traditional databases. Today it is also common to use virtual LDAP directories to quickly integrate the identity and authentication information contained in one or more databases and/or other LDAP directories. The use of these directories is a critical piece of identity infrastructure that leads to integrating access control.
Access control is the process of granting an identity the ability to physically or electronically access a facility or enterprise. By using LDAP directories and single sign on, many enterprises now integrate their building access control security cards, employee time keeping and other access control accessories into their LDAP identity management system. This reduces the number of identity database silos, since most access control systems use their own identity databases. It also reduces the number of access control accessory systems.
Network authentication is the process of granting an identity the ability to authenticate to a network, together with determining their authorization. Almost all network authentication systems are now LDAP based. This includes Microsoft 2000, Linux, Solaris, AIX and HP-UX. Many mainframe authentication systems such as RACF are now LDAP enabled.
Biometric authentication is the process of taking a "piece of you", digitizing it and then using this to authenticate against an identity directory or database. Typical types of biometric authentication include finger scans, digital fingerprints, hand scans, retina scans, digital signature scans and others. DNA biometrics are increasingly used in identity verification (the initial identity registration step prior to authentication). Biometrics are commonly used as part of an array of authentication methods in enterprises.
Strong authentication means higher trust in an authentication. For instance, a successful login using an id and password will be given a low level of trust by the enterprise, since the id and password are easily obtained by social engineering or password cracking. Stronger authentication methods include digital certificates, security tokens and biometrics. Many enterprises use combinations of these, including passwords, to establish a higher degree of trust for higher risk applications or information access.
Transaction authentication is the process of using other authentication determinants to verify an identity. Often used by financial institutions for higher risk customers or transactions, the transaction software looks at the IP address the user is coming in on, the computer hardware the identity is using, the time of day, the geo-location the identity is coming from, etc. If the identity successfully logs on using an id and password BUT the other components are not usual, the transaction authentication software may stop a process, alert an administrator in real time and/or ask the user more questions to gain more confidence that the identity is who they claim to be.
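The three outcomes in the paragraph above (let the transaction proceed, ask the user more questions, or stop it and alert an administrator) come from comparing the current attempt against what has been seen for that identity before. The following Python is an added example, not code from the original page or from any vendor's product, of such a scoring step: each signal that deviates from the user's profile (source network, device, country, hour of day) adds a weight, and the total selects the outcome. The weights, thresholds and the profile and event data are constructed for illustration; the addresses are from documentation ranges, not real hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Signal weights and thresholds are assumptions for this example, not values
# from the original page; a real deployment tunes them from its own login history.
WEIGHTS = {"new_network": 20, "new_device": 30, "new_country": 40, "odd_hours": 10}
CHALLENGE_AT = 30   # ask the user additional questions or for a second factor
BLOCK_AT = 70       # stop the process and alert an administrator


@dataclass(frozen=True)
class UserProfile:
    """What the enterprise has previously observed for this identity."""
    user_id: str
    known_networks: Tuple[str, ...]   # CIDR blocks the user normally comes from
    known_devices: Tuple[str, ...]    # device fingerprints seen before
    home_countries: Tuple[str, ...]   # country codes the user normally logs in from
    usual_hours: Tuple[int, int]      # local hours [start, end) of normal activity


@dataclass(frozen=True)
class LoginEvent:
    """One login or transaction attempt, evaluated after the id/password step."""
    user_id: str
    password_ok: bool
    source_ip: str
    device_id: str
    country: str
    local_hour: int                   # hour of day (0-23) at the user's location


def _in_usual_hours(hour: int, usual: Tuple[int, int]) -> bool:
    start, end = usual
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end      # range wraps past midnight


def score_event(profile: UserProfile, event: LoginEvent) -> Tuple[int, List[str]]:
    """Return a risk score and the list of signals that contributed to it."""
    if not event.password_ok:
        return 100, ["password_failed"]     # nothing else matters
    reasons: List[str] = []
    ip = ip_address(event.source_ip)
    if not any(ip in ip_network(n) for n in profile.known_networks):
        reasons.append("new_network")
    if event.device_id not in profile.known_devices:
        reasons.append("new_device")
    if event.country not in profile.home_countries:
        reasons.append("new_country")
    if not _in_usual_hours(event.local_hour, profile.usual_hours):
        reasons.append("odd_hours")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"
    if score >= CHALLENGE_AT:
        return "challenge"
    return "allow"


def authenticate_transaction(profile: UserProfile, event: LoginEvent) -> Tuple[str, int, List[str]]:
    """Combine scoring and decision; the reasons list is what an administrator is shown."""
    score, reasons = score_event(profile, event)
    return decide(score), score, reasons


if __name__ == "__main__":
    # Constructed profile and events for the example.
    jane = UserProfile("jane.doe", ("203.0.113.0/24",), ("laptop-7f3a",), ("US",), (7, 20))
    usual = LoginEvent("jane.doe", True, "203.0.113.10", "laptop-7f3a", "US", 10)
    odd = LoginEvent("jane.doe", True, "198.51.100.5", "unknown-device", "RO", 3)
    print(authenticate_transaction(jane, usual))   # ('allow', 0, [])
    print(authenticate_transaction(jane, odd))     # ('block', 100, [...])
```

Returning the contributing reasons alongside the score matters operationally: the administrator who is alerted in real time needs to know whether it was the unfamiliar device or the unfamiliar country that tipped the decision, and the challenge presented to the user can be chosen accordingly.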
Federated authentication is the ability to trust an electronic identity coming into the enterprise from a trusted partner or website. Protocols enabling this include SAML, Liberty Alliance, Web Services Federation and Shibboleth. When combined with enterprise single sign on systems, the user experience is improved since users no longer have to remember another id and password. Further, enterprise identity authentication standards can be automatically enforced on external identities using the enterprise systems. Identity authentication federation also works in reverse for enterprise employees who access their 401k, benefits, etc. on outside supplier websites. By using federated authentication, the identity doesn't need to remember another separate id and password.
Public key infrastructure (PKI) authentication is another way of doing identity authentication. An identity is given a digital certificate by a Certificate Authority (CA). This is then presented during the authentication process to verify that an identity is who they say they are. The level of authentication trust varies for digital certificates depending on the level of identity verification done during the identity registration process as well as on the digital certificate revocation process. Digital certificates are becoming more important for authenticating and verifying an identity in single sign on systems, document management systems and web services.
Security token authentication, such as RSA SecurID tokens, is used to authenticate an identity (something that you have). During the login process, or if required by a single sign on system for a higher risk application, the identity is required to enter the numbers appearing on the token screen along with their id. Since the numbers appear random to the user viewing the screen (but are predictable to the central authentication server), there is a higher degree of trust associated with this form of authentication. However, operating costs for security authentication tokens are higher than for a password and id, since the tokens must be physically issued, replaced and recovered.
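The property that makes a token code trustworthy is that the number on the screen is derived from a secret shared only with the authentication server plus a moving counter, so the server can recompute it while an observer cannot. The following Python is an added example, not code from the original page; it implements the open standards HOTP (RFC 4226) and TOTP (RFC 6238) rather than the proprietary RSA SecurID algorithm the paragraph mentions, because the standard algorithm demonstrates the same idea and its published test vectors let the code be checked. The server-side verifier accepts one time step of clock drift in either direction and refuses to accept the same (or an older) time step twice, so a code captured from the screen cannot be replayed. The user id, secret and window size used below are assumptions for the example.

```python
import hmac
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step.
    This is what the token on the user's screen computes."""
    return hotp(secret, unix_time // step, digits, algorithm)


class TotpVerifier:
    """Server side: recomputes the code, tolerates small clock drift, refuses replays."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.step = step
        self.digits = digits
        self.window = window                   # time steps of drift accepted either way
        self._last_counter: Dict[str, int] = {}  # per user: last time step accepted

    def verify(self, user_id: str, secret: bytes, code: str,
               now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            # A time step at or before the last accepted one is a replay: skip it.
            if candidate <= self._last_counter.get(user_id, -1):
                continue
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_counter[user_id] = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print(totp(secret, 59))                     # 287082
    verifier = TotpVerifier()
    print(verifier.verify("jane.doe", secret, totp(secret, 59), now=59))  # True
    print(verifier.verify("jane.doe", secret, totp(secret, 59), now=59))  # False (replay)
```

The replay check is the part most often left out of home-grown verifiers: without it, a code that is valid for the whole window can be entered again by whoever saw it, which silently weakens "something you have" back towards "something you know".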
Smart cards are another form of authentication token (something you have). Often they contain a digital certificate as well as additional identity attribute information. Smart card authentication is becoming widespread. The same smart cards used in an authentication process are now commonly used as well for access control mechanisms to enter physical facilities, buildings, floors and rooms.
Authentication management is the overall process of managing identities and their authentication mechanisms. In most enterprises, authentication management involves authentication policies and processes to manage passwords, digital certificates, security tokens, access control, biometrics, smart cards, LDAP directories, transaction authentication, single sign on and identity authentication federation. Strong business cases can be made to lower authentication costs while at the same time strengthening overall enterprise security.
Authenticating wireless devices is becoming a major enterprise security issue. Often, the authentication used is very insecure or easily breached. There are, however, ways to increase confidence that the user is who they claim to be by using multi-factor authentication.
Formerly separate document authentication systems are now becoming intertwined with enterprise identity and authentication mechanisms. Gone are the days of relying mostly upon passwords to authenticate users trying to open documents.
Many modern enterprises have outsourced portions of their authentication development, maintenance and troubleshooting. If done well, it can save the enterprise money. If done poorly, it can create security holes or cause enterprise failures.