AuthenticationWorld.com

The business of authentication

User Authentication



What is user authentication?


User authentication is the process of establishing trust that the digital identity presented to a system, application or data store belongs to the party claiming it.

How is user authentication done?


Authenticating a user is normally done in one of three ways, or a combination of them:
  • Something the user knows, e.g. a user id and password
  • Something the user has, e.g. a security token, smartcard or digital certificate
  • Something the user is, i.e. a biometric

The most common form of user authentication is the user id and password. It is also the least secure. Today the means of stealing a user id and password, by hardware or by software, are easy to obtain, cheap and widely used (review the Authentication - Password section of this website for more information). As a result, a growing number of enterprises and regulators are beginning to require multi-factor authentication, also called "strong authentication".

Multi-factor authentication is the use of more than one of these factors to build identity trust. For instance, a user may be required to present not only an id and password (something they know) but also a security token (something they have). Two factors of the same kind, such as two passwords, do not count as multi-factor; the factors must be of different kinds.

What's involved in user authentication?


In many older systems, user authentication is performed against a database. The user supplies an id and password, which are checked against the stored record; the password should be stored as a salted hash rather than in clear text, so that a compromise of the database does not directly yield usable credentials. If the credentials match, an "access control list" or ACL is then often consulted. The access control list determines the authorization privileges of the authenticated user.
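As an added illustration of this older database-backed pattern (example code written for this page, not code from any product the page describes), the following Python sketch keeps a constructed user table and ACL in memory, stores passwords as salted PBKDF2 hashes instead of clear text, compares them in constant time, and consults the ACL only after authentication has succeeded. The user ids, passwords, resource names and iteration count are all made up for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the demo runs quickly;
# OWASP's current guidance for this construction is around 600,000 iterations.
PBKDF2_ITERATIONS = 200_000

# Constructed sample "database": user id -> (salt, password hash).
USERS = {}

# Constructed ACL: resource -> set of user ids permitted to access it.
ACL = {
    "/payroll": {"alice"},
    "/intranet": {"alice", "bob"},
}


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def add_user(uid, password):
    USERS[uid] = hash_password(password)


def authenticate(uid, password):
    """Check id and password against the stored record without leaking which one was wrong."""
    record = USERS.get(uid)
    if record is None:
        # Do the same amount of work for unknown ids so that a failed lookup
        # is not distinguishable from a wrong password by response time.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def authorize(uid, resource):
    """ACL lookup; only meaningful after authenticate() has returned True."""
    return uid in ACL.get(resource, set())


def access(uid, password, resource):
    """The classic two-step: authenticate first, then consult the ACL."""
    if not authenticate(uid, password):
        return "denied: authentication failed"
    if not authorize(uid, resource):
        return "denied: not authorized"
    return "granted"


# Populate the constructed user table (passwords are example values only).
add_user("alice", "correct horse battery staple")
add_user("bob", "hunter2")
```

The same error message is returned for an unknown id and a wrong password, and both paths do the same hashing work, so an attacker cannot enumerate valid ids from the response. A production system would add rate limiting or lockout on top of this, and would prefer a memory-hard hash such as scrypt or Argon2 where the platform offers one.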

Today, most enterprises are collapsing their independent silos of authentication by abstracting authentication out of individual applications and databases. The reasons for this are:
  • Create enterprise authentication systems in which the user has fewer ids and passwords to remember
  • Strengthen existing authentication methods
  • Lower help desk password reset costs
  • Enforce enterprise security standards uniformly across the enterprise
  • Relieve developers of new applications of having to design and implement authentication themselves

As part of this enterprise effort, LDAP directories are normally used.

Why use LDAP directories?


As the enterprise unifies its identity infrastructure, the number of identity "lookups" per second rises substantially. With single sign-on in particular the load is high: on every change of URL in the browser, the web agent asks the security server whether the resource is protected, what authentication strength it requires and what its authorization policy is. If the user has not yet authenticated, the security server is also responsible for performing the authentication. In medium to large enterprises the number of identity lookups can reach thousands or tens of thousands per second.
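To make the per-request exchange concrete, here is an added example (written for this page, not the code of any SSO product) of the decision a web agent or security server makes for one URL: find the policy for the resource, compare the required authentication strength with what the session already holds, then apply the authorization rule. The strength ranking, the policy table and the session contents are constructed assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed ranking of authentication strengths, weakest to strongest.
STRENGTH = {"anonymous": 0, "password": 1, "token": 2, "password+token": 3}

# Constructed policy table: URL path prefix -> (required strength, groups allowed).
# groups=None means any principal authenticated at sufficient strength.
POLICIES = {
    "/public": ("anonymous", None),
    "/intranet": ("password", {"staff"}),
    "/intranet/hr/payroll": ("password+token", {"hr"}),
}


def match_policy(path):
    """Longest-prefix match so the most specific rule wins (/intranet/hr/payroll over /intranet)."""
    best = None
    for prefix, policy in POLICIES.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, policy)
    return best


def decide(url, session):
    """Return 'allow', 'deny' or 'authenticate:<strength>' for one request."""
    # Canonicalize the path first; otherwise "/intranet/hr/payroll/../x" could be
    # matched against a different rule than the one the server would actually serve.
    path = posixpath.normpath(urlsplit(url).path or "/")
    match = match_policy(path)
    if match is None:
        return "deny"  # fail closed: a resource with no policy is not served
    _, (required, groups) = match
    have = session.get("auth", "anonymous")
    if STRENGTH[have] < STRENGTH[required]:
        return "authenticate:" + required  # step-up: the current session is too weak
    if groups is not None and not groups.intersection(session.get("groups", ())):
        return "deny"
    return "allow"
```

Two points matter more than the table itself. The decision fails closed when no policy matches, so a newly deployed path is protected until someone explicitly opens it. And the path canonicalization here is deliberately minimal: a real agent also has to decode percent-encoding and follow the server's own case and trailing-slash rules before matching, because any difference between the agent's view of the URL and the server's is an authorization bypass.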

General-purpose relational databases are not tuned for such frequent lookups. More than a decade ago, Lightweight Directory Access Protocol (LDAP) directories were created to meet this need. They are hierarchical rather than relational data stores, optimized for extremely fast, read-heavy identity lookups at low cost.
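Whatever directory product is used, the identity lookup is expressed as an LDAP search filter, or as a distinguished name to bind with, built from the user-supplied id. The following added example (written for this page; not from any directory vendor's code) shows how to build those strings with the escaping required by RFC 4515 for filter values and RFC 4514 for DN values, so that an id such as `*)(uid=*` cannot change the meaning of the query. The base DN and object class are assumptions.

```python
# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape an attribute value for use inside a distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")  # leading and trailing spaces are significant only when escaped
        elif ch == "#" and i == 0:
            out.append("\\#")  # a leading '#' would otherwise introduce a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


BASE_DN = "ou=people,dc=example,dc=com"  # assumed directory layout


def user_lookup_filter(uid):
    """Filter that matches exactly the entry whose uid equals the supplied id."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(uid)


def user_dn(uid):
    """DN a client binds as when verifying this user's password against the directory."""
    return "uid=%s,%s" % (escape_dn_value(uid), BASE_DN)


def naive_lookup_filter(uid):
    """The unsafe version, kept only to show what the escaping prevents."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % uid
```

With the naive builder, the id `*)(uid=*` turns the filter into `(&(objectClass=inetOrgPerson)(uid=*)(uid=*))`, which matches every person in the directory; with escaping it matches only an entry whose uid is literally that string. Escaping fixes the structure of the query, but it is not a substitute for validating the id against the enterprise's own id format, nor for constraining the search to the right base DN and scope.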

Today there are free and open-source LDAP directories as well as commercial ones from the main vendors, including Sun, Novell, Microsoft, IBM and others.
