We stated that
authentication is one of the most durable and reliable forms of access control.
It is one of the best-established security mechanisms we have in use today, and
it is applied in a variety of ways. Authenticating a user requires the user to
claim an identity and the authenticating agent to verify that the claim is
genuine before any access decision is made. There are several techniques for
verifying a claimed identity. They can be broadly classified, by the kind of
evidence the user supplies, as below:
- Something the
user knows: Among
the things sought here are things the user can remember, like passwords,
passphrases, and PINs. In this category passwords are the most widely
and frequently used, followed by PINs. Passwords are popular because they
are more convenient to use than any other method of authentication.
Remember, the stronger the authentication regime, the more inconvenient it
is for the users. Although passwords are convenient for the users, they
are also weak: however much you protect a password, somebody can always
lose, forget, guess, or be forced to surrender it. One way to strengthen
passwords is to back them with a strong security policy that includes a
strong password policy. A strong password policy states what a password must
have and be, including minimum length, the types of characters it must
contain, limits on repeated characters, and how long or how many times it may
be used before it must be changed. A password that does not meet the policy
is considered weak, and weak passwords should be rejected at enrolment rather
than merely discouraged. The authenticating agent has an obligation of its
own here: it should store only a salted, deliberately slow hash of each
password and never the password itself, so that a stolen credential store
does not directly hand over the secret. But passwords, in whatever form,
present an interesting paradox. As we stated earlier, hardening the password
policy lowers user convenience, and vice versa.
- Something the
user has: These
are unique items that the user is supposed to present to the
authenticating agent, which verifies and validates them. Items in common use
today include tokens, among them all types of cards that store information
about the user; these are referred to as storage cards. Upon an
authentication request, the user presents the storage card to the
authenticating agent. The agent may be a token reader such as an ATM card
reader or a door-access reader. The reader reads the information off the
card and compares it with the information it holds about the user. If the
information on the card matches the stored information, the user is
verified as legitimate; otherwise the request is denied. Note that a card
which merely stores a static value proves only that the value is present on
the card, not who is holding it, which is why such tokens are normally
combined with something the user knows: an ATM asks for the card and a PIN.
- Something that
is part of the user: These
are the user's physical traits, called biometrics. Human traits used as
biometrics in authentication include fingerprints, palm prints, retina,
iris, face, voice, and DNA. We are going to discuss these in detail in the
coming section.
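The knowledge-factor item above describes a password policy (minimum length, character types, limits on repetition) and an authenticating agent that compares what the user presents against what it has stored. The following Python is an added example and is not code from the original post: it enforces a constructed policy, stores a salted PBKDF2 hash rather than the password, and checks a login with a constant-time comparison, running the hash even for unknown usernames so that a failed login costs the same whether or not the account exists. The thresholds, the in-memory user store, and the small denylist of common passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed policy thresholds (the post names these elements but gives no numbers).
MIN_LENGTH = 12
MIN_CLASSES = 3          # of the four character classes below
MAX_REPEAT = 3           # no character may appear more than 3 times in a row
PBKDF2_ITERATIONS = 600_000

# Constructed stand-in for a breached/common-password denylist (assumption).
COMMON_PASSWORDS = {"password", "password123", "password123!", "letmein", "qwerty123456"}

CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Matches MAX_REPEAT + 1 identical characters in a row.
REPEAT_RUN = re.compile(r"(.)\1{%d,}" % MAX_REPEAT)


def check_policy(password: str) -> List[str]:
    """Return the policy violations for a candidate password; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if present < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of {len(CHARACTER_CLASSES)} character classes")
    if REPEAT_RUN.search(password):
        problems.append(f"a character repeated more than {MAX_REPEAT} times in a row")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("matches a known common password")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a slow, salted hash; the agent stores (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed in-memory credential store: username -> (salt, digest).
USERS: Dict[str, Tuple[bytes, bytes]] = {}

# Hashed once at import so that a login attempt for an unknown user still costs one PBKDF2 run.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(32).hex())


def register(username: str, password: str) -> None:
    """Enrol a user, rejecting (not merely warning about) a password that fails the policy."""
    problems = check_policy(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    USERS[username] = hash_password(password)


def authenticate(username: str, password: str) -> bool:
    """Verify the claimed identity: recompute the hash with the stored salt and compare."""
    known = username in USERS
    salt, stored = USERS[username] if known else (_DUMMY_SALT, _DUMMY_DIGEST)
    _, candidate = hash_password(password, salt)
    # compare_digest takes time independent of where the digests differ; the `known`
    # check stops an unknown username from ever succeeding against the dummy record.
    return hmac.compare_digest(candidate, stored) and known


if __name__ == "__main__":
    register("alice", "Correct-Horse-Battery-9")
    print(check_policy("Password123!"))                    # passes the rules, caught by the denylist
    print(authenticate("alice", "Correct-Horse-Battery-9"))
    print(authenticate("alice", "Correct-Horse-Battery-8"))
    print(authenticate("mallory", "anything"))
```

The denylist check is the part practitioners most often leave out: "Password123!" satisfies every composition rule in the constructed policy and is still a bad password, which is why the policy is a floor, not a guarantee.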