Information Security Concepts: Authenticity

What do we mean by authenticity in Information Security? Authenticity is assurance that a message, transaction, or other exchange of information is from the source it claims to be from. Authenticity involves proof of identity.

We can verify authenticity through authentication. The process of authentication usually involves more than one "proof" of identity (although one may be sufficient). The proof might be something a user knows, like a password. Or, a user might prove their identity with something they have, like a keycard. Modern (biometric) systems can also provide proof based on something a user is. Biometric authentication methods include things like fingerprint scans, hand geometry scans, or retinal scans.

For user interaction with systems, programs, and each other, authentication is critical. User ID and password input is the most prevalent method of authentication. It also seems to present the most problems. Passwords can be stolen or forgotten. Cracking passwords can be simple for hackers if the passwords aren't long enough or not complex enough. Remembering dozens of passwords for dozens of applications can be frustrating for home users and business users alike. Single Sign On (SSO) solutions

Two-factor or multi-factor authentication is more common in the enterprise for mission critical applications and systems. Mulit-factor authentication systems may use Key cards, smart cards, or USB tokens. Public Key Infrastructure (PKI) Authentication uses digital certificates issued by a central or 3rd party authority. Secure Socket Layer (SSL) connections to web sites provide not only encryption for the session, but also (usually) provide verification that the web site is authentically the site it claims to be.

Despite the prevalence of spam, and the ease of spoofing e-mail source addresses, e-mail is still one of the universal applications that rarely provides authenticity for the recipient. Ironically, almost all modern e-mail solutions include the capability to use digital certificates. Public PKI systems that are free or very inexpensive are available. Still, understanding and implementing user certificates in e-mail applications and browsers is difficult for the average Internet user. Of course, with the sheer volume of messaging on the Internet, it may seem unrealistic to expect the authenticity of every message sent and received to be verified or verifiable! But why? Is it too much to ask for all planned systems in development to include not just the option, but guarantee of message authenticity? Scams, cons, and identity theft seem to be important enough issues that this should be a selling point, and to justify the cost.

As an individual, consider options such as using stronger passwords that are easy for you to remember but hard for anyone else to guess. Take a second look before responding to unusual e-mails or entering personal or financial information on web sites. For businesses, look into multi-factor authentication for your critical business applications, PKI, and SSO. Educate users on security policy and practices to verify authenticity. Audit existing systems to ensure authentication is present, effective, and strong enough for the systems protected.