Definition of Authentication
Authentication is the process of verifying that an entity (a person, device or program) is what it claims to be. It is the first step towards access control: the claimed identity is checked against a store of known principals, such as a database of registered users.
Although authentication is present in practically every security application, it does not by itself decide what an identity may do. The rules that make up an access control policy are authorization. Authentication is commonly assumed to cover the whole process, when in fact its only job is to establish identity.
Factors of Authentication
Factors of authentication are the pieces of evidence used to establish identity conclusively. There are several considerations when deciding whether something makes a good factor. For instance, a piece of evidence is only usable if each instance of it is unique: fingerprints make good factors, whereas names do not. Factors can also be used in tandem, so that the combination becomes unique.
There are three types of factors: something the user knows (a password or PIN), something the user has (a hardware token, smart card or one-time-code generator) and something the user is (a biometric such as a fingerprint). As the names suggest, factors are grouped by whether the user knows them, has them or is them.
Using any one of these factors on its own is single-factor authentication, because only one unique factor is checked. When more than one factor is used in the authentication process, it is known as two-factor or multi-factor authentication.
Using more than one factor makes impersonation harder, because an attacker must compromise several independent pieces of evidence, so it is more secure. This is where the types of factors come into the picture: a multi-factor strategy is a mix of two or more factors from different categories. Two factors from the same category, such as a password and a PIN, do not count as a valid multi-factor strategy.
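As an added example (not code from the original page), the following Python combines a 'know' factor (a salted password verifier) with a 'have' factor (a TOTP code from an authenticator device, RFC 6238 over RFC 4226 HOTP) and checks that a proposed set of factors really spans two categories. The user record, the category table and the TOTP seed (the RFC 6238 test secret) are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct

# Which of the page's three categories each supported factor belongs to (constructed table).
FACTOR_CATEGORY = {"password": "know", "pin": "know", "totp": "have", "fingerprint": "are"}


def is_multi_factor(factors):
    """True only if the chosen factors cover at least two different categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2 verifier so a stolen store cannot be reversed to the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def check_password(password, stored):
    salt, iterations, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the 30-second step counter."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, window=1):
    """Accept the current code and one step either side to tolerate clock drift."""
    counter = int(at_time) // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


# Constructed user record: password verifier plus the shared TOTP seed.
TOTP_SEED = b"12345678901234567890"  # RFC 6238 test secret
USERS = {
    "alice": {
        "password": hash_password("correct horse battery staple", salt=b"\x00" * 16),
        "totp_seed": TOTP_SEED,
    }
}


def authenticate(username, password, code, at_time):
    """Returns 'ok' only when both the 'know' factor and the 'have' factor check out.
    Both factors are evaluated before deciding, so the response does not say which one failed."""
    user = USERS.get(username)
    if user is None:
        return "denied"
    pw_ok = check_password(password, user["password"])
    otp_ok = verify_totp(user["totp_seed"], code, at_time)
    return "ok" if (pw_ok and otp_ok) else "denied"
```

The password and the one-time code are independent evidence: a phished password is useless without the device that holds the seed, which is exactly why password plus PIN (both 'know') does not give the same protection.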
Problems with Authentication
Authentication by itself is not a secure means of protecting data. If credentials travel over an unencrypted channel, it is simple for an attacker on the network path to recover login and password details.
For example, when a user logs into a website over plain HTTP, the username and password are sent to the server in clear text. Once the server has authenticated the user it responds appropriately, and with HTTP Basic authentication every subsequent request carries the username and password again, base64-encoded but not encrypted. Anyone able to capture the traffic with a packet sniffer can therefore read the user's credentials without any trouble. Even when the site hands out a session token instead of repeating the password, that token can be captured and replayed just as easily unless the connection is protected with TLS.
This is why stricter security policies, starting with encrypting the transport, are adopted across enterprises and wherever sensitive data such as banking information is handled.
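To make the eavesdropping scenario concrete, here is an added Python example (not from the original page) that reads three constructed plaintext HTTP requests, as an on-path observer would capture them, and reports what each one leaks: a Basic Authorization header decodes straight back to the password, a form login exposes it once in the body, and a later request exposes only a replayable session cookie. The hosts, names and values are made up for the demonstration.

```python
import base64
from urllib.parse import parse_qs

# Constructed capture of three plaintext HTTP requests (no TLS), as seen on the wire.
CAPTURED_REQUESTS = [
    # 1. HTTP Basic: credentials are repeated on every request, merely base64-encoded.
    "GET /account HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "\r\n",
    # 2. Form login: the password crosses the wire once, in the request body.
    "POST /login HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "username=bob&password=s3cret",
    # 3. Later request on the same site: only the session cookie is sent, no password.
    "GET /orders HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=9f3a1c2d4e5b\r\n"
    "\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def recover_credentials(raw):
    """Classify what an eavesdropper learns from one plaintext request."""
    _, headers, body = parse_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Base64 is an encoding, not encryption: the password is fully recoverable.
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        return {"kind": "basic", "user": user, "secret": password}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body)
        if "username" in form and "password" in form:
            return {"kind": "form", "user": form["username"][0], "secret": form["password"][0]}
    if "cookie" in headers:
        # No password here, but the cookie is a bearer token: replaying it is enough to act as the user.
        return {"kind": "cookie", "user": None, "secret": headers["cookie"]}
    return None


def audit_capture(requests):
    """Run the classifier over every captured request."""
    return [recover_credentials(r) for r in requests]


if __name__ == "__main__":
    for finding in audit_capture(CAPTURED_REQUESTS):
        print(finding)
```

The lesson is that the authentication step succeeded in every case; what failed was the protection of the channel that carried the evidence.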
AAA: Authentication, Authorization and Accounting
Authorization defines the access control policies that specify exactly what an authenticated user is allowed to view or do. Authorization can only work once authentication has succeeded, because the policy is evaluated against an established identity. AAA is a security framework, implemented by protocols such as RADIUS and TACACS+, used primarily in enterprises to regulate the use of computing resources. As mentioned earlier, authentication alone is rarely enough to protect data in a sustained manner and usually leaves the system open to attack, which is where authorization and accounting come into the picture.
Accounting records which resources an authenticated user has used, and allows checking whether the authorization process has worked as intended. It is also a way of detecting unusual activity from a particular user account, which is an indicator of identity theft.
Authentication essentially boils down to a series of tests that a user must pass. It is impossible to authenticate a computer user beyond all doubt, even with stringent methods such as biometrics. The key to a good security policy is to settle on a mix of tests that makes impersonation impractically hard.
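The two uses of accounting described above, verifying that authorization behaved as intended and spotting unusual account activity, can be shown with an added Python example (not from the original page). It parses a constructed accounting log in a key=value shape, compares permitted accesses against a constructed authorization policy, and flags bursts of denials and an account that suddenly appears from a different source address. The log lines, users, addresses and thresholds are all made up for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed accounting records, one per access decision, roughly as an AAA server might log them.
ACCOUNTING_LOG = """\
2024-03-01T09:00:12Z user=alice src=10.0.1.15 resource=/payroll action=read result=permit
2024-03-01T09:01:40Z user=alice src=10.0.1.15 resource=/payroll action=read result=permit
2024-03-01T09:02:05Z user=bob src=10.0.2.40 resource=/payroll action=read result=deny
2024-03-01T09:02:09Z user=bob src=10.0.2.40 resource=/payroll action=read result=deny
2024-03-01T09:02:14Z user=bob src=10.0.2.40 resource=/payroll action=write result=deny
2024-03-01T09:03:00Z user=alice src=203.0.113.7 resource=/payroll action=export result=permit
2024-03-01T09:10:00Z user=carol src=10.0.3.9 resource=/payroll action=read result=permit
"""

# Constructed authorization policy: the resources each user is supposed to be granted.
POLICY = {"alice": {"/payroll"}, "bob": {"/wiki"}, "carol": {"/wiki"}}


def parse_accounting(text):
    """Turn each log line into a dict of its key=value fields plus a parsed timestamp."""
    records = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_anomalies(records, policy, deny_threshold=3,
                   deny_window=timedelta(minutes=1), travel_window=timedelta(minutes=5)):
    findings = []

    # 1. Did authorization work? A permitted access to a resource the policy never granted is a gap.
    for r in records:
        if r["result"] == "permit" and r["resource"] not in policy.get(r["user"], set()):
            findings.append(("policy_gap", r["user"], r["resource"]))

    # 2. Repeated denials inside a short window: an account probing for what it may not touch.
    denies = defaultdict(list)
    for r in records:
        if r["result"] == "deny":
            denies[r["user"]].append(r["time"])
    for user, times in denies.items():
        times.sort()
        for i in range(len(times) - deny_threshold + 1):
            if times[i + deny_threshold - 1] - times[i] <= deny_window:
                findings.append(("deny_burst", user, None))
                break

    # 3. Same account seen from two source addresses within minutes: a sign of a stolen credential or session.
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((r["time"], r["src"]))
    for user, events in by_user.items():
        events.sort()
        for (t1, s1), (t2, s2) in zip(events, events[1:]):
            if s1 != s2 and t2 - t1 <= travel_window:
                findings.append(("source_change", user, f"{s1}->{s2}"))
                break

    return findings


def analyze():
    """Convenience entry point: run the checks over the constructed log."""
    return find_anomalies(parse_accounting(ACCOUNTING_LOG), POLICY)


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

The first check is only possible because accounting keeps a record of what authorization actually decided; the other two are the kind of per-account baseline that turns an accounting trail into an identity-theft indicator.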