Manage Identification and Authentication of People, Devices, and Services
In this part of this tutorial, we’ll take a look at Manage Identification and Authentication of People, Devices, and Services to help you understand the different aspects of authentication.
Identity Management Implementation
The core activity within identity and access management (IAM) is the management of identities (including people, devices, and services).
Identity management techniques fall into one of two categories:
- Centralized Access Controls
- Decentralized Access Controls
Centralized Access Control
In this technique, all authorization verification is performed by a single entity within a system, and also one change affects the entire system simultaneously. Therefore, this technique has little administrative overhead .An individual or a small team can manage centralized access control.
SSO and LDP are two examples of this technique.
- Single Sign-On (SSO): This technique allows a user to be authenticated only once on a system and to access multiple resources without authenticating again. For example, users can authenticate once on a network and then access resources throughout the network without being prompted to authenticate again. If attackers compromise a user’s credentials, they can sign into the computer and then seamlessly gain access to all apps using SSO. So, in SSO Every account that exists in a system, network, or application is a potential point of unauthorized access. Multiple accounts that belong to a single user, even are more risk. Today, most SSO systems include methods to protect user credentials.
- Lightweight Directory Access Protocol (LDAP): An LDAP directory stores information about users, groups, computers, and sometimes-other objects such as printers and shared folders. LDAP is is both an IP protocol and a data model. LDAP is used to support authentication and directory functions for both people and resources. The most common LDAP system is Microsoft Active Directory that it uses Kerberos by default for authentication purpose.
Decentralized Access Control
Decentralized access control systems keep user account information in separate locations, maintained by the same or different administrators, throughout an organization or enterprise.
In Decentralized access control:
1- Various entities located throughout a system perform authorization verification.
2- It usually requires several teams or multiple entities.
3- In this technique, administrative overhead is higher because changes must be implemented across several locations.
4- Because there are so many access control points, it’s very difficult to maintain systems consistency
This type of system makes sense in extremely large organizations or in situations where very granular control of complex user access rights and relationships is necessary.
Authentication is a two-step process:
- Identification: Identification is the means by which a user or system (subject) presents a specific identity (such as a username) to a system (object).
- Authentication: The process of verifying that identity
Single-factor authentication: It is the process of using a single method to authenticate. For example, a username and password, a smart card is a single factor authentication.
Multifactor authentication: It is a system that needs two or more methods of the authentication process. For example, the first method is to enter the username and password; if they are valid, and then proceeds to the second method of authentication, which is usually a soft token from a security application.
Multifactor authentication should use methods from at least two of the five different factors:
- Something you know: such as a password, a pattern or a personal identification number (PIN). Username and password combinations are the simplest, least expensive, most common and of course weakest authentication mechanism. PINs are usually consist of 4-digit code, used for authentication. And finally Pattern. Today patterns are seen on the mobile phone lock screen.
- Something you have: such as mobile phone, USB token, or smart card. This concept is based on the assumption that only the owner of the account has the necessary key to unlock the account. Smart cards usually combined with PIN. Also, a specialized certificate is stored on the USB token and used for authentication when required. And finally, messages or codes are sent to the phone, and then those messages or codes are used for authentication purpose.
- Something you are: such as fingerprint, face, voice, retina, or iris characteristics and biometrics. This mechanism has two drawback. First, acceptance, because people are sometimes uneasy about using these systems. Second, the issue of spoofing, because some biometric systems are not immune to spoofing attacks.
- Where you are: It includes Location (a method of authentication that is based on geographical location), IP Address (a way to authenticate where the person is—is through IP address), and Mobile Device Location (Mobile devices provide accurate geography through GPS).
- What do you do: For Example Handwriting and signatures are another way to authenticate who the person is. Also typing technique is used to determine the person because every person has some kind of a typing pattern.
Anyway, multiple factors could be demanded when the person is requests authentication into the AAA framework who you are, what you have, what do you know, what you do, etc. These additional items may have a cost associated with them.
Accountability is the ability to track users’ actions (like track the user identity on the system, track the time to access the system and track the actions on the system) in when they access systems and data. This audit data must be captured, logged for later analysis, and troubleshooting. An important security concept that’s closely related to accountability is non-repudiation. Non-repudiation means that a user (username [email protected]) can’t deny an action because her identity is positively associated with her actions.
So it is very important that each user log in to systems only with his/ her own user account. Why? Because If a system permits users to log in using a common user account, or a user account that has a widely known password, then you can’t absolutely associate any user with a given (malicious) action or (unauthorized) access on that system.
A session is a formal term referring to an individual user’s dialogue, or series of interactions, with an information system. When using any type of authentication system, it is important to manage sessions to prevent unauthorized access. Information systems need to track individual users’ sessions in order to properly distinguish one user’s actions from another’s.
Two primary means of session timeouts are utilized:
- Screen saver: It is actually one of the features of the operating system. A screen saver locks the workstation or mobile device itself, and requires the user to log in into the system after a period of inactivity again. Desktop PCs and laptops include screensavers. Screensavers have a time-period that can be configured. If you set it for 20 minutes, it will activate after 20 minutes. Of course, screensavers have a password-protect feature that can be enabled. This feature displays the login screen and forces the user to authenticate again prior to exiting the screen saver.
- Inactivity timeouts: Individual software applications may utilize an auto locking or auto-logout feature if a user has been inactive for a specific period of time. Secure online sessions will normally terminate after a period of time too. For example, if you establish a secure session with your bank account, if you don’t do anything for ten minutes, system may automatically terminated your session.
Registration and Proofing of Identity
Formal user registration processes are very important for secure account provisioning, particularly in large organizations. So, users must register and provide proof of their identity. Registration and Proofing of Identity is particularly critical in SSO, Federated, and PKI environments. Proof of identity often begins at the time of Recruitment. Within an organization, new employees prove their identity with appropriate documentation during the hiring process. Then, human Resource department then creates their user IDs. Today, for registration, some organizations uses variety biometric methods for authentication.
Proof of user identity on online financial transactions or banking websites is much stricter and more complex. Users are often asked for a lot of identity information.
Federated Identity Management (FIM)
Federated identity is a portable identity and a form of SSO, that its associated rights can be used across business boundaries. It allows a user to be authenticated across multiple IT systems and enterprises. In fact, federated identity management extends Identity management outside a single organization. Multiple organizations can join a federation, or group, and agree on a method to share identities between them. At result, federation of identity Management (FIM) comprises the standards, technologies, and tools used to facilitate the portability of identity across separately managed organizations.
Users in each organization can log on once in their own organization, and then they can then use this federated identity to access resources in any other organization within the group. A challenge with multiple companies communicating in a federation is finding a common language. Federated identity systems often use the Security Assertion Mark-up Language (SAML) and Service Provisioning Mark-up Language (SPML) to meet this requirement.
Credential Management Systems
Credential management systems enable an organization to centrally organize and control use rids and passwords for users. Such systems typically extend the functionality of the default features available in a typical directory service (such as LDAP or Microsoft Active Directory). In fact, credential management systems are available as commercial software products that can be implemented either on-premises or in the cloud.
The management system secures the credentials with encryption to prevent unauthorized access. For example, Windows OS include the Credential Manager tool. So, users enter their credentials into the Credential Manager, and the operating system retrieves the user’s credentials and automatically submits them when necessary.