Authentication is the process of verifying the identity of a person or device. Authentication technology provides access control for systems by checking whether a user’s credentials match the credentials held in a database of authorized users or on an authentication server.

The authentication process always runs at the start of the application, before the permission and throttling checks occur, and before any other code is allowed to proceed.

A common example is entering a username and password when you log in to a website. Also, every time you check or send email, the mail server verifies your identity by matching your email address with the correct password.

Sources: techterms.com, searchsecurity.techtarget.com and economictimes.indiatimes.com


How Authentication Works

During authentication, credentials provided by the user are compared to those on file in a database of authorized users’ information either on the local operating system or through an authentication server. If the credentials match, and the authenticated entity is authorized to use the resource, the process is completed and the user is granted access. Rather than burden end users with that process for each interaction over the web, protected systems often rely on token-based authentication, in which authentication is performed once at the start of a session. The authenticating system issues a signed authentication token to the end-user application, and that token is appended to every request from the client.
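The token-based pattern described above, as an added example that is not part of the original article: the server authenticates once, issues an HMAC-signed token with an expiry, and every later request carries that token in an `Authorization: Bearer` header. The secret, the claim names (`sub`, `iat`, `exp`) and the `handle_request` shape are assumptions made for the example, not a description of any particular product.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side signing secret for this example only; a real deployment
# loads it from a secret store and rotates it, and never hard-codes it.
SERVER_SECRET = b"example-signing-secret-do-not-use-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Called once, after the credentials have been checked: sign a short-lived token."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps(
        {"sub": user, "iat": issued, "exp": issued + ttl_seconds},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated user if the token is genuine and unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token: wrong number of parts or bad base64
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # signature check in constant time; a forged payload fails here
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return None  # expired: the client must authenticate again
    return claims["sub"]


def handle_request(headers: dict, now: Optional[float] = None):
    """Every request after logon presents the token instead of the password."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing token"
    user = verify_token(auth[len("Bearer "):], now=now)
    if user is None:
        return 401, "invalid or expired token"
    return 200, f"hello {user}"


if __name__ == "__main__":
    token = issue_token("alice", ttl_seconds=300)
    print(handle_request({"Authorization": "Bearer " + token}))
```

The signature covers the whole payload, so a client cannot change `sub` or extend `exp` without the server secret, and the expiry keeps a captured token from being useful indefinitely.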

To illustrate this, let’s look at the authentication mechanism of the Active Directory service in Microsoft Windows. This service supports a variety of authentication mechanisms, but for years it has used the Kerberos protocol to log users on to the Active Directory domain, and it is through Kerberos that it identifies users.

Kerberos authentication is currently the default authentication technology used by Microsoft Windows. Kerberos has also become a standard for websites and single sign-on implementations across platforms.

Under Kerberos:

  1. A client (a user or a service) sends a ticket request to the Key Distribution Center (KDC).
  2. The KDC verifies the credentials and sends back an encrypted TGT and a session key.
  3. The TGT is encrypted using the Ticket Granting Service (TGS) secret key.
  4. The client then attempts to decrypt the TGT using its password. If the client decrypts it successfully (i.e., if the client supplied the correct password), it keeps the decrypted TGT as proof of the client’s identity.
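The four steps above as a runnable simulation. This is an added example and not the page’s code or any real Kerberos implementation: it uses a toy authenticated-encryption routine (hash-derived keystream plus HMAC) where Kerberos uses AES-based encryption types, PBKDF2 stands in for the string-to-key function, and the realm name, salt and message layout are constructed. It follows the Kerberos 5 shape in which the client first proves knowledge of its password with an encrypted timestamp (pre-authentication, so the KDC really does verify the credentials in step 2), the TGT is sealed under the TGS key (step 3) and stays opaque to the client, and the client proves its identity by decrypting the session-key part of the reply with its password-derived key (step 4).

```python
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds of clock difference tolerated in the pre-authentication timestamp


def derive_key(password: str, salt: bytes) -> bytes:
    # Kerberos derives a principal's long-term key from its password ("string-to-key");
    # PBKDF2 stands in for that here (assumption for the example).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for encryption and integrity, derived from the long-term key.
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (encrypt-then-MAC). Real Kerberos uses AES etypes."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class KDC:
    """Authentication Service of a single-realm Key Distribution Center (constructed)."""

    def __init__(self):
        self.salt = b"EXAMPLE.REALM"      # constructed realm salt for string-to-key
        self.tgs_key = os.urandom(32)      # step 3: every TGT is sealed under the TGS key
        self.principals = {}               # principal name -> long-term key

    def register(self, name: str, password: str) -> None:
        self.principals[name] = derive_key(password, self.salt)

    def as_exchange(self, name: str, preauth: bytes, now=None):
        """Steps 1 and 2: check the client's pre-authentication, then reply with the sealed
        TGT and the session key sealed under the client's own long-term key."""
        now = time.time() if now is None else now
        key = self.principals.get(name)
        if key is None:
            raise PermissionError("unknown principal")
        try:
            stamp = json.loads(unseal(key, preauth))["timestamp"]
        except ValueError:
            # A client with the wrong password cannot seal anything under the right key.
            raise PermissionError("pre-authentication failed") from None
        if abs(now - stamp) > CLOCK_SKEW:
            raise PermissionError("pre-authentication timestamp outside allowed skew")
        session_key = os.urandom(32)
        tgt = seal(self.tgs_key, json.dumps({"client": name, "session_key": session_key.hex()}).encode())
        enc_part = seal(key, json.dumps({"session_key": session_key.hex()}).encode())
        return tgt, enc_part

    def inspect_tgt(self, tgt: bytes) -> dict:
        """Only the KDC/TGS can open a TGT; the client just carries it."""
        return json.loads(unseal(self.tgs_key, tgt))


def client_logon(kdc: KDC, name: str, password: str, now=None):
    """Client side of steps 1 and 4: prove the password via pre-authentication, then recover
    the session key from the part of the reply sealed under the password-derived key."""
    now = time.time() if now is None else now
    key = derive_key(password, kdc.salt)
    preauth = seal(key, json.dumps({"timestamp": int(now)}).encode())
    tgt, enc_part = kdc.as_exchange(name, preauth, now=now)
    session_key = bytes.fromhex(json.loads(unseal(key, enc_part))["session_key"])
    return tgt, session_key


if __name__ == "__main__":
    kdc = KDC()
    kdc.register("alice", "correct horse battery staple")
    tgt, session_key = client_logon(kdc, "alice", "correct horse battery staple")
    print("TGT issued for", kdc.inspect_tgt(tgt)["client"])
```

A wrong password fails at the KDC (the pre-authentication blob does not verify), and even the legitimate client cannot open the TGT with its own key, which is what lets the TGT be passed around as an opaque proof for later service-ticket requests.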

However, Kerberos is a username-and-password authentication method. As we will see, other methods, such as biometric authentication, are also used to verify your identity these days.

Sources: varonis.com and searchsecurity.techtarget.com


Single/Multi-Factor Authentication 

Single-factor authentication (SFA) uses a single method to authenticate (for example, a username and password, or a smart card). Multi-factor authentication (MFA) requires two or more authentication methods (for example, a USB token from a security application followed by a username and password).

MFA should use methods from at least two of the following five factors:

  1. What you know (for example, a password)
  2. What you have (for example, a smart card or USB token)
  3. What you are (such as biometric authentication methods)
  4. Somewhere you are (for example, location or IP address)
  5. Something you do (for example, gestures)

You may have seen the phrase two-factor authentication (2FA) in many texts and articles on network security and cyber security. 2FA is a subset of MFA in which exactly two factors are verified. Most software, websites and services use single-factor authentication or 2FA; MFA with more than two factors is used in very few places.
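A small policy check for the rule above, added here as an example and not taken from the article: what makes a logon multi-factor is the number of distinct factors proven, not the number of prompts. The mapping of method names to factors is constructed from the methods this page discusses and would be adjusted to whatever a real system offers.

```python
from enum import Enum


class Factor(Enum):
    KNOW = "what you know"
    HAVE = "what you have"
    ARE = "what you are"
    WHERE = "somewhere you are"
    DO = "something you do"


# Constructed mapping from the methods discussed on this page to the factor each proves.
METHOD_FACTOR = {
    "password": Factor.KNOW, "pin": Factor.KNOW, "pattern": Factor.KNOW,
    "smart_card": Factor.HAVE, "usb_token": Factor.HAVE, "sms_code": Factor.HAVE,
    "authenticator_app": Factor.HAVE,
    "fingerprint": Factor.ARE, "iris_scan": Factor.ARE,
    "ip_address": Factor.WHERE, "gps_location": Factor.WHERE,
    "picture_gesture": Factor.DO, "typing_rhythm": Factor.DO,
}


def factors_covered(methods) -> set:
    """Distinct factors proven by the methods the user actually completed."""
    unknown = sorted(m for m in methods if m not in METHOD_FACTOR)
    if unknown:
        raise ValueError(f"unknown authentication methods: {unknown}")
    return {METHOD_FACTOR[m] for m in methods}


def classify(methods) -> str:
    """SFA, 2FA or wider MFA is decided by distinct factors, not by how many prompts were shown."""
    count = len(factors_covered(methods))
    if count <= 1:
        return "single-factor"
    if count == 2:
        return "two-factor"
    return "multi-factor (more than two)"


def meets_policy(methods, required_factors: int = 2) -> bool:
    """True when the completed methods span at least required_factors distinct factors."""
    return len(factors_covered(methods)) >= required_factors


if __name__ == "__main__":
    # A password plus a PIN is two prompts but still one factor.
    print(classify(["password", "pin"]), meets_policy(["password", "pin"]))
    print(classify(["password", "usb_token"]), meets_policy(["password", "usb_token"]))
```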


What You Know

The “something you know” factor is the most commonly used factor and can be a password or a simple personal identification number (PIN).


Passwords 

  • When using passwords, it is important to use strong ones. A strong password mixes upper case, lower case, numbers and special characters.
  • Today, security professionals recommend that passwords be at least 15 characters long.
  • Passwords should not include personal data such as the user’s name or username. Additionally, a password should not be a word that can be found in a dictionary: a dictionary attack uses a word list, similar to a dictionary, and tries every word in it until one matches.
  • You should also set maximum password aging to require password changes at regular intervals; 30-, 60- or 90-day periods are common.
  • Password re-use settings let a system remember previously used passwords for a specific account. This setting prevents users from circumventing maximum password expiration by alternating between two or three familiar passwords when they are required to change them.
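The rules in the list above turned into a password-change check, added here as an example that is not from the article: minimum length, character-class mix, no username inside the password, no dictionary word (even with digits or punctuation bolted on), no re-use of recent passwords, and a maximum-age test. The limits, the tiny word list used in the demo, and the use of salted PBKDF2 for the stored history are assumptions made for the example.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 15                    # recommended minimum length from the list above
HISTORY_DEPTH = 5                  # how many previous passwords the re-use rule remembers
MAX_AGE_SECONDS = 90 * 24 * 3600   # 90-day maximum password age


def _hash(password: str, salt: bytes) -> bytes:
    # Previous passwords are kept only as salted PBKDF2 hashes, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def check_password(candidate: str, username: str, dictionary: set, history: list) -> list:
    """Return the list of policy rules the candidate breaks; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    )
    if not all(classes):
        problems.append("must mix upper case, lower case, digits and special characters")
    lowered = candidate.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    # "Password123!" is still the dictionary word "password" once the decoration is stripped.
    core = lowered.strip(string.digits + string.punctuation)
    if lowered in dictionary or core in dictionary:
        problems.append("is based on a dictionary word")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def record_password(history: list, password: str) -> None:
    """Append the accepted password's salted hash so later changes can detect re-use."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))


def password_expired(set_at: float, now: float, max_age: int = MAX_AGE_SECONDS) -> bool:
    """Maximum password aging: True once the password is older than max_age seconds."""
    return now - set_at > max_age


if __name__ == "__main__":
    words = {"password", "dragon", "welcome"}   # constructed stand-in for a real word list
    history = []
    print(check_password("Password12345678!", "alice", words, history))
    print(check_password("Correct-Horse-Battery-7", "alice", words, history))
```

The history list holds salted hashes only, so the re-use check costs one PBKDF2 computation per remembered entry and never exposes old passwords if the list leaks.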

Each of us today has passwords for websites, email services and various applications, which means each of us must remember a large number of passwords, so it is very likely that we forget some of them. Security experts recommend using password managers to solve this problem. You can learn about password managers here.


PIN

A personal identification number (PIN) is a numerical code. The core purpose of a PIN is to provide an additional layer of security to the electronic transaction process.

A PIN is often entered when using an ATM; it generally consists of a 4-digit code used for authentication. A PIN is also used when inserting a SIM card into a mobile phone and when connecting to a wireless network. Read more about PINs here.

Source: investopedia.com


Pattern 

These patterns are now commonly seen on mobile phone lock screens.


What You Have

This factor refers to something you can physically carry with you, such as a smart card or a USB token.


Smart Card

The user inserts this card into a smart card reader (on a computer, an ATM or many other devices) to authenticate. Usually these cards are combined with a personal identification number (PIN), so the user must have something (the smart card) and know something (the PIN). A credit card is one type of smart card. The Personal Identity Verification (PIV) card is a smart card used by U.S. federal agencies to identify the cardholder and grant them access to facilities and systems.

Source: commerce.gov


Hardware and Software Token 

These tokens generate synchronized pseudo-random codes for the purpose of authentication. A token either stores a static password (or digital certificate) or generates dynamic passwords. The three general types of token are:

  • Static password tokens: These tokens store a static password or digital certificate.
  • Synchronous dynamic password tokens: These tokens continuously generate a new password or passcode at a fixed time interval (for example, 60 seconds) or in response to an event (such as every time you press a button). Typically, the passcode is valid only during a fixed time window (say, one minute) and only for a single logon.
  • Asynchronous dynamic password tokens: This type of token generates a new password or passcode asynchronously by calculating the correct response to a system-generated random challenge string that the owner enters manually.
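Both dynamic token types from the list above, as an added example that is not the article’s code: the synchronous case is time-based one-time passwords (TOTP, RFC 6238 over HOTP, RFC 4226, so the codes can be checked against the RFC’s published test vectors), and the asynchronous case is a challenge-response where the server issues a random challenge and the token answers with a truncated HMAC over it. The server-side verifier accepts a code only within a small clock-skew window and only once per time step, which is the “valid for a single logon” property the list describes. The step size, digit counts, skew and the 8-hex-digit response format are assumptions for the example.

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current time step (what the token shows)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Server side of a synchronous token: accepts the current step plus/minus `skew`
    steps to tolerate clock drift, and never accepts the same step twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_accepted = -1  # highest time step already used for a logon

    def verify(self, code: str, at=None) -> bool:
        at = time.time() if at is None else at
        current = int(at // self.step)
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_accepted:
                continue  # one logon per step: a replayed code is refused
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted = candidate
                return True
        return False


def token_response(secret: bytes, challenge: str) -> str:
    """What the asynchronous token computes after the owner keys in the challenge."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class ChallengeVerifier:
    """Server side of an asynchronous token: random challenges, each answerable once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()

    def new_challenge(self) -> str:
        challenge = os.urandom(4).hex()  # 8 hex digits, short enough to type
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self.outstanding:
            return False  # unknown, already used, or made up by the client
        self.outstanding.discard(challenge)
        return hmac.compare_digest(token_response(self.secret, challenge), response)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, constructed for the demo
    print("current TOTP:", totp(secret))
    server = ChallengeVerifier(secret)
    challenge = server.new_challenge()
    print("challenge", challenge, "accepted:", server.verify(challenge, token_response(secret, challenge)))
```

For a real deployment the shared secret is provisioned per token at enrolment and stored server-side with the same care as a password hash; the verifier state (`last_accepted`, `outstanding`) has to live in shared storage if more than one server checks logons.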

A USB token is another way to authenticate. A certificate is stored on the USB device and used for authentication when required. In other words, a USB token is a physical device used to establish personal identity, without a password, in order to access a network.

A soft token such as Google Authenticator or Microsoft Authenticator on a smartphone provides adequate two-factor authentication, provided the user is not trying to log in to an application from that same smartphone.

Sources: searchsecurity.techtarget.com and quizlet.com


Smartphone / SMS Passwords

Messages or codes are sent to the phone and then used for authentication. When a user attempts to log on to a system:

  1. The user logs on with their normal credentials.
  2. After that, SMSPassword automatically sends a one-time or temporary password to that person’s cell phone by SMS.
  3. The user enters this password and is granted access.

This password can be one-time or short-lived. A one-time password is valid for one logon session only; after that session it is no longer valid. Thus, if an attacker obtains a one-time password that someone has already used, that password has no value.
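The three-step SMS flow and the one-time property above, as an added example that is not the article’s code: after the normal credential check the service generates a random code, sends it through a pluggable SMS sender, keeps only a hash of it, and accepts it once within its lifetime with a bounded number of guesses. The code length, lifetime, attempt limit and the `send_sms` callback are assumptions for the example; the demo sender just records the message.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6        # length of the texted code
TTL_SECONDS = 300      # how long a code stays valid after it is sent
MAX_ATTEMPTS = 3       # wrong guesses allowed before the code is discarded


class OneTimePasswordService:
    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(phone, text); a real gateway in production
        self.pending = {}          # user -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def start(self, user: str, phone: str, now=None) -> None:
        """Step 2: after the normal credential check, text a fresh code to the user's phone."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Only the hash is kept; a fresh start replaces any earlier unused code.
        self.pending[user] = {"digest": self._digest(code), "expires": now + TTL_SECONDS, "attempts": 0}
        self.send_sms(phone, f"Your one-time code is {code}")

    def finish(self, user: str, code: str, now=None) -> bool:
        """Step 3: accept the code once, within its lifetime, with a bounded number of guesses."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return False  # nothing pending: never issued, already used, or discarded
        if now > entry["expires"]:
            del self.pending[user]
            return False  # short-duration: an old code is worthless
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]
            return False  # too many guesses: the user must restart the flow
        if hmac.compare_digest(entry["digest"], self._digest(code)):
            del self.pending[user]  # one-time: a used code has no further value
            return True
        return False


if __name__ == "__main__":
    outbox = []  # constructed stand-in for an SMS gateway
    service = OneTimePasswordService(lambda phone, text: outbox.append((phone, text)))
    service.start("alice", "+15550100")
    sent_code = outbox[-1][1].split()[-1]
    print("first use:", service.finish("alice", sent_code))
    print("replay:", service.finish("alice", sent_code))
```

The attempt limit matters because a 6-digit code has only a million possibilities; without it, the lifetime alone would not stop an online guessing loop.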

Source: en.wikipedia.org


Digital Certificates

In this authentication method, when the user attempts to log on to a system, the system queries the user’s device for a digital certificate to confirm the user’s identity. If the digital certificate can be obtained and is confirmed to be genuine, the user is permitted to log on.


What You Are 

Biometrics may also be used for authentication. Some of the biometric methods that can be used are fingerprints, hand geometry, retinal or iris scans, handwriting, and voice analysis. For example, many smartphones have a fingerprint sensor that allows you to unlock your phone with a simple tap of your thumb or finger. Some facilities have retinal scanners, which require an eye scan to allow authorized individuals to access secure areas. Read this post about biometric methods.


Somewhere You Are 

This factor may not be as well known as the ones already mentioned. Somewhere you are relates to your location.


IP Address

One of the most common methods of detecting a user’s location is via Internet Protocol (IP) addresses. Suppose a security software company intends to block access to its website from people who live in countries subject to US federal sanctions.

Each country has its own public IP address ranges, so the company can find out which country a user who intends to access its website resides in. It is then sufficient for the company to block any access from those addresses.


MAC Address 

It is also possible to use Media Access Control (MAC) addresses. An organization might set up its network so only specific computers can be used to log in (based on MAC addresses). If an employee is trying to access the network from a different computer, the access will be denied.


Mobile Device Location 

Mobile devices provide accurate geography compared to other methods, through GPS (Global Positioning System). When is this feature useful? It is very helpful when your mobile phone has been stolen or lost, since it lets you find out where your smartphone is. Of course, this mobile feature is also very, very popular with the security organizations of the countries! Men and women who are suspicious of their spouses are also interested in this feature.


What You Do

Something you do is a type of authentication that proves identity by observing actions. These actions can be things like gestures or touches.


Handwriting Analysis 

Handwriting and signatures are another way to authenticate who the person is. Read about Handwriting Analysis here.


Picture Password

Picture password is a feature introduced with Windows 8. A picture password is a combination of three gestures that you perform in a specific order on a picture you chose for this purpose.

The picture password is associated with your user account and can be used as a replacement for your password. However, you cannot have a user account that logs into Windows 10 with a picture password and has no password associated with it.

Learn how to use the picture password feature in Windows 10 by clicking on this link.

Source: digitalcitizen.life


Typing Technique

Typing technique can also be used to identify a person, because every person has a characteristic typing pattern. Read about this here.


Sources:

economictimes.indiatimes.com

searchsecurity.techtarget.com

digitalcitizen.life

varonis.com

commerce.gov

techterms.com

investopedia.com

quizlet.com