Closed-loop authentication

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Closed-loop authentication, as applied to computer network communication, refers to a mechanism whereby one party verifies the purported identity of another party by requiring them to supply a copy of a token transmitted to the canonical or trusted point of contact for that identity. It is also sometimes used to refer to a system of mutual authentication whereby two parties authenticate one another by signing and passing back and forth a cryptographically signed nonce, each party demonstrating to the other that they control the secret key used to certify their identity.

E-mail Authentication[edit]

Main article: Opt in e-mail

Closed-loop email authentication is useful for simple situations where one party wants to demonstrate control of an email address to another, as a weak form of identity verification. It is not a strong form of authentication in the face of host- or network-based attacks (where an imposter, Chuck, is able to intercept Bob's email, intercepting the nonce and thus masquerading as Bob.)

A use of closed-loop email authentication is used by parties with a shared secret relationship (for example, a website and someone with a password to an account on that website), where one party has lost or forgotten the secret and needs to be reminded. The party still holding the secret sends it to the other party at a trusted point of contact. The most common instance of this usage is the "lost password" feature of many websites, where an untrusted party may request that a copy of an account's password be sent by email, but only to the email address already associated with that account. A problem associated with this variation is the tendency of a naïve or inexperienced user to click on a URL if an email encourages them to do so. Most website authentication systems mitigate this by permitting unauthenticated password reminders or resets only by email to the account holder, but never allowing a user who does not possess a password to log in or specify a new one.

In some instances in web authentication, closed-loop authentication is employed before any access is granted to an identified user that would not be granted to an anonymous user. This may be because the nature of the relationship between the user and the website is one that holds some long-term value for one or both parties (enough to justify the increased effort and decreased reliability of the registration process.) It is also used in some cases by websites attempting to impede programmatic registration as a prelude to spamming or other abusive activities.

Closed-loop authentication (like other types) is an attempt to establish identity. It is not, however, incompatible with anonymity, if combined with a pseudonymity system in which the authenticated party has adequate confidence.

See also[edit]

See Category:Computer security for a list of all computing and information-security related articles.