Authentication
Authentication (from Greek: αὐθεντικός authentikos, "real, genuine", from αὐθέντης authentes, "author") is the act of confirming the truth of an attribute of a single piece of data (a datum) claimed true by an entity. In contrast with identification which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's identity, authentication is the process of actually confirming that identity. It might involve confirming the identity of a person by validating their identity documents, verifying the authenticity of a website with a digital certificate,[1] determining the age of an artifact by carbon dating, or ensuring that a product is what its packaging and labeling claim to be. In other words, authentication often involves verifying the validity of at least one form of identification.
Methods
Authentication is relevant to multiple fields. In art, antiques and anthropology, a common problem is verifying that a given artifact was produced by a certain person or in a certain place or period of history. In computer science, verifying a person's identity is often required to allow access to confidential data or systems.
Authentication can be considered to be of three types:
The first type of authentication is accepting proof of identity given by a credible person who has first-hand evidence that the identity is genuine. When authentication is required of art or physical objects, this proof could be a friend, family member or colleague attesting to the item's provenance, perhaps by having witnessed the item in its creator's possession. With autographed sports memorabilia, this could involve someone attesting that they witnessed the object being signed. A vendor selling branded items implies authenticity, while he or she may not have evidence that every step in the supply chain was authenticated. Centralized authority-based trust relationships back most secure internet communication through known public certificate authorities; decentralized peer-based trust, also known as a web of trust, is used for personal services such as email or files (pretty good privacy, GNU Privacy Guard) and trust is established by known individuals signing each other's cryptographic key at Key signing parties, for instance.
The second type of authentication is comparing the attributes of the object itself to what is known about objects of that origin. For example, an art expert might look for similarities in the style of painting, check the location and form of a signature, or compare the object to an old photograph. An archaeologist, on the other hand, might use carbon dating to verify the age of an artifact, do a chemical and spectroscopic analysis of the materials used, or compare the style of construction or decoration to other artifacts of similar origin. The physics of sound and light, and comparison with a known physical environment, can be used to examine the authenticity of audio recordings, photographs, or videos. Documents can be verified as being created on ink or paper readily available at the time of the item's implied creation.
Attribute comparison may be vulnerable to forgery. In general, it relies on the facts that creating a forgery indistinguishable from a genuine artifact requires expert knowledge, that mistakes are easily made, and that the amount of effort required to do so is considerably greater than the amount of profit that can be gained from the forgery.
In art and antiques, certificates are of great importance for authenticating an object of interest and value. Certificates can, however, also be forged, and the authentication of these poses a problem. For instance, the son of Han van Meegeren, the well-known art-forger, forged the work of his father and provided a certificate for its provenance as well; see the article Jacques van Meegeren.
Criminal and civil penalties for fraud, forgery, and counterfeiting can reduce the incentive for falsification, depending on the risk of getting caught.
Currency and other financial instruments commonly use this second type of authentication method. Bills, coins, and cheques incorporate hard-to-duplicate physical features, such as fine printing or engraving, distinctive feel, watermarks, and holographic imagery, which are easy for trained receivers to verify.
The third type of authentication relies on documentation or other external affirmations. In criminal courts, the rules of evidence often require establishing the chain of custody of evidence presented. This can be accomplished through a written evidence log, or by testimony from the police detectives and forensics staff that handled it. Some antiques are accompanied by certificates attesting to their authenticity. Signed sports memorabilia is usually accompanied by a certificate of authenticity. These external records have their own problems of forgery and perjury, and are also vulnerable to being separated from the artifact and lost.
In computer science, a user can be given access to secure systems based on user credentials that imply authenticity. A network administrator can give a user a password, or provide the user with a key card or other access device to allow system access. In this case, authenticity is implied but not guaranteed.
Consumer goods such as pharmaceuticals, perfume, fashion clothing can use all three forms of authentication to prevent counterfeit goods from taking advantage of a popular brand's reputation (damaging the brand owner's sales and reputation). As mentioned above, having an item for sale in a reputable store implicitly attests to it being genuine, the first type of authentication. The second type of authentication might involve comparing the quality and craftsmanship of an item, such as an expensive handbag, to genuine articles. The third type of authentication could be the presence of a trademark on the item, which is a legally protected marking, or any other identifying feature which aids consumers in the identification of genuine brand-name goods. With software, companies have taken great steps to protect from counterfeiters, including adding holograms, security rings, security threads and color shifting ink.[3]
Factors and identity
The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication: something the user knows, something the user has, and something the user is. Each authentication factor covers a range of elements used to authenticate or verify a person's identity prior to being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority.
Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified.[4] The three factors (classes) and some of elements of each factor are:
- the knowledge factors: Something the user knows (e.g., a password, Partial Password, pass phrase, or personal identification number (PIN), challenge response (the user must answer a question, or pattern), Security question
- the ownership factors: Something the user has (e.g., wrist band, ID card, security token, cell phone with built-in hardware token, software token, or cell phone holding a software token)
- the inherence factors: Something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other biometric identifier).
Types of Authentication
The most frequent types of authentication available in use for authenticating online users differ in the level of security provided by combining factors from the one or more of the three categories of factors for authentication:
Single-factor authentication
As the weakest level of authentication, only a single component from one of the three categories of factors is used to authenticate an individual’s identity. The use of only one factor does not offer much protection from misuse or malicious intrusion. This type of authentication is not recommended for financial or personally relevant transactions that warrant a higher level of security.[1]
Two-factor authentication
When elements representing two factors are required for authentication, the term two-factor authentication is applied — e.g. a bankcard (something the user has) and a PIN (something the user knows). Business networks may require users to provide a password (knowledge factor) and a pseudorandom number from a security token (ownership factor). Access to a very-high-security system might require a mantrap screening of height, weight, facial, and fingerprint checks (several inherence factor elements) plus a PIN and a day code (knowledge factor elements), but this is still a two-factor authentication.
Multi-factor authentication
Instead of using two factors as used in 2FA, multiple authentication factors are used to enhance security. This enhances the security of a transaction in comparison to the 2FA authentication process.[1]
Strong authentication
The U.S. Government's National Information Assurance Glossary defines strong authentication as
layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information.
The European Central Bank (ECB) has defined strong authentication as “a procedure based on two or more of the three authentication factors.” The factors that are used must be mutually independent and at least one factor must be “non-reusable and non-replicable”, except in the case of an inherence factor and must also be incapable of being stolen of the Internet. In the European, as well as in the US-American understanding, strong authentication is very similar to multi-factor authentication or 2FA, but exceeding those with more rigorous requirements.[1][6]
The Fast IDentity Online (FIDO) Alliance has been striving to establish technical specifications for strong authentication.[7]
Digital authentication
The authentication of information can pose special problems with electronic communication, such as vulnerability to man-in-the-middle attacks, whereby a third party taps into the communication stream, and poses as each of the two other communicating parties, in order to intercept information from each. Extra identity factors can be required to authenticate each party's identity.
The term digital authentication refers to a group of processes where the confidence for user identities is established and presented via electronic methods to an information system. It is also referred to as e-authentication. The digital authentication process creates technical challenges because of the need to authenticate individuals or entities remotely over a network. The American National Institute of Standards and Technology (NIST) has created a generic model for digital authentication that describes the processes that are used to accomplish secure authentication:
- Enrollment – an individual applies to a credential service provider (CSP) to initiate the enrollment process. After successfully proving the applicant’s identity, the CSP allows the applicant to become a subscriber.
- Authentication – After becoming a subscriber, the user receives an authenticator e.g., a token and credentials, such as a user name. He or she is then permitted to perform online transactions within an authenticated session with a relying party, where they must provide proof that he or she possesses one or more authenticators.
- Life-Cycle maintenance – the CSP is charged with the task of maintaining the user’s credential of the course of its lifetime, while the subscriber is responsible for maintaining his or her authenticator(s).[1][8]
Product authentication
Counterfeit products are often offered to consumers as being authentic. Counterfeit consumer goods such as electronics, music, apparel, and counterfeit medications have been sold as being legitimate. Efforts to control the supply chain and educate consumers help ensure that authentic products are sold and used. Even security printing on packages, labels, and nameplates, however, is subject to counterfeiting.
A secure key storage device can be used for authentication in consumer electronics, network authentication, license management, supply chain management, etc. Generally the device to be authenticated needs some sort of wireless or wired digital connection to either a host system or a network. Nonetheless, the component being authenticated need not be electronic in nature as an authentication chip can be mechanically attached and read through a connector to the host e.g. an authenticated ink tank for use with a printer. For products and services that these Secure Coprocessors can be applied to, they can offer a solution that can be much more difficult to counterfeit than most other options while at the same time being more easily verified.
Packaging
Packaging and labeling can be engineered to help reduce the risks of counterfeit consumer goods or the theft and resale of products.[9][10] Some package constructions are more difficult to copy and some have pilfer indicating seals. Counterfeit goods, unauthorized sales (diversion), material substitution and tampering can all be reduced with these anti-counterfeiting technologies. Packages may include authentication seals and use security printing to help indicate that the package and contents are not counterfeit; these too are subject to counterfeiting. Packages also can include anti-theft devices, such as dye-packs, RFID tags, or electronic article surveillance[11] tags that can be activated or detected by devices at exit points and require specialized tools to deactivate. Anti-counterfeiting technologies that can be used with packaging include:
- Taggant fingerprinting – uniquely coded microscopic materials that are verified from a database
- Encrypted micro-particles – unpredictably placed markings (numbers, layers and colors) not visible to the human eye
- Holograms – graphics printed on seals, patches, foils or labels and used at point of sale for visual verification
- Micro-printing – second line authentication often used on currencies
- Serialized barcodes
- UV printing – marks only visible under UV light
- Track and trace systems – use codes to link products to database tracking system
- Water indicators – become visible when contacted with water
- DNA tracking – genes embedded onto labels that can be traced
- Color shifting ink or film – visible marks that switch colors or texture when tilted
- Tamper evident seals and tapes – destructible or graphically verifiable at point of sale
- 2d barcodes – data codes that can be tracked
- RFID chips
Information content
Literary forgery can involve imitating the style of a famous author. If an original manuscript, typewritten text, or recording is available, then the medium itself (or its packaging — anything from a box to e-mail headers) can help prove or disprove the authenticity of the document. However, text, audio, and video can be copied into new media, possibly leaving only the informational content itself to use in authentication. Various systems have been invented to allow authors to provide a means for readers to reliably authenticate that a given message originated from or was relayed by them. These involve authentication factors like:
- A difficult-to-reproduce physical artifact, such as a seal, signature, watermark, special stationery, or fingerprint.
- A shared secret, such as a passphrase, in the content of the message.
- An electronic signature; public-key infrastructure is often used to cryptographically guarantee that a message has been signed by the holder of a particular private key.
The opposite problem is detection of plagiarism, where information from a different author is passed off as a person's own work. A common technique for proving plagiarism is the discovery of another copy of the same or very similar text, which has different attribution. In some cases, excessively high quality or a style mismatch may raise suspicion of plagiarism.
Factual verification
Determining the truth or factual accuracy of information in a message is generally considered a separate problem from authentication. A wide range of techniques, from detective work, to fact checking in journalism, to scientific experiment might be employed.
Video authentication
It is sometimes necessary to authenticate the veracity of video recordings used as evidence in judicial proceedings. Proper chain-of-custody records and secure storage facilities can help ensure the admissibility of digital or analog recordings by the Court.
Literacy & Literature authentication
In literacy, authentication is a readers’ process of questioning the veracity of an aspect of literature and then verifying those questions via research. The fundamental question for authentication of literature is - Do you believe it? Related to that, an authentication project is therefore a reading and writing activity which students documents the relevant research process ([12]). It builds students' critical literacy. The documentation materials for literature go beyond narrative texts and likely include informational texts, primary sources, and multimedia. The process typically involves both internet and hands-on library research. When authenticating historical fiction in particular, readers considers the extent that the major historical events, as well as the culture portrayed (e.g., the language, clothing, food, gender roles), are believable for the time period. ([13]).
History and state-of-the-art
Historically, fingerprints have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability.[citation needed] Outside of the legal system as well, fingerprints have been shown to be easily spoofable, with British Telecom's top computer-security official noting that "few" fingerprint readers have not already been tricked by one spoof or another.[14] Hybrid or two-tiered authentication methods offer a compelling solution, such as private keys encrypted by fingerprint inside of a USB device.
In a computer data context, cryptographic methods have been developed (see digital signature and challenge-response authentication) which are currently not spoofable if and only if the originator's key has not been compromised. That the originator (or anyone other than an attacker) knows (or doesn't know) about a compromise is irrelevant. It is not known whether these cryptographically based authentication methods are provably secure, since unanticipated mathematical developments may make them vulnerable to attack in future. If that were to occur, it may call into question much of the authentication in the past. In particular, a digitally signed contract may be questioned when a new attack on the cryptography underlying the signature is discovered.
Authorization
The process of authorization is distinct from that of authentication. Whereas authentication is the process of verifying that "you are who you say you are", authorization is the process of verifying that "you are permitted to do what you are trying to do". Authorization thus presupposes authentication.
For example, a client showing proper identification credentials to a bank teller is asking to be authenticated that he really is the one whose identification he is showing. A client whose authentication request is approved becomes authorized to access the accounts of that account holder, but no others.
However note that if a stranger tries to access someone else's account with his own identification credentials, the stranger's identification credentials will still be successfully authenticated because they are genuine and not counterfeit, however the stranger will not be successfully authorized to access the account, as the stranger's identification credentials had not been previously set to be eligible to access the account, even if valid (i.e. authentic).
Similarly when someone tries to log on a computer, they are usually first requested to identify themselves with a login name and support that with a password. Afterwards, this combination is checked against an existing login-password validity record to check if the combination is authentic. If so, the user becomes authenticated (i.e. the identification he supplied in step 1 is valid, or authentic). Finally, a set of pre-defined permissions and restrictions for that particular login name is assigned to this user, which completes the final step, authorization.
Even though authorization cannot occur without authentication, the former term is sometimes used to mean the combination of both.
To distinguish "authentication" from the closely related "authorization", the shorthand notations A1 (authentication), A2 (authorization) as well as AuthN / AuthZ (AuthR) or Au / Az are used in some communities.[15]
Normally delegation was considered to be a part of authorization domain. Recently authentication is also used for various type of delegation tasks. Delegation in IT network is also a new but evolving field.[16]
Access control
One familiar use of authentication and authorization is access control. A computer system that is supposed to be used only by those authorized must attempt to detect and exclude the unauthorized. Access to it is therefore usually controlled by insisting on an authentication procedure to establish with some degree of confidence the identity of the user, granting privileges established for that identity. One such procedure involves the usage of Layer 8 which allows IT administrators to identify users, control Internet activity of users in the network, set user based policies and generate reports by username. Common examples of access control involving authentication include:
- Asking for photoID when a contractor first arrives at a house to perform work.
- Using captcha as a means of asserting that a user is a human being and not a computer program.
- By using One Time Password (OTP), received on a tele-network enabled device like mobile phone, as an authentication password/PIN
- A computer program using a blind credential to authenticate to another
- Entering a country with a passport
- Logging in to a computer
- Using a confirmation E-mail to verify ownership of an e-mail address
- Using an Internet banking system
- Withdrawing cash from an ATM
In some cases, ease of access is balanced against the strictness of access checks. For example, the credit card network does not require a personal identification number for authentication of the claimed identity; and a small transaction usually does not even require a signature of the authenticated person for proof of authorization of the transaction. The security of the system is maintained by limiting distribution of credit card numbers, and by the threat of punishment for fraud.
Security experts argue that it is impossible to prove the identity of a computer user with absolute certainty. It is only possible to apply one or more tests which, if passed, have been previously declared to be sufficient to proceed. The problem is to determine which tests are sufficient, and many such are inadequate. Any given test can be spoofed one way or another, with varying degrees of difficulty.
Computer security experts are now also recognising that despite extensive efforts, as a business, research and network community, we still do not have a secure understanding of the requirements for authentication, in a range of circumstances. Lacking this understanding is a significant barrier to identifying optimum methods of authentication. major questions are:
- What is authentication for?
- Who benefits from authentication/who is disadvantaged by authentication failures?
- What disadvantages can effective authentication actually guard against?
See also
- Access Control Service
- Atomic authorization
- Authentication Open Service Interface Definition
- Authenticity in art
- Authorization
- Basic access authentication
- Biometrics
- CAPTCHA
- Chip Authentication Program
- Closed-loop authentication
- Diameter (protocol)
- Digital identity
- EAP
- Electronic authentication
- Encrypted key exchange (EKE)
- Fingerprint Verification Competition
- Geolocation
- Global Trust Center
- Hash-based message authentication code
- Identification (information)
- Java Authentication and Authorization Service
- Kantara Initiative
- Kerberos
- Multi-factor authentication
- Needham–Schroeder protocol
- OAuth - an open standard for authorization
- OpenAthens
- OpenID Connect – an authentication method for the web
- OpenID – an authentication method for the web
- Provenance
- Public-key cryptography
- RADIUS
- Reliance authentication
- Secret sharing
- Secure Remote Password protocol (SRP)
- Secure Shell
- Security printing
- SQRL
- Strong authentication
- Tamper-evident technology
- TCP Wrapper
- Time-based authentication
- Two-factor authentication
- Usability of web authentication systems
- Woo–Lam
References
- ^ a b c d e Turner, Dawn M. "Digital Authentication: The Basics". Cryptomathic. Retrieved 9 August 2016.
- ^ Ahi, Kiarash (May 26, 2016). "Advanced terahertz techniques for quality control and counterfeit detection". Proc. SPIE 9856, Terahertz Physics, Devices, and Systems X: Advanced Applications in Industry and Defense, 98560G. doi:10.1117/12.2228684. Retrieved May 26, 2016.
- ^ http://www.microsoft.com/en-us/howtotell/Software.aspx
- ^ Federal Financial Institutions Examination Council (2008). "Authentication in an Internet Banking Environment" (PDF). Retrieved 2009-12-31.
- ^ Committee on National Security Systems. "National Information Assurance (IA) Glossary" (PDF). National Counterintelligence and Security Center. Retrieved 9 August 2016.
- ^ European Central Bank. "Recommendations for the Security of Internet Payments" (PDF). European Central Bank. Retrieved 9 August 2016.
- ^ "FIDO Alliance Passes 150 Post-Password Certified Products". InfoSecurity Magazine. 2016-04-05. Retrieved 2016-06-13.
- ^ "Draft NIST Special Publication 800-63-3: Digital Authentication Guideline". National Institute of Standards and Technology, USA. Retrieved 9 August 2016.
- ^ Eliasson, C; Matousek (2007). "Noninvasive Authentication of Pharmaceutical Products through Packaging Using Spatially Offset Raman Spectroscopy". Analytical Chemistry. 79 (4): 1696–1701. doi:10.1021/ac062223z. PMID 17297975. Retrieved 9 Nov 2014.
- ^ Li, Ling (March 2013). "Technology designed to combat fakes in the global supply chain". Business Horizons. 56 (2): 167–177. doi:10.1016/j.bushor.2012.11.010. Retrieved 9 Nov 2014.
- ^ How Anti-shoplifting Devices Work", HowStuffWorks.com
- ^ Norton, D. E. (2004). The effective teaching of language arts. New York: Pearson/Merrill/Prentice Hall.
- ^ McTigue, E.; Thornton, E.; Wiese, P. (2013). "Authentication Projects for Historical Fiction: Do you believe it?". The Reading Teacher. 66: 495–505. doi:10.1002/trtr.1132.
- ^ The Register, UK; Dan Goodin; 30/3/08; Get your German Interior Minister's fingerprint, here. Compared to other solutions, "It's basically like leaving the password to your computer everywhere you go, without you being able to control it anymore", one of the hackers comments.
- ^ http://www.cloudave.com/472/authn-authz-and-gluecon/
- ^ A mechanism for identity delegation at authentication level, N Ahmed, C Jensen - Identity and Privacy in the Internet Age - Springer 2009