Managing Identity in Cyberspace: Authentication
Creating an identity results in its registration and generates credentials. Authentication is a transactional process that uses those credentials to gain access to systems, applications, or data.
Credentials for online access are usually classified into three categories:
- Something you know (username, password, PIN)
- Something you have (card, fob or other device, or cryptographic key)
- Something you are (biometric measurement)
Depending on the sensitivity of the system or data, and on the risk of compromise, authentication may be single-factor, two-factor, or multi-factor. Credentials can be constructed from any combination of the above categories, but a second credential from the same category (for example, a password plus a PIN) does not make a second factor; the factors must come from different categories.
Entropy, that is, how hard the credential is to guess, is one of the key measures of the strength of the authentication mechanism. (How often the credential is rotated is a separate control; it limits how long a guessed or stolen credential stays useful, but it does not make the credential harder to guess.) NIST SP 800-63-1 defines entropy for authentication as a measure of the uncertainty an attacker faces in trying to determine the secret and impersonate a legitimate user. Remember, the strength of the authentication credential is independent of how confident the enterprise is that the credential is bound to the right person; that confidence comes from identity proofing at registration, not from the credential itself.
Authentications can be simple or complex — a single step or several steps. At each step the user presents an alphanumeric 'token' which is validated against a stored token or against one generated as part of the authentication transaction. (By token we mean a string of characters, not a physical device.)
In some cases, such as a password, the token is a memorized character string; in other cases, such as a one-time pass code or a biometric, it is the result of a computation, a measurement, or a combination of the two. Where a token such as a password or cryptographic key is stored on the device and transmitted to the enterprise, the overall strength of the authentication is no better than the strength of the user's authentication to that device.
For example, if a password is stored in a browser, then anyone who has access to that browser can authenticate by transmitting the password. The same is true of browser-based Public Key Infrastructure (PKI) client certificates. The certificate itself is public; what proves possession is the private key held in the browser's or operating system's key store, and any session that has unlocked that key store can use it. So the certificate only communicates that the user authenticated to the device, which may have been as simple as logging onto the computer with a username and password.
Although most users are used to authentication transactions that behave the same way every time, this need not be the case. The authentication process can be driven by rules that reflect the enterprise's evaluation of the risk presented by a particular login attempt or transaction. The risk signals that trigger such rules can be environmental, such as the location or device of the attempted login, or can come from the nature of the transaction, such as an electronic prescription for a particular class of drug or the size of a financial transfer.
For example, a user may be challenged with single-factor authentication if he attempts to log in from a known computer and a known IP address, but may face two-factor authentication if logging in from an unknown machine.
Credentials are usually captured by an access manager, which then controls the session, transaction, or activity according to established business rules. When an individual authenticates successfully, the access manager governs their access to downstream resources, data, and business processes, and, depending on the business rules, may invoke additional authentication in the course of a session. The access manager also redirects those who fail authentication to an alternative process, such as account recovery or a fraud review.
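A small rules engine of the kind the two paragraphs above describe, as an added example rather than code from the article or from any Equifax product: each rule is a predicate over the attempt and what is already known about the user, the strictest rule that fires sets the number of factors required, and a mid-session check asks the same question again for a transaction so the access manager can step up authentication only when the session has not already proven enough. The rules, the 5,000 transfer threshold and the controlled-substance flag are hypothetical policy values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical policy threshold, not from the original article.
HIGH_VALUE_TRANSFER = 5_000.00


@dataclass
class UserProfile:
    """What the enterprise already knows about the user from prior sessions."""
    known_devices: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)


@dataclass
class Attempt:
    """One login or in-session transaction to be evaluated."""
    device_id: str
    source_ip: str
    transaction: str = "login"          # "login", "transfer", "prescription", ...
    amount: float = 0.0                 # for financial transactions
    controlled_substance: bool = False  # hypothetical flag for prescriptions


@dataclass
class Session:
    """Assurance state the access manager tracks after a successful authentication."""
    factors_verified: int = 0


# Each rule: (predicate over attempt and profile, factors required when it fires, reason).
RULES = [
    (lambda a, p: a.device_id not in p.known_devices, 2, "unknown device"),
    (lambda a, p: a.source_ip not in p.known_ips, 2, "unknown source IP"),
    (lambda a, p: a.transaction == "transfer" and a.amount >= HIGH_VALUE_TRANSFER,
     2, "high-value transfer"),
    (lambda a, p: a.transaction == "prescription" and a.controlled_substance,
     2, "controlled-substance prescription"),
]


def required_factors(attempt: Attempt, profile: UserProfile):
    """Return (factors required, reasons that fired). Default is single-factor;
    the strictest matching rule wins, so rules only ever add assurance."""
    required, reasons = 1, []
    for predicate, factors, reason in RULES:
        if predicate(attempt, profile):
            reasons.append(reason)
            required = max(required, factors)
    return required, reasons


def step_up_needed(session: Session, attempt: Attempt, profile: UserProfile):
    """Mid-session check: return the reasons for a step-up, or [] if the session
    has already proven at least as many factors as this transaction requires."""
    required, reasons = required_factors(attempt, profile)
    return [] if session.factors_verified >= required else reasons


def record_success(session: Session, profile: UserProfile,
                   attempt: Attempt, factors: int) -> None:
    """Raise the session's assurance after a successful authentication and, only
    after a strong one, learn the device and IP. Learning them after a single-factor
    success would let an attacker with just the password whitelist their own machine."""
    session.factors_verified = max(session.factors_verified, factors)
    if factors >= 2:
        profile.known_devices.add(attempt.device_id)
        profile.known_ips.add(attempt.source_ip)


if __name__ == "__main__":
    # Constructed sample data for the demo.
    profile = UserProfile(known_devices={"laptop-1"}, known_ips={"203.0.113.7"})
    print(required_factors(Attempt("laptop-1", "203.0.113.7"), profile))   # (1, [])
    print(required_factors(Attempt("phone-9", "203.0.113.7"), profile))    # (2, ['unknown device'])
    session = Session(factors_verified=1)
    big = Attempt("laptop-1", "203.0.113.7", "transfer", amount=9_000)
    print(step_up_needed(session, big, profile))                            # ['high-value transfer']
```

Returning the reasons alongside the decision matters in practice: the list is what gets logged for fraud review and what lets the policy be audited, whereas a bare "2 factors required" tells an analyst nothing about why.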
A good authentication product should take a fully integrated lifecycle view of the strong authentication process, with identity verification and proofing built into the registration workflow rather than bolted on afterwards. As we noted in Part One of this series, identity management is a continuing contest between attack and defense, and deserves full integration into the enterprise risk management program.
We hope this series has helped you understand the range of issues involved in identity management. Please contact us to speak to a specialist about how fully integrated identity can assist you with security and fraud awareness. If you are interested in learning more about Equifax technologies and analytical services, sign up for our monthly newsletter.