S.E.E. PKI: Paper 3 - Authentication Mechanisms

6 Approaches to authentication

6.1 Methods of authentication

6.1.1 There are three main methods of authentication:

  • Something you know (for example a PIN, password or pass phrase).

  • Something you have (for example a digital certificate). These fall into two main categories, namely those that are software-based and those that are held on a hardware 'token' carried by the user (for example a smart card).

  • Something you are (for example a fingerprint or retinal scan).

These are discussed in more detail in the following paragraphs.

6.1.2 These methods of authentication are often combined for additional security. For example, a smart card may be activated with a password. This is known as 'two-factor' authentication.

6.2 Something you know: passwords

6.2.1 Passwords and PINs are the most common examples of a "something you know" method of authentication to computer systems.

6.2.2 Left to themselves, most users will tend to select simple passwords that are easily guessed (such as a car registration number, their first name or their date of birth). There are many freely available programs that can 'crack' any simple password very quickly, which makes this a major risk area in authentication.

6.2.3 To mitigate these risks, computer systems are often developed with mandatory password policies (for example requiring a minimum of eight characters including alphabetic and non-alphabetic characters, and checking that a password has not been used by that user before). However, users often handle these policies in a predictable and therefore insecure manner. For example, if there is a requirement for passwords to be changed regularly, many users will use a guessable variant on the previously used password (e.g. password1, password2, password3 and so on).

6.2.4 Systems using passwords will also typically 'lock' an account if an incorrect password is entered more than a defined number of times when trying to log in.
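The policy described in 6.2.3 can be enforced mechanically, and the predictable-variant behaviour the paragraph describes (password1, password2, ...) can be caught at the same time. The following is an added example written for this page, not code from the paper or from S.E.E.; the eight-character minimum is the paper's own figure, and the sample password history is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// minLength is the paper's example policy value (6.2.3).
const minLength = 8

// stem lowercases a password and strips a trailing run of digits, so that
// "password1", "password2" and "Password3" all reduce to "password": the
// predictable variant the paper warns about.
func stem(p string) string {
	return strings.ToLower(strings.TrimRightFunc(p, unicode.IsDigit))
}

// CheckPassword applies the 6.2.3 policy to a candidate given the user's
// previous passwords. A real system would store the previous stems hashed
// rather than keep old passwords in clear; they are held in clear here only
// to keep the example short. nil means the candidate is acceptable.
func CheckPassword(candidate string, history []string) error {
	if len([]rune(candidate)) < minLength {
		return fmt.Errorf("shorter than %d characters", minLength)
	}
	alpha := strings.IndexFunc(candidate, unicode.IsLetter) >= 0
	other := strings.IndexFunc(candidate, func(r rune) bool { return !unicode.IsLetter(r) }) >= 0
	if !alpha || !other {
		return errors.New("must mix alphabetic and non-alphabetic characters")
	}
	for _, old := range history {
		if stem(candidate) == stem(old) {
			return errors.New("matches or is a predictable variant of a previous password")
		}
	}
	return nil
}

func main() {
	history := []string{"password1"} // constructed sample history
	for _, c := range []string{"password2", "Password3", "correct-horse-7"} {
		fmt.Printf("%-16s %v\n", c, CheckPassword(c, history))
	}
}
```

The lockout rule in 6.2.4 is a separate counter on the account and is not shown here.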

6.2.5 Advantages

  • The great majority of systems support username/password-based access without further effort being required. There is thus no additional implementation cost for authentication.

  • Passwords are readily revocable and replaceable in case of compromise.

  • A user can have any number of different usernames and passwords for accessing different systems, which may reduce privacy concerns.

  • A password can be stored in a secure container such as a locked safe, a 'token' such as some types of smart card, or the human brain.

  • All users know how to use usernames and passwords.

  • Roaming is easy: using a password, a user can log in from many places.

  • Passwords are supported by technology that is already on every desktop (keyboards).

6.2.6 Disadvantages

  • Passwords are highly susceptible to 'social engineering' attacks, for example by an attacker pretending to be the helpdesk and asking the user to confirm their password.

  • Password change management introduces further potential for social engineering attacks, especially in an environment with multiple agencies where staff do not know each other.

  • Users can and do share passwords. As a result, it is not possible to rely on a password to provide 100% authentication. After sharing passwords for a particular purpose, users do not always change their password.

  • Users have trouble remembering multiple usernames and passwords. This results in passwords being written down (often on post-it notes attached to the keyboard), and administrative overhead in handling password change requests.

  • It is difficult to choose and remember 'strong' passwords that have been selected in order to be difficult to guess, resulting in the same problems with post-it notes and password change requests as above.

  • Many password systems are simple to compromise. There are free cracking programs available via the Internet for most schemes.

  • Many users use the same password to access multiple systems. This means that an attacker who obtains a password used for one system can easily gain access to other systems used by the same user.

  • The security of a system accessible by multiple users is only as strong as the weakest password of all the users who have access.

6.3 Something you have: software-based keys

6.3.1 A software-based key is a unique computer record that typically uses cryptographic technology to provide a strong means of authenticating the identity of its holder.

6.3.2 The simplest example of this approach is a software-based digital certificate (whose private key is stored either in the registry or on the hard disc of the user's PC). Note that, in order to provide any reasonable degree of security, a software-based certificate must be configured to require a password to access the private key. This simple precaution is still the exception, rather than the norm.

6.3.3 Advantages

  • This approach avoids or minimises many of the problems associated with passwords.

  • The same key can be used to access multiple systems (thereby providing a single sign-on capability).

  • Users can have multiple certificates to reduce privacy concerns.

  • Certificates are easy to use, and in many applications their use can be made transparent to the user.

  • No additional hardware is required in order to use software-based digital certificates.

6.3.4 Disadvantages

  • Establishment costs are higher than for passwords. In addition to the software needed for validation, the keys themselves are moderately costly.

  • Keys can be stolen, particularly if an attacker can gain access to the user's PC.

  • Keys can be lost due to software or hardware problems.

  • Keys are reliant on the protection of the computer system and password.

  • Software-based keys can be shared without the system knowing.

  • Most computer applications have no native support for authentication by keys such as those used in digital certificates.

6.4 Something you have (and can hold): hardware-based keys

6.4.1 This category of authentication mechanism covers a range of options, all based on the use of a physical device (generally called a 'token') to hold the secret authentication information such as an encryption key. Examples of this type of system are in two main categories:

  • Proprietary products such as SecurID. These products use a variety of mechanisms such as 'time-based one-time passwords', and 'challenge-response' where the computer displays a challenge and the user uses the token as a calculator to produce the required response. Proprietary products are not suitable for S.E.E. and will not be considered further.

  • Standards-based digital certificates stored in non-exportable format on physical devices such as smart tokens which can be carried on a key ring and plug into a standard port (e.g. USB) on a PC.

6.4.2 Advantages

  • This approach avoids or minimises most of the problems associated with passwords.

  • Using a digital certificate, the same key can be used to access multiple systems (thereby providing a single sign-on capability).

  • Users can have multiple keys to reduce privacy concerns.

  • Certificates are easy to use.

  • Most hardware-key-based systems are readily supplemented with password-based authentication for activation (e.g. a smart card with a PIN).

  • The secret information is not stored on a PC that might be vulnerable to attack, but always travels with the user. It can therefore be used at any location that has an appropriate token reader.

6.4.3 Disadvantages

  • Establishment costs are higher than for passwords. In addition to the software needed to validate digital certificates, the keys themselves are moderately costly.

  • Some hardware-based devices such as smart cards require additional hardware on each user device (PC).

  • Tokens can be lost, stolen or mislaid (for example, left at home).

  • Token-based keys can be shared, although once the token has been given back to its owner the compromise no longer exists.

  • Most computer applications have no native support for authentication by either proprietary hardware mechanisms or keys such as those used in digital certificates.

6.5 Something you are: biometrics

6.5.1 Biometrics is the use of unique human physical characteristics to provide unambiguous identification. Examples of biometrics-based authentication include fingerprint reading, facial recognition, voice recognition and retina scanning.

6.5.2 Biometrics typically need to be hybridised with a signature system in any document/message authentication application (i.e. biometrics can complement PKI).

6.5.3 Advantages

  • Biometrics cannot be shared with another person.

  • Biometrics cannot be lost (cf. something you have) or forgotten (cf. something you know).

  • Roaming is easy; a biometric travels with its owner at all times.

6.5.4 Disadvantages

  • Biometric authentication typically involves non-interoperable proprietary systems.

  • Biometric authentication is typically expensive. The expense is incurred not only in hardware at each point of authentication, but also in the effort required to 'train' the system to recognise each individual user.

  • Without a secure infrastructure, there is a strong risk that the abstract representation of the biometric attribute (e.g. the digitised fingerprint used for comparison) can be stolen and replayed.

  • Uniqueness to an individual introduces privacy issues.

  • Most biometrics provide no persistent means to identify the originator of a document or message; that is, they do not provide any signature. The exception is the "signature dynamics" method.

  • Biometrics require a supporting infrastructure in order to be fully secure. This can be achieved either with a physically secure network or in conjunction with technologies such as digital certificates.

  • Biometrics can give "false positives" and "false negatives", so are not 100% accurate.

  • In some societies and cultures there may be resistance to biometrics because people do not wish to expose parts of their body to a machine, or women/men do not wish to use biometric sensors previously used by men/women, or they may be very concerned about hygiene.

  • Once a biometric attribute has been compromised, it cannot be replaced (for example, a person only has one right thumb).

6.6 Digital certificates and keys

6.6.1 Digital certificates are an increasingly common mechanism for achieving authentication. They fall into the category of 'key-based/something you have' mechanisms and are generally difficult to compromise.

6.6.2 Digital certificates are issued by Certification Authorities (CAs) that carry out the initial identification of certificate holders and provide the bona fides of the certificates that they issue. Certificates may be issued by a public company or agency that has been established as a CA, or agencies may undertake the role of CA directly for their own staff. In either case, there is a requirement for appropriate recognition of a CA before certificates issued by it can (or should) be accepted by any given system.

6.6.3 CAs are responsible for publishing the currency of the certificates they have issued or revoked in electronic directories, which are shared between all participants in a system (or, in the case of E-government, across all agencies).

6.6.4 A digital certificate contains a public key that is mathematically related to the individual's private key. The private key must be kept securely. This may be achieved by software (in the registry or hard disc of the user's PC) or by using a hardware token.

6.6.5 In addition to authenticating the identity of the certificate holder, a digital certificate can also be used to provide the mechanisms for:

  • Digital signatures, used for non-repudiation of message sending, by offering an assurance of the identity of the originator of a message or transaction.

  • Integrity, by enabling participants in an electronic transaction to know if a message has been altered in transmission.

  • Confidentiality, by also holding data encryption keys.
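Paragraphs 6.6.4 and 6.6.5 describe the mechanism in the abstract: the holder keeps the private key, the certificate carries the related public key, and a signature made with the private key gives a relying party both the originator's identity and assurance that the message was not altered. The following is an added example written for this page, not code from the paper or from any S.E.E. component; it uses Go's standard library, self-signs the certificate in place of issuance by a CA, and the subject name and message are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewHolder generates a key pair and a certificate binding the public key to
// name. The private key stays with the holder (6.6.4); the DER certificate is
// what relying parties receive. Self-signing stands in for issuance by a CA.
func NewHolder(name string) (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return priv, der, err
}

// Sign produces an ECDSA signature over the SHA-256 digest of msg.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify needs only the certificate. It returns the holder's name when the
// signature is genuine (authentication) and msg is unaltered (integrity).
func Verify(certDER, msg, sig []byte) (string, bool) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil || cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig) != nil {
		return "", false
	}
	return cert.Subject.CommonName, true
}
```

In a deployment the relying party would additionally check the certificate chain against a recognised CA and its revocation status (6.6.2 and 6.6.3) before trusting the name it returns.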

6.6.6 Digital certificates have already been adopted as the authentication mechanism of choice by governments in many APEC member countries including the US, Canada, Australia, Singapore, Japan, Hong Kong China, Malaysia and Korea, and a number of European countries such as the UK, Netherlands, Germany, Finland and Sweden. In APEC there are a number of pilot schemes already underway to establish interoperability between national certification systems.

6.7 Comparison table

6.7.1 The following graphic summarises the authentication mechanisms discussed above. (Note that both digital certificate options are assumed to require passwords for activation of the private key.)

6.8 Combining authentication methods

6.8.1 Combining authentication mechanisms considerably increases overall confidence in authentication. In the case of digital certificates with secret keys stored in either software or hardware, the keys can be readily supplemented with passwords or PINs before they can be activated, thus creating a strong two-factor authentication.

6.8.2 The strongest and, at the same time, most usable authentication mechanism would be a combination of biometrics and key, for example a smart-card-based digital certificate with a fingerprint reader integrated into the card for activation. However, this would also be expensive.

6.9 Authentication proxies

6.9.1 As noted above, a significant potential drawback to the use of digital certificates is the fact that most existing computer applications do not have the ability to recognise them for authentication purposes. This is also an inhibiting factor in developing single sign-on capability.

6.9.2 Authentication proxies constitute a potential way of resolving this problem. An authentication proxy is a means of translating one authentication mechanism into another; for example, an 'authentication proxy server' would require a digital certificate for authentication when a user initially signs on to his or her 'home' system, and would then pass the required username and password on to the actual application(s) that the user wishes to access.

6.9.3 This is a useful means of creating a single sign-on environment that takes into account the existence of systems which have not been developed to use digital certificates for authentication, and that enhances the security of legacy systems. It goes a long way towards overcoming major objections to the use of digital certificates on the grounds of cost and complexity.
