Discover certificate-based authentication, single sign-on, 802.1X, context-aware authentication, and push-based authentication.
- [Instructor] Before a user gains rights to use a particular resource, they should have to prove their identity. In access control, we use the concepts of identification and authentication to secure resources from unknown users. When a user first requests to access a resource, they must provide their identity. This process is called identification. Next, their identity must be verified. This process of validating the identity of the user using a unique identifier and approved credentials is called authentication.
Now, often students get these two terms confused. Just remember, identification is provided by the user as a claim to who they are. Identification may be provided through a user name, account number, or even through their Social Security number (a poor choice in practice, since it is neither secret nor changeable). Authentication, on the other hand, occurs on the access control side: the system takes the identification, for example the user name, looks up the account it names, and checks the credential presented with it, for example the password, against what it has on record. There are five factors of authentication.
A knowledge factor is something a person knows, such as a password. Note that the user name is the identification claim, not a secret, so it is not a factor. An ownership factor is something a person has, such as a smart card or a key fob. A characteristic factor is something a person is, such as their biometric data. A location factor is somewhere a person is, like their GPS location, and an action factor is something that a person does, such as how they sign their name. In order to increase the security of the authentication process, multiple factors of authentication should be used, and they should come from different categories: a password plus a second password is still only one factor, because both are things the person knows.
If dual-factor authentication is used, for example, the user might have to provide something they know, like their password, with something they are, like a scan of their fingerprint. This is also known as two-factor authentication. Multi-factor authentication might be used for higher security systems. Instead of relying on only one or possibly two factors of authentication, we might require a mix of three, four, or even five different factors of authentication. One way to implement an ownership factor is certificate-based authentication, where the thing the user has is the private key that belongs to a digital certificate.
Under this method, a digital certificate is issued to a server or a user. The certificate binds the identity of the requester to a public key through the public key infrastructure, known as PKI. Under PKI, anyone can access the public key that's issued, but only the authorized user maintains ownership of the private key. Authentication therefore works by proving possession of the private key, typically by signing a fresh challenge from the server, which the server checks with the public key in the certificate. The certificate itself is public and carries no secret, so an attacker who obtains a copy of it but not the private key is unable to impersonate the authorized user; an attacker who steals the private key can, which is why that key belongs on a smart card or hardware token rather than on disk. These certificates are created and signed by a certificate authority, known as a CA, and a server trusts a certificate only if it can build a chain from it back to a CA the server trusts.
If your organization wants to accept the digital certificates from another organization, both of your CAs have to establish a trust relationship called cross-certification: each CA issues a certificate for the other CA's signing key, so that a chain ending at the partner's CA can be extended back to a root of your own. This allows either organization to validate the digital certificates issued by the other's certificate authority. Due to the large number of resources and websites that an average user accesses on a daily basis, many organizations have begun to adopt a single sign-on, or SSO, environment. When adopted, the organization establishes a default user profile for each user, and then links that profile to all of the resources that the user might need.
Under this type of system, the user is able to have a single, long, strong password that they memorize. Instead of having to memorize 30 or 40 different log-in credentials, the user is only required to memorize this single one. This makes accessing new resources much quicker and easier, as well as simplifying user and password management. The one major drawback to using single sign-on, though, is that if the user's credentials have been compromised, the attacker gains access to every resource the user had access to.
Think about it like a master key. Let's assume that you had a single key that opens your office, your car, and your house, but you lost it. Well, now the person who found it is going to have access to all three places. This is the drawback to a single sign-on environment, and it is why an SSO account should be protected with more than one factor. Another type of authentication that's heavily utilized in enterprise networks is 802.1X. This is a port-based network access control standard: a switch port or wireless association carries nothing but the authentication exchange until the device on it has been authenticated. Using the 802.1X standard, access control is established with each and every network device attempting to connect to your local area network or wireless network.
Each one must be authenticated prior to allowing it to have access. The device, called the supplicant, sends its credentials, for example a certificate or a user name and password carried inside EAP, through the switch or access point, called the authenticator, to an authentication server such as a RADIUS server, which decides whether the port opens. Devices that cannot run a supplicant, such as printers, are often admitted by their MAC address instead; treat that as a weak exception, because a MAC address is easily copied. Context-aware authentication is a process that checks the user or system's attributes or characteristics prior to allowing it to connect. The most common form of context-based authentication occurs by limiting the time or the day that the user can log on to a particular client or server. Another commonly-used form is to limit the geographic area that the user can log in from.
For example, if you're a small company in the United States and you don't have any international employees, then you could prevent any users from outside the United States from attempting to log in to your systems. This could be checked either by the location of the source IP of the user, or the GPS coordinates of the device attempting to log in. Keep in mind that source-IP geolocation is a risk signal rather than proof: a VPN or proxy exit inside the United States satisfies it, and a source whose location cannot be determined should be denied rather than waved through. The final authentication mechanism is known as push-based authentication. If a system uses this method, it will send a notification or unique access code to a registered user's device prior to allowing the user to connect.
For example, when I try to log in to Amazon.com to make a purchase, I have to enter my user name and my password. Once I do that, Amazon sends a unique, one-time-use code to my cellphone by text message. Until I enter that one-time-use code into the Amazon website, I'm prevented from using my account. In this case, the authentication becomes a two-factor model comprised of a knowledge factor and an ownership factor.
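The certificate-based login described above, worked through as an added example that is not code from this course: Go's standard x509 package plays both the CAs and the relying server. It generates two constructed CAs, CA-A (our own) and CA-B (a partner's), issues user certificates, and then runs the challenge-response a server would perform: chain the presented certificate to a trusted root, then check that the response is a signature over a fresh server nonce by the key in that certificate. The scenarios show why the private key, not the certificate, is the secret (Mallory, who holds Alice's certificate but not her key, fails), why the challenge must be fresh (a replayed response fails), and how cross-certification, here CA-A signing a CA certificate for CA-B's key, lets Bob's partner-issued certificate chain back to our own root. All names and keys are made up on the fly; nothing here is a real PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func genKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newCert issues a certificate for pub signed with signerKey; parent == nil means self-signed (a root CA).
func newCert(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: cn}, // constructed names, not a real PKI
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey))
	return must(x509.ParseCertificate(der))
}

// The server sends a fresh random challenge; the client proves it holds the private key by signing it.
func newChallenge() []byte {
	b := make([]byte, 32)
	must(rand.Read(b))
	return b
}

func signChallenge(key *ecdsa.PrivateKey, challenge []byte) []byte {
	d := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, key, d[:]))
}
// verifyLogin is the server side: the certificate must chain to a trusted root (possibly via
// cross-certificates in intermediates) AND the response must be that certificate's key signing this challenge.
func verifyLogin(cert *x509.Certificate, roots, intermediates *x509.CertPool, challenge, response []byte) error {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: intermediates, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported key type %T", cert.PublicKey)
	}
	d := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, d[:], response) {
		return fmt.Errorf("response was not signed by the certificate's private key")
	}
	return nil
}

type outcome struct{ Alice, Mallory, Replay, BobUntrusted, BobCrossCertified bool }

func runScenarios() outcome {
	caAKey, caBKey := genKey(), genKey()
	caA := newCert("CA-A", true, &caAKey.PublicKey, nil, caAKey) // our organization's CA
	caB := newCert("CA-B", true, &caBKey.PublicKey, nil, caBKey) // a partner organization's CA
	aliceKey, bobKey, malloryKey := genKey(), genKey(), genKey()
	alice := newCert("alice", false, &aliceKey.PublicKey, caA, caAKey)
	bob := newCert("bob", false, &bobKey.PublicKey, caB, caBKey)
	roots := x509.NewCertPool()
	roots.AddCert(caA) // the server starts out trusting only its own CA
	var o outcome
	c1 := newChallenge()
	o.Alice = verifyLogin(alice, roots, nil, c1, signChallenge(aliceKey, c1)) == nil
	o.Mallory = verifyLogin(alice, roots, nil, c1, signChallenge(malloryKey, c1)) == nil          // has Alice's cert, not her key
	o.Replay = verifyLogin(alice, roots, nil, newChallenge(), signChallenge(aliceKey, c1)) == nil // old response, new challenge
	o.BobUntrusted = verifyLogin(bob, roots, nil, c1, signChallenge(bobKey, c1)) == nil           // CA-B is not trusted here
	// Cross-certification: CA-A signs a CA certificate for CA-B's key, so chains ending at CA-B reach our root.
	cross := newCert("CA-B", true, &caBKey.PublicKey, caA, caAKey)
	inter := x509.NewCertPool()
	inter.AddCert(cross)
	o.BobCrossCertified = verifyLogin(bob, roots, inter, c1, signChallenge(bobKey, c1)) == nil
	return o
}

func main() { fmt.Printf("%+v\n", runScenarios()) }
```

Running it prints `{Alice:true Mallory:false Replay:false BobUntrusted:false BobCrossCertified:true}`. In a real deployment the cross-certificate would be distributed alongside the partner's user certificates (or installed in the server's intermediate store), and the user's private key would live on a smart card or TPM so that `signChallenge` happens inside the token.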
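The context-aware checks described above (time of day, day of week, and source location), as an added example in Go that is not course code. The policy allows logins only on weekdays from 07:00 to 19:00 US Eastern and only from address ranges the organization expects. The two documentation prefixes 203.0.113.0/24 and 2001:db8::/32 are constructed stand-ins for the GeoIP "inside the United States" lookup, and the fixed -5h zone stands in for America/New_York so the example runs without a time zone database. The decision is made in the policy's local time regardless of the zone the request timestamp arrived in, and anything that cannot be evaluated is denied.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Policy is the context a login must satisfy before the credential check even starts.
type Policy struct {
	AllowedPrefixes []netip.Prefix // stand-in for a GeoIP "inside the US" lookup
	AllowedDays     map[time.Weekday]bool
	StartHour       int // inclusive, in Location's local time
	EndHour         int // exclusive
	Location        *time.Location
}

type Login struct {
	User     string
	SourceIP string
	At       time.Time
}

// Evaluate returns the decision and a reason suitable for the audit log. Anything that
// cannot be evaluated (unparseable address, missing zone) is denied: fail closed.
func (p Policy) Evaluate(l Login) (bool, string) {
	addr, err := netip.ParseAddr(l.SourceIP)
	if err != nil {
		return false, "unparseable source address"
	}
	addr = addr.Unmap() // treat ::ffff:203.0.113.7 the same as 203.0.113.7
	inRange := false
	for _, pfx := range p.AllowedPrefixes {
		if pfx.Contains(addr) {
			inRange = true
			break
		}
	}
	if !inRange {
		return false, fmt.Sprintf("source %s is outside the permitted geography", addr)
	}
	if p.Location == nil {
		return false, "policy has no time zone configured"
	}
	local := l.At.In(p.Location) // evaluate in the policy's zone, whatever zone the request carried
	if !p.AllowedDays[local.Weekday()] {
		return false, fmt.Sprintf("logins are not permitted on %s", local.Weekday())
	}
	if h := local.Hour(); h < p.StartHour || h >= p.EndHour {
		return false, fmt.Sprintf("%02d:00 local is outside the %02d:00-%02d:00 window", h, p.StartHour, p.EndHour)
	}
	return true, "context checks passed; continue to credential verification"
}

// Constructed example values: documentation address ranges and a fixed offset standing in
// for America/New_York so the example runs without a tz database.
var eastern = time.FixedZone("EST", -5*3600)

func BusinessHoursPolicy() Policy {
	return Policy{
		AllowedPrefixes: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24"), netip.MustParsePrefix("2001:db8::/32")},
		AllowedDays:     map[time.Weekday]bool{time.Monday: true, time.Tuesday: true, time.Wednesday: true, time.Thursday: true, time.Friday: true},
		StartHour:       7,
		EndHour:         19,
		Location:        eastern,
	}
}

func main() {
	p := BusinessHoursPolicy()
	tue := time.Date(2024, 3, 5, 10, 0, 0, 0, eastern) // Tuesday 10:00 Eastern
	for _, l := range []Login{
		{"alice", "203.0.113.7", tue},
		{"alice", "::ffff:203.0.113.7", tue},
		{"alice", "198.51.100.9", tue},
		{"alice", "203.0.113.7", tue.Add(-7 * time.Hour)},                     // 03:00, outside window
		{"alice", "203.0.113.7", tue.AddDate(0, 0, -2)},                       // Sunday
		{"alice", "203.0.113.7", time.Date(2024, 3, 6, 2, 0, 0, 0, time.UTC)}, // 21:00 Tuesday Eastern
		{"alice", "not-an-ip", tue},
	} {
		ok, why := p.Evaluate(l)
		fmt.Printf("%-5v %-20s %s\n", ok, l.SourceIP, why)
	}
}
```

Only the first two logins pass. Note that a GeoIP lookup would replace the prefix list, but the shape stays the same: a lookup failure must map to "deny", not to "unknown, so allow".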
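The server side of the push-based one-time code described above, as an added example in Go that is neither the course's nor Amazon's code. `Issue` creates a six-digit code for delivery to the registered device (sending the text message or app notification is left to the caller); `Check` accepts it once, before it expires, and within three attempts, comparing in constant time and storing only a hash of the code. The attempt limit is the part that matters most: six digits give only a million possibilities, so unlimited guessing would make the code worthless. The clock is injected so that expiry can be exercised deterministically.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const (
	codeLifetime = 5 * time.Minute
	maxAttempts  = 3
)

type pending struct {
	hash     [32]byte // hash of user:code; the plaintext code is never stored server-side
	expires  time.Time
	attempts int
}

// CodeVerifier is the server-side half of push-based authentication: it issues a one-time
// code after the password check succeeds and holds it until the user echoes it back.
type CodeVerifier struct {
	now     func() time.Time // injected so tests can move the clock
	pending map[string]*pending
}

func NewCodeVerifier(now func() time.Time) *CodeVerifier {
	return &CodeVerifier{now: now, pending: map[string]*pending{}}
}

func codeHash(user, code string) [32]byte { return sha256.Sum256([]byte(user + ":" + code)) }

// Issue generates a fresh six-digit code and returns it for delivery to the registered
// device. Sending the SMS or app notification is left to the caller.
func (v *CodeVerifier) Issue(user string) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	v.pending[user] = &pending{hash: codeHash(user, code), expires: v.now().Add(codeLifetime)}
	return code, nil
}

// Check accepts a code exactly once, within its lifetime, and within a small number of
// guesses. The guess limit is the real defence: six digits give only a million possibilities.
func (v *CodeVerifier) Check(user, code string) error {
	p, ok := v.pending[user]
	if !ok {
		return errors.New("no code pending for user")
	}
	if v.now().After(p.expires) {
		delete(v.pending, user)
		return errors.New("code expired; request a new one")
	}
	p.attempts++
	if p.attempts > maxAttempts {
		delete(v.pending, user)
		return errors.New("too many attempts; code invalidated")
	}
	got := codeHash(user, code)
	if subtle.ConstantTimeCompare(got[:], p.hash[:]) != 1 {
		return errors.New("incorrect code")
	}
	delete(v.pending, user) // single use: a replayed code finds nothing to match
	return nil
}

func main() {
	v := NewCodeVerifier(time.Now)
	code, _ := v.Issue("alice")
	fmt.Println("code to push:", code)
	fmt.Println("first use:", v.Check("alice", code)) // <nil>
	fmt.Println("replay:", v.Check("alice", code))    // no code pending for user
}
```

Because the code is consumed on first successful use, a captured text message is useless once the legitimate user has logged in; what this design cannot defend against is an attacker who controls the phone number itself (SIM swap), which is why an authenticator app or hardware token is the stronger ownership factor.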