Lea J. Ivanoff
COSC 454
User Authentication Techniques

In 1953 IBM publicly introduced its first electric computer, which was also its first mass-produced computer. In 1981 IBM introduced its first personal computer, the IBM PC. Since then technology has been on the rise. Computers are everywhere and are used for all sorts of tasks. With the enormous number being made and sold around the world every day, their security becomes important. Computers are used by hospitals, law firms, banks, private individuals, and for many other day-to-day responsibilities; therefore, security for those computers becomes equally important. Criminals are everywhere, whether standing right next to you or hacking into your computer from afar, which makes learning user authentication techniques critical.

Computer and network security hinges on two very simple goals: keeping unauthorized persons from gaining access to resources, and ensuring that authorized persons can access the resources they need. Authentication is an essential element of a security model. It is the process of confirming the identity of a user (or, in some cases, a machine) that is trying to log on or access resources. Some confuse this with authorization, which is the verification that the user in question has the correct permissions and rights to access the requested resource. The way it works is that a user provides some sort of credential (a password, smart card, fingerprint, or digital certificate) that identifies that user as the person authorized to access the system. The user must have a valid user account, configured by the network administrator, that specifies the user's permissions and rights. The user's credentials must be associated with this account: a password is assigned, a smart card certificate is issued, or a biometric scan is entered into the database against which future readings will be compared.
Then, when the user wants to log on, he or she provides the credentials, and the system looks up the original entry in the database and makes the comparison. If the credentials provided by the user match those in the database, access is granted.

Authentication can be considered to be of three types. The first type is accepting proof of identity given by a credible person who has first-hand evidence that the identity is genuine. The second type is comparing the attributes of the object itself to what is known about objects of that origin. The third type relies on documentation or other external affirmations.

An example of this is when a user who belongs to a Windows domain logs onto the network: his or her identity is verified via one of several authentication types, and the user is then issued an access token, which contains information about the security groups to which the user belongs. When the user tries to access a network resource (open a file, print to a printer, etc.), the access control list (ACL) associated with that resource is checked against the access token. If the ACL shows that members of the Managers group have permission to access the resource, and the user's access token shows that he or she is a member of the Managers group, that user is granted access, unless the user's account, or a group to which the user belongs, has been explicitly denied access to the resource.

There are many different user authentication techniques. Password authentication is where the user enters a previously set password; an example is using a password to log in to a public library system to reserve books. It is the most common method, and it is not difficult to use or remember.
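The domain logon flow described above (an access token carrying the user's group memberships, checked against a resource's ACL, with an explicit deny overriding any allow), as an added Go example that is not part of the original essay; the user, group and right names are constructed, and the deny-wins-regardless-of-order rule follows the essay's wording rather than any particular operating system:

```go
package main

import "fmt"

// AccessToken is what the logon step issues: the user name plus the
// security groups the user belongs to (all names here are constructed).
type AccessToken struct {
	User   string
	Groups []string
}

// ACE is one access control entry: the principal it names, whether it
// allows or denies, and the access right it covers.
type ACE struct {
	Principal string
	Allow     bool
	Right     string
}

// HasAccess applies the rule from the essay: the right is granted if an entry
// allows it to the user or one of the user's groups, unless an entry explicitly
// denies it to the user or to any of those groups.
func HasAccess(acl []ACE, tok AccessToken, right string) bool {
	principals := append([]string{tok.User}, tok.Groups...)
	allowed := false
	for _, ace := range acl {
		if ace.Right != right {
			continue
		}
		for _, p := range principals {
			if p != ace.Principal {
				continue
			}
			if !ace.Allow {
				return false // an explicit deny wins wherever it sits in the list
			}
			allowed = true
		}
	}
	return allowed
}

func main() {
	// Constructed sample: Managers may print, Contractors are explicitly denied.
	printer := []ACE{{"Managers", true, "print"}, {"Contractors", false, "print"}}
	alice := AccessToken{User: "alice", Groups: []string{"Managers"}}
	bob := AccessToken{User: "bob", Groups: []string{"Managers", "Contractors"}}
	fmt.Println(HasAccess(printer, alice, "print")) // true
	fmt.Println(HasAccess(printer, bob, "print"))   // false: denied via Contractors
	fmt.Println(HasAccess(printer, alice, "admin")) // false: nothing grants it
}
```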
Password authentication has several vulnerabilities. Some of the more obvious are that the password may be easy to guess, that users write the password down and place it in a highly visible area, and that passwords can be discovered by eavesdropping or even social engineering.

Another technique is smart-card authentication, where the user swipes a card and enters a PIN. An example is when a person uses an ATM: the card carries a chip that lets the machine know who could possibly be using it, and the PIN is the verification to the machine that the correct person is using the card. This type of authentication can be vulnerable to social engineering; the user must also be in possession of the card to gain access.

Biometric authentication is when the user uses unique biological traits to verify identity. Some examples are:
- Ear: identification of an individual using the shape of the ear.
- Eye (iris and retina): iris recognition uses the features found in the iris to identify an individual, and retina recognition uses the pattern of veins in the back of the eye.
- Face: analysis of facial features or patterns to recognize an individual's identity; most face authentication uses either eigenfaces or local feature analysis.
- Fingerprint: the ridges and valleys found on the surface of a fingertip.
- Hand geometry: geometric features of the hand, such as the lengths of the fingers and the width of the hand.
Others include voice, vein, odor, gait, typing, and signature. This method of proving one's identity is very difficult to falsify, which is what makes this type of authentication so secure.

An example of how the client authenticates to the server is as follows. The client selects some random numbers and sends the result to the server as Message 1. The server then sends different random numbers back to the client, based on Message 1. The client computes a new value from them and sends it to the server as Message 2.
The server then uses the client's public key to verify that the values returned could only have been computed using the private key.

One of the newest types of authentication is two-factor authentication, also known as 2FA. This is a security process in which the user provides two means of identification: one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

Other types of authentication are network access authentication and IPsec. Network access authentication verifies the user's identity to each network service that the user attempts to access. It differs in that this authentication process is, in most cases, transparent to the user once he or she has logged on; otherwise, the user would have to re-enter the password or provide other credentials every time he or she wanted to access another network service or resource. IP Security (IPsec) provides a means for users to encrypt and/or sign messages that are sent across the network to guarantee confidentiality, integrity, and authenticity. IPsec transmissions can use a variety of authentication methods, including the Kerberos protocol, public key certificates issued by a trusted certificate authority (CA), or a simple pre-shared secret key, which is a string of characters known to both the sender and the recipient. Lastly, Kerberos is a computer network authentication protocol that works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

There have been a number of authentication breaches at many different companies. One of them was Slack Technologies, a tech start-up. The attackers breached its whole authentication database, which included user names, email addresses, one-way encrypted (hashed) passwords, and some profile data.
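The public-key challenge-response exchange described earlier (Message 1, the server's own random value in reply, Message 2, and verification with the client's public key alone), as an added Go example that is not part of the original essay; the Ed25519 signature scheme, the 16-byte nonce size and the "auth-challenge-v1|" label are assumptions, and the server simply draws a fresh value after receiving Message 1:

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// newClientKey makes the client's key pair for the demo (a real client would
// keep the private half on a smart card or similar token).
func newClientKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// nonce draws 16 fresh random bytes: the "random numbers" each side sends.
func nonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// transcript binds a label and both nonces, so a Message 2 computed for one
// challenge is useless against any other.
func transcript(clientNonce, serverNonce []byte) []byte {
	return append(append([]byte("auth-challenge-v1|"), clientNonce...), serverNonce...)
}

// Respond is the client side: Message 2 is a signature over both nonces, which
// only the holder of the private key can compute.
func Respond(priv ed25519.PrivateKey, clientNonce, serverNonce []byte) []byte {
	return ed25519.Sign(priv, transcript(clientNonce, serverNonce))
}

// Verify is the server side: it needs only the client's public key and the
// two nonces of this session, never the private key.
func Verify(pub ed25519.PublicKey, clientNonce, serverNonce, message2 []byte) bool {
	return ed25519.Verify(pub, transcript(clientNonce, serverNonce), message2)
}

func main() {
	pub, priv := newClientKey()
	clientNonce := nonce()                              // Message 1, client -> server
	serverNonce := nonce()                              // server's own random value, sent back
	message2 := Respond(priv, clientNonce, serverNonce) // Message 2, client -> server
	fmt.Println("accepted:", Verify(pub, clientNonce, serverNonce, message2)) // true
	// A new session draws a new server value, so replaying Message 2 fails.
	fmt.Println("replay accepted:", Verify(pub, clientNonce, nonce(), message2)) // false
}
```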
As a result, Slack added two-factor authentication, which stops easy access with stolen credentials by requiring a second level of authentication after the user enters a username and password. Slack also added a password kill switch for team owners, which allows both instantaneous team-wide resetting of passwords and forced termination of all user sessions for all team members. This means that everyone is signed out of your Slack team in all applications and on all devices.

Another company was the New York Times. Chinese nationals got wind of a developing story allegedly tying billions of dollars in profits to relatives of China's Prime Minister. The attackers targeted the systems of the New York Times to steal information about reporters and their confidential sources. Stealing that one username and password allowed the Chinese attackers to install malware and gain access to every computer in the global New York Times system. The Times had anti-malware and anti-virus software deployed on its systems during the attack; unfortunately, it detected only one of the 45 pieces of malware used in the attack.

To conclude, when a computer holds vital information that must be kept confidential, it is key to have good authentication techniques. These techniques should be easy for the user to remember and should not require too much input from the user; however, they should not be obvious to anyone but the user. Moreover, the fact that plain password authentication is still by far the most widely used form of authentication gives credence to the seriousness of the lack of security both on the Internet and within private networks. Other methods of authentication, which may be more complex and require more time to implement and maintain, provide strong and reliable authentication. One of the key factors to consider in determining which method of authentication to implement is usability.
If the authentication methods are not deemed usable by those forced to use them, they will avoid using the system or persistently try to bypass them. In short, when you have a computer it is important to make sure you have secure user authentication and a secure network.
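The password check described at the start of the essay (a stored entry compared against what the user presents at logon), combined with the "one-way hashed" storage that limited the damage of the Slack breach, as an added Go example that is not part of the original essay; the single-block PBKDF2-HMAC-SHA256 is written out here only so the demo needs nothing outside the standard library (a maintained password-hashing library belongs in production), and the password, salt size and iteration count are constructed:

```go
package main
import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is the database row: salt, work factor and hash, never the password.
type Credential struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// pbkdf2 is single-block PBKDF2-HMAC-SHA256 (RFC 8018), giving 32 bytes.
func pbkdf2(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): the block index, big-endian
	u := mac.Sum(nil)             // U_1 = PRF(P, S || INT(1))
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // U_i = PRF(P, U_{i-1})
		for j := range out {
			out[j] ^= u[j] // T = U_1 xor U_2 xor ... xor U_c
		}
	}
	return out
}

// Enroll creates the stored entry: a random 16-byte salt plus the derived hash.
func Enroll(password string, iterations int) Credential {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return Credential{salt, iterations, pbkdf2([]byte(password), salt, iterations)}
}
// Verify re-derives the hash with the stored salt and compares in constant time.
func Verify(c Credential, password string) bool {
	return hmac.Equal(c.Hash, pbkdf2([]byte(password), c.Salt, c.Iterations))
}
func main() {
	c := Enroll("correct horse battery staple", 100000) // constructed sample password
	fmt.Printf("stored: salt=%x iterations=%d hash=%x\n", c.Salt, c.Iterations, c.Hash)
	fmt.Println(Verify(c, "correct horse battery staple")) // true
	fmt.Println(Verify(c, "correct horse battery stable")) // false
}
```

A database dump exposes only the salt, cost and hash above; an attacker still has to run the derivation per guess, which is the whole point of the work factor.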