Authentication is the process of checking the identity of a person. There are many different ways to do it, in both the digital and the analog world. All these possibilities rely on some knowledge about the person itself. This is of course a recursive problem, since the validity of this knowledge is very often based on information gathered by a system or a person who itself needs to be authenticated. But unless you want to end up with a chicken-and-egg dilemma, at some point you’ll need to define a root assumption which you consider true in order to base a chain of authentication on it.
In a computer system, the most obvious way to handle it is to use a password to authenticate a user and to make sure that the user is properly identified when this password is created. Additionally, you need to ensure that the password cannot be guessed by a third party (or that it is prohibitively complex to guess it) and that the password is kept in a storage which is itself safe (e.g. only in the memory of the user herself).
Meanwhile, in a world where most persons need to be authenticated in multiple places and systems on a daily or hourly basis, it has become obvious that an approach solely based on passwords and the hope that these passwords are safely stored is not sufficient to ensure safe authentication. First, a password is not only stored in the memory of its owner but also in every system which can receive it to authenticate a user (of course, passwords shouldn’t be stored in a form which allows a third party to directly read them, but even storing only a one-way hash of a password doesn’t mean nobody will be able to recover it). Moreover, since a single person needs to authenticate in many different systems, users tend to use the same password in multiple systems; once a single system is compromised, the authentication of these users is compromised in many other systems as well.
In the past, a kind of solution to this problem has been to use a password store. For each system needing to authenticate you, a unique password is generated. This password is usually a very strong one. Since such passwords are more difficult to remember, it’s not the person who will remember them but a password store which will store them and provide them on demand. Of course, this only moves the problem to another location. Now you don’t have a problem anymore with weak passwords or password reuse, but you have a problem protecting the password store and making sure that only the person who owns the passwords can access them. This is again an authentication problem and is usually solved by using a password to secure the password store. Back to square one…
Apart from using passwords, there are many other options for identifying a user. Some of them are used instead of password authentication, others in addition to it, implementing two-factor authentication. The logic behind it is that even if two authentication mechanisms are not strong enough by themselves, the combination of the two makes it exponentially more difficult to hack the authentication mechanism. Of course, this only works if the two mechanisms are based on two completely different concepts, making it difficult to circumvent them both.
Some authentication mechanisms rely on special knowledge unique to the person being identified. Once the person has been authenticated for the first time (whether through registration or personal identification on site), the system needs to gather some information that is known only to this person. This is most easily done by collecting some facts about the person and her life. A single piece of information is definitely not enough, but a combination of them can prevent most people from guessing their way through the authentication process. The problem with this is that there is still usually a circle of people who know the person to be authenticated well enough that they could actually have the same knowledge. This is then on one side a matter of reducing this circle to the minimum and on the other side of seeing whether the persons in this circle can be trusted.
In summary, although the effort required to implement such a mechanism is relatively low, it does not provide much security. This is the reason why this kind of mechanism is usually not used for main authentication purposes but rather for side processes like resetting a password. Even if someone guesses the name of your best friend in primary school, all they would achieve is to have an email sent to you, and they would still need to hack your email account in order to be able to use it.
What’s more unique to a person than her own body? That’s the reason why a wide range of biometric authentication mechanisms have been implemented. They encompass fingerprints, facial recognition, retina recognition, voice recognition, hand/palm geometry and more. Fingerprint authentication is the most used biometric mechanism. The reason is that a fingerprint is easy to access and small enough that it can be read on a smartphone, a mouse, a keyboard, an external hard drive, a flash drive or other small reading devices. Also, units to read fingerprints are relatively cheap.
This kind of authentication has been widely advertised by spy movies. A few decades ago, the technology was still too expensive to be usable in a mass market. But with lower costs, we start seeing more widely available systems using this type of authentication.
The idea behind security tokens is that instead of identifying a person, you can identify a device you know only the person to be authenticated has access to. This security token can be anything which can be uniquely identified and is difficult (or ideally impossible) to forge. Since making devices which cannot be forged is virtually impossible and making devices which are very difficult to forge is expensive, this kind of authentication is best used in combination with another mechanism, e.g. by storing information on the security token which can only be read when using some other authentication mechanism like a PIN or a password.
An example of such a security token is a smart card. They are cheap, small in size and a widely used authentication mechanism. Using them requires a card reading device. This additional requirement makes them unsuitable for authentication on some platforms. Reading the card can be done either through contact with electrical connectivity pads (for contact smart cards) or through RF induction (for contactless smart cards).
Very often smart cards are combined with a digital certificate infrastructure based on a public key infrastructure (PKI). See below for more information on digital certificates.
Some USB devices can also be used for authentication purposes. They are basically very similar to smart cards. They contain some authentication information which is transmitted to the computer through a USB port. They share the same issue as smart cards (not being usable in all environments) but bring the additional problem that they are not as easy to fit in your pocket/wallet as smart cards. An alternative to USB devices are Bluetooth devices (or Bluetooth enabled USB devices) which do not require a USB port and are thus usable on a wider range of devices.
Another example is a disconnected token displaying some generated authentication data which can be entered by its owner into another system. The generation pattern for the data displayed by these devices should be such that it is almost impossible to figure it out and guess the next generated data.
Of course, now that a large portion of the population in many markets has a smartphone in their pocket, solutions turning your smartphone (or tablet computer) into a security token seem to be a good solution. This doesn’t require you to carry around an additional device which serves no other purpose than authentication.
One-time security tokens
These are security items which are created for a single use. Once they have been used, they are not valid anymore and another one has to be used for the next authentication. Since they are valid only for a single use, if one of them is compromised, the negative impact can be limited. When using such an authentication mechanism, it is very important to secure the delivery of these tokens to your users. If the delivery mechanism itself is compromised, this mechanism will not provide you more security than using multiple-use security items.
Examples of this are one-time passwords generated on demand and sent to your email account (possibly in an encrypted email), or a list of indexed one-time passwords as used for online banking.
One-time security tokens can also be images or messages transported through alternative mechanisms e.g. to your cell phone or other devices.
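As an added example (not part of the original article), here is how a disconnected token of the kind described earlier, together with the single-use property of this section, can be implemented: an HMAC-based one-time password (RFC 4226) derived from a shared secret and a counter, and a server-side verifier that accepts each counter value at most once. The secret is the RFC’s published test secret, used only so the values can be checked against the known test vectors; the look-ahead window size is an assumption.

```python
import hashlib
import hmac
import struct

# Shared secret provisioned into the token at enrolment. This is the
# RFC 4226 test secret (ASCII "12345678901234567890"); a real deployment
# generates a random per-token secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    Token and server share `secret`; each button press increments `counter`.
    Previous values give no help in predicting the next one without the
    secret, because the output is a truncated HMAC-SHA1 over the counter.
    """
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side. Remembers the next unused counter so that every value is
    accepted at most once (the 'one-time' property) and tolerates a small
    look-ahead window for button presses that never reached the server."""

    def __init__(self, secret: bytes, window: int = 5):  # window is an assumed policy value
        self.secret = secret
        self.window = window
        self.next_counter = 0

    def verify(self, submitted: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.next_counter = c + 1             # burn this and all earlier counters
                return True
        return False
```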
Digital certificates are digital identifying information usually containing some additional information, like serial numbers, expiration dates and public keys, and are digitally signed by a trusted certificate (which allows the creation of an authentication chain). The root certificates (the certificates at the root of an authentication chain) are usually distributed with operating systems, browsers and other systems whose sources are secured.
In addition to all these different types of authentication, you can also combine an authentication mechanism with some mechanism which checks the plausibility of the authentication. It can be done by checking some facts about the context of the authentication, e.g. geolocation, IP address used, date/time (e.g. whether the user has already checked out from work or is on vacation)…
Making the system only available in a secured environment also works as a two-factor login. You can e.g. only allow access to a system over a VPN connection and not directly over the internet. You are thus checking both that the user can connect through the VPN and her password. Of course, if the authentication required to access the login page is the same as the one then used on the login page, this won’t increase the security of your application. Even if these checks are not used to reject authentication but only to detect a potential breach and have it checked, they are already very useful as they limit the impact of a breach.
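As an added example (not from the original article), the following scores a constructed set of successful logins against the context signals mentioned above (known IP address, working hours, plausible travel between countries) and attaches flags for review rather than rejecting the login. The office IP set, working hours and travel threshold are assumed policy values; the login records are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample of successful logins (not real data): who, when (UTC),
# from which IP address, and which country that address geolocated to.
LOGINS = [
    {"user": "alice", "time": "2024-03-04T08:55:00", "ip": "203.0.113.10", "country": "CH"},
    {"user": "alice", "time": "2024-03-04T13:10:00", "ip": "203.0.113.10", "country": "CH"},
    {"user": "alice", "time": "2024-03-04T13:40:00", "ip": "198.51.100.7", "country": "BR"},
    {"user": "alice", "time": "2024-03-05T02:30:00", "ip": "203.0.113.10", "country": "CH"},
]

OFFICE_IPS = {"203.0.113.10"}      # assumed: the organisation's known egress addresses
WORK_HOURS = range(7, 20)          # assumed: 07:00-19:59 UTC is a normal working day
MIN_TRAVEL = timedelta(hours=4)    # assumed: a country change faster than this is implausible


def score_logins(logins):
    """Attach context-based risk flags to each login.

    No single flag proves a breach; together they tell an analyst which
    successful authentications deserve a closer look, which is the
    'detect a potential breach and have it checked' use described above.
    """
    flagged = []
    last_seen = {}                 # user -> (time, country) of that user's previous login
    for entry in logins:
        t = datetime.fromisoformat(entry["time"])
        flags = []
        if entry["ip"] not in OFFICE_IPS:
            flags.append("unknown-ip")
        if t.hour not in WORK_HOURS:
            flags.append("off-hours")
        prev = last_seen.get(entry["user"])
        if prev and prev[1] != entry["country"] and t - prev[0] < MIN_TRAVEL:
            flags.append("impossible-travel")
        last_seen[entry["user"]] = (t, entry["country"])
        flagged.append({**entry, "flags": flags})
    return flagged
```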
A few last words
Authentication is not limited to validating passwords. There is a wide range of possibilities to verify the identity of a person. Some of them have existed for a very long time (like checking a passport or an ID). Some of them have been around for some time too but are now becoming accessible to the wider masses (e.g. biometric mechanisms). Authenticating oneself is not something people usually enjoy, especially when it has to be done many times a day. This is the reason why single sign-on has become so popular and so important. But one has to keep in mind that reusing an authentication done by a third party is a matter of trust. If the security level of this third party is not sufficient, you’re opening your system/application to security breaches.
Authentication is always based on some assumptions as to which data can securely be used to identify a person. But these assumptions are only as good as the measures in place to ensure the validity and security of these data. Checking something delivered to a person is only safe if it cannot be guessed and if the delivery to the person is also secure.
Using a combination of unrelated authentication mechanisms is always safer than relying on only one of them. How good the combination is depends on how different they are. Checking two different passwords stored in the system might not provide more security. But checking a fingerprint and a digital certificate will provide a pretty strong security mechanism.
This article addresses a few authentication mechanisms which probably cover a large part of what’s being used out there. But there are many more mechanisms, and some of them might prove to be better alternatives in the future. Also, some of the mechanisms discussed here might seem secure with our present knowledge but prove insecure in the future. The only way to keep providing secure authentication of your users is to stay informed, learn about the weaknesses of existing authentication means and evaluate new authentication mechanisms.