Unit 4 User Authentication
User authentication verifies the identity of a user attempting to gain access to a network or
computing resource: the user hands credentials to the machine over the network, and the
machine checks them to confirm that the user is who they claim to be. The term contrasts with
machine authentication, an automated authentication method that does not require user
input.
Authentication helps ensure only authorized users can gain access to a system by
preventing unauthorized users from gaining access and potentially damaging systems,
stealing information or causing other problems. Almost all human-to-computer interactions --
other than guest and automatically logged-in accounts -- involve a user authentication step. It
applies on both wired and wireless networks and gates access to networked and
internet-connected systems and resources.
User authentication can be as simple as requiring a user to type a unique identifier, such as
a user ID, along with a password to access a system. It can also be more complex, however
-- for example, requiring a user to provide information about physical objects or the
environment or even take actions, such as placing a finger on a fingerprint reader.
As our world increasingly embraces the digital realm, assuring the validity of digital identities
has become a crucial foundation for secure transactions and interactions. Guaranteeing the
authenticity of digital identities is a fundamental measure against the rising tide of identity
theft and online fraudulent activities that have surged in recent times. The National Institute
of Standards and Technology (NIST), a federal agency responsible for establishing
standards across industries, including cybersecurity and digital identity, plays a pivotal role in
this domain. Their actions serve as a bulwark against the escalating threats in the digital
space.
Unveiled in June 2017, the NIST Special Report 800-63-3 lays out specific requirements
aimed at federal agencies that are implementing digital identity services. The primary focus
of these NIST standards is to ensure that individuals are genuinely who they claim to be
before being granted access to digital services. These standards form a crucial part of a
broader governmental strategy to combat identity theft and fraud, fostering a safer digital
environment for all.
The more likely it is that someone might try to access an account they shouldn't, the more
certain an organization needs to be about who is making the request. To make sure,
organizations use extra checks that a person has to pass before their identity is confirmed.
These checks are described by NIST using three levels: Identity Assurance Levels (IAL),
Authenticator Assurance Levels (AAL), and Federation Assurance Levels (FAL).
IAL1: IAL1 means the identity claimed doesn't have to be linked to a real person or
confirmed as belonging to the user. It's the lowest level of assurance and doesn't need
actual identity validation. When you create an account, the digital service doesn't need to
make sure you're a real person. The identity details are what you say they are, without
needing proof.
Example: Consider social media accounts, like Facebook or Twitter – you don’t have to
submit proof of your identity to set up an account registered to your name.
IAL2: IAL2 mandates that users need to show proof that they truly own the identity
they're asserting. This level requires identity validation, which can happen remotely or
in-person. The individual wanting access to something must offer proof that they indeed own
the identity they claim. This might involve biometrics like facial scans or fingerprints.
Example: Consider accounts that hold information already registered to a certain person,
such as a government account linked to a social security number. To request access to that
information, you first have to provide evidence that you are the owner of that identity,
potentially by using a passport or driver’s license.
AAL1: At this level, a single authentication factor is sufficient. This could be something
like a password or a PIN. It's the basic level of assurance.
FAL1: This level indicates basic assurance. The identity provider's verification might not
be very rigorous. It's suitable for scenarios where there is relatively lower risk or sensitivity
associated with the accessed resources.
FAL2: At this level, a higher level of assurance is required from the identity provider. The
verification process is more robust compared to FAL1. It's suitable for scenarios where
moderate assurance is needed.
FAL3: This is the strictest level of assurance. It demands strong and well-validated
verification of the identity provider. This level is appropriate for scenarios involving highly
sensitive or critical resources.
In essence, the Federation Assurance Level provides a way to measure the level of trust
organizations can place in the identity information provided by external identity providers,
helping them make informed decisions about granting access to their resources.
Summary:
1. Knowledge factors include all things users must know in order to log in to gain
access to a system. Usernames, IDs, passwords and personal identification numbers
(PINs) all fall under this category.
2. Possession factors consist of anything users must have in their possession in
order to log in. This category includes one-time password tokens, key fobs,
smartphone apps, and employee ID cards.
3. Inherence factors include characteristics inherent to individuals that confirm their
identity. This category includes the scope of biometrics, such as retina scans,
fingerprint scans, facial recognition and voice authentication.
Other factors include location and time factors, which are typically used together or in
conjunction with another authentication factor:
1. Location factors are a method of confirming users' identity through their location.
User authentication systems accomplish this by using the built-in Global Positioning
System (GPS) functionality of most smartphones to identify a person's location or
combine Wi-Fi and cell tower triangulation to estimate a location. Authentication
systems typically do not use location on its own to confirm identity. For example, if an
attacker logs in with a user's password, the location factor can prevent the attacker in
a different geographical area from posing as the user, who typically logs in only from
a specific location. Here, location and password are used together to confirm identity.
1. User Registration: When a user creates an account, they choose a password that
only they should know. This password is stored securely on the system's servers.
2. Login Process: When the user wants to access their account, they provide their
username (or email) along with the password they set during registration.
3. Password Verification: The system checks if the provided password matches the
stored one. If they match, the user is authenticated and granted access.
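To make the three steps above concrete, here is an added example (not part of the original unit) of what "stored securely" and "checks if the provided password matches" look like in code: a fresh random salt per user, a slow key-derivation function (PBKDF2-HMAC-SHA256) stored in place of the plaintext, and a constant-time comparison at login. The in-memory USER_STORE, the function names and the iteration count are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory user store for the example: username -> (salt, derived hash).
# A real deployment persists this in a database; only salt and hash are kept,
# never the password itself.
USER_STORE: Dict[str, Tuple[bytes, bytes]] = {}

# Work factor for the slow hash (assumed value; tune upward as hardware gets faster).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def derive_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation so a leaked store cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Step 1 (registration): pick a fresh random salt and store salt + hash."""
    salt = os.urandom(SALT_BYTES)
    USER_STORE[username] = (salt, derive_hash(password, salt))


def stored_record(username: str) -> Optional[Tuple[bytes, bytes]]:
    """What the server actually keeps for a user: (salt, hash), or None if unknown."""
    return USER_STORE.get(username)


def verify(username: str, password: str) -> bool:
    """Steps 2-3 (login + verification): recompute the hash with the stored salt and
    compare in constant time, so a near-miss leaks no timing signal."""
    record = USER_STORE.get(username)
    if record is None:
        # Burn the same amount of work for unknown usernames so response timing
        # does not reveal which accounts exist.
        derive_hash(password, bytes(SALT_BYTES))
        return False
    salt, expected = record
    return hmac.compare_digest(derive_hash(password, salt), expected)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "Correct horse battery staple"))  # False
    print(verify("mallory", "anything"))                     # False
```

Because the salt is random per user, two users who pick the same password end up with different stored hashes, so a leaked store cannot be attacked with a single precomputed table.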
1. Familiarity: Users are familiar with passwords and how to create and use them.
1. Password Weakness: Users might choose weak passwords that are easily guessed
or cracked.
2. Password Reuse: Users might reuse passwords across multiple services, which
increases the risk if one service is compromised.
4. Phishing: Users might fall victim to phishing attacks where they unknowingly give
their passwords to attackers.
3. Iris or Retina Scan: Analyzing the intricate patterns of the iris or retina in the eye.
6. Behavioral Biometrics: Analyzing behaviors like typing patterns, gait, or even the
way a person holds a device.
2. Authentication: When the user tries to access a system or service, they provide
their biometric data again. The system compares the newly provided data with the
stored template to verify identity.
1. Uniqueness: Biometric traits are unique to each individual, making them difficult to
replicate.
1. Privacy: Storing biometric data raises privacy concerns, as it's considered sensitive
personal information.
4. Non-Revocability: Unlike passwords, you can't change your biometric traits if they're
compromised.
To address these concerns, it's important to implement robust security measures, protect
stored biometric data, and use biometric methods alongside other authentication factors in
multi-factor authentication (MFA) systems.
Token Based Authentication
1. Token Generation: When a user successfully logs in with their credentials (usually a
username and password), the system generates a token for that user. This token is a long
string of characters that serves as a digital representation of their identity.
2. Token Issuance: The token is then sent back to the user's device and stored securely. It
could be stored in a cookie, local storage, or a mobile app's memory.
3. Subsequent Requests: With each subsequent request to the system, the user includes
the token in the request headers. This token is sent along with the request to prove the
user's identity without needing to send the actual credentials (username and password) with
each request.
4. Token Verification: On the server-side, the received token is verified for authenticity and
validity. This might involve checking the token's expiration time, comparing it to the stored
tokens, and ensuring it hasn't been tampered with.
5. Access Granting: If the token is valid, the server grants the user access to the requested
resource or service. If the token is invalid, expired, or has been tampered with, the user's
request is denied.
Enhanced Security: Tokens are more secure than passwords, reducing the risk of
password breaches.
Reduced Credential Exposure: Users don't need to send their credentials with each
request, minimizing the chance of interception.
Scalability: Tokens are self-contained, so they can be easily shared across different services
and systems.
Revocation: Tokens can be invalidated or revoked if necessary, enhancing control over
access.
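The five steps above as an added example (not code from the original unit): issue_token signs a small claims object with a server-held HMAC key (steps 1-2), verify_token performs step 4 (signature first, then expiry, then revocation) and returns nothing on any failure (step 5), and revoke_token implements the revocation point. SERVER_KEY, the 15-minute lifetime, the claim names and the in-memory REVOKED_IDS set are assumptions for this example; a production system would use a standard token format such as JWT via a maintained library and a persistent revocation list.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Server-side signing key; constructed for the example. In practice it is loaded from a
# secret store and rotated, never embedded in source.
SERVER_KEY = b"example-only-server-key-do-not-reuse"
TOKEN_TTL_SECONDS = 900       # 15 minutes; short lifetimes limit a stolen token's value
REVOKED_IDS: set = set()      # token ids the server has invalidated


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    """Canonical JSON, base64url-encoded: the part of the token the signature covers."""
    return b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))


def sign(body: str) -> bytes:
    return hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).digest()


def issue_token(username: str, now: Optional[float] = None) -> str:
    """Steps 1-2: after the credential check succeeds, build claims, sign them and hand
    back '<claims>.<signature>'; the client stores this and sends it on later requests."""
    now = time.time() if now is None else now
    claims = {
        "sub": username,                          # who the token represents
        "exp": int(now) + TOKEN_TTL_SECONDS,      # absolute expiry
        "jti": b64url_encode(os.urandom(12)),     # unique id, lets us revoke it later
    }
    body = encode_claims(claims)
    return f"{body}.{b64url_encode(sign(body))}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 4: check the signature first (detects tampering), then expiry, then
    revocation. Returns the claims on success and None on any failure (step 5)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(b64url_decode(sig), sign(body)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        # wrong number of parts, bad base64, or invalid JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    if claims.get("jti") in REVOKED_IDS:
        return None
    return claims


def revoke_token(token: str, now: Optional[float] = None) -> bool:
    """Revocation: remember the token id so verify_token rejects it from now on."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    REVOKED_IDS.add(claims["jti"])
    return True


if __name__ == "__main__":
    tok = issue_token("alice")
    print(verify_token(tok) is not None)   # True: fresh and untampered
    revoke_token(tok)
    print(verify_token(tok) is None)       # True: revoked
```

Checking the signature before parsing the claims matters: nothing inside an unsigned or mis-signed body is trusted, not even its expiry field, so an altered "sub" or a pushed-out "exp" is rejected without ever being read.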
1. User Identification: The user provides a unique identifier like a username or email.
3. Verification: The system compares the provided factor (password or PIN) to the
stored one. If they match, the user is granted access.
2. Password Weakness: Users might choose weak passwords that are easy to guess
or crack.
3. Password Reuse: Users might reuse the same password across multiple services,
amplifying risk.
4. Phishing and Social Engineering: Attackers can trick users into revealing their
password through phishing attacks or by impersonating the service provider.
Due to the limitations and security risks associated with single-factor authentication, many
organizations are adopting multi-factor authentication (MFA) or other advanced
authentication methods to enhance security and better protect user accounts and data.
Multi Factor Authentication
1. Something You Know: This is something only the user knows, like a password or a
PIN.
2. Something You Have: This involves a physical item the user possesses, such as a
smartphone, a hardware token, or a smart card.
3. Something You Are: This refers to biometric characteristics unique to the user, such
as fingerprints, facial scans, or voice recognition.
3. Verification: The system checks each authentication factor to ensure they match the
stored values. If all factors are verified, the user is granted access.
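As an added example of the verification step (not code from the original unit), the login routine below checks a knowledge factor (a salted password hash) and a possession factor (a time-based one-time code from an authenticator app, RFC 6238 TOTP) and grants access only when both pass. It also covers two details the paragraph leaves out: a one-step clock-skew window for the code, and refusal of a code that has already been accepted once. The UserRecord layout, the PBKDF2 iteration count and the seed used in the usage are assumptions for this example; the TOTP computation itself follows RFC 6238.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

TOTP_STEP = 30            # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
ALLOWED_DRIFT_STEPS = 1   # accept one step either side to absorb clock skew
PBKDF2_ITERATIONS = 600_000


@dataclass
class UserRecord:
    """Constructed store entry for one user (layout is an assumption for this example)."""
    salt: bytes
    pw_hash: bytes            # knowledge factor: salted PBKDF2 hash, never the password
    totp_secret_b32: str      # possession factor: seed shared with the authenticator app
    last_counter: int = -1    # highest TOTP step already accepted; blocks code replay


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(password: str, totp_secret_b32: str) -> UserRecord:
    """Registration: store salt + hash and the TOTP seed the user loaded into their app."""
    salt = os.urandom(16)
    return UserRecord(salt, password_hash(password, salt), totp_secret_b32)


def totp_code(secret_b32: str, for_time: float) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second step counter, dynamically truncated to 6 digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(for_time) // TOTP_STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def matching_counter(record: UserRecord, submitted: str, now: float) -> Optional[int]:
    """Return the step counter whose code matches within the drift window, else None."""
    for drift in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1):
        t = now + drift * TOTP_STEP
        expected = totp_code(record.totp_secret_b32, t)
        if hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8")):
            return int(t) // TOTP_STEP
    return None


def mfa_login(record: UserRecord, password: str, otp: str, now: Optional[float] = None) -> bool:
    """Verification: both factors are always evaluated before deciding, so the response
    does not reveal which one was wrong. A matched code is consumed so the same six
    digits cannot be replayed within their validity window."""
    now = time.time() if now is None else now
    pw_ok = hmac.compare_digest(password_hash(password, record.salt), record.pw_hash)
    counter = matching_counter(record, otp, now)
    otp_ok = counter is not None and counter > record.last_counter
    if not (pw_ok and otp_ok):
        return False
    record.last_counter = counter
    return True


if __name__ == "__main__":
    # Constructed seed: base32 of the RFC 6238 reference key "12345678901234567890".
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    user = enroll("a long passphrase", seed)
    code = totp_code(seed, time.time())                 # what the authenticator app shows now
    print(mfa_login(user, "a long passphrase", code))   # True
    print(mfa_login(user, "a long passphrase", code))   # False: same code replayed
```

The "last accepted counter" field is what turns a code that is valid for 30 seconds (90 with the skew window) into a genuinely one-time credential; without it, a code captured over the shoulder could be reused for the rest of its window.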
4. Improved User Confidence: Users feel more secure knowing their accounts are
protected by multiple layers of authentication.
However, there are challenges:
1. User Experience: MFA can add extra steps to the login process, which might be
perceived as less convenient.
3. Lost or Forgotten Factors: If a user loses their authentication device or forgets their
password, accessing their account might become difficult.
Despite these challenges, the benefits of increased security outweigh the inconveniences.
Many services and organizations encourage or require users to enable MFA to better protect
their accounts and sensitive information.
User authentication is a critical component of cybersecurity, but it's also vulnerable to various
security issues that attackers may exploit. Some common security issues related to user
authentication include:
1. Password Weakness: Weak passwords, such as those that are short, simple, or
easily guessable, can be easily cracked through brute-force attacks or dictionary
attacks.
2. Password Reuse: Users often reuse passwords across multiple accounts, making
them vulnerable to attacks if one account is compromised.
3. Phishing: Attackers use phishing emails to trick users into revealing their passwords
or other authentication credentials.
4. Credential Stuffing: Attackers use stolen username-password pairs from one site to
attempt unauthorized access on other sites where the user has the same credentials.
10. Biometric Spoofing: For biometric authentication, attackers might use photos, voice
recordings, or other means to impersonate the user's biometric traits.
12. Insider Threats: Employees or insiders with malicious intent can misuse their
privileges to gain unauthorized access.
13. Weak Security Questions: Poorly chosen security questions can be guessed or
researched, allowing attackers to reset passwords.
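From the defender's side, items 1 and 4 above leave distinct footprints in authentication logs: a brute-force attempt produces many failures against one account, while credential stuffing produces many failures spread across many accounts from the same source. The detector below is an added example, not from the original unit; it runs over a constructed log sample (the `<epoch> <ip> <user> <result>` format, the thresholds and the addresses are assumptions) and also lists accounts that went on to log in successfully from a flagged source, since those are the ones to lock and reset.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of authentication events; the line format
# "<epoch_seconds> <source_ip> <username> <FAIL|SUCCESS>" is an assumption for this example.
SAMPLE_LOG = """\
1700000000 203.0.113.10 alice FAIL
1700000003 203.0.113.10 bob FAIL
1700000005 203.0.113.10 carol FAIL
1700000006 203.0.113.10 dave FAIL
1700000008 203.0.113.10 erin FAIL
1700000009 203.0.113.10 frank FAIL
1700000011 203.0.113.10 grace SUCCESS
1700000010 198.51.100.7 alice FAIL
1700000012 198.51.100.7 alice FAIL
1700000013 198.51.100.7 alice FAIL
1700000015 198.51.100.7 alice FAIL
1700000016 198.51.100.7 alice FAIL
1700000018 198.51.100.7 alice FAIL
1700000020 198.51.100.7 alice FAIL
1700000030 192.0.2.44 heidi FAIL
1700000045 192.0.2.44 heidi SUCCESS
"""

WINDOW_SECONDS = 60            # failures are counted within a one-minute sliding window
FAIL_THRESHOLD = 5             # failures in the window before anything is flagged
DISTINCT_USERS_THRESHOLD = 5   # this many different accounts from one IP looks like stuffing


@dataclass(frozen=True)
class AuthEvent:
    ts: int
    ip: str
    user: str
    success: bool


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the constructed format, skip blank lines, return events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(int(ts), ip, user, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect(events: List[AuthEvent], window: int = WINDOW_SECONDS) -> Dict[str, List[str]]:
    """Flag source IPs doing credential stuffing and user@ip pairs being brute-forced."""
    fails_by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        if not e.success:
            fails_by_ip[e.ip].append(e)

    stuffing, brute = set(), set()
    for ip, fails in fails_by_ip.items():
        for i, first in enumerate(fails):
            # every failure from this IP within `window` seconds of `first`
            users = [f.user for f in fails[i:] if f.ts - first.ts <= window]
            if len(users) < FAIL_THRESHOLD:
                continue
            if len(set(users)) >= DISTINCT_USERS_THRESHOLD:
                stuffing.add(ip)               # many accounts, one source
            for user in set(users):
                if users.count(user) >= FAIL_THRESHOLD:
                    brute.add(f"{user}@{ip}")  # one account hammered
    return {"credential_stuffing": sorted(stuffing), "brute_force": sorted(brute)}


def compromised_candidates(events: List[AuthEvent], flagged_ips: List[str]) -> List[str]:
    """Accounts that logged in successfully from a flagged IP: a reused or guessed
    password probably worked, so these are the ones to lock and force a reset on."""
    flagged = set(flagged_ips)
    return sorted({e.user for e in events if e.success and e.ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    findings = detect(evs)
    print(findings)
    print(compromised_candidates(evs, findings["credential_stuffing"]))
```

The two rules share one window but key on different dimensions: distinct usernames per source for stuffing, repeated failures per username for brute force. The single failed-then-successful login from 192.0.2.44 trips neither, which is the point of thresholds: a user mistyping a password once should not look like an attack.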