
Remote User Authentication

User authentication verifies the identity of a user attempting to gain access to a network or
computing resource by authorizing a human-to-machine transfer of credentials during
interactions on a network to confirm a user's authenticity. The term contrasts with machine
authentication, which is an automated authentication method that does not require user
input.

Authentication helps ensure only authorized users can gain access to a system by
preventing unauthorized users from gaining access and potentially damaging systems,
stealing information or causing other problems. Almost all human-to-computer interactions --
other than guest and automatically logged-in accounts -- perform a user authentication. It
authorizes access on both wired and wireless networks to enable access to networked and
internet-connected systems and resources.

A straightforward process, user authentication consists of three tasks:

1. Identification: Users have to prove who they are.
2. Authentication: Users have to prove they are who they say they are.
3. Authorization: Users have to prove they're allowed to do what they are trying to do.

User authentication can be as simple as requiring a user to type a unique identifier, such as
a user ID, along with a password to access a system. It can also be more complex, however
-- for example, requiring a user to provide information about physical objects or the
environment or even take actions, such as placing a finger on a fingerprint reader.

NIST SP 800-63 (Digital Identity Guidelines)

As our world increasingly embraces the digital realm, assuring the validity of digital identities
has become a crucial foundation for secure transactions and interactions. Guaranteeing the
authenticity of digital identities is a fundamental measure against the rising tide of identity
theft and online fraudulent activities that have surged in recent times. The National Institute
of Standards and Technology (NIST), a federal agency responsible for establishing
standards across industries, including cybersecurity and digital identity, plays a pivotal role in
this domain. Their actions serve as a bulwark against the escalating threats in the digital
space.

Unveiled in June 2017, the NIST Special Publication 800-63-3 lays out specific requirements
aimed at federal agencies that are implementing digital identity services. The primary focus
of these NIST standards is to ensure that individuals are genuinely who they claim to be
before being granted access to digital services. These standards form a crucial part of a
broader governmental strategy to combat identity theft and fraud, fostering a safer digital
environment for all.

NIST 800-63-3 can be dissected into three core components:

● Enrollment and Identity Proofing (NIST SP 800-63A)
● Authentication and Lifecycle Management (NIST SP 800-63B)
● Federation and Assertions (NIST SP 800-63C)

The more likely it is that someone might try to access an account they shouldn't, the more
certain an organization needs to be about who is making the request. To make sure,
organizations use extra checks that a person has to pass before their identity is confirmed.
These checks are described by NIST using three levels: Identity Assurance Levels (IAL),
Authenticator Assurance Levels (AAL), and Federation Assurance Levels (FAL).

Identity Assurance Level

There are three IALs defined in NIST SP 800-63A – IAL1, IAL2, and IAL3 – which impose
progressively stricter requirements.

IAL1: At this level the identity claimed doesn't have to be linked to a real person or
confirmed as belonging to the user. It's the lowest level of assurance and doesn't need
actual identity validation. When you create an account, the digital service doesn't need to
make sure you're a real person. The identity details are what you say they are, without
needing proof.
Example: Consider social media accounts, like Facebook or Twitter – you don't have to
submit proof of your identity to set up an account registered to your name.

IAL2: This level mandates that users show proof that they truly own the identity
they're asserting. It requires identity validation, which can happen remotely or
in person. The individual wanting access to something must offer proof that they indeed own
the identity they claim. This might involve biometrics like facial scans or fingerprints.
Example: Consider accounts that hold information already registered to a certain person,
such as a government account linked to a social security number. To request access to that
information, you first have to provide evidence that you are the owner of that identity,
potentially by using a passport or driver's license.

IAL3: This is the highest level of identity verification according to NIST
800-63-3. It demands either in-person presence or closely monitored remote verification.
Moreover, it necessitates comparing the applicant's biometric data with the most reliable
form of identity proof.
Example: Consider how DMVs require people to show up in person for certain services,
including applying for a driver's license and upgrading to a REAL ID. These forms of ID not
only confer the authority to drive a vehicle, but also serve as a form of identification in and of
themselves. As a result, the confidence level in the identity of the applicant must be
extremely high.

Authenticator Assurance Level

AAL1: At this level, a single authentication factor is sufficient. This could be something
like a password or a PIN. It's the basic level of assurance.

AAL2: A higher level of assurance is required here. It involves two-factor authentication
(2FA), which means users need to provide two different types of authentication. This might
include something they know (like a password) and something they have (like a security
token or a smartphone app).

AAL3: This is the most stringent level. It requires strong two-factor or multi-factor
authentication. It might involve biometric verification (like fingerprints or facial recognition)
combined with something the user possesses (like a smart card).

Federation Assurance Level

Federation Assurance Level (FAL) is a concept defined by NIST (National Institute of
Standards and Technology) to indicate the level of trust and confidence that an organization
has in the identity assertions made by an external identity provider in a federated identity
system.

In a federated identity system, different organizations or services allow users to access their
resources using their identities from trusted external identity providers. The Federation
Assurance Level helps determine how much assurance or confidence can be placed in the
identity information provided by these external identity providers.

There are three levels of Federation Assurance (FAL):

FAL1: This level indicates basic assurance. The identity provider's verification might not
be very rigorous. It's suitable for scenarios where there is relatively lower risk or sensitivity
associated with the accessed resources.

FAL2: At this level, a higher level of assurance is required from the identity provider. The
verification process is more robust compared to FAL1. It's suitable for scenarios where
moderate assurance is needed.

FAL3: This is the strictest level of assurance. It demands strong and well-validated
verification of the identity provider. This level is appropriate for scenarios involving highly
sensitive or critical resources.

In essence, the Federation Assurance Level provides a way to measure the level of trust
organizations can place in the identity information provided by external identity providers,
helping them make informed decisions about granting access to their resources.

Summary:

IAL (Identity Assurance Level):

Identity Assurance Level (IAL) is a classification system used to measure the
degree of confidence an organization has in the validity of an individual's
claimed identity. It assesses the strength of identity proofing and verification
methods used to confirm that an individual is who they claim to be. IAL levels
range from 1 to 3, with increasing levels indicating more stringent verification
processes.

IAL1: Minimal assurance, self-asserted identity attributes.
IAL2: Some assurance, identity proofing required.
IAL3: High assurance, strong identity proofing required.

AAL (Authenticator Assurance Level):

Authenticator Assurance Level (AAL) categorizes the strength of
authentication methods used to verify a user's identity. AAL levels range from
1 to 3, with increasing levels requiring more robust authentication methods
and multiple factors for verification.

AAL1: Single-factor authentication (e.g., password).
AAL2: Two-factor authentication (e.g., password + token).
AAL3: Strong multi-factor authentication (e.g., biometrics + token).

FAL (Federation Assurance Level):

Federation Assurance Level (FAL) quantifies the level of trust an organization
has in external identity providers within a federated identity system. FAL levels
range from 1 to 3, reflecting varying degrees of confidence in the assertions
made by these external providers.

FAL1: Basic assurance, limited verification from identity provider.
FAL2: Moderate assurance, stronger verification from identity provider.
FAL3: High assurance, rigorous verification from identity provider.

These classification systems, defined by NIST, help organizations ensure
appropriate security measures are in place for identity verification and
authentication, taking into account the level of risk and sensitivity associated
with the accessed resources or services.

User authentication methods

The main factors used in user authentication include the following:

1. Knowledge factors include all things users must know in order to log in to gain
access to a system. Usernames, IDs, passwords and personal identification numbers
(PINs) all fall under this category.
2. Possession factors consist of anything users must have in their possession in
order to log in. This category includes one-time password tokens, key fobs,
smartphone apps, and employee ID cards.
3. Inherence factors include characteristics inherent to individuals that confirm their
identity. This category covers biometrics, such as retina scans, fingerprint scans, facial
recognition and voice authentication.

Other factors include location and time factors, which are typically used together or in
conjunction with another authentication factor:

1. Location factors are a method of confirming users' identity through their location.
User authentication systems accomplish this by using the built-in Global Positioning
System (GPS) functionality of most smartphones to identify a person's location or
combine Wi-Fi and cell tower triangulation to estimate a location. Authentication
systems typically do not use location on its own to confirm identity. For example, if an
attacker logs in with a user's password, the location factor can prevent the attacker in
a different geographical area from posing as the user, who typically logs in only from
a specific location. Here, location and password are used together to confirm identity.

2. Time factors add time-based access characteristics to confirm identity. Similar to
the location factor, the time factor is not adequate on its own but can be helpful when
used with another factor. For example, if a system last authenticated a user at noon
in the U.S., an attempt to log in an hour later from Asia would be rejected based on
the combination of time and location. A time factor can also only permit access within
a scheduled time interval.
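
The "noon in the U.S., an hour later from Asia" check above, written out as an added example (not code from the original text): the combined location and time factor becomes a plausible-travel-speed test between consecutive logins, plus the scheduled-interval check. The speed threshold, the coordinates and the in-memory login history are constructed assumptions for this example.

```python
import math

# Constructed login history for this example: username -> (unix_time, lat, lon)
# of the last login that was allowed.
LAST_LOGIN = {}

# Anything faster than this (km/h) between two logins is treated as impossible travel.
# The threshold is an assumption; tune it to the population you serve.
MAX_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = (math.sin(d_phi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2)
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def check_travel(username, now, lat, lon):
    """Location + time factor: 'allow' if the move since the last allowed login is
    physically plausible, otherwise 'deny'. Only allowed logins update the history,
    so a rejected attempt cannot poison the next comparison."""
    prev = LAST_LOGIN.get(username)
    if prev is None:
        LAST_LOGIN[username] = (now, lat, lon)
        return "allow"
    t_prev, lat_prev, lon_prev = prev
    distance_km = haversine_km(lat_prev, lon_prev, lat, lon)
    hours = (now - t_prev) / 3600.0
    if hours <= 0:
        # Two logins in the same second: plausible only from (practically) the same place.
        speed_kmh = 0.0 if distance_km < 1.0 else math.inf
    else:
        speed_kmh = distance_km / hours
    if speed_kmh > MAX_SPEED_KMH:
        return "deny"
    LAST_LOGIN[username] = (now, lat, lon)
    return "allow"


def within_schedule(hour_of_day, start_hour, end_hour):
    """Scheduled-time factor: True inside [start_hour, end_hour), wrapping past midnight."""
    if start_hour <= end_hour:
        return start_hour <= hour_of_day < end_hour
    return hour_of_day >= start_hour or hour_of_day < end_hour
```

The deny result is a signal to step up authentication or alert, not proof of compromise on its own; VPNs and mobile carriers routinely place honest users far from where they sit.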

Single-factor authentication (SFA) requires verification of one piece of information from
a user, such as a password. Because SFA commonly employs knowledge factors, which
require only a single piece of information, it can't stop an attacker who has stolen a user's
password from accessing a user's system.

Multi-factor authentication (MFA) uses more than one method of authentication to
verify the identity of a user. For example, a user may be required to provide a password in
combination with a one-time code from a smartphone app. Two-factor authentication (2FA)
uses factors from two of the authentication categories, while four-factor authentication (4FA)
uses at least one factor from four categories of factors. The latter is considered far more
secure due to the additional layers of security that come with more factors.

Password Based Authentication

Password-based authentication is a common method used to verify the identity of users
before granting them access to a system, application, or service. It involves users providing
a secret password that they have previously set up. If the provided password matches the
stored one, the user is granted access.

Here's how password-based authentication works:

1. User Registration: When a user creates an account, they choose a password that
only they should know. This password is stored securely on the system's servers.

2. Login Process: When the user wants to access their account, they provide their
username (or email) along with the password they set during registration.

3. Password Verification: The system checks if the provided password matches the
stored one. If they match, the user is authenticated and granted access.

Advantages of password-based authentication:

1. Familiarity: Users are familiar with passwords and how to create and use them.

2. Easy Implementation: Password-based authentication is relatively easy to
implement for developers.

3. User Control: Users can reset their passwords if forgotten or compromised.

However, there are also disadvantages and security concerns:

1. Password Weakness: Users might choose weak passwords that are easily guessed
or cracked.

2. Password Reuse: Users might reuse passwords across multiple services, which
increases the risk if one service is compromised.

3. Brute-Force Attacks: Attackers can use automated methods to guess passwords.

4. Phishing: Users might fall victim to phishing attacks where they unknowingly give
their passwords to attackers.

To mitigate these concerns, organizations often enforce password policies (length,
complexity requirements), implement mechanisms like account lockouts or CAPTCHA to
prevent brute-force attacks, and educate users about secure password practices.
Additionally, many systems are moving towards using multi-factor authentication (MFA) or
other authentication methods in conjunction with passwords to enhance security.
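
The three steps above (registration, login, verification) together with two of the mitigations (a length policy and a temporary account lockout), as an added Python example that is not part of the original text. The in-memory user store, the policy numbers and the choice of scrypt as the hashing function are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory user store for this example: username -> record.
USERS = {}

MIN_PASSWORD_LENGTH = 12    # length policy enforced at registration
MAX_FAILURES = 5            # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60   # the lock is temporary, so it cannot be used to lock a user out for good


def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is a memory-hard key derivation function: testing guesses against a leaked
    # hash is slow and memory-hungry. n/r/p are common settings for interactive logins.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


def register(username: str, password: str) -> None:
    """Step 1 (registration): keep a random per-user salt and the derived hash, never the password."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password policy: at least {MIN_PASSWORD_LENGTH} characters")
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt),
                       "failures": 0, "locked_until": 0.0}


def login(username: str, password: str, now=None) -> str:
    """Steps 2-3 (login + verification). Returns 'ok', 'denied' or 'locked'."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        # Spend the same effort for unknown usernames so that response time does not
        # reveal which accounts exist.
        _hash_password(password, b"\x00" * 16)
        return "denied"
    if now < record["locked_until"]:
        return "locked"
    candidate = _hash_password(password, record["salt"])
    # compare_digest takes the same time whether the values differ early or late.
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        # Temporary lockout throttles online brute-force guessing.
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0
    return "denied"
```
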

Biometric Authentication

Biometric authentication is a security method that uses unique physical or behavioral
characteristics of an individual to verify their identity. Instead of using passwords or tokens,
biometric authentication relies on factors that are inherently specific to each person, making
it a more secure and convenient way to confirm identity.

Here are some common types of biometric authentication:

1. Fingerprint Recognition: Analyzing the unique patterns of ridges and valleys on a
person's fingertip to verify their identity.

2. Facial Recognition: Using facial features and measurements to authenticate a
person's identity.

3. Iris or Retina Scan: Analyzing the intricate patterns of the iris or retina in the eye.

4. Voice Recognition: Verifying identity based on the unique vocal characteristics of a
person's voice.

5. Palm Print Recognition: Examining the unique patterns and characteristics of a
person's palm.

6. Behavioral Biometrics: Analyzing behaviors like typing patterns, gait, or even the
way a person holds a device.

Here's how biometric authentication typically works:

1. Enrollment: During registration, a user's biometric data is collected and converted
into a digital template that the system can recognize.

2. Authentication: When the user tries to access a system or service, they provide
their biometric data again. The system compares the newly provided data with the
stored template to verify identity.

Advantages of biometric authentication:

1. Uniqueness: Biometric traits are unique to each individual, making them difficult to
replicate.

2. Convenience: Users don't need to remember passwords or carry tokens; their
biometric data is always with them.

3. Security: Biometric data is harder to steal compared to passwords or tokens.

However, there are also challenges and concerns:

1. Privacy: Storing biometric data raises privacy concerns, as it's considered sensitive
personal information.

2. Accuracy: Biometric systems can sometimes produce false positives or negatives.

3. Spoofing: Some biometric methods can be spoofed using high-quality photos or
replicas of body parts.

4. Non-Revocability: Unlike passwords, you can't change your biometric traits if they're
compromised.

To address these concerns, it's important to implement robust security measures, protect
stored biometric data, and use biometric methods alongside other authentication factors in
multi-factor authentication (MFA) systems.

Token Based Authentication

Token-based authentication is a security method used to verify the identity of users
accessing a system, application, or service. Instead of relying solely on passwords,
token-based authentication involves the use of tokens, which are unique pieces of
information that serve as access credentials. These tokens are more secure than passwords
and enhance the overall security of the authentication process.

Here's how token-based authentication works:

1. Token Generation: When a user successfully logs in with their credentials (usually a
username and password), the system generates a token for that user. This token is a long
string of characters that serves as a digital representation of their identity.

2. Token Issuance: The token is then sent back to the user's device and stored securely. It
could be stored in a cookie, local storage, or a mobile app's memory.

3. Subsequent Requests: With each subsequent request to the system, the user includes
the token in the request headers. This token is sent along with the request to prove the
user's identity without needing to send the actual credentials (username and password) with
each request.

4. Token Verification: On the server-side, the received token is verified for authenticity and
validity. This might involve checking the token's expiration time, comparing it to the stored
tokens, and ensuring it hasn't been tampered with.

5. Access Granting: If the token is valid, the server grants the user access to the requested
resource or service. If the token is invalid, expired, or has been tampered with, the user's
request is denied.

Advantages of token-based authentication:

1. Enhanced Security: Tokens are more secure than passwords, reducing the risk of
password breaches.

2. Reduced Credential Exposure: Users don't need to send their credentials with each
request, minimizing the chance of interception.

3. Scalability: Tokens are self-contained, so they can be easily shared across different
services and systems.

4. Revocation: Tokens can be invalidated or revoked if necessary, enhancing control over
access.

Token-based authentication is commonly used in web applications and APIs to provide a
secure and efficient way for users to access resources without constantly revealing their
passwords. JSON Web Tokens (JWT) and OAuth are examples of popular token-based
authentication systems.
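
Steps 1, 4 and 5 of the token lifecycle above, plus the revocation advantage, as an added Python example (not code from the original text and not a JWT library): an HMAC-signed token in the same `payload.signature` shape a JWT uses, with signature, expiry and revocation checks in the order the verifier should apply them. The server key and token ids are constructed values for this example.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this example: one server-side signing key (constructed value) and an
# in-memory set of revoked token ids; both belong in protected server storage in practice.
SERVER_KEY = b"constructed-server-signing-key"
REVOKED_IDS = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> bytes:
    return hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).digest()


def issue_token(username: str, token_id: str, now: float, ttl_seconds: int = 3600) -> str:
    """Step 1: after the credential login succeeds, mint 'payload.signature'. The payload
    carries the subject, a unique id (used for revocation) and an expiry time."""
    payload = {"sub": username, "jti": token_id, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    return body + "." + _b64url(_sign(body))


def verify_token(token: str, now: float):
    """Step 4: return the payload dict if the token is acceptable, otherwise a string naming
    the reason: 'malformed', 'tampered', 'expired' or 'revoked'."""
    try:
        body, sig_text = token.split(".")
        sig = _unb64url(sig_text)
    except ValueError:            # wrong number of parts or invalid base64
        return "malformed"
    # Check the signature before trusting anything inside the body; constant-time compare.
    if not hmac.compare_digest(sig, _sign(body)):
        return "tampered"
    payload = json.loads(_unb64url(body))
    if now >= payload["exp"]:
        return "expired"
    if payload["jti"] in REVOKED_IDS:
        return "revoked"
    return payload


def revoke_token(token_id: str) -> None:
    """Revocation: invalidate one token before its expiry (on logout or suspected theft)."""
    REVOKED_IDS.add(token_id)
```

A stolen token still works until it expires or is revoked, which is why step 5 (denying on any failed check) matters as much as the short lifetime chosen in step 1.
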

Single Factor Authentication

Single-factor authentication (SFA) is a basic method of verifying a user's identity by requiring
them to provide only one type of authentication factor. This factor is typically something that
the user knows, such as a password, PIN, or a personal question. While it's a straightforward
approach, it's considered less secure compared to multi-factor authentication (MFA) because
it relies solely on one piece of information that the user possesses.

Here's how single-factor authentication works:

1. User Identification: The user provides a unique identifier like a username or email.

2. Authentication Factor: The user provides a single authentication factor, usually a
password or a PIN.

3. Verification: The system compares the provided factor (password or PIN) to the
stored one. If they match, the user is granted access.

Advantages of single-factor authentication:

1. Simplicity: It's easy for users to understand and use.

2. Ease of Implementation: Single-factor authentication is relatively simple to set up.

However, there are several significant drawbacks:

1. Security Risks: If the authentication factor (password or PIN) is compromised,
unauthorized access can occur.

2. Password Weakness: Users might choose weak passwords that are easy to guess
or crack.

3. Password Reuse: Users might reuse the same password across multiple services,
amplifying risk.

4. Phishing and Social Engineering: Attackers can trick users into revealing their
password through phishing attacks or by impersonating the service provider.

Due to the limitations and security risks associated with single-factor authentication, many
organizations are adopting multi-factor authentication (MFA) or other advanced
authentication methods to enhance security and better protect user accounts and data.

Multi Factor Authentication

Multi-factor authentication (MFA), of which two-factor authentication (2FA) is the most
common form, is a security method that requires users to provide multiple forms of
authentication before they can access a system, application, or service. MFA adds an extra
layer of security by combining different types of authentication factors, making it significantly
harder for unauthorized individuals to gain access.

MFA typically involves three categories of authentication factors:

1. Something You Know: This is something only the user knows, like a password or a
PIN.

2. Something You Have: This involves a physical item the user possesses, such as a
smartphone, a hardware token, or a smart card.

3. Something You Are: This refers to biometric characteristics unique to the user, such
as fingerprints, facial scans, or voice recognition.

Here's how MFA works:

1. User Identification: The user provides their username or email as an identifier.

2. Authentication Factors: The user is required to provide multiple authentication
factors from different categories. For example, they might enter a password
(something they know) and then receive a temporary code on their smartphone
(something they have).

3. Verification: The system checks each authentication factor to ensure they match the
stored values. If all factors are verified, the user is granted access.
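
The password-plus-smartphone-code flow in steps 1 to 3, as an added Python example that is not part of the original text. The smartphone code is the TOTP (RFC 6238) that authenticator apps generate, so the block implements HOTP/TOTP from scratch and then verifies both factors together; the user record, the PBKDF2 password hash and the use of the RFC 6238 test-vector secret are constructed assumptions for this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the code for the current period and +/- `skew` periods, tolerating clock
    drift between the phone and the server. Length is checked first so a short or
    empty submission cannot match a truncated code."""
    if len(code) != digits or not code.isdigit():
        return False
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(max(counter - skew, 0), counter + skew + 1))


# Constructed user record. The knowledge factor is stored as a PBKDF2 hash; the possession
# factor is the TOTP secret shared with the user's authenticator app at enrollment
# (the RFC 6238 test-vector secret is used so the codes can be checked against the RFC).
PW_SALT = b"constructed-salt"
USER = {
    "name": "alice",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", PW_SALT, 100_000),
    "totp_secret": b"12345678901234567890",
}


def mfa_login(username: str, password: str, code: str, at_time: float) -> str:
    """Steps 1-3: identify the user, collect both factors, verify each; 'ok' only if all pass."""
    if username != USER["name"]:
        return "denied"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), PW_SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, USER["pw_hash"])
    code_ok = verify_totp(USER["totp_secret"], code, at_time)
    # Both factors are evaluated before answering, so the response does not reveal which one failed.
    return "ok" if password_ok and code_ok else "denied"
```
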

Advantages of multi-factor authentication:

1. Enhanced Security: MFA significantly reduces the risk of unauthorized access, as
an attacker would need to compromise multiple factors.

2. Reduced Impact of Credential Theft: Even if one authentication factor is
compromised, the other factors provide an additional layer of protection.

3. Compliance: MFA is often required to meet regulatory compliance standards.

4. Improved User Confidence: Users feel more secure knowing their accounts are
protected by multiple layers of authentication.

However, there are challenges:

1. User Experience: MFA can add extra steps to the login process, which might be
perceived as less convenient.

2. Implementation Complexity: Implementing MFA might require changes to systems
and applications.

3. Lost or Forgotten Factors: If a user loses their authentication device or forgets their
password, accessing their account might become difficult.

Despite these challenges, the benefits of increased security outweigh the inconveniences.
Many services and organizations encourage or require users to enable MFA to better protect
their accounts and sensitive information.

Security Issues for User Authentication

User authentication is a critical component of cybersecurity, but it's also vulnerable to various
security issues that attackers may exploit. Some common security issues related to user
authentication include:

1. Password Weakness: Weak passwords, such as those that are short, simple, or
easily guessable, can be easily cracked through brute-force attacks or dictionary
attacks.

2. Password Reuse: Users often reuse passwords across multiple accounts, making
them vulnerable to attacks if one account is compromised.

3. Phishing: Attackers use phishing emails to trick users into revealing their passwords
or other authentication credentials.

4. Credential Stuffing: Attackers use stolen username-password pairs from one site to
attempt unauthorized access on other sites where the user has the same credentials.

5. Brute-Force Attacks: Attackers use automated tools to try a large number of
possible passwords until they find the correct one.

6. Keyloggers: Malware or malicious software can record keystrokes, capturing
passwords and other sensitive information as users type.

7. Session Hijacking: Attackers steal an active session's token or cookie to gain
unauthorized access to an account.

8. Man-in-the-Middle (MitM) Attacks: Attackers intercept communication between
users and the authentication server to capture login credentials.

9. Account Lockout Manipulation: Attackers attempt to lock user accounts through
multiple failed login attempts, causing denial of service.

10. Biometric Spoofing: For biometric authentication, attackers might use photos, voice
recordings, or other means to impersonate the user's biometric traits.

11. Inadequate Multi-Factor Authentication (MFA): If MFA implementation is weak or
bypassable, attackers can overcome the additional layer of security.

12. Insider Threats: Employees or insiders with malicious intent can misuse their
privileges to gain unauthorized access.

13. Weak Security Questions: Poorly chosen security questions can be guessed or
researched, allowing attackers to reset passwords.

14. Outdated or Unpatched Software: Vulnerabilities in authentication software can be
exploited by attackers to gain unauthorized access.

To address these security issues, organizations should implement best practices:

1. Encourage strong password practices, such as longer and complex passwords.
2. Enforce password policies and regular password updates.
3. Implement multi-factor authentication (MFA) for an additional layer of security.
4. Train users to recognize phishing attempts and other social engineering attacks.
5. Regularly update and patch authentication systems to fix vulnerabilities.
6. Monitor and analyze user activity to detect anomalies and potential attacks.

Overall, a comprehensive approach that combines strong authentication methods, user
education, and vigilant monitoring is essential to mitigate these security issues and protect
user authentication.
