To access resources on a network, a user must prove who they are and that they have permissions to access the resources. This process consists of the following:
- Identification is the initial process of confirming the identity of a user requesting credentials and occurs when a user types in a user ID to log on. Identity proofing occurs during the identification phase as the user proves that they are who they say they are in order to obtain credentials. If a person has previously been identified, but cannot provide their assigned authentication credentials (such as a lost password), then identity proofing is called upon again.
- Authentication is the verification of the issued identification credentials. It is usually the second step in the identification process, and establishes the user's identity, ensuring that users are who they say they are.
The three ways a user can prove identity to an authentication server are:
- Type 1 (something you know): Something you know authentication requires you to provide a password or some other data that you know. This is the weakest type of authentication. Examples of something you know authentication controls are:

  Note: Usernames are not a form of Type 1 authentication. Usernames are often easy to discover or guess. Only the passwords or other information associated with the usernames can be used to validate identity.
- Type 2 (something you have): Something you have (also called token-based authentication) is authentication based on something a user has in their possession. Examples of something you have authentication controls are:

  Smart cards typically use certificates for identification and authentication. With certificates, the digital document is associated with a user in one of the following ways:

  Digital certificates require the implementation of a PKI, which has high administrative overhead.
- Type 3 (something you are): Something you are authentication uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological attribute. This is the most expensive and least accepted type, but it is generally considered to be the most secure form of authentication.

  Common attributes used for biometric systems are:

  Biometric systems include multiple scans of the biological attribute. Scans are then translated into a numeric constellation map of critical points. That mathematical representation is bound to a digital certificate that links to the subject's user account in the user database. Most biometric systems require implementation of a PKI system.
You should be aware of the following terms used to measure the effectiveness of authentication solutions:
| Term | Description |
|---|---|
| False negative | A false negative (or Type I error) occurs when a person who should be allowed access is denied access. The False Rejection Rate (FRR) is a measure of the probability that a false negative will occur. |
| False positive | A false positive (or Type II error) occurs when a person who should be denied access is allowed access. The False Acceptance Rate (FAR) is a measure of the probability that a false positive will occur. False positives are more serious than false negatives and represent a security breach because unauthorized persons are allowed access. |
| Crossover error rate | The crossover error rate, also called the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system. Select the system with the lowest crossover error rate within your budget. |
| Processing rate | The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated. An acceptable rate is 10 subjects per minute or above. |
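The FAR, FRR and crossover (equal error) rate in the table above depend on where the biometric system's match threshold is set. The following added example (not part of the original material) sweeps a threshold over constructed genuine and impostor match scores, computes FAR and FRR at each setting, and locates the crossover point; the scores and the 0.0 to 1.0 similarity scale are assumptions for illustration.

```python
"""Sweep a biometric match-score threshold and report FAR, FRR and the crossover point.

Added example. Scores are constructed: higher means the live sample is a
closer match to the enrolled template. A sample is accepted when its score
is at or above the threshold.
"""
from dataclasses import dataclass

# Constructed sample data (hypothetical): similarity scores from genuine users
# presenting their own biometric, and from impostors presenting someone else's.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.79, 0.75, 0.70, 0.66, 0.61, 0.58, 0.52]
IMPOSTOR_SCORES = [0.64, 0.59, 0.55, 0.48, 0.44, 0.40, 0.37, 0.31, 0.25, 0.18]


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    far: float  # False Acceptance Rate: impostors accepted / impostor attempts
    frr: float  # False Rejection Rate: genuine users rejected / genuine attempts


def error_rates(threshold, genuine, impostor):
    """FAR and FRR for one threshold setting."""
    false_accepts = sum(1 for s in impostor if s >= threshold)  # false positives
    false_rejects = sum(1 for s in genuine if s < threshold)    # false negatives
    return ErrorRates(threshold, false_accepts / len(impostor), false_rejects / len(genuine))


def sweep(genuine, impostor, steps=100):
    """Evaluate every threshold from 0.0 to 1.0 inclusive, in 1/steps increments."""
    return [error_rates(i / steps, genuine, impostor) for i in range(steps + 1)]


def crossover(rates):
    """The setting where FAR and FRR are closest: the crossover / equal error rate."""
    return min(rates, key=lambda r: abs(r.far - r.frr))


if __name__ == "__main__":
    rates = sweep(GENUINE_SCORES, IMPOSTOR_SCORES)
    for r in rates[40:90:10]:
        print(f"threshold={r.threshold:.2f}  FAR={r.far:.2f}  FRR={r.frr:.2f}")
    cer = crossover(rates)
    print(f"crossover at threshold={cer.threshold:.2f}, FAR=FRR={cer.far:.2f}")
    # Setting the sensitivity high (strict threshold) drives FAR to zero but rejects
    # most genuine users, which is the false-negative problem described in the text.
    strict = error_rates(0.80, GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"strict threshold=0.80  FAR={strict.far:.2f}  FRR={strict.frr:.2f}")
```

With the constructed scores, FAR and FRR meet at a threshold of 0.59 (both 20%), while raising the threshold to 0.80 eliminates false acceptances at the cost of rejecting 70% of genuine attempts.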
To increase security, you can use a combination of authentication methods as described in these options:
| Method | Description | Example |
|---|---|---|
| Two-factor, three-factor, or multi-factor | Requires two (or more) different authentication types to be deployed. | To enter a secured building, you must insert your key card (Type 2) and undergo a retina scan (Type 3). |
| Strong | Requires two or more methods, but they can be of the same type. | To log on to an online banking system, you enter your username, password, and then must answer a random personal question (such as your birthplace or mother's maiden name). |
| One-factor | Uses credentials of only one type, but may require multiple methods within the same type. | To log in, you supply a username and a password (the username is not used for authentication, so the only credential supplied for authentication is the password). To log in, you supply a username, PIN, and a pass phrase (all credentials are of the same type). |
| Mutual | Requires that both parties authenticate with each other before beginning communications. | To log in, your computer sends its digital certificate to prove its identity to a network server. The server then proves its identity to your computer before they will exchange messages. |
If you are considering implementing biometrics, keep in mind the following:
- Some biometric factors are unique even between identical twins.
- When a biometric is used by itself, it is no more secure than a strong password. A single successful attack can subvert a biometric in much the same way that a single successful attack can subvert a password.
- Biometric attacks need not be physical harm based (such as cutting off a finger), but can include a wide variety of realistic reproductions that fool the biometric reader device.
- The most important consideration for a biometric device is accuracy.
- When a biometric device has its sensitivity set too high, it will result in numerous false negative rejections (i.e., when authorized users are not recognized and therefore rejected).
- To use a biometric, new users must go through a physical enrollment process that is more complex and time consuming than the enrollment process for a password-only system.
- Biometric enrollment requires the new users to prove their identity to a user administrator. The new user must then provide the first example of their biometric to a reader device under the supervision of the user administrator. This first example is digitized and stored as a reference template. All future uses of the biometric will compare the contemporary biometric sample offered to the historical recorded template.