To access resources on a network, a user must first establish who they are, and only then is the system able to decide whether they have permission to access the resources (authorization). Establishing who the user is consists of the following:

  • Identification is the act of claiming an identity, and occurs when a user types in a user ID to log on. Identity proofing is a separate step that takes place before credentials are issued: the user proves that they are who they say they are in order to obtain credentials. If a person has previously been identified but can no longer provide their assigned authentication credentials (such as a lost password), identity proofing is called upon again before replacement credentials are issued.
  • Authentication is the verification of the claimed identity using the issued credentials. It is usually the second step in the logon process and confirms that users are who they say they are.

The three ways a user can prove identity to an authentication server are:

Type 1: Something you know
Something you know authentication requires you to provide a password or some other data that you know. Because such data can be guessed, observed, phished, or shared without the owner noticing, this is the weakest type of authentication. Examples of something you know authentication controls are:
  • Passwords, codes, or IDs
  • PINs
  • Pass phrases (long, sentence-length passwords)
  • Cognitive information such as questions that only the user is supposed to be able to answer (in practice the answers are often discoverable from public records or social media), including:
    • Your mother's maiden name
    • The model or color of your first car
    • The city where you were born
  • Composition passwords, which are created by the system and are usually two or more unrelated words divided by symbols on the keyboard

Note: Usernames are not a form of Type 1 authentication. Usernames are often easy to discover or guess. Only the passwords or other information associated with the usernames can be used to validate identity.

Type 2: Something you have
Something you have (also called token-based authentication) is authentication based on something a user has in their possession. Examples of something you have authentication controls are:
  • Swipe cards (similar to credit cards) with authentication information stored on the magnetic stripe. The stripe holds static data and is easily copied, so a swipe card on its own is weak proof of possession.
  • Photo IDs are very useful when combined with other forms of authentication, but are high risk if they are the only form of required authentication. Photo IDs are easily manipulated or reproduced, require personnel for verification, and cannot be verified against a system.
  • Smart cards contain a chip that holds authentication information (keys, certificates, identification codes) in protected memory. Smart cards can:
    • Require contact (the card is inserted into a reader) or be contactless.
    • Contain microprocessor chips with the ability to add, delete, and manipulate data on the card.
    • Store digital signatures, cryptographic keys, and identification codes.
    • Use a private key for authentication to log a user into a network. The private key is generated on, and never leaves, the card; the card uses it to digitally sign a challenge from the server, and the server checks the signature against the public key in the user's certificate.
    • Be based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in.
Types of token-based authentication are:
  • Using a static password, the password is stored on the token device. Swiping or presenting the token supplies the password for authentication; anyone who copies the token's contents can replay it.
  • A synchronous dynamic password generates a new password at fixed time intervals on the hardware token; the token and the authentication server share a secret and must keep their clocks in sync. Users must read the generated password and enter it along with the PIN to gain access.
  • An asynchronous dynamic password generates a new password based on an event, such as pressing a key; the token and the server each keep an event counter, and the server tolerates a small look-ahead window in case the token's counter has advanced further than the server's.
  • A challenge-response password generates a random challenge string. The challenge text is entered into the token, along with the PIN. The token then uses both to generate a response used for authentication; because each challenge is fresh, a captured response cannot be replayed.
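
The following is an added example, not code from the original page: it implements the synchronous (time-based) and asynchronous (event-based) dynamic passwords described above, plus a simple challenge-response token of the kind described for smart cards and challenge-response tokens, using only the Python standard library. The HOTP and TOTP functions follow RFC 4226 and RFC 6238, and the secret is the RFC test-vector secret; the challenge-response construction, the PIN handling, and the server-side window sizes are illustrative assumptions, not a specific vendor algorithm.

```python
# Added example (not from the original page): event-based (HOTP, RFC 4226),
# time-based (TOTP, RFC 6238) and challenge-response one-time passwords,
# with the server-side checks a practitioner needs (clock skew, counter
# look-ahead, constant-time comparison). Standard library only.
import hashlib
import hmac
import struct
import time

# Shared secret provisioned into the token at enrollment. This is the
# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Asynchronous (event-based) OTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Synchronous (time-based) OTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def challenge_response(secret: bytes, challenge: bytes, pin: str, digits: int = 8) -> str:
    """Challenge-response token (illustrative construction, assumed here):
    the response is a truncated HMAC over the server's challenge and the user's PIN."""
    digest = hmac.new(secret, challenge + pin.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Server-side TOTP check tolerating +/- `skew` steps of clock drift.
    hmac.compare_digest avoids leaking the match position through timing."""
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * step, step), candidate):
            return True
    return False


def verify_hotp(secret: bytes, candidate: str, last_counter: int, look_ahead: int = 5):
    """Server-side HOTP check with a look-ahead window: the token's counter may
    have advanced (button pressed without logging in). Returns the counter to
    store on success so the same code can never be accepted twice, else None."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c
    return None


if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(TEST_SECRET, c) for c in range(3)])
    print("TOTP (RFC 6238 vector, t=59):", totp(TEST_SECRET, 59, digits=8))
    print("TOTP now:", totp(TEST_SECRET, int(time.time())))
    print("Challenge-response:", challenge_response(TEST_SECRET, b"493810", "1234"))
```

The HOTP values for counters 0, 1 and 2 should be 755224, 287082 and 359152 (the RFC 4226 test vectors), and the 8-digit TOTP at t=59 should be 94287082 (RFC 6238). Note what `verify_hotp` returns: the server must persist the new counter, otherwise the event-based token degrades into a replayable static password.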

Smart cards typically use certificates for identification and authentication. With certificates, the digital document is associated with a user in one of the following ways:

  • With a one-to-one mapping, each certificate maps to an individual user account (each user has a unique certificate).
  • With many-to-one mapping, a certificate maps to many user accounts (a group of users share the same certificate).

Digital certificates require the implementation of a PKI, which has high administrative overhead.

Type 3: Something you are
Something you are authentication uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological or behavioral attribute. This is the most expensive and least accepted of the three types, but is generally considered to be the most secure, because the attribute cannot be forgotten, lent to another person, or guessed the way a password can.

Common attributes used for biometric systems are:

  • Fingerprints (ridge endings and bifurcations, known as minutiae)
  • Hand topology (side view) or geometry (top down view)
  • Palm scans (pattern, including fingerprints)
  • Retina scans (pattern of blood vessels at the back of the eye)
  • Iris scans (the pattern of the iris, not merely its color)
  • Facial scans (pattern)
  • Voice recognition
  • Handwriting dynamics
  • Keyboard or keystroke dynamics (behavioral biometric systems)
    • Dwell time (key press time)
    • Flight time (how fingers move from key to key)
When implementing a biometric system, the attribute that is used for authentication must meet the following criteria:
  • Universality means that all individuals possess the attribute.
  • Uniqueness means that the attribute is different for each individual.
  • Permanence means that the attribute persists and does not change appreciably over time.
  • Collectability ensures that the attribute can be measured easily.
  • Performance means that the attribute can be measured accurately and quickly with the available technology.
  • Circumvention measures how easily the attribute can be imitated with an artifact or substitute (a molded finger, a photograph, a voice recording); a usable attribute must be hard to circumvent.
  • Acceptability identifies the degree to which the technology is accepted by users and management.

Biometric systems take multiple scans of the attribute during enrollment. The scans are translated into a numeric map of critical points (for a fingerprint, the minutiae), and that mathematical representation is stored as a reference template linked to the subject's user account in the user database. Some deployments bind the template to a digital certificate, in which case a PKI is required as well. The template store must be protected like any other credential store, because a stolen biometric cannot be reissued the way a password can.

You should be aware of the following terms used to measure the effectiveness of authentication solutions:

False negative (Type I error)
A false negative occurs when a person who should be allowed access is denied access. The False Rejection Rate (FRR) is the probability that a false negative will occur.

False positive (Type II error)
A false positive occurs when a person who should be denied access is allowed access. The False Acceptance Rate (FAR) is the probability that a false positive will occur. False positives are more serious than false negatives and represent a security breach because unauthorized persons are allowed access.

Crossover error rate (CER)
The crossover error rate, also called the equal error rate (EER), is the sensitivity setting at which the false acceptance rate equals the false rejection rate; the CER is the error rate at that point. A lower CER means a more accurate device, so select the system with the lowest crossover error rate within your budget.

Processing rate
The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated in a given time. An acceptable rate is 10 subjects per minute or above.
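
An added example, not from the original page, of how FRR, FAR and the crossover error rate are actually derived from a matcher's output. The genuine and impostor score lists are constructed for illustration (a real evaluation uses scores from an enrolled population), and the 0-100 similarity scale and the acceptance rule "score >= threshold" are assumptions of this example.

```python
# Added example (not from the original page): FRR, FAR and crossover error
# rate computed from matcher scores, and choosing an operating threshold.

# Constructed similarity scores on a 0-100 scale; higher means the presented
# sample looks more like the enrolled template.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]    # authorized users vs. own template
IMPOSTOR_SCORES = [12, 20, 28, 35, 41, 47, 55, 62, 68, 75]   # other people vs. that template


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) when a sample is accepted if and only if score >= threshold.

    FRR (Type I)  = share of genuine samples wrongly rejected  (false negatives)
    FAR (Type II) = share of impostor samples wrongly accepted (false positives)
    Raising the threshold (higher sensitivity) lowers FAR and raises FRR.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine, impostor):
    """Sweep every threshold and return (threshold, CER) at the point where FRR
    and FAR are closest to equal. The CER is their common value there; lower is
    better, and it is the single number normally used to compare devices."""
    best_t, best_cer, best_gap = None, None, None
    for t in range(0, 101):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_cer, best_gap = t, (frr + far) / 2, gap
    return best_t, best_cer


def threshold_for_max_far(genuine, impostor, max_far):
    """Pick the lowest threshold whose FAR does not exceed max_far (e.g. 0.0 for a
    data-center door) and report the FRR the users will have to live with.
    t=101 rejects everything, so the loop always terminates with FAR = 0."""
    for t in range(0, 102):
        frr, far = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return 101, 1.0


if __name__ == "__main__":
    for t in (30, 67, 90):
        frr, far = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:3d}: FRR={frr:.1f} FAR={far:.1f}")
    print("crossover (threshold, CER):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 0 policy (threshold, FRR):", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

With these scores the crossover sits at threshold 67 with a CER of 0.2, while a zero-FAR policy forces threshold 76 and rejects 40% of legitimate attempts; that is the trade-off behind the "sensitivity set too high" remark later on this page.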

To increase security, you can use a combination of authentication methods as described in these options:

Two-factor, three-factor, or multi-factor
Requires two (or more) different authentication types (factors) to be deployed. Example: to enter a secured building, you must insert your key card (Type 2) and undergo a retina scan (Type 3).

Strong
Requires two or more methods, but they can be of the same type. Example: to log on to an online banking system, you enter your username and password, and then must answer a random personal question (such as your birthplace or mother's maiden name). Note that this example combines two Type 1 credentials, so it is still single-factor: both can be obtained by the same phishing or data-breach attack, and it does not meet the definition of multi-factor authentication used by most current standards.

One-factor
Uses credentials of only one type, but may require multiple methods within the same type. Examples: to log in, you supply a username and a password (the username is not used for authentication, so the only credential supplied for authentication is the password); or, to log in, you supply a username, PIN, and pass phrase (all credentials are of the same type).

Mutual
Requires that both parties authenticate with each other before beginning communications. Example: to log in, your computer sends its digital certificate to prove its identity to a network server. The server then proves its identity to your computer before they will exchange messages. Mutual authentication protects the client from a rogue server that would otherwise harvest its credentials.
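
An added example, not from the original page, of the mutual exchange in the last row above, implemented with a pre-shared key rather than certificates so that it runs with the Python standard library alone. The three-message layout, the identities "alice" and "fileserver", the nonce sizes and the key are constructed for illustration and do not correspond to a named protocol; the point it shows is that each side checks the other before trusting it, and why both identities and both nonces go into each proof.

```python
# Added example (not from the original page): mutual challenge-response
# authentication over a pre-shared key, with both sides' messages shown.
import hashlib
import hmac
import secrets

# Constructed pre-shared key, known only to the legitimate client and server.
SHARED_KEY = b"constructed-shared-key-for-demo-only"


def prove(key: bytes, prover: str, verifier: str,
          prover_nonce: bytes, verifier_nonce: bytes) -> bytes:
    """Proof of key possession bound to both identities and both nonces, so a
    proof captured in one direction cannot be replayed later or reflected back
    to its own author as the other party's proof."""
    msg = b"|".join([prover.encode(), verifier.encode(), prover_nonce, verifier_nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()


def client_hello(client_id: str):
    """Message 1 (client -> server): client identity and a fresh client nonce."""
    return client_id, secrets.token_bytes(16)


def server_respond(key: bytes, server_id: str, client_id: str, client_nonce: bytes):
    """Message 2 (server -> client): server identity, server nonce, server proof.
    The server proves itself first, so the client reveals nothing to an impostor."""
    server_nonce = secrets.token_bytes(16)
    proof = prove(key, server_id, client_id, server_nonce, client_nonce)
    return server_id, server_nonce, proof


def client_verify_and_respond(key: bytes, client_id: str, client_nonce: bytes,
                              server_id: str, server_nonce: bytes, server_proof: bytes):
    """Client side: check the server's proof; on success return message 3
    (the client's own proof), otherwise None and abort."""
    expected = prove(key, server_id, client_id, server_nonce, client_nonce)
    if not hmac.compare_digest(expected, server_proof):
        return None
    return prove(key, client_id, server_id, client_nonce, server_nonce)


def server_verify(key: bytes, server_id: str, client_id: str, client_nonce: bytes,
                  server_nonce: bytes, client_proof: bytes) -> bool:
    """Server side: check message 3 against the client it has been talking to."""
    expected = prove(key, client_id, server_id, client_nonce, server_nonce)
    return hmac.compare_digest(expected, client_proof)


def mutual_authenticate(client_key: bytes, server_key: bytes,
                        client_id: str = "alice", server_id: str = "fileserver") -> str:
    """Run the three-message exchange end to end; each side uses only its own key."""
    cid, cn = client_hello(client_id)
    sid, sn, sproof = server_respond(server_key, server_id, cid, cn)
    cproof = client_verify_and_respond(client_key, cid, cn, sid, sn, sproof)
    if cproof is None:
        return "client rejected server"
    if not server_verify(server_key, sid, cid, cn, sn, cproof):
        return "server rejected client"
    return "mutually authenticated"


if __name__ == "__main__":
    print(mutual_authenticate(SHARED_KEY, SHARED_KEY))          # mutually authenticated
    print(mutual_authenticate(SHARED_KEY, b"rogue-server-key"))  # client rejected server
```

Because the server's proof and the client's proof are computed over the identities in opposite order, the server's own message 2 cannot be handed back to it as a valid message 3, which is the reflection attack a naive "HMAC over the nonce" design would allow.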

If you are considering implementing biometrics, keep in mind the following:

  • Some biometric factors are unique even between identical twins.
  • When a biometric is used by itself, it is no more secure than a strong password. A single successful attack can subvert a biometric in much the same way that a single successful attack can subvert a password.
  • Biometric attacks need not be physical harm based (such as cutting off a finger), but can include a wide variety of realistic reproductions that fool the biometric reader device.
  • The most important consideration for a biometric device is accuracy.
  • When a biometric device has its sensitivity set too high, it will produce numerous false negatives (authorized users are not recognized and therefore rejected); set too low, it will produce false positives (impostors are accepted). Tuning the threshold trades one error against the other.
  • To use a biometric, new users must go through a physical enrollment process that is more complex and time consuming than the enrollment process for a password-only based system.
  • Biometric enrollment requires the new users to prove their identity to a user administrator. The new user must then provide the first example of their biometric to a reader device under the supervision of the user administrator. This first example is digitized and stored as a reference template. All future uses of the biometric compare the sample offered at that moment against the stored reference template.