Controlling access to information systems requires two distinct activities: determining the identity of the end user (the identification phase) and proving that the end user is who he or she claims to be (the authentication phase).
In most cases, identification is very straightforward: Information systems simply ask the user to provide his or her identity in the form of a unique user name. Security is added to the process through the authentication phase, when the user is asked to provide proof of the claimed identity.
Authentication techniques rely on a variety of mechanisms to prove claims of identity, but all of these techniques may be grouped into three categories:
- Something the user knows: This authentication mechanism relies on secret information that only the user and the authentication system know. The most common implementation of this approach is the secret password. Other examples of knowledge-based authentication include PINs, pass phrases and the answers to challenge questions (for example, “What is your mother’s maiden name?”).
- Something the user has: In this approach, the authentication mechanism verifies that the user possesses something that proves identity. This often involves a token that requires the user to press a button to receive a code to be entered into the authentication system. The system will use a mathematical algorithm to validate that the code came from the user’s token, establishing possession. Other examples of devices that this authentication approach might use include smart cards and physical keys.
- Something the user is: Biometric authentication relies on a physical characteristic of the user to verify his or her identity. These mechanisms measure some unique trait, such as fingerprints, hand geometry, palm veins, facial patterns or iris/retinal patterns. The system compares the characteristics of the user seeking access with information stored in the authentication database to determine whether the identity claim is legitimate.
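As an added example that is not part of the white paper, the code below shows one concrete form of the "mathematical algorithm" a server can use to check that a submitted code came from the user's token: the HMAC-based one-time password of RFC 4226 (HOTP). The shared secret is the RFC's published test vector, the look-ahead window size is an assumption, and the server-side counter bookkeeping is the part that turns a correct code into evidence of possession while rejecting replays.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 5):
    """Server-side check. Returns the counter that produced `submitted`
    if it lies in (last_counter, last_counter + look_ahead], else None.
    Codes at or below last_counter are never accepted again (replay)."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        # Constant-time comparison so timing does not leak partial matches.
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo: RFC 4226 test secret, server has seen counter 0.
    secret = b"12345678901234567890"
    server_counter = 0
    code = hotp(secret, 3)           # the token was pressed three times
    hit = verify_hotp(secret, code, server_counter)
    if hit is not None:
        server_counter = hit         # advance so the code cannot be replayed
    print("accepted at counter", hit, "replay ok?",
          verify_hotp(secret, code, server_counter) is not None)
```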
Each type of authentication mechanism has its advantages and drawbacks. Knowledge-based authentication mechanisms are inexpensive, easy to implement and familiar to end users. However, if an attacker is able to learn the password or other secret information used to verify a user’s identity, there is no way for the system to distinguish the impostor from the legitimate user.
This is an excerpt from our Two Factor Authentication white paper. Download the PDF to read more.