Authentication

Let's try explaining what Authentication means in the information security domain.

Authentication is about identity validation: it is the process of determining whether a user or entity is who it claims to be. The typical example is the login credentials entered to sign in to a site or portal.

Authentication factors can be classified into the following three types.

1. Something you know
2. Something you have
3. Something you are


1. Something you know.
This is knowledge-based authentication. The typical example is the username/password pair we use every day to log in to a site. It is the most widely used technique.

Examples:
Passwords, PIN numbers.




Advantages:
1. Simple mechanism and easy to implement.



Drawbacks:
1. People tend to forget passwords.

2. Easy to crack. Brute-force and dictionary attacks are common, and a password obtained from one site is often reused on others.

"A password that is easy to remember is generally also easy for an attacker to guess."


Prevention mechanisms:
CAPTCHA, rate limiting and a forced lock-out after a number of failed attempts slow down online guessing attacks. (A lock-out can itself be abused to deny a user access, so a temporary lock is preferable to a permanent one.)
One-Time Passwords (OTP) remove the value of a guessed or stolen static password. Storing passwords only as salted, slow hashes limits offline cracking if the password database leaks.
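The counter-measures above in working code, as an added example that is not part of the original post. It assumes passwords are stored as salted PBKDF2 hashes and that an account is temporarily locked after a configurable number of consecutive failures; the user, password and word list are constructed for the demo. The same online dictionary attack is run against a server without and with the lock-out, so you can see the lock-out stop it.

```python
# Added example (not from the original post): a password login that applies the
# counter-measures above. Assumptions: passwords are stored as salted PBKDF2
# hashes, and an account is temporarily locked after `max_failures` consecutive
# bad guesses. The user, password and word list are constructed for the demo.
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 50_000   # kept low for the demo; production uses more


def hash_password(password, salt=None):
    """Return (salt, digest). A salted, slow hash makes each guess cost real CPU."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Authenticator:
    def __init__(self, max_failures=5, lockout_seconds=900, now=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._now = now        # injectable clock so lock-out expiry can be shown
        self._users = {}       # username -> salt, hash, failure counter, lock expiry

    def register(self, username, password):
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest,
                                 "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return 'ok', 'bad_credentials' or 'locked'."""
        user = self._users.get(username)
        if user is None:
            hash_password(password)   # same cost as a real user: no username oracle
            return "bad_credentials"
        if self._now() < user["locked_until"]:
            return "locked"           # refused without even checking the password
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["hash"]):
            user["failures"] = 0      # success resets the counter
            return "ok"
        user["failures"] += 1
        if user["failures"] >= self.max_failures:
            user["locked_until"] = self._now() + self.lockout_seconds
            user["failures"] = 0
        return "bad_credentials"


def dictionary_attack(auth, username, wordlist):
    """Online dictionary attack. Returns (cracked_password, attempts, refused_as_locked)."""
    attempts = locked = 0
    for guess in wordlist:
        attempts += 1
        result = auth.login(username, guess)
        if result == "ok":
            return guess, attempts, locked
        if result == "locked":
            locked += 1
    return None, attempts, locked


def demo():
    """Run the same attack against a server without and with lock-out."""
    # Constructed word list; the victim's (weak) password is the 8th entry.
    wordlist = ["123456", "password", "qwerty", "letmein", "welcome",
                "admin", "monkey", "sunshine", "dragon", "football"]
    results = {}
    for label, max_failures in (("without_lockout", 10**9), ("with_lockout", 5)):
        # Frozen clock: the lock-out never expires during the attack.
        auth = Authenticator(max_failures=max_failures, now=lambda: 1000.0)
        auth.register("alice", "sunshine")
        results[label] = dictionary_attack(auth, "alice", wordlist)
    return results


def lockout_expires():
    """After lockout_seconds the account accepts the right password again."""
    clock = {"t": 0.0}
    auth = Authenticator(max_failures=3, lockout_seconds=60, now=lambda: clock["t"])
    auth.register("bob", "correct horse")
    for _ in range(3):
        auth.login("bob", "wrong")
    during = auth.login("bob", "correct horse")   # 'locked'
    clock["t"] = 61.0
    after = auth.login("bob", "correct horse")    # 'ok'
    return during, after


if __name__ == "__main__":
    print(demo())
    print(lockout_expires())
```

Without the lock-out the attack recovers the password on its 8th guess; with five failures allowed, the sixth and later guesses are refused as "locked" without the password even being checked, and the account comes back on its own once the lock expires. Returning a fixed "locked" answer before the hash is computed is deliberate: it keeps the attacker from using response time to tell a locked account from a wrong guess.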




2. Something you have.
This is ownership-based authentication: it relies on something the principal (the authenticating entity) possesses.
An access card swiped at the entry and exit doors is a typical use case for ownership-based authentication.
An attacker must obtain or clone the token in order to break this kind of authentication.

Examples:
1. Magnetic stripe cards (credit cards/ATM cards). The stripe holds static data that a skimmer can copy, so it is only as strong as the second factor behind it.
2. Smart cards (challenge/response cards and cryptographic calculators). These prove possession by computing a response to a fresh challenge with a secret that never leaves the card.



3. Something you are.

This is based on physiological or behavioral characteristics to verify the identity of an individual.
Each individual's biometric data is assumed to be unique, and these behavioral or physiological characteristics are used to distinguish an authorized person from an unauthorized one.

Examples:
1. Biometrics include fingerprints, retina scans, voice, face, hand geometry, and so on.

Advantages:
Hardest to break, since the characteristic cannot be forgotten, guessed or handed over.

Disadvantages:
Cost and availability.
Matching is probabilistic: every device has a false acceptance rate (an impostor is accepted) and a false rejection rate (the legitimate user is refused), and tuning one down pushes the other up. A biometric that has been compromised cannot be changed the way a password can.


Application of the principle:
The factors above can be used singly or in combination of two or all three. When factors from different categories are combined, authentication becomes harder to break, because an attacker must defeat each factor separately.

Multi-Factor Authentication:
An ATM card is a simple example: it combines "something you have" (the ATM card) with "something you know" (the PIN). Even if the card is lost or stolen, the PIN is still required to authenticate, and the PIN alone is useless without the card.
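The card-plus-PIN check above, and the challenge/response smart card described under "Something you have", in working code as an added example that is not part of the original post. It assumes the card and the verifier share a per-card secret key, that the card proves possession by returning an HMAC-SHA256 over a random single-use challenge, and that the PIN is stored as a salted hash; the card ID, key and PIN are constructed for the demo.

```python
# Added example (not from the original post): two-factor verification combining a
# challenge/response token (something you have) with a PIN (something you know).
# Assumptions: card and verifier share a per-card secret; the card answers a
# random single-use nonce with HMAC-SHA256; the PIN is stored salted and hashed.
import hashlib
import hmac
import os


class Token:
    """Simulates the card: it holds the secret and only ever emits a response."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Verifier:
    def __init__(self):
        self._cards = {}     # card_id -> secret, pin salt, pin hash
        self._pending = {}   # card_id -> outstanding challenge (single use)

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

    def enroll(self, card_id, secret, pin):
        salt = os.urandom(16)
        self._cards[card_id] = {"secret": secret, "pin_salt": salt,
                                "pin_hash": self._hash_pin(pin, salt)}

    def challenge(self, card_id):
        nonce = os.urandom(16)          # fresh every time, so a response can't be replayed
        self._pending[card_id] = nonce
        return nonce

    def verify(self, card_id, response, pin):
        """Both factors must pass: a valid response to the outstanding challenge AND the PIN."""
        card = self._cards.get(card_id)
        nonce = self._pending.pop(card_id, None)   # consume the challenge whatever happens
        if card is None or nonce is None:
            return False
        expected = hmac.new(card["secret"], nonce, hashlib.sha256).digest()
        have_ok = hmac.compare_digest(expected, response)
        know_ok = hmac.compare_digest(self._hash_pin(pin, card["pin_salt"]), card["pin_hash"])
        return have_ok and know_ok


def scenarios():
    """Legitimate use next to the ways one factor alone (or a replay) fails."""
    secret = os.urandom(32)             # constructed per-card key
    verifier = Verifier()
    verifier.enroll("card-0001", secret, "4921")
    card = Token(secret)
    results = {}

    # 1. Card holder with the correct PIN.
    c = verifier.challenge("card-0001")
    results["card_and_pin"] = verifier.verify("card-0001", card.respond(c), "4921")

    # 2. Stolen card, wrong PIN: "something you know" is missing.
    c = verifier.challenge("card-0001")
    results["card_wrong_pin"] = verifier.verify("card-0001", card.respond(c), "0000")

    # 3. Shoulder-surfed PIN, no card: attacker can only guess the response.
    c = verifier.challenge("card-0001")
    results["pin_no_card"] = verifier.verify("card-0001", os.urandom(32), "4921")

    # 4. Replay: attacker recorded a valid response and sends it again later.
    c = verifier.challenge("card-0001")
    captured = card.respond(c)
    verifier.verify("card-0001", captured, "4921")   # genuine use consumes the challenge
    verifier.challenge("card-0001")                  # a new nonce is now outstanding
    results["replay"] = verifier.verify("card-0001", captured, "4921")

    # 5. Response sent without any challenge outstanding.
    results["no_challenge"] = verifier.verify("card-0001", card.respond(b"x"), "4921")
    return results


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:16} -> {'accepted' if accepted else 'refused'}")
```

Only the first scenario is accepted. Losing the card (case 2) or the PIN (case 3) defeats just one factor, and because the challenge is random and consumed on use, a captured response is worthless a moment later (cases 4 and 5). Note that the verifier evaluates both factors before answering rather than returning early, so an attacker cannot learn from the timing which factor was wrong.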
