Authentication Methods and Techniques - Research Paper Example

Authentication Methods and Techniques

Table of Contents
1. Introduction
2. Authentication Techniques and Methods
   A. Authentication by Knowledge
      a. Passwords / PINs
      b. Challenge Response
   B. Authentication by Possession
      a. Hardware Tokens
      b. Software Tokens
      c. Digital Certificates on Smart Cards
   C. Authentication by Property
3. Risk Assessment
   a. Maintaining a Balance
   b. Multi-Factor Authentication
   c. Applying the Risk Assessment
   d. Usability of System
4. Conclusion
5. References

1. Introduction

Authentication is one of the vital steps involved in providing access control (Tipton & Nozaki, 2011). It is the process through which a system verifies whether a person is actually who he/she claims to be. Throughout history, humans have used some means of authentication in their day-to-day dealings. In the simplest form, a person was authenticated merely by his/her physical appearance and voice, as the authenticating party knew the person by face. As people's social circles grew, the need arose to be authenticated in environments where the person was unknown to the authenticating party, so the method evolved and pictures were added to authentication documents (such as passports). With time, the personal records and private information held about a person increased not only in amount (as they became a requirement in schools, universities, offices, banks, airports, hospitals, etc.) but also in value (credit cards, debit cards, etc.). Means of authentication then evolved significantly: with this information available on public or private networks (e-banking, e-health, e-ticketing, e-commerce), the number of access points to it also increased tremendously (on a public network the information is reachable by millions of Internet users all over the world).

It became necessary that only authorized personnel could access the information, so authentication techniques appropriate to the scenario and to the worth of the information had to be devised. As the authentication methods progressed, so did the attacks aimed at stealing private information (Mallow, n.d.). When an authentication method was compromised, an alternative strategy had to be adopted. This paper gives an overview of the various authentication methods that have been proposed in applications and literature and have successfully been used to allow controlled access to private information. It also discusses the vulnerability issues associated with each authentication method, assesses each against some important factors, and discusses how to decide on the best authentication strategy in a world of sophisticated hackers.

2. Authentication Techniques and Methods

As mentioned earlier, authentication involves providing proof of one's identity to an authority. The various authentication techniques fall into three broad categories: proof by knowledge, proof by property and proof by possession (Jansen, 2003; Cranor & Garfinkel, 2005). Every authentication method can be placed in one of these three categories. The available techniques and methods can be assessed against the major factors of cost, ease of installation, level of authentication and usability. This section discusses the various authentication methods alongside their assessment on these factors.

A. Authentication by Knowledge

This category is based on the premise that only the actual person can know some particular piece of information. Examples include text-based passwords or Personal Identification Numbers (PINs) and challenge-response schemes.

a. Passwords / PINs

Benefits: This type of authentication is the least expensive of all methods, as no specific software or hardware is required to set it up. Furthermore, the method is so simple that users can set up or change their passwords themselves.

Issues: Although text-based authentication is presently the most commonly used method, it is not the strongest and is highly susceptible to attack. Most users keep passwords that are short and easy for them to remember, so the passwords are easy to crack (Davies, 2005). In one company case study, the security team was able to crack 80% of the passwords (Gilhooly, 2005). In another case study, of 14,000 passwords, 25% were cracked using a dictionary containing merely 3 million words (Klein, 1990). Besides being vulnerable to dictionary attacks, the security depends on how well users keep their passwords and PINs secret. Users may write passwords down so they do not forget them, reuse the same password across applications, or share them with friends, and eventually passwords come into the hands of intruders. Passwords are therefore not a reliable means of authentication in sensitive applications such as remote financial transactions (e.g. e-banking). If users are made to keep complex passwords, there is a high chance of their forgetting them, and extra support cost is incurred as passwords have to be reset after accounts are locked by repeated login failures.

b. Challenge Response

This method is an enhanced version of passwords and PINs in which the authenticator poses a number of challenges (i.e. asks a question or presents an identifier) and the user provides the response (i.e. the password for that particular question or identifier) to each challenge. If the password is correct, the response is valid.

Benefits: The method is more secure than the conventional password method, where only one password is required for authentication. In challenge-response, both text and graphics based challenge/response pairs can be configured, and the user is expected to remember all pairs. It is a simple procedure that does not require carrying any dedicated hardware device: each (possibly pre-defined) challenge is presented to the user, the response is recorded and access is granted accordingly.

Issues: Although more secure than conventional password authentication, the method is not immune to man-in-the-middle attacks (Pathak, 2009). Secondly, the user has to remember the responses to all the challenges presented. Extra support cost may be involved, as users may forget the challenge-response pairs and get their accounts disabled by repeatedly providing incorrect information.

B. Authentication by Possession

These techniques are based on the premise that only the person himself can possess a particular object of identification. Examples include smart cards, security tokens (hardware or software) (Birss, 1997) and digital certificates. These techniques are generally more secure than passwords and can also be used in conjunction with authentication by knowledge.

a. Hardware Tokens

A hardware device generates a new access key periodically (e.g. every minute) based on a unique 128-bit encryption seed.

Benefits: Hardware tokens are an easy-to-use means of authentication that is more secure than passwords and PINs and provides secure credential access (login and transactional authentication) to a system. They eliminate the need for the user to memorize complex passwords. They can also be used in conjunction with passwords.

Issues: Hardware tokens are battery-operated devices that involve extra cost for the hardware purchase. Secondly, where there are multiple devices or sites, a separate token may be required for each. Furthermore, it can be a nuisance for the person to carry the token everywhere. Although tokens are more secure to use than passwords, they are not safe from man-in-the-middle attacks.

b. Software Tokens

Software tokens are stored on general-purpose electronic devices (desktop computers, laptops, PDAs or mobile phones) and generate keys in the same way as hardware tokens.

Benefits: Software tokens are cheaper than the hardware alternative, as no separate device has to be purchased and therefore no extra or multiple devices need to be carried around. They eliminate the need to remember complex passwords. Unlike hardware tokens, they cannot suffer battery failure. Software tokens are more secure than password authentication.

Issues: Software tokens are vulnerable to computer viruses and malware, so they must be deployed in a secure environment. They may also require some training for the user to operate them, or to reinstall and reconfigure them after a system failure or corruption.

c. Digital Certificates on Smart Cards

A digital certificate is a document that stores the credential information of a user and attests that the public key enclosed in the certificate belongs only to the person to whom the certificate is issued. The user's private key is kept inside the smart card.

Benefits: Digital certificates on smart cards are more secure to use than passwords. Users trust the authentication mechanism owing to the involvement of a third party that issues the certificates. As the private key resides on the smart card, it is difficult for an intruder to extract. So when the certificate is used, the user cannot repudiate the action, as the private key can only reside with the user.

Issues: Subscription to the certificate issuing authority costs extra, especially when a separate certificate is required for each device or site. Additional cost is required to purchase the smart device as well. The device or USB token has to be carried along at all times in order to log in. Some training may also be required for the generation and use of certificates.

C. Authentication by Property

This authentication is based on some physical property that is unique to the person himself, e.g. any of the biometric technologies (face, fingerprints, voice, iris, etc.).

Benefits: This means of authentication can be used in high-security access systems and sites. Through this method the element of non-repudiation is handled, as the property used is specific to the particular user only. This makes the method the hardest to compromise.

Issues: Biometric authentication offers the most reliable authentication solution, but at the highest cost. This is due to the additional hardware (i.e. scanners), the high deployment costs and the extra support and maintenance costs. As specialized hardware is required to gather input from the user, this method is not feasible to deploy for mass-consumer sites.

3. Risk Assessment

A good authentication system is one which generates absolutely no false positive results while keeping false negatives as low as possible. The above discussion has highlighted the benefits and issues associated with each authentication method. The authentication method chosen for an application must be determined by the level of risk involved in the target application, and the selected method must be in accordance with that level. There are several factors to consider while determining the level of risk in an application or system: the sensitivity and value of the information stored in the system, the availability of the information on a network (i.e. whether on a private or public network), the users of the application (whether retail or commercial users), and the size and volume of information to be transmitted, stored or transacted.

The risk assessment must consider the fact that technologies progress with time and so do the threats; threats get more sophisticated day by day. Considering the foreseeable challenges associated with the application, and keeping in mind the prevailing technological offerings and threats, the relevant authentication method must be selected (Clarke, 2011). The selected authentication level must be sophisticated enough to counter the prevailing threats and flexible enough to counter future attacks. For instance, owing to readily available "sniffers" and tools for cracking passwords and PINs, the standard password or PIN method renders the security of authentication meaningless.

a. Maintaining a Balance

In the previous section, the various authentication methods were assessed with a view to the factors of cost, level of authentication and ease of installation. While selecting an authentication method, a balance must be kept between what the method offers and what the system demands. For instance, in an informational website that offers online forums for discussing various topics, the risk level of the information is low. Employing an authentication technique of possession (software tokens, hardware tokens, etc.) would be a costly and inappropriate choice in this situation, as the authentication level would be higher than the estimated risk level. Similarly, in an e-banking environment, where financial transactions are carried out, the risk level of the information is high. Here, password-based authentication would not be a wise decision, as the level of authentication would be too low.

b. Multi-Factor Authentication

When only one authentication technique is involved in protecting information, it is known as single-factor authentication. Even though single-factor methods (e.g. passwords and PINs) were once considered well equipped to authenticate online transactions (e.g. e-banking: account inquiry, bill aggregation and payments), with the increase in the number and sophistication of threats and the increasing rate at which installed authentication measures are compromised, single-factor techniques became insufficient and inadequate to protect and manage high-risk applications and transactions. Therefore, in order to stay a step ahead of the hacking threats, the strategy of adopting authentication techniques was broadened. The authentication model comprises either multi-factor authentication (i.e. using two types of authentication technique in conjunction, e.g. hardware tokens alongside passwords) or a tiered system of single-factor authentication (i.e. two or more levels of a single factor). An example of such a tiered system is one that uses more than one password at various stages of the authentication process.

c. Applying the Risk Assessment

In the existing corporate environment, there is a constant need to ensure that only authorized personnel can access critical devices or services. Risk assessment is generally applied in two ways. In some applications or systems, the risk assessment determines a fixed set of processes, procedures and resources to use: in each session the users present the same credentials, but different credentials are required of users who need different resources. For instance, within one system, usernames and passwords may be sufficient for some users, while users with high-level access to sensitive information require a two-factor hardware token. The other way of applying risk-based authentication is in systems where different levels of authentication are required of the same user depending on the transaction to be executed, not on his identity. For instance, in most web services, a cookie placed on the user's system by the browser during an earlier session is considered proof of identity for browsing the catalogue pages, yet when making a purchase the user is asked for a username and password.

d. Usability of System

It is a surprising fact that even in the present day, the plain text-based password is still the most widely used form of authentication, because it is easy to install and use and is the least expensive method available. This fact indicates the level of security of the information available on the Internet and on private networks. One of the possible reasons for this worldwide trend is the ease of use of the method. One of the major factors that ought to be considered when determining which authentication method to adopt is its usability. If an authentication system is not considered usable by its users and is nevertheless forced upon an environment, the users will eventually start avoiding the system and seek ways to bypass it. Thus usability is the major factor that determines the successful adoption and maintenance of an authentication system.

4. Conclusion

There are many authentication methods available for designing a user authentication system. Some of the available methods may seem easy to install and use (e.g. passwords and PINs), yet being primitive they can be very weak, as there may already be numerous readily available hacking tools for bypassing the chosen authentication means. There are alternative methods that, although they may seem complex and may require extra time and cost, achieve strong and reliable authentication in the end, as long as the information meant to be kept secret remains secret. Each available authentication method and technique provides a certain level of authentication. By analyzing the level of risk of the system or application, a method offering the required level of authentication can be selected. In applications involving high risks, a system based on multi-factor authentication may be designed.

5. References

C. Mallow. (n.d.) Authentication Methods and Techniques. Retrieved from www.giac.org/cissp-papers/2.pdf
D. Klein. (1990) Foiling the Cracker: a survey of, and improvements to, password security. In Proceedings of the 2nd USENIX Security Workshop, pp. 5-14.
E. Birss. (1997) Network World, p. 49.
H. Davies. (2005) Physiognomic access control. Information Security Monitor, Vol. 10, Issue 3, pp. 5-8.
H.F. Tipton, M.K. Nozaki. (2011) Information Security Management Handbook, Volume 5. CRC Press, p. 255.
K. Gilhooly. (2005) Biometrics: Getting back to business. Computerworld.
L.F. Cranor and S. Garfinkel. (2005) Security and Usability: Designing Secure Systems That People Can Use. O'Reilly Media, Inc.
N. Clarke. (2011) Transparent User Authentication: Biometrics, RFID and Behavioural Profiling. Springer, p. 49.
V. Pathak. (2009) Robust Decentralized Authentication for Public Keys and Geographic Location. ProQuest, p. 33.
W. Jansen. (2003) Authenticating users on handheld devices. In Proceedings of the Canadian Information Technology Security Symposium.
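Added worked example, not part of the original paper: the periodic access-key generation that section 2.B attributes to hardware and software tokens, the server-side check that goes with it, and its use as the possession factor beside a password as in the two-factor model of section 3.b. The paper names no algorithm, so the HMAC-based HOTP/TOTP scheme of RFC 4226 and RFC 6238 is assumed here, with a 128-bit seed and the paper's 60-second step; the password hashing, drift window and replay check are this example's own choices.

```python
# Added example, not from the paper. Implements the periodic one-time code that
# section 2.B ascribes to hardware and software tokens and uses it as the
# possession factor of the two-factor model in section 3.b.
# Assumption: the paper names no algorithm, so this uses HMAC-based HOTP/TOTP
# (RFC 4226 / RFC 6238) with a 128-bit seed and the paper's 60-second step.
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 60   # the paper's "every minute"
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the number of whole steps since the Unix epoch."""
    return hotp(seed, at // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor stored server-side as a salted PBKDF2 hash, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenVerifier:
    """Server side of the token: shared seed, clock-drift window, replay protection."""

    def __init__(self, seed: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.seed = seed
        self.step = step
        self.window = window      # accept codes up to this many steps early or late
        self.last_counter = -1    # highest step already redeemed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue          # this step was already used once: reject the replay
            # constant-time comparison so a near-miss leaks nothing through timing
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False


def two_factor_login(stored_hash: bytes, salt: bytes, password: str,
                     verifier: TokenVerifier, code: str, now: int) -> bool:
    """Section 3.b: knowledge factor AND possession factor must both succeed."""
    password_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    token_ok = verifier.verify(code, now)
    # both factors are always evaluated so the response time does not reveal
    # which one failed
    return password_ok and token_ok


if __name__ == "__main__":
    seed = secrets.token_bytes(16)            # 128-bit seed shared at enrolment
    salt = secrets.token_bytes(16)
    stored = hash_password("correct horse", salt)
    server = TokenVerifier(seed)
    now = int(time.time())
    code = totp(seed, now)                    # what the user's token displays now
    print(two_factor_login(stored, salt, "correct horse", server, code, now))  # True
    print(two_factor_login(stored, salt, "correct horse", server, code, now))  # False (replay)
```

The replay check is what turns a code that is merely time-limited into one that is single-use, which is the property the paper's man-in-the-middle concern for tokens depends on.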