Authentication
Authentication is the set of methods used to prove a claim of identity is true by using some type of credential.
- does not decide what a party is permitted to do
  - that is authorization
Can be used to prove the identity of:
- A user
- A service or process running on a computer or server
- A workstation or server itself
- A network device
We want to authenticate everything in IT security.
Factors of Authentication
Factors are approaches to authentication.
There are 5 factors of authentication:
- Something you know
  - E.g., password, PIN, etc.
  - weak form of authentication
  - if the information is exposed, the authentication method is no longer unique
- Something you have
  - E.g., ID cards, software-based security tokens, cell phones, email account
- Something you are
  - relatively unique physical attributes of an individual, referred to as biometrics
  - Physiological
    - E.g., face, fingerprint, iris, hand scan, DNA, hair color, weight
    - not usually distinctive enough to be very secure identifiers
  - there is some question as to whether biometrics constitute authentication or just identity verification
- Something you do
  - Behavioral
    - E.g., analysis of a person's gait or handwriting, time between keystrokes
    - strong authentication, but high rate of false negatives
- Where you are
  - geographically based
  - E.g., authenticate at a specific location
Types of Authentication
- Single-factor authentication
  - uses only one factor of authentication
  - E.g., only a password
- Two-factor authentication
  - uses a combination of two factors of authentication
  - E.g., password + TOTP
  - Examples:
    - Banks: ATM card & PIN
    - Gym access: biometric palm scan & ID card
    - Work ID badges: smart ID card & PIN
- Multi-factor authentication
  - uses three or more factors of authentication
  - typically only client-side
- Mutual authentication
  - an authentication mechanism in which both parties in a transaction authenticate each other
  - typically software-based
  - the client authenticates to the server, and vice versa
  - often relies on digital certificates
  - in cases where you don't perform mutual authentication, you leave yourself open to impersonation attacks, aka man-in-the-middle attacks
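As an added example (not part of the original notes), the following Python script shows the "password + TOTP" two-factor check listed above: a password (something you know) verified against a salted PBKDF2 hash, plus a time-based one-time code (something you have, generated by an authenticator app) computed per RFC 6238 with HMAC-SHA1, 30-second steps and six digits. The user record, the demo password, the PBKDF2 work factor and the one-step clock-skew window are constructed assumptions for the demo; the TOTP secret is the RFC's published SHA-1 test secret.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000   # assumed work factor for the password hash
TOTP_STEP = 30            # RFC 6238 default time step in seconds
TOTP_DIGITS = 6           # six-digit codes, as most authenticator apps show
SKEW_WINDOW = 1           # accept codes from one step before/after (clock drift)


def hash_password(password, salt=None):
    """Factor 1 (something you know): salted PBKDF2-HMAC-SHA256 hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(candidate, expected_digest)


def totp(secret, timestamp, step=TOTP_STEP, digits=TOTP_DIGITS):
    """Factor 2 (something you have): RFC 6238 TOTP with HMAC-SHA1.

    The shared secret lives on the user's device; the server holds a copy.
    """
    counter = int(timestamp) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, submitted_code, timestamp, window=SKEW_WINDOW):
    """Accept the code for the current step or one step either side."""
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * TOTP_STEP)
        if hmac.compare_digest(expected.encode(), str(submitted_code).encode()):
            return True
    return False


def make_user(password, totp_secret, salt=None):
    salt, digest = hash_password(password, salt)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def authenticate(user, password, submitted_code, timestamp=None):
    """Two-factor login: both factors must pass."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    password_ok = verify_password(password, user["salt"], user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], submitted_code, timestamp)
    # Both factors are evaluated before deciding, so a wrong password does not
    # short-circuit and reveal (via timing) which factor failed.
    return password_ok and code_ok


# Constructed demo data: RFC 6238's SHA-1 test secret and an assumed password.
DEMO_SECRET = b"12345678901234567890"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_USER = make_user(DEMO_PASSWORD, DEMO_SECRET, salt=b"\x00" * 16)

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET, now))
    print("login ok:", authenticate(DEMO_USER, DEMO_PASSWORD, totp(DEMO_SECRET, now), now))
```

The skew window is the usual trade-off between tolerating phone clock drift and widening the set of codes an attacker could guess; a production verifier would also record the last counter a user authenticated with and refuse to accept the same code twice within a step, and would rate-limit attempts, since six digits give only a million possibilities.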
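The following Python script, added here as an illustration rather than taken from the notes, contrasts one-way authentication with the mutual authentication described in the last item, and shows why the one-way form leaves the client open to impersonation. It uses a symmetric challenge-response (each side proves knowledge of a shared key by computing an HMAC over the peer's fresh nonce) as a simpler stand-in for the certificate-based exchange the notes mention; the roles, the pre-shared key and the ImpostorServer class are constructed for the demo.

```python
import hashlib
import hmac
import os


def _proof(key, prover, verifier, nonce):
    # Bind the response to its direction so a proof captured while the server
    # proves itself cannot be replayed to impersonate the client.
    return hmac.new(key, b"|".join([prover, verifier, nonce]), hashlib.sha256).digest()


class Endpoint:
    """One party in the exchange, identified by role and holding a shared key."""

    def __init__(self, role, key):
        self.role = role
        self.key = key

    def challenge(self):
        return os.urandom(16)          # fresh nonce: defeats replay of old proofs

    def prove(self, verifier_role, nonce):
        return _proof(self.key, self.role, verifier_role, nonce)

    def verify(self, prover_role, nonce, proof):
        expected = _proof(self.key, prover_role, self.role, nonce)
        return hmac.compare_digest(expected, proof)


class ImpostorServer(Endpoint):
    """Constructed stand-in for a peer that does not hold the real key but
    accepts any client, so the client carries on with the session."""

    def verify(self, prover_role, nonce, proof):
        return True


def one_way_handshake(client, server):
    """Only the server checks the client; the client checks nothing."""
    nonce = server.challenge()
    proof = client.prove(server.role, nonce)
    client_ok = server.verify(client.role, nonce, proof)
    return {"client_authenticated": client_ok, "server_authenticated": None}


def mutual_handshake(client, server):
    """Each side challenges the other; a failure on either side aborts."""
    n_c = client.challenge()
    server_ok = client.verify(server.role, n_c, server.prove(client.role, n_c))
    if not server_ok:
        # The client stops here and never sends its own proof to an unverified peer.
        return {"client_authenticated": None, "server_authenticated": False}
    n_s = server.challenge()
    client_ok = server.verify(client.role, n_s, client.prove(server.role, n_s))
    return {"client_authenticated": client_ok, "server_authenticated": True}


SHARED_KEY = b"constructed-demo-key-32-bytes!!!"     # assumed pre-shared secret


def demo():
    client = Endpoint(b"client", SHARED_KEY)
    genuine = Endpoint(b"server", SHARED_KEY)
    impostor = ImpostorServer(b"server", os.urandom(32))   # does not know SHARED_KEY
    return {
        "one_way_genuine": one_way_handshake(client, genuine),
        "one_way_impostor": one_way_handshake(client, impostor),
        "mutual_genuine": mutual_handshake(client, genuine),
        "mutual_impostor": mutual_handshake(client, impostor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the one-way case the client ends up "authenticated" to a server it never checked, which is exactly the impersonation the notes warn about; in the mutual case the client's own check fails first and the session never starts. Real deployments get the same property from TLS with client certificates (mTLS), where each side's certificate plays the role of the shared key here.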