2. Web Authentication
• Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
• Authentication is accomplished by:
– Something the user knows
• e.g., password, PIN, pattern
– Something the user has
• e.g., ATM card, smart card
– Something the user is
• e.g., a biometric characteristic, such as a fingerprint
3. Password Authentication
• It is based on “something the user knows”.
• Advantages:
– Passwords require no special software on the user's computer.
– Passwords authenticate the user directly because only the user knows the password.
4. Password Authentication
• Drawbacks:
– Users can't remember strong passwords, so they write them down.
– When passwords are forgotten, the password must be recovered, which is either expensive or insecure.
– Users can share passwords. Revenue is lost when multiple users share an account.
– An administrator can discover the password and use it to masquerade as the user.
– The user must have a unique password for each site.
5. Biometric Authentication
• Authenticates a user through a unique physical characteristic.
• Typical biometrics used are fingerprints, voice, face, typing pattern, etc.
6. Biometrics
• Advantages:
– Biometrics directly authenticates the person, not indirectly through a password or token.
– Biometric features are difficult to steal, which makes biometric authentication very strong.
• Drawbacks:
– The user's computer must include the appropriate biometric sensor and software. Reliable sensors are expensive.
– False positives (wrongly accepting an invalid user) and false negatives (denying a valid user) occur.
7. Token-based Authentication
• Authentication through “something the user has”.
• An example of a hardware/software token is RSA SecurID.
8. Tokens
• Advantages:
– Tokens prevent a thief with a stolen password from accessing the web site.
– Tokens prevent accounts from being shared, since the token would have to be duplicated.
– Tokens require no special software on the user's computer.
• Drawbacks:
– Tokens are expensive and must be replaced or refurbished every few years.
– A lost token prevents a valid user from accessing the web site, which disrupts business or commerce.
– Tokens are inconvenient, since the user must manually enter the value of the token as well as the password.
9. PKI - Public Key Infrastructure
• PKI is a specific implementation of asymmetric cryptography.
• It relies on digital certificates issued by certificate authorities as a means to bind a user to an assigned key pair:
– A public key. This is something that you make public; it is freely distributed and can be seen by all users.
– A corresponding (and unique) private key. This is something that you keep secret; it is not shared amongst users.
14. HTTPS
• The most popular usage example of PKI is the HTTPS (Hypertext Transfer Protocol Secure) protocol.
15. Public Key Infrastructure
• Advantages:
– Every modern browser has the built-in capability for public key authentication.
– Public key authentication can be automatic and even transparent to users.
– Public key authentication is much stronger than passwords, because the authentication “secret” is stronger and is not shared with web sites.
– A single certificate can be used for many web sites, since the “secret” is not shared.
16. Public Key Infrastructure
• Drawbacks:
– The complexity of the infrastructure:
• The PKI model requires that the digital certificate bind the proofed identity of the user to the value of the user's public key. This seemingly simple requirement generates a great deal of complexity: how is the identity proofed, who does the proofing, and what are the liabilities if the identity proofing is wrong?
– The PKI model focuses on identity and does not address authorization.
17. LDAP – Lightweight Directory Access Protocol
• The Lightweight Directory Access Protocol is a protocol for querying and modifying directory services, running over TCP/IP.
• It is not a directory, a database or an information repository.
– It is a protocol to access directory services.
• Single Sign-On systems mostly use LDAP authentication.
– The user is authenticated at site1, then accesses a resource at site2.
• Drawbacks:
– The Web is loosely coupled, consisting of many security domains. SAML is a standard that governs the transfer of assertions between domains.
18. LDAP – Lightweight Directory Access Protocol
• Client requests to bind to server.
• Server accepts/denies bind request.
• Client sends search request.
• Server returns zero or more directory entries.
• Server sends result code with any errors.
• Client sends an unbind request.
• Server sends result code and closes socket.
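The bind, bind-response and unbind messages of the exchange above, encoded and decoded at the byte level, as an added example that is not part of the slides. It uses LDAPv3's BER framing (LDAPMessage is a SEQUENCE of messageID and the operation; BindRequest is [APPLICATION 0], BindResponse [APPLICATION 1], UnbindRequest [APPLICATION 2]); the DN, password and result values are constructed.

```python
def ber_len(n: int) -> bytes:
    # BER length octets: short form below 128, long form (length-of-length, then length) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ldap_int(n: int, tag: int = 0x02) -> bytes:
    # INTEGER (0x02) or ENUMERATED (0x0A); non-negative, minimal two's-complement encoding
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }
    body = ldap_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ldap_int(msg_id) + tlv(0x60, body))

def bind_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    # BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }
    body = ldap_int(result_code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ldap_int(msg_id) + tlv(0x61, body))

def unbind_request(msg_id: int) -> bytes:
    # UnbindRequest [APPLICATION 2] NULL: the server answers by closing the socket
    return tlv(0x30, ldap_int(msg_id) + b"\x42\x00")

def parse_tlv(buf: bytes, pos: int = 0):
    # Returns (tag, value, position after the element); handles short and long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(pdu: bytes):
    # Returns (messageID, resultCode, diagnosticMessage); 0 = success, 49 = invalidCredentials
    tag, msg, _ = parse_tlv(pdu)
    _, mid, p = parse_tlv(msg)
    op, body, _ = parse_tlv(msg, p)
    if tag != 0x30 or op != 0x61:
        raise ValueError("not a BindResponse")
    _, code, p = parse_tlv(body)
    _, _matched_dn, p = parse_tlv(body, p)
    _, diag, _ = parse_tlv(body, p)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()
```

Note that a simple bind carries the password as plain octets inside the PDU, so it must only be sent over TLS (LDAPS or StartTLS).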
19. OAuth – Open Authentication
• A simple open standard for secure API authentication.
• An authenticating protocol that allows internet users to approve an application to act on their behalf without the need for the user to share their password with the application.
• In OAuth the service provider issues tokens; the exchange of tokens/keys and the signing of requests make it a secure protocol.
21. OAuth
Advantages:
• You don't have to create another profile on the net.
• Fewer passwords to remember.
• Users do not have to submit a password to your application if they do not completely trust it.
• The user can revoke the application's access at the OAuth provider.
Drawbacks:
• The user cannot tailor the profile for your application (that would require additional development).
• It can be a bit confusing for users to have to create an account with an OAuth provider if they do not already have one there.
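The request signing that the slides credit for OAuth's security, as an added example that is not from the slides: the slides use OAuth 1.0 vocabulary (service provider, tokens, signed requests), so this implements OAuth 1.0's HMAC-SHA1 signature base string on the application side and its verification on the service provider side. The endpoint URL, keys, secrets, nonce and timestamp are all constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

BASE_URL = "https://api.example.com/photos"   # constructed service provider endpoint
CONSUMER_SECRET = "demo-consumer-secret"        # given to the app when it registered
TOKEN_SECRET = "demo-token-secret"              # issued together with the access token

def oauth_encode(value) -> str:
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal
    return quote(str(value), safe="-._~")

def signature_base_string(method: str, base_url: str, params: dict) -> str:
    # Normalise every parameter (query, body, oauth_*): encode, sort, join, then encode again
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])

def sign(method, base_url, params, consumer_secret, token_secret="") -> str:
    # Key = encoded consumer secret & encoded token secret; signature = base64(HMAC-SHA1(base string))
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify(method, base_url, params, consumer_secret, token_secret="") -> bool:
    # Service provider side: recompute over every parameter except the signature, compare in constant time
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, base_url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)

def build_signed_request() -> dict:
    # Application side; in real use the nonce is random per request and the timestamp is current
    params = {
        "oauth_consumer_key": "demo-consumer-key",
        "oauth_token": "demo-access-token",
        "oauth_nonce": "a1b2c3d4",
        "oauth_timestamp": "1700000000",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
        "file": "vacation.jpg",
        "size": "original",
    }
    params["oauth_signature"] = sign("GET", BASE_URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params
```

Because the secrets never travel with the request, a captured request cannot be altered without invalidating its signature; the provider still has to remember recent nonce/timestamp pairs to reject a verbatim replay.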
1. Installing the CA (Certificate Authority) root certificate: the browser vendor receives the CA root certificate from the CA and distributes it as part of the browser installation package.
2. Signing the Web server certificate: the Web server owner sends a certificate request to the CA. The CA, acting as the RA (Registration Authority), verifies the Web server's identity, then signs (issues) the Web server's certificate.
3. Validating the Web server certificate: when you use the browser to visit the Web server, the browser, acting as the VA (Validation Authority), receives the Web server's certificate and validates it against the CA root certificate. If the browser finds no issue with the server certificate, it uses the public key embedded in it to secure communication with the server.
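The three steps above carried through in code, as an added example that is not part of the slides. Textbook RSA over two fixed Mersenne primes with a SHA-256 digest stands in for the CA's real signature algorithm, so the keys are illustrative only; the certificate layout, the "Demo Root CA" name and the trust-store dictionary are assumptions of this example. The point it shows is that the browser holds only the root public key and never needs the CA's private key to validate a server certificate.

```python
import hashlib
import json

def make_keypair(p: int, q: int, e: int = 65537):
    # Toy RSA: returns (public, private) = ((n, e), (n, d)); primes far too small for real use
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(cert_fields: dict, n: int) -> int:
    # Canonical serialisation of the certificate body, hashed, then reduced into the RSA modulus
    data = json.dumps(cert_fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(private, cert_fields: dict) -> int:
    n, d = private
    return pow(digest(cert_fields, n), d, n)

def rsa_verify(public, cert_fields: dict, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(cert_fields, n)

# Step 1: the CA's root key pair; the browser vendor ships only the public half in the trust store
CA_PUBLIC, CA_PRIVATE = make_keypair(2**31 - 1, 2**61 - 1)
BROWSER_TRUST_STORE = {"Demo Root CA": CA_PUBLIC}

def ca_issue(subject: str, server_public) -> dict:
    # Step 2: the CA, acting as RA, has verified the subject and now signs the server certificate
    body = {"subject": subject, "issuer": "Demo Root CA", "public_key": list(server_public)}
    return {"body": body, "signature": rsa_sign(CA_PRIVATE, body)}

def browser_validate(cert: dict, expected_host: str):
    # Step 3: the browser, acting as VA, checks issuer trust, signature and host name;
    # returns the server public key to use for the session, or None if anything fails
    root = BROWSER_TRUST_STORE.get(cert["body"]["issuer"])
    if root is None or not rsa_verify(root, cert["body"], cert["signature"]):
        return None
    if cert["body"]["subject"] != expected_host:
        return None
    return tuple(cert["body"]["public_key"])
```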