Authentication”, “Two factor Authentication”, “Multifactor Authentication” and
“Authorization”.
By
Asad Zaman
Sales Engineer –Candidate
Cellphone: 443 929 5793
Table of Contents
Introduction ..... 2
Authentication ..... 3
A. Password ..... 4
B. Biometrics ..... 5
C. Token ..... 8
Two-factor Authentication ..... 9
Multi-factor Authentication ..... 11
Authorization ..... 13
Summary ..... 14
References ..... 15
Figures & Tables
Figure 1: A sample of the biometric trait captured ..... 6
Table 1: Authenticators and their Levels of Assurance ..... 10
Table 2: Authentication Protocols and Levels of Assurance ..... 11
Introduction
Authentication is the process of verifying the identity of a user, process, or device, often
as a prerequisite to allowing access to resources in an information system (Dempsey et
al., 2011). Authentication is typically based on one or more of the following factors
(Vacca, 2009, pp. 59, 67, 87, 568):
a. Something the user knows, such as a password or PIN;
b. Something the user has, such as a smart card or token;
c. Something personal about the user, such as a finger-print, retinal pattern, or
other biometric identifier.
Use of a single factor, such as a password only, is considered weak authentication. A
combination of two factors, such as a password and a smart card, is considered strong
authentication. Two-factor authentication is one type of multifactor authentication, but
multifactor authentication for stronger assurance sometimes means more than two
factors, such as a combination of a password, a smart card or token, and a biometric
factor. Strong authentication can also be implemented using Public Key Infrastructure
(PKI), which is especially used for Web sites.
Authorization is the process of enforcing policies: determining what types of activities,
resources, or services an authenticated user is permitted. Authorization is applied to
put safeguards in place against unlawful access.
Authentication
Vulnerabilities in authentication continue to be one of the primary targets of attackers.
Security personnel can work hard to ensure that the latest patches are applied to
systems and that firewalls are running at peak efficiency, but when it comes to
authentication, strong security is sometimes harder to achieve. This is because end
users often compromise authentication by creating weak passwords or writing them
down; because users have so many passwords nowadays, they often write them down
and expose them to others. Nevertheless, authentication is becoming stronger: new
technologies are being implemented that make it difficult for attackers to steal users'
credentials and impersonate them. Industry regulations and typical corporate policies
require that IT, security and compliance groups create audit trails of all activity on the
network. Knowing the IP address of the access device is not enough to definitively
attribute behavior to a specific user: anyone who discovers the valid user's username
and password could be using the device associated with a given address.
According to the CompTIA Security+ book, “Authentication access control is the process
by which resources or services are granted or denied. There are four basic steps:
Identification is the presentation of credentials or identification, typically performed
when logging on to a system. Authentication is the verification of the credentials to
ensure that they are genuine and not fabricated. Authorization is granting permission
for admittance. Access is the right to use specific resources.” Another way to view
authentication is as one of three elements of security:
Authentication - something you know, such as a password
Authorization - something you have, such as a token
Accounting - something you are, such as a fingerprint or a voiceprint
These three elements help control access to network resources, enforce security
policies, and audit usage.
Authentication credentials
A. Password
Passwords are used in many ways to protect data, systems, and networks. For
example, passwords are used to authenticate users of operating systems and of
applications such as email and remote access. Passwords are also used to protect
files and other stored information, for example by password-protecting a single
compressed file, a cryptographic key, or an encrypted hard drive. A comprehensive
password management policy should be provided to all employees; password
management is the process of defining, implementing, maintaining and monitoring
password enforcement policies. Effective password management reduces the risk of
compromise of password-based authentication systems. We need to protect the
confidentiality, integrity, and availability (CIA) of passwords so that all authorized
users, and no unauthorized users, can use passwords successfully as needed.
Integrity and availability should be ensured by typical data security controls, such as
using access control lists to prevent attackers from overwriting passwords and
keeping secured backups of password files. Ensuring the confidentiality of passwords
is considerably more challenging and involves a number of security controls along
with decisions about the characteristics of the passwords themselves. For example,
requiring that passwords be long and complex makes it less likely that attackers will
guess or crack them, but it also makes the passwords harder for users to remember,
and thus more likely to be stored insecurely. An authentication policy implements
rules for password construction, expiration, privacy, reset, reuse, and password
lifetime. An example of a password construction rule: all passwords must be 8-16
characters long, with at least one number, one symbol, and one capital letter. Such a
rule increases the likelihood that users will store their passwords insecurely and
expose them to attackers.
B. Biometrics
Biometrics (or biometric authentication) consists of methods for uniquely recognizing
humans based upon one or more intrinsic physical or behavioral traits. In computer
science, in particular, biometrics is used as a form of identity access management and
access control. It is also used to identify individuals in groups that are under
surveillance (Wikipedia, 2010). This technology is an automated method of identifying a
person based on a physical characteristic, for example a thumbprint or retina pattern.
Biometric authentication requires comparing a registered or enrolled biometric sample
(the biometric template or identifier) against a newly captured biometric sample (for
example, a fingerprint captured during a login).
During enrollment, as shown in Figure 1 below, a sample of the biometric trait is
captured, processed by a computer, and stored for later comparison. Biometric
recognition can be used in Identification mode, where the biometric system identifies a
person from the entire enrolled population by searching a database for a match based
solely on the biometric. For example, an entire database can be searched to verify a
person has not applied for entitlement benefits under two different names. This is
sometimes called “one-to-many” matching.
A system can also be used in Verification mode, where the biometric system
authenticates a person’s claimed identity from their previously enrolled pattern. This is
also called “one-to-one” matching. In most computer access or network access
environments, verification mode would be used. A user enters an account, user name,
or inserts a token such as a smart card, but instead of entering a password, a simple
touch with a finger or a glance at a camera is enough to authenticate the user.
Figure 1: A sample of the biometric trait is captured. Enrollment: present biometric ->
capture -> process -> store. Verification: present biometric -> capture -> process ->
compare -> match / no match.
Biometric authentication mechanisms fall into two categories: physical (standard)
biometrics and behavioral biometrics (Wettern, 2005).
(1) Physical biometrics use a person's unique physical characteristics for authentication,
in other words what he or she is. Examples include, but are not limited to, fingerprint,
face recognition, DNA, palm print, hand geometry, iris recognition (which has largely
replaced retina scanning), and odor/scent. There are two types of fingerprint scanners:
i) A static fingerprint scanner requires the user to place his entire thumb or finger on a
small oval window on the scanner.
ii) Dynamic fingerprint scanners work on the same principle as the stud finders that
carpenters use to locate wood studs behind drywall.
(2) Behavioral biometrics are related to the behavior of a person. Behavioral biometrics
have been developed to address the issues and concerns with physical/standard
biometrics. Examples are typing rhythm, voice recognition, and computer foot-printing.
Below is a brief discussion of some of the considerations, among others, that need to
be examined before implementing a biometric authentication method:
a) Performance and reliability - Biometric readers are not always foolproof and can
reject authorized users (false negatives) while accepting unauthorized users (false
positives).
b) Privacy and discrimination - It is possible that data obtained during biometric
enrollment may be used in ways for which the enrolled individual has not consented.
For example, biometric security that utilizes an employee's DNA profile could also be
used to screen for various genetic diseases or other 'undesirable' traits (Wikipedia,
2010).
c) Cost - Biometric readers (hardware scanning devices) must be installed at each
location or PC where authentication is required.
d) Availability - A remote computer on a dial-up connection will not work, since a
biometric device may not be available on every computer in the organization.
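The enrollment, verification (one-to-one) and identification (one-to-many) modes described above, together with the false negative / false positive trade-off in consideration (a), worked through as an added example that is not part of the original paper. It assumes templates are 64-bit codes compared by Hamming distance; the population, the noise model for fresh captures and the thresholds are constructed.

```python
import random

CODE_BITS = 64  # assumption: a template is a 64-bit code, an iris-code-style stand-in


def distance(a: int, b: int) -> float:
    """Normalised Hamming distance between two templates:
    0.0 for identical codes, about 0.5 for codes of unrelated people."""
    return bin(a ^ b).count("1") / CODE_BITS


def capture(trait: int, rng: random.Random, max_noise: int = 10) -> int:
    """Simulated capture + processing of a person's underlying trait.
    A fresh sample never equals the stored one exactly, so this constructed
    noise model flips between 0 and max_noise randomly chosen bits."""
    sample = trait
    for bit in rng.sample(range(CODE_BITS), rng.randint(0, max_noise)):
        sample ^= 1 << bit
    return sample


class BiometricSystem:
    """Enroll (capture -> process -> store) and then match new captures."""

    def __init__(self, threshold: float):
        self.threshold = threshold  # largest distance still accepted as a match
        self.templates = {}         # identity -> enrolled template

    def enroll(self, identity: str, sample: int) -> None:
        self.templates[identity] = sample

    def verify(self, claimed: str, sample: int) -> bool:
        """Verification mode (one-to-one): the user claims an identity (account
        name, smart card) and the sample is compared with that template only."""
        template = self.templates.get(claimed)
        return template is not None and distance(template, sample) <= self.threshold

    def identify(self, sample: int):
        """Identification mode (one-to-many): search the whole enrolled population
        and return the closest identity, or None if nobody is within threshold."""
        if not self.templates:
            return None
        best, template = min(self.templates.items(), key=lambda kv: distance(kv[1], sample))
        return best if distance(template, sample) <= self.threshold else None


def error_rates(threshold: float, population: int = 50, trials: int = 200, seed: int = 7):
    """Estimate the false reject rate (authorised user rejected, a false negative)
    and the false accept rate (impostor accepted, a false positive) for one
    threshold on a constructed population of independent random traits."""
    rng = random.Random(seed)
    traits = {f"user{i}": rng.getrandbits(CODE_BITS) for i in range(population)}
    system = BiometricSystem(threshold)
    for name, trait in traits.items():
        system.enroll(name, capture(trait, rng))
    names = list(traits)
    false_rejects = false_accepts = 0
    for _ in range(trials):
        genuine = rng.choice(names)
        if not system.verify(genuine, capture(traits[genuine], rng)):
            false_rejects += 1
        impostor, victim = rng.sample(names, 2)
        if system.verify(victim, capture(traits[impostor], rng)):
            false_accepts += 1
    return false_rejects / trials, false_accepts / trials


def small_demo(seed: int = 1):
    """Enroll two people with low-noise captures and probe with a fresh capture of
    the first: identification result, genuine verification, and a wrong claimed identity."""
    rng = random.Random(seed)
    carol, dave = rng.getrandbits(CODE_BITS), rng.getrandbits(CODE_BITS)
    system = BiometricSystem(threshold=0.2)
    system.enroll("carol", capture(carol, rng, max_noise=3))
    system.enroll("dave", capture(dave, rng, max_noise=3))
    probe = capture(carol, rng, max_noise=3)
    return system.identify(probe), system.verify("carol", probe), system.verify("dave", probe)


if __name__ == "__main__":
    # Tightening the threshold trades false accepts for false rejects and vice versa.
    for threshold in (0.10, 0.35, 0.45):
        frr, far = error_rates(threshold)
        print(f"threshold {threshold:.2f}: false reject rate {frr:.2f}, false accept rate {far:.3f}")
    print(small_demo())
```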
C. Tokens
A token is a device that can be issued to a user for use in the authentication process
(Wettern, 2004). Tokens are often small handheld devices, with or without keypads,
which range in size from a credit card to a small pocket calculator. One increasingly
common type of token is a smart card, which is a card the size of a credit card that
has a small computer chip in it. For example, one common token system is
synchronized with a server: every minute the number shown on the device changes in
step with the number held on the server. For a user to authenticate, he must type in
the number on the display, which must match the number on the server. SecurID,
manufactured by RSA Security, is one of the most commonly used token-based
authentication products. The goal is to have an adaptive authentication framework
that can authenticate a user using a variety of authentication tokens and protocols.
These various authentication tokens and protocols provide different levels of
assurance in identifying a user. Access privileges granted to the user should be linked
to the assurance level of the authentication token/protocol used in the particular
authentication instance. Such a linkage is necessary for the provision of fine-grained
access control and privilege allocation in environments in which the same or different
applications may have dissimilar authentication requirements, as dictated by varying
levels of resource sensitivity and access mode towards different groups of users. For
example, services such as e-journal subscription or e-learning services may have a
relatively low sensitivity level and therefore can be accessible to everybody who can
be identified by the IP address of his/her machine (Zhang, 2006). As another example,
tutors/examiners may need to use a stronger form of authentication than that used
by students in order to access, say, exam papers, as the former bear more
responsibility with regard to the confidentiality and integrity of the data resource.
Similarly, in a health Grid context, electronic patient records (EPRs) and electronic
health records (EHRs) are shared among GPs, clinicians, and clinical and biomedical
researchers across different institutions and organizations. EPRs/EHRs have high
levels of privacy requirements for legal and ethical reasons. Therefore, it is usually
expected that EPRs/EHRs are de-personalized, with sensitive information that could
be used to identify the owner of a record removed, before being released to entities
outside hospital premises or before researchers are allowed to access them (Haken,
2004). Password-based authentication methods may be sufficient to identify
researchers accessing these de-personalized records. However, the suppliers of the
records, e.g. GPs and hospitals, should use a stronger form of authenticator when
uploading new records into the de-personalized data repository, due to privacy and
accountability concerns. Therefore, there is clearly a need for a fine-grained
access-control framework to satisfy these complex access-control requirements, and
one important element of the access-control decision making is the authentication
strength of the authenticator used by the user. Although tokens offer reliable security,
they can be costly and difficult to deploy in an enterprise environment.
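The time-synchronized token described above (a number that changes every minute and must match the number on the server), as an added example that is not part of the original paper or of any RSA product. It assumes the token and the server share a secret provisioned at enrollment and derive the number with the HMAC-based scheme of RFC 4226/6238; the secret, the times and the drift window are constructed.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60  # the paper's token shows a new number every minute


def token_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """The number a time-synchronised token displays at unix_time.
    Token and server both derive it from the shared secret provisioned at
    enrollment and the current time step, which is what keeps the two in sync.
    Construction: HMAC-SHA1 over the big-endian step counter with dynamic
    truncation, i.e. the RFC 4226/6238 scheme (assumption: the paper names no
    algorithm for the product it describes)."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


class TokenServer:
    """Server side: holds each user's token secret and checks submitted numbers."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps  # tolerate clocks this many steps apart
        self.secrets = {}               # user -> shared secret
        self.last_counter = {}          # user -> newest step already accepted

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.last_counter[user] = -1

    def verify(self, user: str, submitted: str, now: int = None) -> bool:
        """Accept the number if it matches the server's value for the current step
        or a neighbouring one (clock drift) and that step has not been used yet,
        so a number observed once cannot be submitted a second time."""
        if user not in self.secrets:
            return False
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = current + delta
            if counter <= self.last_counter[user]:
                continue  # this step was already consumed: replay
            expected = token_code(self.secrets[user], counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-a-real-seed"
    server = TokenServer()
    server.enroll("alice", secret)
    now = 1_000_000
    code = token_code(secret, now)  # what alice reads off her token
    print("first use:", server.verify("alice", code, now))
    print("same number again:", server.verify("alice", code, now + 5))
```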
Two-factor Authentication
Two-factor authentication is an approach to authentication which requires the
presentation of two different kinds of evidence that someone is who they say they
are. It is a part of the broader family of multi-factor authentication, which is a defense-
in-depth approach to security (Wikipedia, 2010). An example is a combination of:
Something you have, such as a token
Something you are, such as a fingerprint
Two-factor authentication methods are grouped into two categories: token-based, such
as memory or smart tokens; and ID-based, such as biometrics. These authentication
factors have different strengths, providing different levels of assurance (LoA) in
identifying a user. For example, a smart token equipped with a cryptographic key
because the former is normally easier to guess. Although biometrics are more difficult
to forge, alone they cannot be used for remote electronic authentication due to the
lack of secrets. To achieve a higher LoA, two or more authentication factors can be
combined to identify a user. A smart token locked with a fingerprint or a personal
identification number (PIN), which is a two-factor authenticator, is a better choice than
an unlocked token alone, which is more susceptible to theft or loss.
Table I. Authenticators and their levels of assurance

Authenticators              Level 1   Level 2   Level 3   Level 4
Hard token                     X         X         X         X
Soft token                     X         X         X
One-time password device       X         X         X
Strong passwords               X         X
Passwords and PINs             X

Table II. Authentication protocols and their levels of assurance

Authentication protocols                               Level 1   Level 2   Level 3   Level 4
Private key proof-of-possession protocol                  X         X         X         X
Symmetric key proof-of-possession protocol                X         X         X
Zero-knowledge password protocol                          X         X
Tunneled password protocol (e.g. password over SSL)       X         X
Challenge-response password protocol                      X
Authenticators and their associated LoAs have been classified into four levels in a
specification published by NIST (the U.S. National Institute of Standards and
Technology), according to the likely consequences of an authentication error when
using each of them. As shown in Table I, Level 1 authenticators have the lowest LoA,
whilst Level 4 authenticators have the highest. To compromise a Level 4 authenticator,
say a smart card token locked with a PIN, the perpetrator would first have to obtain the
card and then work out the PIN. It therefore provides a higher LoA than a soft token
such as a cryptographic key stored in a file. The system is aimed at integrating all of
the authenticators shown in Table I and the protocols from Table II.
Multi-factor Authentication
Multi-factor authentication, sometimes called strong authentication, is an extension of
two-factor authentication. This is the defense-in-depth approach of "security in layers"
applied to authentication. While two-factor authentication involves exactly two factors,
multi-factor authentication involves two or more factors. Thus, every two-factor
authentication is a multi-factor authentication, but not vice versa (Wikipedia, 2010). RSA
provides seamless migration from passwords to multi-factor authentication. According to
the RSA website, RSA Authentication Manager Express delivers a seamless, strong
authentication solution for users through risk-based authentication, providing invisible,
behind-the-scenes protection of web-based resources (SSL VPNs and web
applications) against unauthorized access. Users continue to use their standard
username and password, while the RSA Risk Engine evaluates dozens of factors
associated with the authentication in each of the three categories below.
Multi-factor authentication most often combines two of the following three elements to
establish identity:
• Something you know, such as a PIN
• Something you have, such as an ATM card
• Something you are, a biometric characteristic such as a fingerprint or a voiceprint
Password-based or PIN authentication, biometrics such as fingerprints, and tokens or
ATM cards all have their respective advantages and disadvantages. One thing they
have in common is that a dedicated attacker can circumvent any of these
authentication methods. Authentication methods that depend on more than one factor
are more difficult to compromise than single-factor methods. Accordingly, properly
designed and implemented multifactor authentication methods are more reliable and
stronger fraud deterrents. For example, the use of a logon ID/password is single-factor
authentication (i.e., something the user knows), whereas an ATM transaction requires
multifactor authentication: something the user possesses (i.e., the card) combined with
something the user knows (i.e., the PIN). A multifactor authentication methodology may
also include controls for risk mitigation. The success of a particular authentication
method depends on more than the technology. It also depends on appropriate policies,
procedures, and controls. An effective authentication method should have customer
acceptance, reliable performance, scalability to accommodate growth, and
interoperability with existing systems and future plans.
Authorization
Authorization, by contrast, is the mechanism by which a system determines what level
of access a particular authenticated user should have to secured resources controlled
by the system. For example, a database management system might be designed so as
to provide certain specified individuals with the ability to retrieve information from a
database but not the ability to change data stored in the database, while giving other
individuals the ability to change data. Authorization systems provide answers to the
questions:
• Is user X authorized to access resource R?
• Is user X authorized to perform operation P?
• Is user X authorized to perform operation P on resource R?
Authentication and authorization are somewhat tightly-coupled mechanisms --
authorization systems depend on secure authentication systems to ensure that users
are who they claim to be and thus prevent unauthorized users from gaining access to
secured resources. RSA Authentication Manager Express delivers strong, multi-factor
authentication optimized for the unique security, convenience and budget requirements
of your organization. A stronger and more secure alternative to password-only
protection, RSA Authentication Manager Express helps organizations to extend
anytime, anywhere access confidently to remote employees, partners, contractors and
clients. It delivers strong authentication that can be tailored to an organization’s
resource constraints, risk tolerance and user profile (RSA Authentication, 2011).
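The linkage between access privileges and the LoA of the authentication instance (Tokens section, Tables I and II), combined with the authorization questions listed above, as an added example that is not part of the original paper. The role assignments, the minimum LoA per resource and operation, and the rule for combining factors with the protocol are constructed assumptions; the LoA values themselves are read from Tables I and II.

```python
from dataclasses import dataclass
from typing import Tuple

# Table I: the highest level of assurance each authenticator can support.
AUTHENTICATOR_LOA = {
    "hard token": 4,
    "soft token": 3,
    "one-time password device": 3,
    "strong password": 2,
    "password or PIN": 1,
}

# Table II: the highest level of assurance each authentication protocol can support.
PROTOCOL_LOA = {
    "private key proof-of-possession": 4,
    "symmetric key proof-of-possession": 3,
    "zero-knowledge password": 2,
    "tunneled password": 2,       # e.g. password over SSL
    "challenge-response password": 1,
}

# Constructed policy following the paper's examples: e-journals are low
# sensitivity, exam papers demand more of tutors than of students, and
# uploading records needs a stronger authenticator than reading de-personalised ones.
REQUIRED_LOA = {
    ("e-journal", "read"): 1,
    ("exam-papers", "read"): 3,
    ("depersonalised-records", "read"): 2,
    ("depersonalised-records", "upload"): 4,
}

# Constructed entitlements: which (resource, operation) pairs each role may use.
ROLE_PERMISSIONS = {
    "student": {("e-journal", "read")},
    "tutor": {("e-journal", "read"), ("exam-papers", "read")},
    "researcher": {("depersonalised-records", "read")},
    "gp": {("depersonalised-records", "read"), ("depersonalised-records", "upload")},
}
USER_ROLES = {"alice": {"student"}, "bob": {"tutor"}, "carol": {"researcher"}, "dan": {"gp"}}


@dataclass(frozen=True)
class AuthenticationInstance:
    """One completed authentication: who, with which factor(s), over which protocol."""
    user: str
    authenticators: Tuple[str, ...]
    protocol: str


def achieved_loa(instance: AuthenticationInstance) -> int:
    """LoA of an authentication instance. Assumption: the strongest factor used sets
    the authenticator level, and the protocol caps it (a hard token presented over a
    Level 1 protocol still only yields Level 1)."""
    factor_loa = max(AUTHENTICATOR_LOA[a] for a in instance.authenticators)
    return min(factor_loa, PROTOCOL_LOA[instance.protocol])


def authorize(user: str, instance: AuthenticationInstance,
              resource: str, operation: str) -> Tuple[bool, str]:
    """Answer 'is user X authorized to perform operation P on resource R?'.
    Two independent conditions must hold: the user's role permits the operation
    on the resource, and the LoA of this authentication instance meets the
    minimum the resource/operation demands. Unknown resources are denied."""
    if instance.user != user:
        return False, "authentication instance belongs to a different user"
    roles = USER_ROLES.get(user, ())
    if not any((resource, operation) in ROLE_PERMISSIONS[r] for r in roles):
        return False, f"role of {user} does not permit {operation} on {resource}"
    required = REQUIRED_LOA.get((resource, operation))
    if required is None:
        return False, "no policy for this resource/operation, deny by default"
    loa = achieved_loa(instance)
    if loa < required:
        return False, f"LoA {loa} is below the required {required}; re-authenticate with a stronger authenticator"
    return True, f"LoA {loa} meets the required {required}"


if __name__ == "__main__":
    pin_locked_card = AuthenticationInstance("dan", ("hard token", "password or PIN"),
                                             "private key proof-of-possession")
    password_only = AuthenticationInstance("dan", ("strong password",), "tunneled password")
    for inst in (pin_locked_card, password_only):
        print(inst.authenticators, authorize("dan", inst, "depersonalised-records", "upload"))
```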
Summary
Strong authentication is a must before any authorization can happen. Organizations are
providing their services through electronic means in a rapidly developing digital world,
but such services are usually accessible only to those who have the required privileges.
In order to authorize a person, a group, or even software to access a service, the
recipients must first be authenticated, i.e. their identities must be verified before allowing
them access according to their assigned privileges (Almagwashi & Gray, 2009).
References
Almagwashi, H. & Gray, A. (2009, January 1). E-Government Authentication Frameworks: A
gap analysis. Retrieved October 1, 2011 from
http://ehis.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?vid=4&hid=23&sid=036aa1d8-576f-40f5-979d-20fc6d4c48e0%40sessionmgr11
Bishop, M. (2003). Computer security: Art and science. Pearson Education.
Chen, T. & Walsh, P. J. (2009). Guarding against network intrusions. In J. R. Vacca (Ed.),
Computer and information security (p. 59). Burlington, MA: Morgan Kaufmann.
Ciampa, M. (2008). CompTIA Security+. Boston, MA: Course Technology.
Dempsey, K., Chawla, N. S., Johnson, A., Jones, A. C., Orebaugh, A., Scholl, M., & Stine, K.
(2011). Information security continuous monitoring (ISCM) for federal information
systems and organizations. National Institute of Standards and Technology (NIST),
U.S. Department of Commerce. Retrieved October 1, 2011 from
http://csrc.nist.gov/publications/PubsSPs.html
Dunn, J. S., & Podio, F. L. (2008). Biometric Authentication Technology: From the Movies to
Your Desktop. Retrieved from National Institute of Standards and Technology web site:
http://www.nist.gov
Federal Financial Institutions Examination Council (2001). Authentication in an Electronic
Banking Environment. Retrieved from
http://www.ffiec.gov/pdf/authentication_guidance.pdf
Harris, S. (2002). All-In-One CISSP Certification Exam Guide. McGraw-Hill/Osborne.
Helken, H. (2004, August). De-identification framework. White paper, IBM Haifa Labs, Israel.
Retrieved from Library Computer Science database.
RSA Authentication (2011). RSA Authentication Manager Express. Retrieved October 2,
2011 from http://www.rsa.com/products/AMX/ds/11241_h9006-amx-ds-0711.pdf
Unknown Author (2011). Authentication versus Authorization. Retrieved from
http://www.duke.edu/~rob/kerberos/authvauth.html
Wettern, J. (2005). Security+ certification. Academic Learning Series. Redmond, WA:
McGraw-Hill.
Wikipedia (2010). Multi-factor Authentication. Retrieved from
http://en.wikipedia.org/wiki/Multi-factor_authentication#References
Zhang, N. C., Goble, C., Rector, A., & Chadwick, D. (2006, October). Achieving Fine-grained
Access Control in Virtual Organizations. Concurrency and Computation: Practice and
Experience, 19, 1333-1352. Retrieved from Wiley InterScience
(www.interscience.wiley.com). DOI: 10.1002/cpe.1099.

An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication IJMER
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET Journal
 
MACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PREMISES
MACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PREMISESMACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PREMISES
MACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PREMISESIRJET Journal
 
Behavioural biometrics and cognitive security authentication comparison study
Behavioural biometrics and cognitive security authentication comparison studyBehavioural biometrics and cognitive security authentication comparison study
Behavioural biometrics and cognitive security authentication comparison studyacijjournal
 
AnevaluationofsecurestorageofauthenticationdataIJISR.pdf
AnevaluationofsecurestorageofauthenticationdataIJISR.pdfAnevaluationofsecurestorageofauthenticationdataIJISR.pdf
AnevaluationofsecurestorageofauthenticationdataIJISR.pdftonkung6
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methodslapao2014
 
IRJET- Password Management Kit for Secure Authentication
IRJET-  	  Password Management Kit for Secure AuthenticationIRJET-  	  Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure AuthenticationIRJET Journal
 
IRJET - Human Identification using Major and Minor Finger Knuckle Pattern
IRJET -  	  Human Identification using Major and Minor Finger Knuckle PatternIRJET -  	  Human Identification using Major and Minor Finger Knuckle Pattern
IRJET - Human Identification using Major and Minor Finger Knuckle PatternIRJET Journal
 
IRJET- Human Identification using Major and Minor Finger Knuckle Pattern
IRJET- Human Identification using Major and Minor Finger Knuckle PatternIRJET- Human Identification using Major and Minor Finger Knuckle Pattern
IRJET- Human Identification using Major and Minor Finger Knuckle PatternIRJET Journal
 

Similar a Two-factor authentication- A sample writing _Zaman (20)

Class paper final
Class paper finalClass paper final
Class paper final
 
Addressing Insider Threat using "Where You Are" as Fourth Factor Authentication
Addressing Insider Threat using "Where You Are" as Fourth Factor AuthenticationAddressing Insider Threat using "Where You Are" as Fourth Factor Authentication
Addressing Insider Threat using "Where You Are" as Fourth Factor Authentication
 
Three Step Multifactor Authentication Systems for Modern Security
Three Step Multifactor Authentication Systems for Modern SecurityThree Step Multifactor Authentication Systems for Modern Security
Three Step Multifactor Authentication Systems for Modern Security
 
C02
C02C02
C02
 
IMPLEMENTATION PAPER ON MACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PRE...
IMPLEMENTATION PAPER ON MACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PRE...IMPLEMENTATION PAPER ON MACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PRE...
IMPLEMENTATION PAPER ON MACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PRE...
 
Biometric Authentication Technology - Report
Biometric Authentication Technology - ReportBiometric Authentication Technology - Report
Biometric Authentication Technology - Report
 
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
DS-NIZKP: A ZKP-based Strong Authentication using Digital Signature for Distr...
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication Protocol
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
 
MACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PREMISES
MACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PREMISESMACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PREMISES
MACHINE LEARNING BASED SECURITY SYSTEM FOR OFFICE PREMISES
 
13_2
13_213_2
13_2
 
Biometrics security
Biometrics securityBiometrics security
Biometrics security
 
Behavioural biometrics and cognitive security authentication comparison study
Behavioural biometrics and cognitive security authentication comparison studyBehavioural biometrics and cognitive security authentication comparison study
Behavioural biometrics and cognitive security authentication comparison study
 
AnevaluationofsecurestorageofauthenticationdataIJISR.pdf
AnevaluationofsecurestorageofauthenticationdataIJISR.pdfAnevaluationofsecurestorageofauthenticationdataIJISR.pdf
AnevaluationofsecurestorageofauthenticationdataIJISR.pdf
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
 
IRJET- Password Management Kit for Secure Authentication
IRJET-  	  Password Management Kit for Secure AuthenticationIRJET-  	  Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure Authentication
 
IRJET - Human Identification using Major and Minor Finger Knuckle Pattern
IRJET -  	  Human Identification using Major and Minor Finger Knuckle PatternIRJET -  	  Human Identification using Major and Minor Finger Knuckle Pattern
IRJET - Human Identification using Major and Minor Finger Knuckle Pattern
 
IRJET- Human Identification using Major and Minor Finger Knuckle Pattern
IRJET- Human Identification using Major and Minor Finger Knuckle PatternIRJET- Human Identification using Major and Minor Finger Knuckle Pattern
IRJET- Human Identification using Major and Minor Finger Knuckle Pattern
 
120 i143
120 i143120 i143
120 i143
 

Two-factor authentication- A sample writing _Zaman

"Authentication", "Two-factor Authentication", "Multifactor Authentication" and "Authorization"

By Asad Zaman
Sales Engineer - Candidate
Cellphone: 443 929 5793
Table of Contents

Introduction
Authentication
  A. Password
  B. Biometrics
  C. Token
Two-factor Authentication
Multi-factor Authentication
Authorization
Summary
References

Figures & Tables

Figure 1: A sample of the biometric trait captured
Table 1: Authenticators and their Levels of Assurance
Table 2: Authentication Protocols and Levels of Assurance
Introduction

Authentication is the process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system (Dempsey, et al., 2011). Authentication is typically based on one or more of the following factors (Vacca, 2009, pp. 59, 67, 87, 568):
a. Something the user knows, such as a password or PIN;
b. Something the user has, such as a smart card or token;
c. Something personal about the user, such as a fingerprint, retinal pattern, or other biometric identifier.

Use of a single factor, such as a password only, is considered weak authentication. A combination of two factors, such as a password and a smart card, is considered strong authentication. Although two factors is one type of multifactor authentication, multifactor authentication for stronger security sometimes means more than two factors, such as a combination of a password, a smart card or token, and a biometric factor. Strong authentication can also be implemented using Public Key Infrastructure (PKI), especially for Web sites. Authorization is the process of enforcing policies: determining what types of activities, resources, or services an authenticated user is permitted. Authorization is applied to put up safeguards against unlawful access.
Authentication

Vulnerabilities in authentication continue to be one of the primary targets of attackers. Security personnel can work hard to ensure that the latest patches are applied to systems and that firewalls are running at peak efficiency, but when it comes to authentication, strong security is sometimes harder to achieve. This is because end users often compromise authentication by creating weak passwords or writing them down. Because users now have multiple passwords, they often write them down, exposing the passwords to others. Nevertheless, authentication is becoming stronger: new technologies are being implemented that make it difficult for attackers to steal users' credentials and impersonate them.

Industry regulations and typical corporate policies require that IT, security and compliance groups create audit trails of all activity on the network. Knowing the IP address of the access device isn't enough to definitively identify the behavior of a specific user: anyone could be using the device associated with a given address if they discover the valid user's username/password.

According to the CompTIA Security+ book, "Authentication access control is the process by which resources or services are granted or denied. There are four basic steps: Identification is the presentation of credentials or identification, typically performed when logging on to a system. Authentication is the verification of the credentials to ensure that they are genuine and not fabricated. Authorization is granting permission for admittance. Access is the right to use specific resources."

Another way to view authentication is as one of three elements in security:
Authentication - Something you know, such as a password
Authorization - Something you have, such as a token
Accounting - Something you are, such as a fingerprint or a voiceprint
These three elements help control access to network resources, enforce security policies, and audit usage.

Authentication credentials

A. Password

Passwords are used in many ways to protect data, systems, and networks. For example, passwords are used to authenticate users of operating systems and of applications such as email and remote access. Passwords are also used to protect files and other stored information, such as password-protecting a single compressed file, a cryptographic key, or an encrypted hard drive. A comprehensive password management policy should be provided to all employees; password management is the process of defining, implementing, maintaining and monitoring password enforcement policies. Effective password management reduces the risk of compromise of password-based authentication systems. We need to protect the confidentiality, integrity, and availability (CIA) of passwords so that all authorized users, and no unauthorized users, can use passwords successfully as needed. Integrity and availability should be ensured by typical data security controls, such as using access control lists to prevent attackers from overwriting passwords and keeping secured backups of password files. Ensuring the confidentiality of passwords is considerably more challenging and involves a number of security controls along with decisions about the characteristics of the passwords themselves. For example, requiring that passwords be long and complex makes it less likely that attackers will guess or crack them, but it also makes the passwords harder for users to remember, and thus more likely to be stored insecurely. An authentication policy governs password construction, expiration, privacy, reset, reuse, and lifetime. An example of a password construction rule: all passwords must be 8-16 characters long, with at least one number, one symbol, and one capital letter. Such a rule increases the likelihood that users will store their passwords insecurely and expose them to attackers.

B. Biometrics

Biometrics (or biometric authentication) consists of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In computer science in particular, biometrics is used as a form of identity access management and access control. It is also used to identify individuals in groups that are under surveillance (Wikipedia 2010). This technology is an automated method of identifying a person based on a physical characteristic, for example a thumbprint or retina pattern. Biometric authentication requires comparing a registered or enrolled biometric sample (the biometric template or identifier) against a newly captured biometric sample (for example, a fingerprint captured during a login).
During enrollment, as shown in Figure 1, a sample of the biometric trait is captured, processed by a computer, and stored for later comparison. Biometric recognition can be used in identification mode, where the biometric system identifies a person from the entire enrolled population by searching a database for a match based solely on the biometric. For example, an entire database can be searched to verify that a person has not applied for entitlement benefits under two different names. This is sometimes called "one-to-many" matching. A system can also be used in verification mode, where the biometric system authenticates a person's claimed identity against their previously enrolled pattern. This is also called "one-to-one" matching. In most computer access or network access environments, verification mode would be used: a user enters an account or user name, or inserts a token such as a smart card, but instead of entering a password, a simple touch with a finger or a glance at a camera is enough to authenticate the user.

Figure 1: A sample of the biometric trait is captured. Enrollment: Present Biometric -> Capture -> Process -> Store. Verification: Present Biometric -> Capture -> Process -> Compare -> Match / No match.

The biometric authentication mechanism typically comprises two types: physical (standard) biometrics and behavioral biometrics (Wettern, 2005).

(1) Physical biometrics uses a person's unique physical characteristics for authentication, in other words what he or she is. Examples include, but are not limited to, fingerprint, face recognition, DNA, palm print, hand geometry, iris recognition (which has largely replaced retina scanning), and odor/scent. There are two types of fingerprint scanners:
i) A static fingerprint scanner requires the user to place his entire thumb or finger on a small oval window on the scanner.
ii) Dynamic fingerprint scanners work on the same principle as the stud finders that carpenters use to locate wood studs behind drywall.

(2) Behavioral biometrics is related to the behavior of a person. It has been developed to address the issues and concerns with physical/standard biometrics. Examples are typing rhythm, voice recognition, and computer foot-printing.

Below is a brief discussion of some of the considerations, not an exhaustive list, that need to be examined before implementing a biometric authentication method:
a) Performance and reliability - Biometric readers are not always foolproof and can reject authorized users (false negatives) or accept unauthorized users (false positives).
b) Privacy and discrimination - It is possible that data obtained during biometric enrollment may be used in ways for which the enrolled individual has not consented. For example, biometric security that utilizes an employee's DNA profile could also be used to screen for various genetic diseases or other 'undesirable' traits (Wikipedia 2010).
c) Cost - Biometric readers (hardware scanning devices) must be installed at each location or PC where authentication is required.
d) Availability - Biometric authentication will not work for a remote computer on a dial-up connection, and a biometric device may not be available on every computer in the organization.

C. Tokens

A token is a device that can be issued to a user for use in the authentication process (Wettern, 2004). Tokens are often small handheld devices, with or without keypads, which range in size from a credit card to a small pocket calculator. One increasingly common type of token is a smart card, a card the size of a credit card that has a small computer chip in it. For example, one common token system is synchronized with a server: each minute, the numbers on the server and on the device change in step. For a user to authenticate, he must type in the number on the display, which must match the number on the server for the user to be authenticated. SecurID, manufactured by RSA Security, is one of the most commonly used token-based authentication products.

The goal is an adaptive authentication framework that can authenticate a user using a variety of authentication tokens and protocols. These various tokens and protocols provide different levels of assurance in identifying a user. Access privileges granted to the user should be linked to the assurance level of the authentication token/protocol used in the particular authentication instance. Such a linkage is necessary for fine-grained access control and privilege allocation in environments in which the same or different applications may have dissimilar authentication requirements, as dictated by varying levels of resource sensitivity and access mode towards different groups of users. For example, services such as e-journal subscriptions or e-learning services may have a relatively low sensitivity level and therefore can be accessible to everybody who can be identified by the IP address of his/her machine (Zhang, 2006). Tutors/examiners, on the other hand, may need to use a stronger form of authentication than students in order to access, say, exam papers, as the former bear more responsibility with regard to the confidentiality and integrity of the data resource. Similarly, in a health Grid context, electronic patient records (EPRs) and electronic health records (EHRs) are shared among GPs, clinicians, and clinical and biomedical researchers across different institutions and organizations. EPRs/EHRs have high privacy requirements for legal and ethical reasons. Therefore, it is usually expected that EPRs/EHRs are de-personalized, with sensitive information that could identify the owner of a record removed, before being released to entities outside hospital premises or before researchers are allowed to access them (Haken, 2004). Password-based authentication methods may be sufficient to identify researchers accessing these de-personalized records. However, the suppliers of the records, e.g. GPs and hospitals, should use a stronger form of authenticator when uploading new records into the de-personalized data repository, due to privacy and accountability concerns. There is therefore clearly a need for a fine-grained access-control framework to satisfy these complex access-control requirements, and one important element of the access-control decision is the authentication strength of the authenticator used by the user. Although tokens offer reliable security, they can be costly and difficult to deploy in an enterprise environment.

Two-factor Authentication
Two-factor authentication is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are. It is part of the broader family of multi-factor authentication, which is a defense-in-depth approach to security (Wikipedia, 2010). A combination of:
Something you have, such as a token
Something you are, such as a fingerprint.

Two-factor authenticators are grouped into two categories: token-based, such as memory or smart tokens; and ID-based, such as biometrics. These authentication factors have different strengths, providing different levels of assurance (LoA) in identifying a user. For example, a password provides a lower LoA than a smart token equipped with a cryptographic key, because the former is normally easier to guess. Although biometrics are more difficult to forge, alone they cannot be used for remote electronic authentication due to the lack of secrets. To achieve a higher LoA, two or more authentication factors can be combined to identify a user. A smart token locked with a fingerprint or a personal identification number (PIN), which is a two-factor authenticator, is a better choice than an unlocked token alone, as the latter is more susceptible to theft or loss.

Table I. Authenticators and their levels of assurance

Authenticators                Level 1   Level 2   Level 3   Level 4
Hard token                       X         X         X         X
Soft token                       X         X         X
One-time password device         X         X         X
Strong passwords                 X         X
Passwords and PINs               X

Table II. Authentication protocols and their levels of assurance

Authentication protocols                               Level 1   Level 2   Level 3   Level 4
Private key proof-of-possession protocol                  X         X         X         X
Symmetric key proof-of-possession protocol                X         X         X
Zero-knowledge password protocol                          X         X
Tunneled password protocol (e.g. password over SSL)       X         X
Challenge-response password protocol                      X

Authenticators and their associated LoAs have been classified into four levels in a specification published by NIST (the U.S. National Institute of Standards and Technology), according to the likely consequences of an authentication error when using each of them. As shown in Table I, Level 1 authenticators have the lowest LoA, whilst Level 4 authenticators have the highest. To compromise a Level 4 authenticator, say a smart card token locked with a PIN, the perpetrator would first have to obtain the card and then work out the PIN. It therefore provides a higher LoA than a soft token such as a cryptographic key stored in a file. The system is aimed at integrating all of the authenticators shown in Table I and the protocols from Table II.
Multi-factor Authentication

Multi-factor authentication, sometimes called strong authentication, is an extension of two-factor authentication. It is the defense-in-depth approach of "security in layers" applied to authentication. While two-factor authentication involves exactly two factors, multi-factor authentication involves two or more factors. Thus, every two-factor authentication is a multi-factor authentication, but not vice versa (Wikipedia, 2010).

RSA provides seamless migration from passwords to multi-factor authentication. According to the RSA website, RSA Authentication Manager Express delivers a seamless, strong authentication solution for users through risk-based authentication, providing invisible, behind-the-scenes protection of web-based resources (SSL VPNs and web applications) against unauthorized access. Users continue to use their standard username and password, while the RSA Risk Engine evaluates dozens of factors associated with the authentication in each of the three categories below.

Multi-factor authentication most often combines two of the following three elements to establish identity:
• Something you know, such as a PIN
• Something you have, such as an ATM card
• Something you are, a biometric characteristic such as a fingerprint or a voiceprint

Password-based or PIN authentication, fingerprint biometrics, and tokens or ATM cards all have their respective advantages and disadvantages. One thing they have in common is that a dedicated attacker can circumvent any of these authentication methods. Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows), whereas an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., the PIN). A multifactor authentication methodology may also include controls for risk mitigation.

The success of a particular authentication method depends on more than the technology. It also depends on appropriate policies, procedures, and controls. An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.

Authorization

Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:
• Is user X authorized to access resource R?
• Is user X authorized to perform operation P?
• Is user X authorized to perform operation P on resource R?
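As an added example (not code from the paper or from any product it names), the following Python sketch ties the preceding sections together: a salted password check (something the user knows), a server-synchronized one-time code that changes every minute as described for SecurID-style tokens (something the user has), a level of assurance derived from which factors verified, in the spirit of Table I, and an authorization check that asks whether a user authenticated at that level may access resource R. The user record, token seed, resource names and minimum-LoA policy are all constructed for the illustration.

```python
"""Two-factor verification with a level-of-assurance (LoA) gate.

Added illustration, not the paper's own code.  Factors: a salted
password hash (something you know) and a time-synchronised token code
that changes every minute (something you have).  The LoA mapping and
the resource policy are constructed to mirror the paper's discussion.
"""
import hashlib
import hmac
import os
import struct

TOKEN_STEP_SECONDS = 60   # server and device move to a new number each minute
DRIFT_STEPS = 1           # tolerate one interval of clock skew either way
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). Only the salted digest is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def token_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """Dynamic truncation of HMAC-SHA1 over the interval counter (RFC 4226 style)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_token(seed: bytes, presented: str, now: float) -> bool:
    """Accept the code for the current minute or its immediate neighbours."""
    counter = int(now // TOKEN_STEP_SECONDS)
    return any(
        hmac.compare_digest(token_code(seed, counter + d), presented)
        for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1)
    )


def assurance_level(password_ok: bool, token_ok: bool) -> int:
    """Constructed LoA mapping in the spirit of Table I (higher is stronger)."""
    if password_ok and token_ok:
        return 4   # hard token locked with a secret: both factors verified
    if token_ok:
        return 3   # unlocked hard token: susceptible to theft or loss
    if password_ok:
        return 2   # strong password only
    return 0       # not authenticated


# Constructed policy: minimum LoA required per resource, following the paper's examples.
RESOURCE_MIN_LOA = {"e-journal": 1, "exam-papers": 3, "patient-records": 4}


def make_user(password: str, seed: bytes) -> dict:
    """Enrolment: store the salted hash and the token seed (constructed record)."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "seed": seed}


def authenticate(user: dict, password: str, code: str, now: float) -> int:
    """Verify both factors independently and return the resulting LoA."""
    password_ok = verify_password(password, user["salt"], user["pw_hash"])
    token_ok = verify_token(user["seed"], code, now)
    return assurance_level(password_ok, token_ok)


def authorize(loa: int, resource: str) -> bool:
    """Is a user authenticated at `loa` permitted to access `resource`?"""
    return loa >= RESOURCE_MIN_LOA.get(resource, 5)   # unknown resource: deny


if __name__ == "__main__":
    seed = b"constructed-seed-not-a-real-secret"
    user = make_user("Tr0ub4dor!", seed)
    now = 1_700_000_000.0                         # fixed clock for reproducibility
    code = token_code(seed, int(now // TOKEN_STEP_SECONDS))
    loa = authenticate(user, "Tr0ub4dor!", code, now)
    print("LoA:", loa, "patient-records allowed:", authorize(loa, "patient-records"))
```

Note that a correct token with a wrong password still yields a lower level than both factors together, which is the "unlocked token" case the paper warns is susceptible to theft or loss.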
Authentication and authorization are somewhat tightly coupled mechanisms: authorization systems depend on secure authentication systems to ensure that users are who they claim to be, and thus prevent unauthorized users from gaining access to secured resources.

RSA Authentication Manager Express delivers strong, multi-factor authentication optimized for the unique security, convenience and budget requirements of your organization. A stronger and more secure alternative to password-only protection, RSA Authentication Manager Express helps organizations to extend anytime, anywhere access confidently to remote employees, partners, contractors and clients. It delivers strong authentication that can be tailored to an organization's resource constraints, risk tolerance and user profile (RSA Authentication, 2011).

Summary

Strong authentication is a must before any authorization can happen. Organizations are providing their services through electronic means in a rapidly developing digital world, but such services are usually accessible only to those who have the required privileges. In order to authorize a person, a group, or even software to access a service, the recipients must first be authenticated, i.e. their identities must be verified before they are allowed access according to their assigned privileges (Almagwashi & Gray, 2009).
References

Almagwashi, H. & Gray, A. (2009, January 1). E-Government Authentication Frameworks: A gap analysis. Retrieved October 1, 2011 from http://ehis.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?vid=4&hid=23&sid=036aa1d8-576f-40f5-979d-20fc6d4c48e0%40sessionmgr11

Bishop, M. (2003). Computer security: Art and science. Pearson Education.

Chen, T. & Walsh, P. J. (2009). Guarding against network intrusions. In J. R. Vacca (Ed.), Computer and information security (p. 59). Burlington, MA: Morgan Kaufmann.

Ciampa, M. (2008). CompTIA Security+. Boston, MA: Course Technology.

Dempsey, K., Chawla, N. S., Johnson, A., Jones, A. C., Orebaugh, A., Scholl, M., & Stine, K. (2011). Information security continuous monitoring (ISCM) for federal information systems and organizations. National Institute of Standards and Technology (NIST), U.S. Department of Commerce. Retrieved October 1, 2011 from http://csrc.nist.gov/publications/PubsSPs.html

Harris, S. (2002). All-In-One CISSP Certification Exam Guide. McGraw-Hill/Osborne.

Dunn, J. S., & Podio, F. L. (2008). Biometric Authentication Technology: From the Movies to Your Desktop. Retrieved from the National Institute of Standards and Technology web site: http://www.nist.gov

Federal Financial Institutions Examination Council (2001). Authentication in an Electronic Banking Environment. Retrieved from http://www.ffiec.gov/pdf/authentication_guidance.pdf

Helken, H. (August 2004). De-identification framework. White paper, IBM Haifa Labs, Israel. Retrieved from Library Computer Science database.

RSA Authentication (2011). RSA Authentication Manager Express. Retrieved October 2, 2011 from http://www.rsa.com/products/AMX/ds/11241_h9006-amx-ds-0711.pdf

Unknown Author (2011). Authentication versus Authorization. Retrieved from http://www.duke.edu/~rob/kerberos/authvauth.html

Zhang, N. C., Goble, C., Rector, A., & Chadwich, D. (Oct 2006). Achieving Fine-grained Access Control in Virtual Organizations. Concurrency and Computation: Practice and Experience, 19:1333–1352. Retrieved from Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/cpe.1099.

Wettern, J. (2005). Security+ certification. Academic Learning Series. Redmond, WA: McGraw-Hill.

Wikipedia (2010). Multi-factor Authentication. Retrieved from http://en.wikipedia.org/wiki/Multi-factor_authentication#References