With the rapid growth of networked systems and applications such as e-commerce, the demand for effective computer security is increasing. Most computer systems are protected through a process of user identification and authentication. While identification is usually non-private information provided by users to identify themselves and can be known by system administrators and other system users, authentication provides secret, private user information which can authenticate their identity. There are various authentication approaches and techniques, from passwords to public keys (Smith, 2002). This article presents the three main authentication approaches, their technology and implementation issues, and the factors to be considered when choosing an authentication method.
Even before computers came along, a variety of distinguishing characteristics were used to authenticate people. Computer systems have applied these characteristics for user authentication. The authentication approaches can be classified into three types according to the distinguishing characteristics they use (Menkus, 1988), as presented in Figure 1:
Classification of authentication methods
What the user knows—knowledge-based authentication (e.g., password, PIN, pass code)
What the user has—possession-based authentication (e.g., memory card and smart card tokens)
What the user is—biometric-based authentication: physiological (e.g., fingerprint) or behavioral (e.g., keyboard dynamics) characteristics
As all these authentication types have benefits and drawbacks, trade-offs need to be made among security, ease of use, and ease of administration. Authentication types can be implemented alone or in combination. To strengthen the authentication process, the use of at least two types is recommended. Multiple layers of different types of authentication provide substantially better protection.Top
The most widely used type of authentication is knowledge-based authentication. Examples of knowledge-based authentication include passwords, pass phrases, or pass sentences (Spector & Ginzberg, 1994), graphical passwords (Thorpe & Van Oorschot, 2004; Wiedenbeck, Waters, Birget, Brodskiy, & Memon, 2005), pass faces (Brostoff & Sasse, 2000) and personal identification numbers (PINs). To verify and authenticate users over an unsecured public network, such as the Internet, digital certificates and digital signatures are used. They are provided using a public key infrastructure (PKI) which consists of a public and a private cryptographic key pair (Adams & Lloyd, 1999).
The traditional, and by far the most widely used, form of authentication based on user knowledge is the password (Zviran & Haga, 1993). Most computer systems are protected through user identification (like user name or user e-mail address) and a password, as shown in Figure 2.
Authentication through user identification and password
A password is conceptually simple for both system designers and end users. It consists of a secret series of characters according to some predefined rules. The user ID and password pair acts as user identification and authentication and serves to block unauthorized access to computing resources. In most systems, it can provide effective protection if used correctly.
Key Terms in this Chapter
Possession-Based Authentication: An authentication based on what the user has, such as memory cards and smart card tokens. Possession-based authentication is also referred to as token-based authentication.
Biometric-Based Authentication: An authentication based on what the user is—unique physiological characteristics such as fingerprints or behavioral characteristics such as keyboard dynamics.
Password: Knowledge-based authentication consisting of a secret series of characters according to predefined rules. It is the most widely used mechanism of authentication.
Identification: The activity of users who supply information to identify themselves, such as name, user name, and user ID.
Knowledge-Based Authentication: An authentication based on what the user knows, such as password, PIN, and pass code.
Question-and-Answer Password: A session in which a user is presented with several randomly selected questions from a set of questions stored in the user’s profile in the operating system. The user’s answers are compared to match with those stored in the profile. The two main types of question-and-answer passwords are cognitive passwords and associative passwords.
Cognitive Password: A question-and-answer password in which the user provides the system with answers to personal, fact-based questions such as the user’s mother’s maiden name, or opinion-based questions such as the user’s favorite type of music.
Associate Password: A question-and-answer password in which the user provides the system with associated responses to rotating cues.
Authentication: Verifying the identity of the user. There are three main approaches to user authentication: knowledge-based, possession-based, and biometric-based.