With the rapid growth of networked systems and applications such as e-commerce, the demand for effective computer security is increasing. Most computer systems are protected through a process of user identification and authentication. Identification is usually non-private information that users provide to identify themselves, and it may be known to system administrators and other system users; authentication, by contrast, relies on secret, private information that only the legitimate user should be able to supply and that therefore confirms the claimed identity. There are various authentication approaches and techniques, from passwords to public keys (Smith, 2002). This article presents the three main authentication approaches, their technology and implementation issues, and the factors to be considered when choosing an authentication method.
Even before computers came along, a variety of distinguishing characteristics were used to authenticate people. Computer systems have applied these characteristics for user authentication. The authentication approaches can be classified into three types according to the distinguishing characteristics they use (Menkus, 1988), as presented in Figure 1:
Figure 1. Classification of authentication methods
What the user knows—knowledge-based authentication (e.g., password, PIN, pass code)
What the user has—possession-based authentication (e.g., memory card and smart card tokens)
What the user is—biometric-based authentication: physiological (e.g., fingerprint) or behavioral (e.g., keyboard dynamics) characteristics
As all these authentication types have benefits and drawbacks, trade-offs need to be made among security, ease of use, and ease of administration. Authentication types can be implemented alone or in combination. To strengthen the authentication process, the use of at least two types is recommended: multiple layers of different types of authentication provide substantially better protection, because compromising one factor (for example, learning a password) is then not enough to gain access.
The most widely used type of authentication is knowledge-based authentication. Examples of knowledge-based authentication include passwords, pass phrases, or pass sentences (Spector & Ginzberg, 1994), graphical passwords (Thorpe & Van Oorschot, 2004; Wiedenbeck, Waters, Birget, Brodskiy, & Memon, 2005), pass faces (Brostoff & Sasse, 2000) and personal identification numbers (PINs). To verify and authenticate users over an unsecured public network, such as the Internet, digital certificates and digital signatures are used. They are provided using a public key infrastructure (PKI) which consists of a public and a private cryptographic key pair (Adams & Lloyd, 1999).
The traditional, and by far the most widely used, form of authentication based on user knowledge is the password (Zviran & Haga, 1993). Most computer systems are protected through user identification (like user name or user e-mail address) and a password, as shown in Figure 2.
Figure 2. Authentication through user identification and password
A password is conceptually simple for both system designers and end users. It consists of a secret series of characters chosen according to some predefined rules. The user ID and password pair serves as user identification and authentication and blocks unauthorized access to computing resources. In most systems it provides effective protection if used correctly, which in practice means that the system never stores the password itself but only a salted, slow hash of it, and that the verification step does not leak whether the user ID exists.
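The following is an added example, not code from the article or from any system it describes, showing how a server-side implementation of the user ID and password scheme in Figure 2 is normally built: a composition rule for the "predefined rules", a per-user random salt with a deliberately slow PBKDF2-HMAC hash so that a stolen credential store cannot be reversed cheaply, and a constant-time verification that behaves the same for unknown user IDs. The in-memory store, the user IDs and the passwords are constructed for the example; the iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor (OWASP password storage guidance, 2023).
ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed credential store: user ID -> (salt, derived key).
# A real system would keep this in a database; it is a dict here only so
# the example runs stand-alone.
CredentialStore = Dict[str, Tuple[bytes, bytes]]


def password_meets_rules(password: str) -> bool:
    """Example composition rule (an assumption for this example):
    at least 12 characters and at least two character classes."""
    if len(password) < 12:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 2


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a key from the password with a fresh random salt (or the
    supplied one when verifying). Returns (salt, derived_key)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def register(store: CredentialStore, user_id: str, password: str) -> None:
    """Enrol a user; the clear-text password is never stored."""
    if not password_meets_rules(password):
        raise ValueError("password does not meet the composition rules")
    store[user_id] = hash_password(password)


# A dummy record used for unknown user IDs so that a failed login costs
# the same time whether or not the ID exists (no username enumeration
# via response timing).
_DUMMY_RECORD = hash_password("dummy-value-never-a-real-password")


def authenticate(store: CredentialStore, user_id: str, password: str) -> bool:
    """Verify a user ID / password pair. Returns True only on a match."""
    salt, stored_key = store.get(user_id, _DUMMY_RECORD)
    _, candidate_key = hash_password(password, salt)
    # compare_digest avoids leaking the position of the first differing byte.
    return user_id in store and hmac.compare_digest(candidate_key, stored_key)


if __name__ == "__main__":
    users: CredentialStore = {}
    register(users, "alice", "correct horse battery 9")
    print("alice/correct  ->", authenticate(users, "alice", "correct horse battery 9"))
    print("alice/wrong    ->", authenticate(users, "alice", "wrong password 123"))
    print("unknown user   ->", authenticate(users, "mallory", "correct horse battery 9"))
```

Two users who choose the same password end up with different stored records because each gets its own salt, so an attacker who obtains the store cannot recognise shared passwords or reuse one precomputed table against all entries; raising `ITERATIONS` is the knob that makes each guess more expensive for an attacker without changing the protocol the user sees.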