Chapter Preview
TopBackground
Information security involves blocking attacks and unauthorized malicious access to a system’s resources and information (Erlich & Zviran, 2010). As mobile devices and smartphones are becoming widely adopted and affect almost every aspect of modern life, the imperative of ensuring organizational and personal data security has become a major challenge. The main goals of information security are confidentiality, integrity, and availability (Solomon & Chapple, 2005). Confidentiality means the assurance that access to information is granted only to users who have rights to access, integrity means the assurance that the data can be modified only by users that are authorized to modify it, and availability means the assurance that computer resources and information are available to authorized users whenever they are needed.
Access control supports both the confidentiality and the integrity goals of computer and information security. There are three main components of access control: identification, authentication and authorization (Zviran & Erlich, 2006). A user is typically equipped with a unique identifier, such as a user name. The process of authentication is used to verify the user’s identity. The two phases of identification and authentication provide reasonable protection against unauthorized access to the computer system.
In choosing an authentication method a number of factors need to be considered: effectiveness, ease of implementation, ease of use and user attitude and acceptance (Furnell, Dowland, Illingworth, & Reynolds, 2000). This article focuses on the various authentication approaches.
The authentication approaches can be classified into three types according to the distinguishing characteristics they use (Menkus, 1988), as presented in Figure 1 (Erlich & Zviran, 2009):
Figure 1. Classification of authentication methods
- •
What the user knows: Knowledge-based authentication (e.g., password, PIN, pass-code).
- •
What the user has: Possession-based authentication (e.g., memory card and smart card tokens).
- •
What the user is: Biometrics-based authentication: physiological (e.g., fingerprints) or behavioral characteristics (e.g., keystroke or tapping dynamics).
Key Terms in this Chapter
Cognitive Passwords: A question-and-answer mechanism in which the user provides the system with answers to personal fact-based questions or opinion-based questions.
Authentication: Verifying the identity of the user. There are three main approaches to user authentication: knowledge-based, possession-based and biometrics-based.
Identification: The activity of users who supply information to identify themselves, such as name, username, and user ID.
Question-and-Answer Password: A session in which a user is presented with several randomly selected questions from a set of questions stored in the user’s profile in the operating system. The user’s answers are compared with those stored in the profile. The two main types of question-and-answer passwords are cognitive and associative passwords.
Password: Knowledge-based authentication mechanism consisting of a secret series of characters according to predefined rules. It is the most widely-used mechanism of authentication.
Possession-Based Authentication: Authentication mechanism based on what the user has, such as memory cards and smart card tokens. Possession-based authentication is also referred to as token-based authentication.
Knowledge-Based Authentication: Authentication mechanism based on what the user knows, such as password, PIN, and pass-code.
Biometrics-Based Authentication: Authentication mechanism based on what the user is: unique physiological characteristics such as fingerprints, or behavioral characteristics such as keyboard dynamics.
Associative Passwords: A question-and-answer mechanism in which the user provides the system with associated responses to rotating cues.