Authentication and Access Control

by Graham Williamson | ASM | May-June 2010

In the third and final instalment in a series of articles on identity management, Graham Williamson addresses methods of authentication, authorisation, and the importance of effective access control.

Three-quarters of all businesses in North America are connected to the internet. In Australia/Oceania, this falls to 60 per cent, and in Europe (East and West combined) it is 50 per cent. There is little doubt that online transactions are increasingly seen as a way to improve business efficiency.

As organisations embrace the use of electronic transactions, their “business velocity” (a term made famous by Bill Gates in his book Business @ the Speed of Thought) increases, and the speed with which they make decisions increases. This phenomenon, along with the greater access to information that the internet affords, improves decision-making within the firm, which in turn decreases costs.

The result is that more organisations transacting business on the internet need to assure themselves that people with whom they are doing business are who they purport to be and can legitimately do business with them. Failure to do this might result in unauthorised ordering of goods, illegal transfer of funds, or malicious alteration of data.

The act of verifying a person’s credentials (identity, qualifications, authorisation level etc.) is called authentication. The core activity of any identity management environment is to provide ‘authentication’ services. Authentication, as the word implies, is the act of verifying a person’s identity as they attempt to access restricted resources. This most commonly refers to the ‘log on’ procedure that users must complete before being granted access to a company’s computing resources.

Authentication is differentiated from ‘authorisation’, which is the act of granting access to a specific computer application, or maybe just one or two features of an application. This is often referred to as ‘access control’, which is a somewhat broader term in that it encompasses physical access to buildings as well as logical access to computer systems. Either way, the user’s credentials are compared against the access control list which determines the level of access a user is entitled to receive.

Authentication, then, is the act of confirming that a user is who they purport to be before granting them access to corporate resources. Once a user is authenticated, authorisation provides access to computer programs (applications) commensurate with the user’s ‘authenticated identity’. This is a critical activity for any organisation but becomes particularly acute for a company with high-security requirements. All companies have security issues; for instance, they do not want external entities to gain access to their price lists, inventory levels or strategic direction statements. Some companies such as pharmaceutical companies, defence-related organisations or companies working in sensitive areas must protect their resources to a higher degree. The higher the security requirement, the higher the cost to implement a mechanism that protects corporate resources. Before an authentication mechanism is put in place, it is a good idea for a risk assessment to be conducted that identifies the degree to which resources need to be protected.

Another word requiring definition is ‘validation’. Typically the validation stage refers to the check of identity source documents as part of an enrolment process. Before gaining access to protected resources, a person must produce identity documents to validate their identity claims. This evidence of identity (EOI) check is an integral part of the validation process.

Validation is undertaken once, whereas authentication occurs whenever the user logs on to the network.

Methods of authentication

By far the most common authentication method is username/password. Approximately 95 per cent of identity management systems use passwords to authenticate users. This leaves but five per cent for all the other mechanisms. This is not surprising, because passwords are usually quite satisfactory for most authentication requirements.

Other methods include:

  • One-time password: in this scenario the user is issued with a hardware token that is synchronised with the organisation’s back-end systems. A display on the token shows a number that changes approximately every minute. When a user logs in they are prompted to enter the current number to substantiate that they are who they purport to be.
  • Challenge response: this method is widely used in password self-service applications. Most organisations now employ a password reset facility that requires a user to establish one or more challenge questions and their responses. When they wish to change their password they are challenged with one or more questions and upon receiving the correct response the system will update their password.
  • Digital certificate: issuing a digital certificate to a user is a multi-step process that requires an EOI check to be completed. The certificate is then created containing the user’s identity details, and it is signed by the issuing organisation. The certificate will be issued on a device such as a smartcard and it will be accompanied by a private key that must be transmitted to the user in a secure manner.
  • Biometrics: another form of authentication which is generally considered more secure uses biometric identification. Popular biometrics are fingerprints, facial image templates or iris scans. Such systems require the installation of hardware that the user can access, and the additional cost must be justified by the requirement for greater security.

Combining authentication methods

One way to increase the security, and therefore protection, that an authentication scheme provides is by combining authentication methods.

As they are combined they provide stronger authentication. Even if a biometric method (considered quite a strong method) is selected on its own, it is still a single-factor authentication scheme.

Authentication mechanisms are categorised as follows:

  • Something you know, such as a password or shared secret
  • Something you have, such as a dongle or smartcard (typically containing a digital certificate and private key)
  • Something you are, such as a fingerprint or facial template (typically stored on a smartcard or similar device).

One-factor authentication

Single-factor authentication mechanisms typically rely on ‘something you know’; this is usually a password. Passwords fall into a category of authentication known as ‘shared secret’ methodology. This is a relatively weak form of authentication because someone might give their password to someone else to allow them to fraudulently access the system in question.

Passwords vary in strength. Many systems require a password to be a combination of letters and numbers and to have at least one case change. Some systems require the use of at least one special character in the password.
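The following is an added example, not code from the article or from the book it is extracted from. It shows the two server-side pieces of the ‘shared secret’ method just described: a check against the composition rules the text lists (letters and digits, a case change, a special character; the minimum length of 8 is an assumption added here), and storage of the secret as a salted, slow PBKDF2 digest so that the system can verify a log-on without ever holding the password itself.

```python
import hashlib
import hmac
import os
import string

# Composition rules taken from the text; the minimum length is an added assumption.
MIN_LENGTH = 8


def check_policy(password: str) -> list:
    """Return the list of rules a candidate password fails (empty list = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        failures.append("needs both letters and digits")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("needs a case change")
    if not any(c in string.punctuation for c in password):
        failures.append("needs a special character")
    return failures


# A shared secret is weak partly because a copy of it is as good as the original.
# The server therefore keeps only a random per-user salt and a deliberately slow
# PBKDF2-HMAC-SHA256 digest, never the password; the iteration count is a constructed value.
ITERATIONS = 200_000


def store_password(password: str) -> dict:
    """Create the record the server keeps for a newly enrolled password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Log-on check: recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    # Constructed sample credentials.
    for pw in ("password", "correct1horse!", "Tr0ub4dor&3"):
        print(repr(pw), "->", check_policy(pw) or "accepted")
    record = store_password("Tr0ub4dor&3")
    print("log-on with right password:", verify_password(record, "Tr0ub4dor&3"))
    print("log-on with wrong password:", verify_password(record, "Tr0ub4dor&4"))
```

Because the salt is random, two users who choose the same password get different records, and a stolen credential store cannot be attacked with a single precomputed table.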

Two-factor authentication

A two-factor authentication mechanism typically relies on ‘something you know’ and ‘something you have’. Users will be required not only to know a password (or PIN) but also to have something such as a security dongle that plugs into the USB port, or a smartcard that must be plugged into a card reader receptacle in order to gain access to the system.

One-time passwords typically fall into this category since they rely on the possession of a hardware device that displays the required password.
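As an added example (not code from the article or the book), here is how the one-time password token described earlier, and used here as the ‘something you have’ factor, is generated and checked. It implements the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms, which are the standard way a token and the back-end system stay synchronised: both derive the displayed number from a shared key and the current 30-second time step, so no number ever travels from the server to the token. The verifier side accepts one step of clock drift either way and refuses to accept a step that has already been used. The 30-second step, the window of 1 and the test key below are assumptions for the demonstration; the key is the RFC 6238 reference value.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per counter step (assumed; the RFC 6238 reference value)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: the token and the server both use the number of elapsed time steps as the counter."""
    return hotp(secret, at // TIME_STEP, digits)


class TotpVerifier:
    """Back-end check for a submitted code.

    Accepts the current step or `window` steps either side to tolerate clock drift,
    and records the highest step accepted so the same code cannot be replayed.
    """

    def __init__(self, secret: bytes, digits: int = 6, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, at: int = None) -> bool:
        at = int(time.time()) if at is None else at
        step = at // TIME_STEP
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # already consumed: a replayed code is rejected
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Shared key from the RFC 6238 test vectors (a published value, not a real credential).
    key = b"12345678901234567890"
    print("token shows at t=59:", totp(key, 59, digits=8))
    verifier = TotpVerifier(key, digits=8)
    print("first use accepted:", verifier.verify(totp(key, 59, digits=8), at=59))
    print("replay accepted:", verifier.verify(totp(key, 59, digits=8), at=59))
```

The token itself never needs a network connection: it only needs the key and a reasonably accurate clock, which is why the text describes it as synchronised with the organisation’s back-end systems rather than communicating with them.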

Three-factor authentication

Three-factor authentication mechanisms require all three: ‘something you know’, ‘something you have’, and ‘something you are’. In this instance a user might be required to carry a smartcard with a biometric feature on it. Typically biometrics are fingerprints or facial templates that carry the unique characteristics of the user’s fingerprint or facial features.

In a typical three-factor authentication system, a user will plug their smartcard into a reader (something they have), type in a PIN (something they know) and have a facial recognition system verify their facial template (something they are).

Access control

Authentication is the basic mechanism for restricting access to a company’s corporate resources. These are typically computer resources but can also include physical access to the company’s buildings or equipment. If someone has been issued a password, digital certificate or other authentication mechanism, they can access resources for which they have been authorised, and they will retain that access until it is rescinded. Identity management is crucial to managing this access and protecting the corporation’s assets.

Authorisation or access control is the raison d’être for most identity management deployments. While there may be some benefit inherent in effectively and efficiently managing the identities within an organisation, it is usually for the purpose of granting access to restricted facilities, both virtual and physical.

Access control, by definition, must be real-time. As a user attempts to gain access to a computer application, the access control system must provide the user credentials to enable the user to gain the appropriate access. For instance, an account clerk might get access to the company’s financial system to allow the entry of a customer transaction. The Finance Manager, however, will require far greater access to be able to create reports and monitor all activity in the system. It is the access control mechanism that will provide this differentiation.
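The clerk and Finance Manager example can be shown in code. The following is an added illustration, not code from the article or the book: a constructed access control list maps roles to the operations they may perform in an application, and access is denied unless some current role grants it. It also shows why the text insists that access control be real-time and, as the conclusion puts it, that access be removed as soon as it is no longer appropriate: a session that copies its permissions at log-on keeps them after a role is revoked, whereas a session that consults the directory on each request loses them immediately. Role names, user names and operations are all constructed.

```python
# Constructed access control list: role -> application -> permitted operations.
ACL = {
    "accounts_clerk": {"finance": {"enter_transaction"}},
    "finance_manager": {"finance": {"enter_transaction", "run_reports", "view_audit_log"}},
}


class Directory:
    """The identity management store: who currently holds which roles."""

    def __init__(self, assignments: dict):
        self._roles = {user: set(roles) for user, roles in assignments.items()}

    def roles_of(self, user: str) -> set:
        return set(self._roles.get(user, ()))

    def revoke(self, user: str, role: str) -> None:
        self._roles.get(user, set()).discard(role)


def permitted(roles, application: str, operation: str) -> bool:
    """Deny by default: allow only if at least one of the roles grants the operation."""
    return any(operation in ACL.get(role, {}).get(application, set()) for role in roles)


class CachedSession:
    """Anti-pattern: permissions are fixed at log-on and never re-checked."""

    def __init__(self, directory: Directory, user: str):
        self.roles = directory.roles_of(user)

    def can(self, application: str, operation: str) -> bool:
        return permitted(self.roles, application, operation)


class RealTimeSession:
    """Access control as the text describes it: the directory is consulted on every request."""

    def __init__(self, directory: Directory, user: str):
        self.directory = directory
        self.user = user

    def can(self, application: str, operation: str) -> bool:
        return permitted(self.directory.roles_of(self.user), application, operation)


if __name__ == "__main__":
    directory = Directory({"clerk": ["accounts_clerk"], "manager": ["finance_manager"]})
    print("clerk enters transaction:", RealTimeSession(directory, "clerk").can("finance", "enter_transaction"))
    print("clerk runs reports:", RealTimeSession(directory, "clerk").can("finance", "run_reports"))
    cached = CachedSession(directory, "manager")
    live = RealTimeSession(directory, "manager")
    directory.revoke("manager", "finance_manager")  # e.g. the manager leaves the company
    print("after revocation, cached session still allows reports:", cached.can("finance", "run_reports"))
    print("after revocation, real-time session allows reports:", live.can("finance", "run_reports"))
```

The discrepancy between the two sessions after revocation is exactly the gap that arises when access control facilities are kept separate from the identity management environment.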

Conclusion

Controlling access to computer applications or corporate facilities is becoming more important for organisations as there is increasing focus on keeping access to documents and property properly managed. This access must be associated with a proven identity validated by a trusted entity.
It is important that this access is integrated with the organisation’s identity management environment to ensure that a person’s access to resources is removed as soon as it is no longer appropriate. In too many companies access control facilities are kept separate from authentication mechanisms and inevitably discrepancies arise.

Identity management is one area in which corporate governance will increasingly take an interest – you can bet on it.

This is an extract from the book Identity Management – A Primer, co-authored by Graham Williamson.

Identity Management – A Primer is available for purchase at Amazon.com, or at Woodslane.com.au

Article Added: 07/06/2010
