Electronic authentication


Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.
Various e-authentication methods can be used to authenticate a user's identify ranging from a password to higher levels of security that utilize multi-factor authentication. Depending on the level of security used, the user might need to prove his or her identity through the use of security tokens, challenge questions, or being in possession of a certificate from a third-party certificate authority that attests to their identity.

Overview

The American National Institute of Standards and Technology has developed a generic electronic authentication model that provides a basic framework on how the authentication process is accomplished regardless of jurisdiction or geographic region. According to this model, the enrollment process begins with an individual applying to a Credential Service Provider. The CSP will need to prove the applicant's identity before proceeding with the transaction. Once the applicant's identity has been confirmed by the CSP, he or she receives the status of "subscriber", is given an authenticator, such as a token and a credential, which may be in the form of a username.
The CSP is responsible for managing the credential along with the subscriber's enrollment data for the life of the credential. The subscriber will be tasked with maintaining the authenticators. An example of this is when a user normally uses a specific computer to do their online banking. If he or she attempts to access their bank account from another computer, the authenticator will not be present. In order to gain access, the subscriber would need to verify their identity to the CSP, which might be in the form of answering a challenge question successfully before being given access.

History

The need for authentication has been prevalent throughout history. In ancient times, people would identify each other through eye contact and physical appearance. The Sumerians in ancient Mesopotamia attested to the authenticity of their writings by using seals embellished with identifying symbols. As time moved on, the most common way to provide authentication would be the handwritten signature.

Authentication factors

There are three generally accepted factors that are used to establish a digital identity for electronic authentication, including:
  • Knowledge factor, which is something that the user knows, such as a password, answers to challenge questions, ID numbers or a PIN.
  • Possession factor, which is something that the user has, such as mobile phone, PC or token
  • Biometric factor, which is something that the user is, such as his or her fingerprints, eye scan or voice pattern
Out of the three factors, the biometric factor is the most convenient and convincing to prove an individual's identity, but it is the most expensive to implement. Each factor has its weaknesses; hence, reliable and strong authentication depends on combining two or more factors. This is known as multi-factor authentication, of which two-factor authentication and two-step verification are subtypes.
Multi-factor authentication can still be vulnerable to attacks, including man-in-the-middle attacks and Trojan attacks.

Methods

Token

Tokens generically are something the claimant possesses and controls that may be used to authenticate the claimant's identity. In e-authentication, the claimant authenticates to a system or application over a network. Therefore, a token used for e-authentication is a secret and the token must be protected. The token may, for example, be a cryptographic key, that is protected by encrypting it under a password. An impostor must steal the encrypted key and learn the password to use the token.

Passwords and PIN-based authentication

Passwords and PINs are categorized as "something you know" method. A combination of numbers, symbols, and mixed cases are considered to be stronger than all-letter password. Also, the adoption of Transport Layer Security or Secure Socket Layer features during the information transmission process will as well create an encrypted channel for data exchange and to further protect information delivered. Currently, most security attacks target on password-based authentication systems.

Public-key authentication

This type of authentication has two parts. One is a public key, the other is a private key. A public key is issued by a Certification Authority and is available to any user or server. A private key is known by the user only.

Symmetric-key authentication

The user shares a unique key with an authentication server. When the user sends a randomly generated message encrypted by the secret key to the authentication server, if the message can be matched by the server using its shared secret key, the user is authenticated.
When implemented together with the password authentication, this method also provides a possible solution for two-factor authentication systems.

SMS-based authentication

The user receives password by reading the message in the cell phone, and types back the password to complete the authentication. Short Message Service is very effective when cell phones are commonly adopted. SMS is also suitable against man-in-the-middle attacks, since the use of SMS does not involve the Internet.

Biometric authentication

Biometric authentication is the use of unique physical attributes and body measurements as the intermediate for better identification and access control. Physical characteristics that are often used for authentication include fingerprints, voice recognition, face recognition, and iris scans because all of these are unique to every individual. Traditionally, biometric authentication based on token-based identification systems, such as passport, and nowadays becomes one of the most secure identification systems to user protections. A new technological innovation which provides a wide variety of either behavioral or physical characteristics which are defining the proper concept of biometric authentication.

Digital identity authentication

Digital identity authentication refers to the combined use of device, behavior, location and other data, including email address, account and credit card information, to authenticate online users in real time. For example, recent work have explored how to exploit browser fingerprinting as part of a multi-factor authentication scheme.

Electronic credentials

Paper credentials are documents that attest to the identity or other attributes of an individual or entity called the subject of the credentials. Some common paper credentials include passports, birth certificates, driver's licenses, and employee identity cards. The credentials themselves are authenticated in a variety of ways: traditionally perhaps by a signature or a seal, special papers and inks, high quality engraving, and today by more complex mechanisms, such as holograms, that make the credentials recognizable and difficult to copy or forge. In some cases, simple possession of the credentials is sufficient to establish that the physical holder of the credentials is indeed the subject of the credentials.
More commonly, the credentials contain biometric information such as the subject's description, a picture of the subject or the handwritten signature of the subject that can be used to authenticate that the holder of the credentials is indeed the subject of the credentials. When these paper credentials are presented in-person, authentication biometrics contained in those credentials can be checked to confirm that the physical holder of the credential is the subject.
Electronic identity credentials bind a name and perhaps other attributes to a token. There are a variety of electronic credential types in use today, and new types of credentials are constantly being created At a minimum, credentials include identifying information that permits recovery of the records of the registration associated with the credentials and a name that is associated with the subscriber.

Verifiers

In any authenticated on-line transaction, the verifier is the party that verifies that the claimant has possession and control of the token that verifies his or her identity. A claimant authenticates his or her identity to a verifier by the use of a token and an authentication protocol. This is called Proof of Possession. Many PoP protocols are designed so that a verifier, with no knowledge of the token before the authentication protocol run, learns nothing about the token from the run. The verifier and CSP may be the same entity, the verifier and relying party may be the same entity or they may all three be separate entities. It is undesirable for verifiers to learn shared secrets unless they are a part of the same entity as the CSP that registered the tokens. Where the verifier and the relying party are separate entities, the verifier must convey the result of the authentication protocol to the relying party. The object created by the verifier to convey this result is called an assertion.

Authentication schemes

There are four types of authentication schemes: local authentication, centralized authentication, global centralized authentication, global authentication and web application.
When using a local authentication scheme, the application retains the data that pertains to the user's credentials. This information is not usually shared with other applications. The onus is on the user to maintain and remember the types and number of credentials that are associated with the service in which they need to access. This is a high risk scheme because of the possibility that the storage area for passwords might become compromised.
Using the central authentication scheme allows for each user to use the same credentials to access various services. Each application is different and must be designed with interfaces and the ability to interact with a central system to successfully provide authentication for the user. This allows the user to access important information and be able to access private keys that will allow him or her to electronically sign documents.
Using a third party through a global centralized authentication scheme allows the user direct access to authentication services. This then allows the user to access the particular services they need.
The most secure scheme is the global centralized authentication and web application. It is ideal for E-Government use because it allows a wide range of services. It uses a single authentication mechanism involving a minimum of two factors to allow access to required services and the ability to sign documents.