Note: This article has been updated since its original submission in September 2014 for a college assignment.
When boarding an airplane, passengers are asked to show identification, and only certain documents are accepted. A passport or a driver's licence ties the person standing at the gate to a recorded identity. This is a rudimentary form of identity validation: a passenger is allowed to board because a security officer has checked the document and found that it matches the person presenting it. People accept this demand because most agree it is done to keep unwanted persons off the plane. The same behaviour and reasoning, proving that one is who one claims to be, is the basis of user authentication, a practice that is now an integral part of daily life. The following discussion covers user authentication mostly in a digital context. Authentication methods have developed in order to provide a secure environment for accessing information and using applications, and their role will keep growing as it becomes cheaper to store information digitally.
User authentication is the substantiation of a claim of identity: the user must provide evidence that their claimed identity matches what the receiving party knows. There are generally two parts to establishing identity, identification and verification (Rountree 14). Identification associates the user with a claimed identity, which is hopefully theirs; verification is the acceptance that the user actually matches that identity. Together these two steps form the basic method of authentication. The evidence a user can offer falls into four categories: something the user knows (a password), something the user possesses (a token or card), something the user is (a static biometric such as a fingerprint), or something the user does (a dynamic biometric such as handwriting or voice pattern) (Stallings 452). Choosing which factors to combine is the hard part; the goal is to preserve security and prevent fraud without making the system unusable.
Technology users need authentication because they want to be able to trust someone or something with control of their information, whether that means logging in to a cloud system or viewing bank statements online. People want assurance that nobody else has access to the same application, especially when the data is private. Since digital applications cannot verify a user face to face, as at an airport, the user must supply an identity check in another form. The simplest case is one-way authentication: only the sender of a message substantiates who they are (Stallings 454). E-mail is the common example, since the recipient need not be online when the message is sent. The more common case is mutual authentication, in which two or more parties each prove a valid identity to the other (Rountree 10): both sides must send some proof that they are who they say they are. Users want to know that whatever they are sending their credentials to is the party they intended, and the service wants the same assurance about the user. Protocols exist to make this exchange safe. Typically the parties exchange or derive some shared secret, a key or sequence of numbers that must match what the other side knows. For example, a Key Distribution Center (KDC) creates a session key that the user can use with the other party (a network, a server, etc.) (Stallings 455), which lets the server recognise that the user is entitled to access. This is only a basic sketch of what happens inside two-party authentication protocols. IEEE 802.1X, which specifies authentication for port-based network access, states explicitly that "possession of master keys is proof of mutual authentication in key agreement protocols" ("Port Based Network" 29); the standard is a concrete instance of mutual authentication in practice.
Another well-known use of mutual authentication is the Kerberos system. This authentication service from the Massachusetts Institute of Technology (MIT) mediates the authentication process between users and services (Rountree 16) and depends on symmetric encryption: every user and service shares a long-term key with the Kerberos server, and the server issues short-lived session keys and tickets for each user-to-service connection. The efficiency of the system is that once a user has authenticated to Kerberos, they can reach any server that Kerberos is associated with without logging in again, which creates single sign-on (SSO) (Rountree 18). Common standards such as these are how mutual authentication is made consistent and dependable across services.
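The KDC session-key idea of the previous paragraph and the Kerberos ticket exchange above can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from Stallings, Rountree or MIT Kerberos. It uses only the Python standard library, so the `encrypt`/`decrypt` pair is an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for a real authenticated cipher such as AES-GCM; the principal names, the 300-second ticket lifetime, the 60-second clock-skew allowance and the JSON message layout are assumptions made for illustration. Real Kerberos adds a separate ticket-granting service, realms and more fields, but the structure (a ticket sealed under the service's key, an authenticator sealed under the session key, and a time+1 reply proving the service holds that key) is the same.

```python
"""Kerberos-style ticket exchange with a trusted Key Distribution Center (added example)."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from HMAC(key, nonce || counter) blocks (toy cipher, stand-in for AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Return nonce || ciphertext || tag, where tag = HMAC(key, nonce || ciphertext)."""
    nonce = os.urandom(16)
    plaintext = json.dumps(obj).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong key or a tampered message raises ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered message")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """Shares a long-term key with every principal and hands out session keys."""

    def __init__(self, long_term_keys: dict, ticket_lifetime: int = 300):
        self.keys = dict(long_term_keys)       # principal name -> long-term key
        self.lifetime = ticket_lifetime        # assumed lifetime in seconds

    def issue(self, client: str, service: str, nonce: str, now: float) -> bytes:
        session_key = os.urandom(32).hex()
        # The ticket is sealed under the service's key: the client can carry it but not read or alter it.
        ticket = encrypt(self.keys[service],
                         {"client": client, "key": session_key, "expires": now + self.lifetime})
        # The reply is sealed under the client's key and echoes the client's nonce for freshness.
        return encrypt(self.keys[client],
                       {"key": session_key, "service": service, "nonce": nonce, "ticket": ticket.hex()})


def client_request(name: str, service: str, kdc: KDC, k_client: bytes, now: float):
    """Client side: obtain a ticket and build the authenticator that goes to the service."""
    nonce = os.urandom(8).hex()
    reply = decrypt(k_client, kdc.issue(name, service, nonce, now))
    if reply["nonce"] != nonce or reply["service"] != service:
        raise ValueError("KDC reply is stale or for the wrong service")
    session_key = bytes.fromhex(reply["key"])
    authenticator = encrypt(session_key, {"client": name, "time": now})
    return session_key, bytes.fromhex(reply["ticket"]), authenticator


def service_accept(k_service: bytes, ticket: bytes, authenticator: bytes, now: float, skew: int = 60):
    """Service side: open the ticket, check the authenticator, then prove knowledge of the session key."""
    t = decrypt(k_service, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    a = decrypt(session_key, authenticator)       # only a holder of the session key can build this
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["time"]) > skew:
        raise ValueError("authenticator is not fresh (possible replay)")
    # Mutual authentication: answer with time+1 under the session key, as Kerberos does.
    return session_key, encrypt(session_key, {"time": a["time"] + 1})


def client_check_service(session_key: bytes, sent_time: float, reply: bytes) -> bool:
    return decrypt(session_key, reply)["time"] == sent_time + 1


def run_exchange(now: float = 1_700_000_000.0, service_delay: float = 0.0) -> str:
    """Full round trip between a constructed client, KDC and service.
    Returns "ok" on mutual success, otherwise the reason the service refused."""
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}   # constructed principals
    kdc = KDC(keys)
    k_s, ticket, auth = client_request("alice", "fileserver", kdc, keys["alice"], now)
    try:
        k_s2, reply = service_accept(keys["fileserver"], ticket, auth, now + service_delay)
    except ValueError as err:
        return str(err)
    if k_s != k_s2 or not client_check_service(k_s, now, reply):
        return "service failed to prove it holds the session key"
    return "ok"


if __name__ == "__main__":
    print(run_exchange())                       # ok
    print(run_exchange(service_delay=120))      # authenticator is not fresh (possible replay)
```

Two checks carry the security of the exchange: the nonce echoed in the KDC reply tells the client the reply was generated for this request, and the timestamp in the authenticator (with a small skew allowance) stops a captured ticket-plus-authenticator pair from being resent later. Real deployments also keep a short-lived cache of recently seen authenticators so that a replay inside the skew window is caught too.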
The types of verification a user can be asked for vary, and using more than one of them in the same login is known as multifactor authentication. Different types and numbers of factors can be combined to establish an identity (Rountree 23). For example, a person may be asked for a password and a fingerprint to access a computer: two kinds of evidence, something the user knows and something the user is, were needed to validate the identity. Authentication can also be as simple and common as typing a single password. It is generally accepted that more factors yield higher security (Rountree 24), because an impostor must pass every test rather than just one: a stolen password alone is not enough if a second factor, such as a one-time code from a device the user possesses, is also required. The more factors in use, the harder it is for an opponent to access another user's information.
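As an added example of the "something you know plus something you have" combination just described (written for this page, not taken from Rountree), the following stdlib-only Python checks a password against a salted PBKDF2 record and a time-based one-time code from an authenticator app or hardware token. The one-time code follows RFC 6238 (TOTP), which is HOTP from RFC 4226 driven by a 30-second time step; those two RFCs are real and the code is checked below against their published test vectors. The `Account` layout, the one-step lookback window and the reuse rule are assumptions made for the example.

```python
"""Two-factor login: PBKDF2 password check plus RFC 6238 TOTP (added example)."""
import hashlib
import hmac
import os
import struct


def hash_password(password: str, salt: bytes = None, iterations: int = 100_000):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns the record a server would store."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, digest)


def check_password(password: str, record) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)      # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


class Account:
    """Constructed server-side record: password hash plus the TOTP seed shared with the user's device."""

    def __init__(self, password: str, totp_secret: bytes):
        self.pw_record = hash_password(password)
        self.totp_secret = totp_secret
        self.last_step = -1          # highest time step already accepted; blocks code reuse


def login(account: Account, password: str, code: str, now: float, window: int = 1):
    """Evaluate both factors and return (granted, reason).

    The reason is meant for the audit log; the user should only ever see a generic
    "denied", so that an attacker cannot learn which factor was wrong.
    """
    password_ok = check_password(password, account.pw_record)
    step = int(now // 30)
    code_ok, used_step = False, None
    # Accept the current step and `window` steps either side to tolerate clock drift,
    # but never a step at or below the last one used: a captured code cannot be replayed.
    for s in range(step - window, step + window + 1):
        if s > account.last_step and hmac.compare_digest(hotp(account.totp_secret, s), code):
            code_ok, used_step = True, s
            break
    if not password_ok:
        return False, "bad password"
    if not code_ok:
        return False, "bad or reused code"
    account.last_step = used_step
    return True, "ok"


if __name__ == "__main__":
    seed = os.urandom(20)                               # constructed seed, normally shown as a QR code
    acct = Account("correct horse battery staple", seed)
    now = 1_700_000_000
    print(login(acct, "correct horse battery staple", totp(seed, now), now))   # (True, 'ok')
    print(login(acct, "correct horse battery staple", totp(seed, now), now))   # replayed code is refused
```

Both factors are always evaluated before a decision is returned, so the response time does not reveal which one failed. The `last_step` rule means a code that an attacker shoulder-surfed or phished can only be used if the victim has not used it first; it does not protect against a real-time phishing proxy that relays the code immediately, which is why possession factors based on public-key challenge/response (FIDO2 security keys) are preferred where phishing is the main threat.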
Some methods of user authentication are preferred over others, and because each situation is different, the method varies. For example, a username and password is standard for an e-mail account, whereas biometric authentication is less practical there: not every device a person reads mail from has a suitable sensor, so availability is limited (Stallings 452). Biometric authentication may be very useful for unlocking a phone, though, where the sensor is built in. Using the most suitable factor, or several kinds together, creates a better safety net against unwanted people. It has also made people more conscious of what they are protecting: from limiting Wi-Fi access to guarding bank accounts, many of the things people use require a specific way of authenticating oneself, and the choice of method should depend on how valuable the access is.
Non-physical forms of authentication exist because physical attributes cannot be checked remotely. Digital environments promote a sense of anonymity, but that anonymity is also hard to protect (Shinder). Ordinarily, when someone wants to prove who they are, they appear before the other party, and their physical features substantiate the claim. On the internet, no party can identify anyone by physical features, so authenticating identity becomes crucial: it gives people a secure digital environment in which to store information or gain access to something (Rountree 7). It is therefore necessary to build a claim of identity from non-physical attributes. Authentication lets users keep their information and applications exclusive, whether they store data for later use or want access to a particular application, because only the user knows or holds the secret required to get at it.
Everyone has information of value attached to their name. If the information is truly valuable, say private pictures, people want to lock it away, store it somewhere safe and retrieve it later with a key. The same concept applies to digital information and applications. The internet illustrates how valuable information is: a major use of the internet is to share information (Rountree 7), and that is also the caveat. Although it offers a bounty of information and applications, the communication paths themselves carry minimal credibility and trust. A simple search for a name can turn up things one would rather others did not know; if a person's details are linked to a social media site, someone can easily find an address and a phone number. The internet also supports many sensitive applications, such as online banking. Many people act online as their "real selves", doing what they would do in person (Shinder), and hiding the intricate details of a life is difficult when that information is constantly in use online. People put up with the inconvenience of user authentication precisely to limit access to such information.
Yet even with several types of authentication available, the process has flaws. Unwanted users can find a hole that grants them access, fabricating a successful authentication without being the user. Identity theft, for example, is a topic people worry about persistently: it occurs when someone takes over a person's "identity" (Stallings 453), usually without being noticed. The thief has obtained the person's information by finding out how that person authenticates, and the simplest case is using somebody else's username and password to access their account, which in turn may grant access to a credit card. How the attacker obtained the password is less mysterious than it seems. One method of obtaining a password, or a session key, is the brute-force attack: trying candidate values until one works (Stallings 33). The candidates may be drawn from a large list of likely passwords (a dictionary attack) or generated by exhaustively enumerating every combination. Although this seems inefficient, it works from time to time: the attacker may have to check thousands or millions of combinations, but a short or predictable secret will eventually be found, and if the attacker has stolen a copy of the password hashes those guesses can be made offline, without the service ever seeing a single failed login.
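The difference between guessing offline against a stolen hash and guessing online through the service is the practical heart of the brute-force problem, so here is an added example (written for this page, not code from Stallings) that does both. The wordlist, the mangling rules, the lockout policy and the user records are constructed for illustration. The stored hashes are salted SHA-256 on purpose: a fast hash is exactly the weak choice that makes an offline dictionary attack cheap.

```python
"""Offline dictionary/PIN guessing against a fast hash, and online throttling (added example)."""
import hashlib
import hmac
import os

# Constructed wordlist; real attacks use lists of millions of leaked passwords.
WORDLIST = ["password", "letmein", "summer", "dragon", "welcome"]
SUFFIXES = ["1", "123", "!", "2014"]


def mangle(word: str):
    """Yield the common variants people make from a base word (the attacker's 'rules')."""
    yield word
    yield word.capitalize()
    for suffix in SUFFIXES:
        yield word + suffix
        yield word.capitalize() + suffix


def fast_hash(password: str, salt: bytes) -> str:
    """Salted SHA-256: the deliberately weak storage format this example attacks."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(target_hash: str, salt: bytes, wordlist=WORDLIST):
    """Offline: test every mangled candidate against a stolen hash. Returns (password, tries)."""
    tries = 0
    for word in wordlist:
        for candidate in mangle(word):
            tries += 1
            if fast_hash(candidate, salt) == target_hash:
                return candidate, tries
    return None, tries


def brute_force_pin(target_hash: str, salt: bytes, digits: int = 4):
    """Offline: exhaustive search of every PIN; at most 10**digits tries."""
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if fast_hash(candidate, salt) == target_hash:
            return candidate
    return None


class ThrottledLogin:
    """Online defence: count failures per account and lock the account for a growing
    interval, so guessing must go through the service one slow attempt at a time."""

    def __init__(self, records: dict, max_failures: int = 5, lockout: int = 900):
        self.records = records            # user -> (salt, stored hash); constructed
        self.max_failures = max_failures
        self.lockout = lockout            # base lockout in seconds (assumed policy)
        self.state = {}                   # user -> [failures, locked_until]

    def attempt(self, user: str, password: str, now: float) -> str:
        failures, locked_until = self.state.get(user, [0, 0.0])
        if now < locked_until:
            return "locked"               # refuse without even evaluating the password
        salt, stored = self.records.get(user, (b"", ""))
        if user in self.records and hmac.compare_digest(fast_hash(password, salt), stored):
            self.state.pop(user, None)    # success clears the failure count
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            # exponential backoff: 900 s, then 1800 s, 3600 s, ...
            locked_until = now + self.lockout * 2 ** (failures - self.max_failures)
        self.state[user] = [failures, locked_until]
        return "denied"


if __name__ == "__main__":
    salt = os.urandom(16)
    leaked = fast_hash("Summer2014", salt)            # a hash copied out of a breached database
    print(dictionary_attack(leaked, salt))            # ('Summer2014', 30)
    print(brute_force_pin(fast_hash("0042", salt), salt))   # '0042'
```

The two halves show why both defences are needed. Throttling only helps when the attacker must talk to the service; once the hash is stolen, the only thing slowing the attacker down is the cost of each hash, which is why passwords should be stored with a deliberately slow, salted function (PBKDF2, bcrypt, scrypt or Argon2) rather than plain SHA-256. Lockout also has a cost of its own: an attacker who knows a username can lock the legitimate user out by sending wrong guesses, so many services prefer rate limiting per source address, CAPTCHAs or a second factor to a hard lockout.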
Not all problems with user authentication lie in the authentication process itself. An unwanted user may not want to act as someone else from scratch at all; they may prefer to reuse something that already exists. Replay attacks are a common attempt of this kind (Stallings 453): the attacker captures a valid message while the sender is transmitting it, for instance the message that carried a correct credential, and later retransmits it (copied, or slightly altered) while posing as the original sender. This is difficult to detect because a static credential, once accepted, looks exactly the same the second time it is presented; nothing in a username and password itself distinguishes a fresh login from a recorded one. The defences therefore lie in making each exchange unique, with timestamps or challenge/response.
Another problem associated with user authentication is time. Time does not seem like an issue, but it has a major effect on how "good" a piece of information is. A timestamp is the usual precaution for making a message fresher and therefore more secure (Stallings 453): the sender attaches the current time, and the receiver only accepts the message if that time falls inside the expected window, on the assumption that anything outside it has been replayed or tampered with. This seems secure, yet the feature can be bypassed. For a start, the opponent can exploit the skew between the two parties' clocks (Stallings 454): if the clocks are out of step, a stale message may still look fresh, or a genuine message may be rejected. Another fault lies in the machines themselves: a processor or its clock-synchronisation mechanism may glitch and fail to track the other party's clock at the right moment (Stallings 454), and neither sender nor receiver has much control over that.
To avoid the timestamp problem, an alternative is a challenge/response system. This mode of authentication requires both parties to be "present" and communicating with each other (Rountree 15): one party sends a challenge, a fresh random value, and the other sends a response computed from that challenge and the shared secret. It differs from a plain username and password in that the challenge, and therefore the correct response, varies with every attempt, so a captured response is useless afterwards. The main cost is overhead (Stallings 454): an extra round trip is needed, and both parties must be online at the same time, which does not suit connectionless applications such as e-mail. Rather than being free of worries at the moment of authentication, users become dependent on the other party being available, and the scheme is only as strong as its challenges are unpredictable; if challenges ever repeat, an opponent who recorded an earlier exchange already knows the response. For basic usage, users may find a challenge/response scheme inefficient. Combining timestamps with challenge/response is ideal in principle but adds further overhead (Stallings 455), since both parties must keep more state to work together; the exchange then has more pieces an opponent can probe, but an opponent who learns one piece, a timestamp or a single response, still has to defeat the other.
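The three preceding paragraphs (replay, timestamps, challenge/response) can be shown side by side in one added example, written for this page and not taken from Stallings or Rountree. It uses only the Python standard library. Three servers share an HMAC key with the client: a naive one that checks nothing but the MAC and so accepts a recorded login forever; one that requires a timestamp inside a skew window plus a nonce it has not seen; and one that issues a single-use random challenge. The message layout, the 30-second skew window, the 60-second challenge lifetime and the shared raw key are assumptions (in practice the key would be derived from the user's credential).

```python
"""Replay against a MAC-only login, and two fixes: timestamp+nonce and challenge/response (added example)."""
import hashlib
import hmac
import json
import os


def mac(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


# 1. Naive: a valid MAC is all the server checks, so a recorded message works forever.
def naive_login_message(key: bytes, user: str):
    body = json.dumps({"user": user}).encode()
    return body, mac(key, body)


def naive_server_accepts(key: bytes, message) -> bool:
    body, tag = message
    return hmac.compare_digest(mac(key, body), tag)


# 2. Timestamp + nonce: reject anything outside the skew window or with a nonce seen recently.
def timestamped_login_message(key: bytes, user: str, now: float):
    body = json.dumps({"user": user, "ts": now, "nonce": os.urandom(8).hex()}).encode()
    return body, mac(key, body)


class TimestampServer:
    def __init__(self, key: bytes, skew: int = 30):
        self.key, self.skew = key, skew
        self.seen = {}                      # nonce -> last moment a replay of it could still pass

    def login(self, message, now: float) -> str:
        body, tag = message
        if not hmac.compare_digest(mac(self.key, body), tag):
            return "bad mac"
        fields = json.loads(body)
        if abs(now - fields["ts"]) > self.skew:
            return "stale"                  # too old, or the two clocks are too far apart
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}   # forget expired nonces
        if fields["nonce"] in self.seen:
            return "replay"
        self.seen[fields["nonce"]] = fields["ts"] + self.skew
        return "ok"


# 3. Challenge/response: the client proves the key by answering a fresh challenge; each is used once.
def client_response(key: bytes, user: str, challenge: str) -> str:
    return mac(key, f"{user}:{challenge}".encode())


class ChallengeServer:
    def __init__(self, key: bytes, ttl: int = 60):
        self.key, self.ttl = key, ttl
        self.pending = {}                   # challenge -> (user it was issued to, expiry)

    def challenge(self, user: str, now: float) -> str:
        c = os.urandom(16).hex()            # unpredictable; a repeating challenge would be replayable
        self.pending[c] = (user, now + self.ttl)
        return c

    def login(self, user: str, challenge: str, response: str, now: float) -> str:
        entry = self.pending.pop(challenge, None)     # single use, even if the response turns out wrong
        if entry is None:
            return "unknown or reused challenge"
        issued_to, expiry = entry
        if issued_to != user or now > expiry:
            return "expired"
        if not hmac.compare_digest(client_response(self.key, user, challenge), response):
            return "bad response"
        return "ok"


def demo_replay() -> dict:
    """Constructed scenario: an eavesdropper records one login to each server and resends it."""
    key = os.urandom(32)
    captured = naive_login_message(key, "alice")
    ts_server = TimestampServer(key)
    captured_ts = timestamped_login_message(key, "alice", 1000.0)
    ch_server = ChallengeServer(key)
    c = ch_server.challenge("alice", 1000.0)
    r = client_response(key, "alice", c)
    return {
        "naive_replay": naive_server_accepts(key, captured) and naive_server_accepts(key, captured),
        "timestamp_first": ts_server.login(captured_ts, 1001.0),
        "timestamp_replay": ts_server.login(captured_ts, 1002.0),
        "challenge_first": ch_server.login("alice", c, r, 1001.0),
        "challenge_replay": ch_server.login("alice", c, r, 1002.0),
    }


if __name__ == "__main__":
    print(demo_replay())
```

Note what each fix costs. The timestamp server must keep a nonce cache for as long as a message could still be inside the skew window, and it can only be as tight as the two clocks are in sync; the challenge server needs no clock agreement but must store every outstanding challenge and needs the extra round trip, which is the overhead the paragraph above describes.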
Authentication processes are not without flaw, but they do great good. Most people use some technology that requires authentication. Naturally, there are times when a person has access to certain resources and times when they do not; perhaps they wish to join a Wi-Fi network or a printer-sharing group. Whatever the case, the group is exclusive, and one must be authenticated in order to join it. Authentication protocols exist to guard admission to such groups. IEEE 802.1X mandates a basic protocol that all port-based network access control must follow ("Port Based Network" 20): the network port (on a switch or access point) acts as the authenticator and does not carry ordinary traffic until the connecting device has authenticated to an authentication server. The servers abide by specific protocols in order to be considered a secure communication line, preventing unauthorised transmission, data loss and intrusion ("Port Based Network" 19). IEEE 802.1X contains many mandates, protocols and guidelines; for example, the Extensible Authentication Protocol (EAP) that it uses carries the exchange between the connecting device and the authentication server the network must support ("Port Based Network" 65). Authentication requirements work together with authorisation in order to create a secure line. These steps usually happen without the user noticing; although low-key, they occur constantly and are used every day.
A relatively new approach to user authentication is federated identity management. The concept rests on shared authentication protocols (Stallings 478): a single set of standards applies across multiple companies and organisations, which removes inefficiencies such as repetition and wasted time (Stallings 479). Common protocols let users apply essentially the same credentials to many services. Federated identity schemes separate authentication from authorisation and from the applications that rely on it: an identity provider checks the user's credentials and issues a signed assertion of who the user is, and the individual applications (the relying parties) accept that assertion instead of handling the credentials themselves. The scheme is checked regularly and imposes more requirements for joining a network, but it makes shared networks far more efficient, and it is becoming widely available, notably through Google, Yahoo, Facebook, etc. (Rountree 38). Yet the approach has problems. One is limited support: few technologies and applications implement the features necessary for federated authentication (Rountree 35). Another is cost: federated technologies are still expensive compared with longstanding systems such as Kerberos (Rountree 35). It will be a while before every application can use a federated identity scheme. Still, given the problems of identity theft and disorganised credentials, a centralised approach to identity management may prove useful (Shinder). A common authentication scheme opens many more applications to users, with just one credential.
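The separation described above, where the identity provider is the only party that ever sees the password and the applications only check a signed assertion, is easiest to see in code. The following is an added example written for this page, not from Stallings, Rountree or any federation product, and it uses only the Python standard library. The claim names follow the JWT conventions (iss, sub, aud, iat, exp, jti), but the token is a simplified base64url(payload).base64url(HMAC), not a real JWS, and it is signed with a symmetric key shared across the federation; real SAML and OpenID Connect deployments sign with the identity provider's private key so that no service provider holding the verification key can forge assertions. The users, service names and 300-second lifetime are constructed.

```python
"""Federated login: IdP checks the credential, SPs verify a signed assertion (added example)."""
import base64
import hashlib
import hmac
import json
import os


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The one place that holds password hashes and checks passwords."""

    def __init__(self, name: str, users: dict, signing_key: bytes):
        self.name = name
        self.signing_key = signing_key          # symmetric here; asymmetric in real federations
        self.users = {}                         # user -> (salt, pbkdf2 hash)
        for user, password in users.items():
            salt = os.urandom(16)
            self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000))

    def authenticate(self, user: str, password: str, audience: str, now: int, ttl: int = 300):
        """Return a signed assertion for `audience`, or None if the credential is wrong."""
        record = self.users.get(user)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        if not hmac.compare_digest(candidate, stored):
            return None
        claims = {"iss": self.name, "sub": user, "aud": audience,
                  "iat": now, "exp": now + ttl, "jti": os.urandom(8).hex()}
        payload = b64u(json.dumps(claims, sort_keys=True).encode())
        signature = b64u(hmac.new(self.signing_key, payload.encode(), hashlib.sha256).digest())
        return payload + "." + signature


class ServiceProvider:
    """A relying party: it stores no passwords, only the keys of issuers it trusts."""

    def __init__(self, name: str, trusted_issuers: dict):
        self.name = name
        self.trusted = trusted_issuers          # issuer name -> verification key

    def verify(self, token: str, now: int):
        """Return (subject, reason); subject is None unless every check passes."""
        try:
            payload, signature = token.split(".")
            claims = json.loads(unb64u(payload))
        except (ValueError, UnicodeDecodeError):
            return None, "malformed"
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return None, "untrusted issuer"
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64u(signature)):
            return None, "bad signature"        # verified before any other claim is trusted
        if claims.get("aud") != self.name:
            return None, "wrong audience"       # an assertion for another service is not valid here
        if now >= claims["exp"]:
            return None, "expired"
        return claims["sub"], "ok"


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed federation: one IdP, two services, one credential."""
    federation_key = os.urandom(32)
    idp = IdentityProvider("idp.example", {"alice": "correct horse battery staple"}, federation_key)
    mail = ServiceProvider("mail", {"idp.example": federation_key})
    calendar = ServiceProvider("calendar", {"idp.example": federation_key})
    token = idp.authenticate("alice", "correct horse battery staple", "mail", now)
    return {
        "wrong password": idp.authenticate("alice", "nope", "mail", now),
        "mail": mail.verify(token, now),
        "calendar": calendar.verify(token, now),
        "expired": mail.verify(token, now + 600),
    }


if __name__ == "__main__":
    print(demo())
```

The audience check is what keeps single sign-on from becoming single point of compromise: an assertion minted for the mail service is refused by the calendar service even though both trust the same issuer, so a malicious or breached relying party cannot reuse the assertions it receives elsewhere. Expiry bounds how long a stolen assertion is useful, and the `jti` value gives a relying party something to cache if it wants to refuse an assertion presented twice.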
People will become more dependent on technology as more applications and uses are created. Presenting a credential should be as harmless as placing a bet with no money at stake. Digital information is constantly being accessed and stored, and to preserve its integrity, user authentication is a must. Most protocols for validating an identity depend on multiple parties that share and exchange information, and, as seen with federated identities, one credential can be used to access multiple applications. Many authentication protocols are already in place, such as IEEE 802.1X, to provide a secure environment. Regulation of authentication is now the key to future technological advances, and future research can produce even stronger authentication services. A more efficient, secure and stable authentication process will surely follow.
“Port Based Network Access Control.” IEEE 802.1X™-2010. IEEE Standards Association, 2010. 19-143. Print.
Rountree, Derrick. Federated Identity Primer. Burlington: Elsevier Science, 2012. Ebook Library. Web. 4 Sept. 2014.
Shinder, Deb. “Cybercrime and the online problem of identity verification.” TechRepublic. N.p., 29 Feb. 2012. Web. 4 Sept. 2014.
Stallings, William. “User Authentication.” Cryptography and Network Security: Principles and Practice. Sixth ed. Pearson Education, 2014. 33, 451-490. Print.