Authentication, the process of proving that someone is who he claims to be, is one of the most important components of your security infrastructure. Users need information, but you want to make sure that you know who is accessing that information. Only specific individuals should see your company's payroll data or product source code, for example.
Although authentication is important, it does not exist in a vacuum. To be effective, authentication works together with identification and authorization. Identification, such as supplying a username, establishes whether a user is known to the system; authorization determines whether that user is allowed to access the requested resource or data. Authorization can take many forms, but Windows NT file permissions are the best example of authorization.
Identification, authentication, and authorization are often collectively referred to as access controls.
Identification, authentication, and authorization work in tandem to answer four very important questions:
Who are you?
Do you belong here?
What rights do you have?
How do I know that you are who you say you are?
These questions must be answered before a user can access any protected resource, whether it be a Web server, a workstation, or a router.
Authentication can function at all levels of your security infrastructure. You are probably most familiar with authentication to a Network Operating System (NOS), such as a Windows NT domain. Every time you fire up your computer at work, you have to log on to the NT domain before you can access any resources.
You can require users to authenticate to almost anything, including your firewall to gain access to the Internet, your mail server to check your email, your intranet Web server to gain access to the corporate intranet, the database to access customer data, and numerous other applications that enable you to go about your day-to-day activities.
Although authentication provides you with valuable information about who is accessing the application and when, users get very tired of dealing with so many accounts. Single sign-on is one technology that aims to relieve users of this problem.
Before getting to specific technologies, I want to discuss the three major types of authentication commonly used today (listed from weakest to strongest). These are authentication based on:
Something you know—Personal identification number (PIN), password.
Something you have—SecurID, smart card, iButton.
Something you are—That is, some measurable physical characteristic of you, such as fingerprints or speech. This authentication technique is called biometrics.
Smart cards, SecurID, and iButtons are great for authentication, but what happens if someone steals your device? If all that is required for authentication is the presence of a token device, your authentication is not that much stronger than a regular old password.
Individually, any one of these approaches has its limitations. "Something you have" can be stolen, whereas "something you know" can be guessed, shared, or forgotten. "Something you are" is generally the strongest approach, but it can be costly to implement.
To make authentication stronger, you can combine methods, an approach often referred to as multifactor or strong authentication. The most common type is two-factor authentication, such as using a PIN code as well as a SecurID token to log on to your network. The example of two-factor authentication with which you are probably most familiar is your ATM card—you insert your card (something you have) into the ATM and enter your PIN (something you know) to access your account and perform transactions.
You also can use three-factor authentication. For example, if you use biometrics to authenticate users to the network, you can store the fingerprint information on an iButton that is accessible only with the user's PIN.
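The following Python sketch is an added example, not part of the original text, showing the two-factor check described above (PIN plus token) and why two credentials of the same category do not add up to two factors. The time-based HMAC code is a hypothetical stand-in for whatever a hardware token such as SecurID actually displays, and the user record and credential names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# The three categories from the text: something you know / have / are.
FACTOR_CATEGORY = {"pin": "know", "password": "know",
                   "token": "have", "fingerprint": "are"}

def factor_count(presented):
    """Count distinct factor categories among the presented credential types.
    A PIN plus a password is still one factor; a PIN plus a token is two."""
    return len({FACTOR_CATEGORY[p] for p in presented})

def make_user(pin, token_secret):
    """Constructed user record: a salted PIN hash (something you know) and the
    secret provisioned on a hypothetical hardware token (something you have)."""
    salt = secrets.token_bytes(16)
    pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return {"salt": salt, "pin_hash": pin_hash, "token_secret": token_secret}

def token_code(secret, now, step=60):
    """Hypothetical time-based one-time code: HMAC over the current time window,
    truncated to six digits. Stands in for the value shown on the token."""
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(secret, counter, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 1_000_000

def verify_pin(user, pin):
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), user["salt"], 100_000)
    return hmac.compare_digest(candidate, user["pin_hash"])  # constant-time compare

def verify_token(user, code, now, step=60):
    return code == token_code(user["token_secret"], now, step)

def authenticate(user, pin, code, now):
    """Two-factor logon: the PIN (know) and the token code (have) must both check.
    Both factors are always evaluated so a failure does not reveal which one was wrong,
    and a stolen token on its own (correct code, wrong PIN) is rejected."""
    pin_ok = verify_pin(user, pin)
    token_ok = verify_token(user, code, now)
    return pin_ok and token_ok
```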