Identification and Authentication
Managing authentication information
The user is the container for this information; this requires proactive measures to train and educate the user about proper procedures for protecting it
Identification
1. Announces the identity the user claims, to be associated with a principal in the system; 2. Typically not secret, but also not public (a username, for example)
Authorization
1. Determines whether an authenticated user has the permission required to access a resource; 2. Without authentication the claimed identity has no credibility, and without credibility there can be no authorization
Biometrics Hypothesis
1. The null hypothesis states that when the biometric collected from the device matches the specified entry in the biometric database, the person is authentic and the claim of identification is true; the alternate hypothesis is the opposite; 2. False positives (an impostor accepted) drive the False Acceptance Rate (FAR) and false negatives (a legitimate user rejected) drive the False Rejection Rate (FRR); the matching threshold trades one against the other, and the Crossover Error Rate (CER, also called the Equal Error Rate) is the threshold at which the two rates are equal, which is why it is the usual figure for comparing devices
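To make the FAR/FRR trade-off concrete, here is an added example (not part of the original notes) that sweeps a matching threshold over constructed matcher scores and locates the crossover point. The score lists are invented illustrative numbers, not real sensor output; a higher score means the sample looks more like the enrolled template.

```python
from typing import List, Tuple

# Constructed scores in [0, 1]. GENUINE: the enrolled person presenting themself.
# IMPOSTOR: someone else presenting under that identity. Illustrative, not real sensor data.
GENUINE = [0.95, 0.92, 0.90, 0.88, 0.85, 0.83, 0.80, 0.74, 0.68, 0.62]
IMPOSTOR = [0.15, 0.22, 0.30, 0.38, 0.45, 0.52, 0.60, 0.66, 0.72, 0.78]


def far(impostor: List[float], threshold: float) -> float:
    """False Acceptance Rate: impostor scores that clear the threshold.
    In hypothesis terms, the null hypothesis ("this is the claimed person") was wrongly accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: List[float], threshold: float) -> float:
    """False Rejection Rate: genuine scores that fall below the threshold.
    The null hypothesis was wrongly rejected for the real user."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a candidate threshold and return (threshold, FAR, FRR)
    at the point where the two rates are closest; with these scores they are exactly equal."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


if __name__ == "__main__":
    print(" thr    FAR   FRR")
    for t in sorted(set(GENUINE) | set(IMPOSTOR)):
        print(f"{t:.2f}  {far(IMPOSTOR, t):.2f}  {frr(GENUINE, t):.2f}")
    t, a, r = crossover(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t:.2f}: FAR={a:.2f} FRR={r:.2f}")
```

Raising the threshold above the crossover (here to 0.80) drives FAR to zero at the cost of rejecting three of ten genuine attempts, which is the operating point a high-security site would pick; a convenience-oriented deployment moves the other way.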
Something you know: Passwords
1. They are easy to use, but problems include users writing them down, insufficient length, and transferring them securely over a network; 2. There are also one-time passwords for challenge-response systems: each value is valid for a single use, so a value captured in transit cannot be replayed.
Factors of Authentication
Authentication information must be secret and unique to the entity; 1. Something you know (a password); 2. Something you have (a token); 3. Something you are (a biometric)
Authentication
Information pertaining to the identified entity that can be used to validate the claim of identification; 1. It must be processed by the computer in a way that yields unambiguous and uncontested proof of identity; 2. The computer exercises no judgement here: it relies on a previously established database of valid users and on rules for matching the presented information against that database
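As an added example of point 2 (this code is not from the original notes), here is the "database of valid users and rules for matching" for the something-you-know case, built so the database never holds the secret itself: each password is stored as a salted PBKDF2 hash, and matching means re-deriving the hash from the presented password and comparing in constant time. The usernames and passwords are constructed sample data, and the iteration count and dummy-record trick are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 100_000  # illustrative work factor; tune to the hardware you actually run on


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The stored form of a credential: PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(db: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> None:
    """Add a valid user. Only the salt and derived hash are kept; the password is discarded."""
    salt = os.urandom(16)
    db[username] = (salt, derive(password, salt))


# A dummy record so that an unknown username costs the same work as a known one; otherwise an
# attacker could enumerate valid usernames from the response time alone.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive("not-a-real-password", _DUMMY_SALT)


def authenticate(db: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """The matching rule: the presented password must re-derive to the stored hash for that
    exact username. No judgement, no partial credit; an unknown user is simply a failure."""
    salt, stored = db.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = derive(password, salt)
    return username in db and hmac.compare_digest(candidate, stored)


def build_sample_db() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed sample users for the demonstration."""
    db: Dict[str, Tuple[bytes, bytes]] = {}
    enroll(db, "alice", "correct horse battery staple")
    enroll(db, "bob", "Tr0ub4dor&3")
    return db


if __name__ == "__main__":
    users = build_sample_db()
    print("alice, right password :", authenticate(users, "alice", "correct horse battery staple"))
    print("alice, wrong password :", authenticate(users, "alice", "Tr0ub4dor&3"))
    print("unknown user          :", authenticate(users, "mallory", "anything"))
```

Note what the database cannot do: it cannot tell a legitimate user from anyone else who knows the password, which is exactly why the notes insist the authentication information be secret and why stronger factors are combined with it.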
Something you have: The Token
Problems include availability (a lost, stolen or dead token locks the legitimate user out), forgery, mechanical viruses, and man-in-the-middle attacks in which the token's output is relayed to the real system by the attacker
Something you are: Biometrics
Problems include fingerprints and gummy bears (a gelatin finger cast from a lifted latent print fools simple sensors), liveness detection, sanitation of shared sensors, cost, usability, and the fact that a match is probabilistic rather than exact, hence the error rates above
Accountability and Authorization of Actions
This concept is key to managing access to any system that processes information on behalf of individuals or groups of individuals: an action can be attributed to, and permitted for, an identity only after that identity has been authenticated