Without knowing your potential purchase in-depth, you could make critical errors during evaluation. Read more to avoid getting stuck with something you procured on half-knowledge.
What is Authentication?
Authentication refers to the process of proving an identity over a network. Usually, this is done by providing credentials; an agreed piece of information shared between the user and the system. The most common authentication mechanism involves a username and a password. But there are others.
In this ebook we will cover all the common elements related to authentication. It is good to know the landscape when looking for a solution.
Authentication is Part of IAM
Authentication is part of Identity and Access Management.
It is about more than just providing a mechanism to validate a set of credentials.
An IAM vendor might provide advanced authentication modalities that are more secure than just credentials. They might provide AI and machine-learning based solutions that utilize intelligence to improve user-experience and security for a customer. They may also provide social login options (login via facebook, google, etc.) which improve accessibility and user-experience, and offer development tools to customers such as authentication APIs so that the customer may integrate new apps seamlessly.
Authentication has many elements, as discussed below.
Password policies are a collection of rules created to help increase computer and network security. A vendor offers various choices to a customer to set their password policies for authentication. Some examples of password policy parameters include:
- Password complexity requirements, such as number of characters (minimum and maximum password length) and mandated character combinations (number, letter, special characters, uppercase, lowercase),
- Forbidden passwords are stored in a password dictionary. Common passwords like ‘password123’, ‘admin’, ‘user’, etc., are not permitted by the system. Customers can also add their own list to the dictionary.
- Repeat password history. This is how many new passwords must be utilized before an old one can be used again.
- First Login. This determines whether users will be prompted to change their password when logging in to the system for the first time.
- Authorized password change. This is about the conditions under which users can change their passwords. For example, before a user can change his or her password, the server can be configured to require the user to first enter his current password to authenticate his identity.
- Account lockout. These are the conditions under which an account is disabled for access by the user. For example, if a user fails to properly authenticate after three attempts, then the server can be configured to lock the account on the fourth attempt.
- Password storage scheme. Determines how the password is to be encrypted and stored on the server.
Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource, rather than just asking for a username and password.
There are 3 possible authentication factor groups:
- Things you know (knowledge), such as a password or PIN
- Things you have (possession), such as a key fob or smartphone
- Things you are (inherence), such as a biometric like fingerprints or voice recognition
- Answers to personal security questions
- OTPs (Can be both Knowledge and Possession – You know the OTP and you have to have something in your Possession to get it like your phone)
- OTPs generated by smartphone apps
- OTPs sent via text or email
- Access badges, USB devices, Smart Cards or fobs or security keys
- Software tokens and certificates
- Fingerprints, facial recognition, voice, retina or iris scanning or other Biometrics
- Behavior analysis
Utilizing more than one authentication factor provides additional security by introducing more barriers to gain access. However, this is also its downfall. MFA makes the user-experience more irksome. This is solved by adaptive authentication, as follows.
Adaptive Authentication (also called context-based or risk-based authentication)
Adaptive Authentication analyzes additional factors by considering context and behavior when authenticating and uses these values to assign a level of risk associated with the login attempt.
- From where is the user when trying to access information?
- When are you trying to access company information? During your normal hours or during “off hours”?
- What kind of device is used? Is it the same one used yesterday?
- Is the connection via private network or a public network?
The risk level is calculated based upon how these questions are answered and can be used to determine whether or not a user will be prompted for an additional authentication factor or whether or not they will even be allowed to log in. That’s why another term used to describe this type of authentication is risk-based authentication.
- Reduced user friction – When a user is repeatedly asked for a password, an otp, and a biometric, day after day after day, to log in to a single application, it becomes trying. On the one hand the only way to maintain a high level of security is to use multiple authentication factors, but on the other hand – is it really necessary? With adaptive authentication, users can login with just one factor if they fulfil requirements – such as logging in from the office network and be required to provide other factors only if they are logging in from a different country, at an odd hour, or from home (or a combination of all 3). This way security can be maintained, and users can experience less fatigue and confusion when it comes to logging in to work resources.
- Enhanced security – Adaptive authentication does more than just provide context-based step-up authentication. It can enhance security using analytics and by assessing risk. Is the IP that a user is attempting to login from amongst a blacklist of untrustworthy IPs? The login attempt can be blocked entirely. Or did the user just attempt to login from the US when his or her last login, just a few minutes before, was from Europe? This too can be blocked. There are a host of risk-based authentication protocols that are possible, and new ones keep coming.
Simple authentication methods that require only username and password combinations are inherently vulnerable. Attackers can guess or steal credentials and gain access to sensitive information and IT systems.
Passwordless Authentication is an authentication method that allows a user to gain access to an application or IT system without entering a password or answering security questions. Instead, the user provides some other form of evidence such as a fingerprint, software token, or hardware token code. Passwordless Authentication is often used in conjunction with Multi-Factor Authentication (MFA) and Single Sign-On solutions to improve the user experience, strengthen security, and reduce IT operations expense and complexity.
One benefit of passwordless authentication is the ability to sign-on through mobile devices. Utilizing facial recognition, fingerprint analysis, SMS OTP, or soft tokens in their mobile devices, a user can seamlessly login to their desktop or their applications without passwords. This improves user-experience considerably.
But, what is the difference between passwordless authentication and adaptive authentication? Adaptive authentication can be passwordless, but passwordless authentication might not be part of an adaptive authentication protocol.
It simply improves security and user experience by utilizing things like biometrics, OTPs, and soft and hard tokens, instead of passwords. This is not as secure as adaptive authentication but does offer similar benefits.
- Improve user-experience – by eliminating password fatigue and providing unified access to all applications and services.
- Strengthen security – by eliminating risky password management techniques and reducing credential theft and impersonation.
- Simplify IT operations – by eliminating the need to issue, secure, rotate, reset, and manage passwords.
Token-based authentication is a protocol which allows users to verify their identity, and in return receive a unique access token. During the life of the token, users then access the website or app that the token has been issued for, rather than having to re-enter credentials each time they go back to the same webpage, app, or any resource protected with that same token.
Authentication tokens work like a stamped ticket. The user retains access as long as the token remains valid. Once the user logs out or quits an app, the token is invalidated. Tokens offer a second layer of security, and administrators have detailed control over each action and transaction.
Token-based authorization offers the following benefits:
- Tokens are stateless. The token is self-contained and contains all the information it needs for authentication. This is great for scalability as it frees customer servers from having to store session state.
- Tokens can be generated from anywhere. Token generation is decoupled from token verification allowing you the option to handle the signing of tokens on a separate server or even through a different company.
- Fine-grained access control. Within the token payload you can easily specify user roles and permissions as well as resources that the user can access.
Social Login authentication provides end-users with a convenient way to register and log into sites and user portals using their existing social network identities from Facebook, Twitter, Google+, and LinkedIn. This method is popular with users because it doesn’t require them to remember another password. Users simply use their social logins in place of another set of credentials.
Authentication and Authorization APIs
API is the acronym for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other. Each time you use an app like Facebook, send an instant message, or check the weather on your phone, you’re using an API.
Inherent to the corporate networking universe is the requirement for applications to interact with one another. As such, organizations require exposed APIs to develop connectors from one app to another. So, a good authentication solution would provide a system for connecting APIs through its system. This is another element of authorization in IAM.
Authentication might seem simple on the front-end, where all a user sees is a login screen. He just enters credentials, or scans his fingerprint, or enters an SMS OTP. In some cases he must provide a number of authentication factors to validate his identity. While it might seem straightforward to him, the user-experience is poor. Adaptive authentication improves this.
And, on the other hand, passwords themselves pose a critical security threat and offer a very poor user experience. How does a user remember so many passwords for different applications? How does an organization ensure that ‘good’ passwords are maintained? How does an organization protect itself from the glaring vulnerabilities of password-based authentication – with all the different kinds of attacks that steal credentials? Passwordless authentication offers the solution, which can be used in tandem with adaptive authentication.
Authentication is complex and comprises many elements. Knowing all these elements is key to understanding it more fully, and then being able to determine what solution best meets your organization’s needs.