IT Risk Management

Login process: Methods available, a detailed study

Upload: dhiraj-kharate

Post on 19-Jul-2016

TRANSCRIPT

Page 1: IT Risk Management

Login process: Methods available, a detailed study

Page 2: IT Risk Management

Introduction

• Authentication can be accomplished in many ways. Selecting an authentication method appropriate to the environment is perhaps the most crucial decision in designing secure systems

• User authentication is the entry point to different computing networks or facilities in which a set of services are rendered to users or a set of tasks can be performed. Once authenticated, the user can gain access to, for example, a company's Intranet, consoles, databases, buildings, vehicles, etc.

• Different authentication mechanisms lead to different login processes

Page 3: IT Risk Management

Methods of Authentication

Page 4: IT Risk Management

Passwords

• Passwords are the most widely used form of authentication. Users provide an identifier, a typed-in word or phrase or perhaps a token card, along with a password

• In many systems the passwords, on the host itself, are not stored as plain text but are encrypted. Password authentication does not normally require complicated or robust hardware, since authentication of this type is in general simple and does not require much processing power

• Password authentication has several vulnerabilities; some of the more obvious are:

Password may be easy to guess

Writing the password down and placing it in a highly visible area

Discovering passwords by eavesdropping or even social engineering

• The risk of eavesdropping can be managed by using digests for authentication. The connecting party sends a value, typically a hash of the client IP address, time stamp, and additional secret information. Because this hash is unique for each accessed URI, no other documents can be accessed with it, nor can it be used from another IP address without detection. The password is also not vulnerable to eavesdropping because of the hashing. The system is, however, vulnerable to active attacks such as the man-in-the-middle attack.
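The digest scheme described above, as an added Go example that is not code from the original deck: the client sends a keyed hash bound to its IP address, the requested URI and a timestamp, and the server recomputes it from what it actually observed, so the same digest replayed for another document, from another address, or after its window has passed does not verify. Using HMAC-SHA256 as the hash, the 60-second window and all names and values are assumptions for the demo; as the slide says, an active man-in-the-middle who relays an unmodified request is not stopped by this check.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest is what the client sends instead of its password: a keyed hash
// over its IP, the URI it requests and a timestamp. The password (the key)
// never crosses the wire, so an eavesdropper learns only this digest.
func Digest(password, clientIP, uri string, ts int64) string {
	mac := hmac.New(sha256.New, []byte(password))
	fmt.Fprintf(mac, "%s|%s|%d", clientIP, uri, ts)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify is the server side: it recomputes the digest from what it actually
// observed (peer IP, requested URI) and its stored copy of the password.
// A digest captured for one URI or IP does not match for another, and a
// timestamp outside the window (maxSkew, a demo value) is rejected.
func Verify(password, peerIP, uri string, ts, now int64, digest string) bool {
	const maxSkew = 60 // seconds
	if ts > now || now-ts > maxSkew {
		return false
	}
	want := Digest(password, peerIP, uri, ts)
	return hmac.Equal([]byte(want), []byte(digest)) // constant-time compare
}

func main() {
	pw := "correct-horse" // constructed demo password shared by both sides
	ip, uri, ts := "203.0.113.5", "/reports/q1", int64(1700000000)
	d := Digest(pw, ip, uri, ts)
	fmt.Println("genuine request:    ", Verify(pw, ip, uri, ts, ts+10, d))
	fmt.Println("replayed, other URI:", Verify(pw, ip, "/reports/q2", ts, ts+10, d))
	fmt.Println("replayed, other IP: ", Verify(pw, "198.51.100.9", uri, ts, ts+10, d))
	fmt.Println("replayed, too late: ", Verify(pw, ip, uri, ts, ts+600, d))
}
```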

Page 5: IT Risk Management

One-time passwords / Symmetric-key authentication

• To avoid the problems associated with password reuse, one-time passwords were developed

• Working principle: In symmetric key authentication, the user shares a unique, secret key with an authentication server. The user may be required to send a randomly generated message (the challenge) encrypted by the secret key to the authentication server. If the server can match the received encrypted message (the response) using its shared secret key, the user is authenticated. A slight variation of this approach is the use of OTP tokens, which generate the OTP on the user's side for matching with the one generated on the server's side

• There are two types of one-time passwords:

A challenge-response password

A password list

• The challenge-response password responds with a challenge value after receiving a user identifier. The response is then either calculated from the challenge value (with some electronic device) or selected from a table based on the challenge

• A one-time password list makes use of lists of passwords which are used sequentially by the person wanting to access a system. The values are generated so that it is very hard to calculate the next value from the previously presented values

• It is important to keep in mind that password systems only authenticate the connecting party. They do not provide the connecting party with any method of authenticating the system they are accessing, so they are vulnerable to spoofing or a man-in-the-middle attack
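Both one-time password types from this slide, as an added Go example rather than code from the original deck: a challenge-response check in which the token computes an HMAC of the server's challenge under the shared secret key, and a password list built as a hash chain, where the server keeps a single anchor value and every accepted password becomes the new anchor, so a previously used value is refused. HMAC-SHA256, the SHA-256 chain and all names are assumptions; the slide does not name its primitives.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Response: the user's token HMACs the server's random challenge under the shared key.
func Response(sharedKey []byte, challenge string) []byte {
	mac := hmac.New(sha256.New, sharedKey)
	mac.Write([]byte(challenge))
	return mac.Sum(nil)
}

// CheckResponse is the server side: recompute with its own copy of the key.
func CheckResponse(sharedKey []byte, challenge string, response []byte) bool {
	return hmac.Equal(Response(sharedKey, challenge), response)
}

// MakeList builds a one-time password list as a hash chain: list[i] is SHA-256
// applied i+1 times to the seed. The user spends the list from the end, so each
// new password is the preimage of the last one and cannot be computed from it.
func MakeList(seed []byte, n int) (list [][32]byte, anchor [32]byte) {
	h := sha256.Sum256(seed)
	for i := 0; i < n; i++ {
		list = append(list, h)
		h = sha256.Sum256(h[:])
	}
	return list, h // anchor = H^(n+1)(seed), the only value the server keeps
}

// ListServer accepts a password only if hashing it gives the stored anchor,
// then moves the anchor to that password, so a replayed value is refused.
type ListServer struct{ anchor [32]byte }
func (s *ListServer) Accept(pw [32]byte) bool {
	if sha256.Sum256(pw[:]) != s.anchor {
		return false
	}
	s.anchor = pw
	return true
}

func main() {
	key := []byte("shared-secret-key") // constructed demo secret
	fmt.Println("response ok:", CheckResponse(key, "nonce-8f3a", Response(key, "nonce-8f3a")))
	list, anchor := MakeList([]byte("seed"), 3) // constructed demo seed
	s := &ListServer{anchor}
	fmt.Println(s.Accept(list[2]), s.Accept(list[2]), s.Accept(list[1])) // true false true
}
```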

Page 6: IT Risk Management

Public-key cryptography

• Working principle: Public-key cryptography provides an authentication method that uses a private and public key pair. A private key is kept secretly by the user, while the corresponding public key is commonly embedded in a certificate digitally signed by a certification authority. The certificate is made available to others.

• Real life example: Updating address of registered voters with the Registration and Electoral Office

• The advantage of public-key cryptography is that the public key is readily available to the public. In fact, public keys are often published to public directories on the Internet so that they can be easily retrieved. This simplifies key-management efforts

• The integrity of the public key is of the utmost importance. The integrity of a public key is usually assured by completion of a certification process carried out by a certification authority (CA). Once the CA has certified that the credentials provided by the entity securing the public key are valid, the CA will digitally sign the key so that visitors accessing the material the key is protecting will know the entity has been certified

Page 7: IT Risk Management

Digital Signatures

• Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature

• Digital signatures employ a type of asymmetric cryptography. For messages sent through a non-secure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects, but properly implemented digital signatures are more difficult to forge than the handwritten type

• Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid

• Digitally signed messages may include electronic mail, contracts, or a message sent via some other cryptographic protocol
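For the public-key and digital signature slides above, an added Go example (not the deck's code, nor any CA's or vendor's) shows the two checks a relying party performs in this model: that the certification authority's signature over the user's public key is valid, which is the key-integrity guarantee the previous slide describes, and that the holder of the matching private key signed the server's fresh challenge. Cert, Issue, Authenticate and the two-field certificate are assumptions that simplify X.509, and Ed25519 stands in for whatever signature algorithm a deployment uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a minimal stand-in for an X.509 certificate: the subject's public
// key plus the CA's signature over (subject, key). Assumed demo structure.
type Cert struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte
}

func certBody(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// Issue is the certification step: the CA signs the subject's public key.
func Issue(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	return Cert{subject, pub, ed25519.Sign(caPriv, certBody(subject, pub))}
}

// Authenticate runs the two checks a relying party needs: first that the
// trusted CA vouches for the key in the certificate (key integrity), then
// that the holder of the matching private key signed the fresh challenge.
func Authenticate(caPub ed25519.PublicKey, c Cert, challenge, sig []byte) bool {
	if !ed25519.Verify(caPub, certBody(c.Subject, c.PubKey), c.CASig) {
		return false // not issued by this CA, or the certificate was altered
	}
	return ed25519.Verify(c.PubKey, challenge, sig)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := Issue(caPriv, "alice", alicePub)
	challenge := []byte("login-nonce-1234") // server's fresh random value
	fmt.Println("genuine:", Authenticate(caPub, cert, challenge, ed25519.Sign(alicePriv, challenge)))
	// A certificate whose key was swapped without the CA re-signing fails
	// the first check, whatever the presented key can sign.
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	swapped := cert
	swapped.PubKey = otherPub
	fmt.Println("swapped key:", Authenticate(caPub, swapped, challenge, ed25519.Sign(otherPriv, challenge)))
}
```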

Page 8: IT Risk Management

SMS based authentication

• Working principle: SMS is used as a delivery channel for a one-time password (OTP) generated by an information system. The user receives the password in a message shown on the cell phone and enters it to complete the authentication.

• Real life example: Use of SMS-based authentication in login of Internet banking system

• Using e-mail or SMS OTP as a second factor is accomplished by sending a second one-time use password to a registered e-mail address or cell phone. The user must then input that second one-time password in addition to their normal password to authenticate to the online bank

• This method is generally considered too cumbersome for everyday logins because there is a time lag before users get the OTP they need to log in, but it is often used for the initial enrollment before providing another form of authentication

Page 9: IT Risk Management

Biometric authentication

• Working principle: Biometrics is a method by which a person's authentication information is generated by digitizing measurements (an encoded value) of a physiological or behavioral characteristic. Biometric authentication verifies the user's claimed identity by comparing an encoded value with a stored value of the concerned biometric characteristic

• Real life example: Use of fingerprint in Passenger e-Channel of HK Immigration. The analysis of fingerprints for matching purposes generally requires the comparison of several features of the print pattern. These include patterns, which are aggregate characteristics of ridges, and minutia points, which are unique features found within the patterns. It is also necessary to know the structure and properties of human skin in order to successfully employ some of the imaging technologies

• Biometrics literally means "measuring life," and refers to the use of known and recorded physical traits of a user to authenticate their identity, as no two individuals share the same exact physical traits

• Common schemes include: voice recognition; fingerprints; face scanning and recognition; eyeprints, such as retina and iris scans

• The issue with biometrics is that, apart from voice recognition, which can be performed using a normal cell phone, they require the use of specialized scanners, making them inconvenient for an industry such as e-commerce

Page 10: IT Risk Management

Issues with Biometrics

• Privacy and discrimination

It is possible that data obtained during biometric enrollment may be used in ways for which the enrolled individual has not consented. For example, biometric security that utilizes an employee's DNA profile could also be used to screen for various genetic diseases or other 'undesirable' traits

• Danger to owners of secured items

When thieves cannot get access to secure properties, there is a chance that the thieves will stalk and assault the property owner to gain access. If the item is secured with a biometric device, the damage to the owner could be irreversible, and potentially cost more than the secured property. For example, in 2005, Malaysian car thieves cut off the finger of a Mercedes-Benz S-Class owner when attempting to steal the car

• Cancelable biometrics

One advantage of passwords over biometrics is that they can be re-issued. If a token or a password is lost or stolen, it can be cancelled and replaced by a newer version. This is not naturally available in biometrics. If someone's face is compromised from a database, they cannot cancel or reissue it. Cancelable biometrics is a way in which to incorporate protection and the replacement features into biometrics

Page 11: IT Risk Management

Peripheral device recognition

Using peripheral device recognition as a second factor is accomplished by placing a cryptographic device marker on a user's existing device, such as a USB flash drive, an iPod or a smartphone memory card, and then requiring that device to be plugged into the computer when the user logs into the online banking web site

Scratch-off cards

Using a scratch-off card as a second factor is accomplished by issuing the user a card containing several PINs that the user scratches off and uses only once each to log in. This is a lower-cost one-time password option than tokens

Page 12: IT Risk Management

Out of band

• Using out-of-band verification for authentication involves the bank calling a registered phone number and requesting that the user enter their password over the phone prior to allowing the user to log in. Similar to e-mail or SMS OTPs, this requirement introduces a time lag and requires that the user be at the location of the registered phone number

• OOB uses a completely separate channel, such as a mobile device, to authenticate a transaction originated from a computer. Any transaction that crosses a threshold, such as a large money transfer, would trigger a phone call, text, or notification on a specialized app that further authorization is needed for a transaction to go through. Requiring two channels makes it quite difficult for a hacker to steal money, as they would need to compromise two separate systems (cell phone and computer) in order to pull off a heist

Page 13: IT Risk Management

Kerberos

• Kerberos authentication was developed at the Massachusetts Institute of Technology (MIT)

• There are two main components:

A ticket, which is used for user authentication and securing data

An authenticator, which is used to verify that the user is the same user to whom the ticket was initially granted

When a user logs into a system, the system connects to the Kerberos server, where it retrieves a session key to be used between the user and the ticket granting service (TGS). This is encrypted with a key based on the user's password. If the user provides the right password, the end system is able to decrypt the session key. After this is done, the user password is erased from memory to avoid being compromised

• The major issue with Kerberos is its scalability. The Kerberos server must store secret keys for each of the users and each of the TGSs. Kerberos can get very complex in enterprise implementations where trust relationships need to be in place between multiple organizations

Page 14: IT Risk Management

Comparison of different login methods

Page 15: IT Risk Management

Page 16: IT Risk Management

Page 17: IT Risk Management

TCO Worksheet

Page 18: IT Risk Management

TCO Worksheet

Page 19: IT Risk Management

Cost Benefit Analysis

• The benefits are mentioned in the previous table

• In the previous table, the total cost of ownership (TCO) increases from the leftmost column (Passwords) to the rightmost column (Under-the-skin ID)

• The selection of any authentication method depends on the Risk Tolerance, its TCO and expected deliverables

Page 20: IT Risk Management

Best Practices

Page 21: IT Risk Management

1. Match Your Authentication Solution to Your Business, Users and Risk

A flexible approach that enables an organization to implement different authentication methods based on different risk levels may ensure a robust system that can be efficiently and cost-effectively deployed

2. Prefer Solutions That Adhere to Standards-Based Security and Certifications

Products that are built upon standards-based crypto-algorithms and authentication protocols are preferred. Unlike proprietary algorithms, standards-based algorithms have gone through public scrutiny by industry and security experts, which reduces the chance of inherent weaknesses or vulnerabilities. Moreover, they enjoy broad industry support

Page 22: IT Risk Management

3. Consider All Access Points

Organizations need to ensure that access to all sensitive information is authenticated, whether the information resides on premise or in the cloud. Organizations should implement the same security mechanisms for cloud resources as they would for remote access to the corporate network. In addition, organizations should deploy security mechanisms to ensure that users accessing network resources from their mobile consumer devices are securely authenticated

4. Ensure the Solution Reduces IT Administrative and Management Overhead

Authentication environments have to offer convenience and transparency for end users and administrators alike. Administrators need to be able to manage all users across all devices and resources. Organizations can offer their users several authentication methods, ranging from context-based authentication through SMS, phone tokens or hardware tokens, ensuring user acceptance and compliance with corporate security policies

Page 23: IT Risk Management

Conclusion

• User authentication can be handled using one or more different authentication methods

• Some authentication methods, such as plain password authentication, are easily implemented but are in general weak and primitive. The fact that plain password authentication is still by far the most widely used form of authentication gives credence to the seriousness of the lack of security on both the Internet and within private networks

• Other methods of authentication, that may be more complex and require more time to implement and maintain, provide strong and reliable authentication (provided one keeps its secrets secret, i.e. private keys and phrases)

• That being said, one of the key factors to be considered in determining which method of authentication to implement is usability. The usability factor cannot be ignored when designing authentication systems. If the authentication methods are not deemed usable by those forced to utilize them, then they will avoid using the system or persistently try to bypass them

Page 24: IT Risk Management

References
