
What is Authentication?

Authentication is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program, or tracing the origins of an artifact. Authentication often involves verifying the validity of at least one form of identification.
• Authentication is the process of verifying a user or device before
allowing access to a system or resources.
• In other words, authentication means confirming that a user is who they
say they are. This ensures only those with authorized credentials gain
access to secure systems.
• When a user attempts to access information on a network, they must
provide secret credentials to prove their identity.
• Authentication allows you to grant access to the right user at the right
time with confidence. But this doesn’t occur in isolation.
Authentication is part of a three-step process for gaining access to digital
resources:
• Identification—Who are you?
• Authentication—Prove it.
• Authorization—Do you have permission?
Authentication in simple terms
• Positive verification of identity (man or
machine)
• Verification of a person’s claimed identity
• 3 Categories:
– What you know
– What you have
– Who you are
Review: 3 Categories
• What you know
– Password
– PIN
• What you have
– e-Token
– RFID
– Certificate
• Who you are
– Biometrics
Four main types of authentication available are:
• Password based authentication
• Certificate based authentication
• E-Token based authentication
• Biometric based authentication
Password based authentication :
• Passwords are the most common form of authentication.
• A password may be a string of letters, numbers and special characters.
• The password must be known by the ENTITY (the THING or PERSON) that is being authenticated, and by nobody else; the verifier should hold only a salted one-way hash of it, never the password itself.
How does the authentication process take place (password)?
Steps :
1. The server prompts for user id and password.

2. The user enters the user id and password.

3. The user id and password are validated against the credential store.

4. The authentication result is returned to the server (application).

5. The user is informed accordingly (on failure, with one generic message that does not reveal whether the user id or the password was wrong).
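The five steps above, worked through in Go as an added example (this is not code from the original slides). It shows what a practitioner expects behind step 3: the server stores only a salted PBKDF2-HMAC-SHA-256 hash, compares it in constant time, and answers every failure with the same message in about the same time. The PBKDF2 routine is written out so the program runs on the standard library alone; the user store, the `alice` account, the record format and the iteration count are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// pbkdf2SHA256 is RFC 8018 PBKDF2 with an HMAC-SHA-256 PRF, written out so the block needs only
// the standard library: T_i = U_1 xor ... xor U_c, with U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	idx := make([]byte, 4)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// demoIterations keeps the stand-alone run fast; production should use a cost in the region of
// 600,000 iterations for PBKDF2-HMAC-SHA-256 (OWASP Password Storage Cheat Sheet guidance).
const demoIterations = 10_000

// HashPassword returns a self-describing record "pbkdf2-sha256$iterations$salt$hash" (unpadded
// base64). Carrying salt and cost in the record lets the cost be raised later, user by user.
func HashPassword(password string, iterations int) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iterations, 32)
	enc := base64.RawStdEncoding
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations, enc.EncodeToString(salt), enc.EncodeToString(dk)), nil
}

// VerifyPassword recomputes the hash with the record's own salt and cost and compares in
// constant time, so the comparison leaks nothing about how many bytes matched.
func VerifyPassword(record, password string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised record format")
	}
	iterations, err := strconv.Atoi(parts[1])
	if err != nil || iterations < 1 {
		return false, errors.New("bad iteration count")
	}
	salt, err1 := base64.RawStdEncoding.DecodeString(parts[2])
	want, err2 := base64.RawStdEncoding.DecodeString(parts[3])
	if err1 != nil || err2 != nil || len(want) < 16 { // an empty hash must never compare equal
		return false, errors.New("malformed record")
	}
	got := pbkdf2SHA256([]byte(password), salt, iterations, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

// users stands in for the credential store (constructed sample data). dummyRecord is checked
// when the user id is unknown so the response time does not reveal which ids exist.
var (
	users          = map[string]string{}
	dummyRecord, _ = HashPassword("not-a-real-password", demoIterations)
)

// Login is steps 3 to 5: validate, then give one generic failure message so the caller cannot
// distinguish an unknown user id from a wrong password.
func Login(userID, password string) (bool, string) {
	record, known := users[userID]
	if !known {
		record = dummyRecord
	}
	if match, err := VerifyPassword(record, password); !known || err != nil || !match {
		return false, "invalid user id or password"
	}
	return true, "welcome, " + userID
}

func main() {
	users["alice"], _ = HashPassword("correct horse battery staple", demoIterations)
	fmt.Println(Login("alice", "correct horse battery staple"))
	fmt.Println(Login("mallory", "anything"))
}
```

Run it with `go run`. Note that the work per login (the iteration count) is the same whether the user id exists or not, and that the stored record never contains the password, so a leaked database still has to be brute-forced one guess at a time at full cost.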


Certificate based authentication :

• A certificate is a digital document that at a minimum includes a Distinguished Name (DN) and an associated public key.

• The certificate is digitally signed by a trusted third party known as the Certificate Authority (CA). Digital certificates can then be reused for user authentication.

• Certificate based authentication is stronger as compared to password based authentication.

• Because here the user is expected to HAVE something (the private key that matches the CERTIFICATE) rather than to KNOW something (a PASSWORD). The certificate itself is public; what proves identity is a signature that only the holder of the corresponding private key can produce.
A digital certificate is an electronic document that contains information on:

(1) The Entity it belongs to…

(2) The Entity it was issued by…

(3) Unique serial number or some other unique identification…

(4) Valid dates …

(5) A Digital fingerprint…


How does the authentication process take place (certificate)?
Steps :
1. Creation, storage and distribution of the DC (Digital Certificate) and its private key.

2. Login request (user to server).

3. Server creates a random challenge.

4. User signs the random challenge with the private key matching the certificate.

5. Server verifies the certificate chain and the signature, and returns an appropriate message back to the user.
E-Token based authentication :
• An authentication token is a small device that generates a new one-time value (derived from a secret seed shared with the server) every time it is used or every time step.

• This value becomes the basis for authentication, as an alternative (or an addition) to a password.

• Can be implemented on a USB key fob or a smart card.

• Data is physically protected on the device itself.

• May store credentials such as passwords, digital signatures and certificates, and private keys.
Usually an authentication token has the following components or features:

1. Processor.

2. LCD for displaying outputs or one-time values.

3. Battery.

4. Small keypad for entering information.

5. Real-time clock (optional; needed for time-based tokens).
How does the authentication process take place (e-token)?
Steps :
1. Creation of a token (a secret seed is generated and provisioned into both the token and the server).

2. Use of the token (the user reads the current value and submits it).

3. Token validation (the server recomputes the expected value from its copy of the seed and compares).

4. Server returns an appropriate message back to the user.
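The four e-token steps, as an added example in Go (not code from the original slides), using the HOTP/TOTP algorithm of RFC 4226 and RFC 6238 that most time-based tokens and authenticator apps implement. `Token` plays the device, `Validator` plays the server; the seed is the RFC 6238 test seed and is constructed for the demo. The validator tolerates one 30-second step of clock drift either side and never accepts the same or an earlier counter twice, which is what stops a code that was shoulder-surfed or phished from being reused within its window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	stepSeconds = 30 // RFC 6238 default time step
	digits      = 6
)

// hotp is RFC 4226: HMAC-SHA-1 over the 8-byte counter, dynamically truncated to `digits` decimals.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: HOTP whose counter is the number of 30-second steps since the Unix epoch.
func totp(secret []byte, at time.Time, digits int) string {
	return hotp(secret, uint64(at.Unix())/stepSeconds, digits)
}

// Token models the e-token; the seed is provisioned into it at creation (step 1).
type Token struct{ seed []byte }

// Display is step 2: the value shown on the token's LCD at the given moment.
func (tk Token) Display(now time.Time) string { return totp(tk.seed, now, digits) }

// Validator is the server side of step 3. It shares the seed and remembers the last counter it
// accepted, so a code captured by an attacker cannot be replayed within its lifetime.
type Validator struct {
	seed        []byte
	skew        int64  // steps of clock drift tolerated on either side of "now"
	lastCounter uint64 // highest counter accepted so far
	used        bool   // whether lastCounter is meaningful yet
}

// Validate compares the submitted code, in constant time, against the codes for now +/- skew
// steps and rejects any counter at or below the last accepted one.
func (v *Validator) Validate(code string, now time.Time) error {
	if len(code) != digits {
		return errors.New("malformed code")
	}
	cur := now.Unix() / stepSeconds
	for d := -v.skew; d <= v.skew; d++ {
		c := uint64(cur + d)
		if v.used && c <= v.lastCounter {
			continue // already consumed: replay protection
		}
		if hmac.Equal([]byte(hotp(v.seed, c, digits)), []byte(code)) {
			v.lastCounter, v.used = c, true
			return nil
		}
	}
	return errors.New("code rejected")
}

func main() {
	seed := []byte("12345678901234567890") // RFC 6238 test seed, constructed for the demo
	tok, srv := Token{seed}, &Validator{seed: seed, skew: 1}
	now := time.Now()
	code := tok.Display(now)
	fmt.Println(code, srv.Validate(code, now), srv.Validate(code, now.Add(time.Second)))
}
```

The second `Validate` call in `main` fails even though the code is still within its 30-second window: that is the replay rule at work. Production validators additionally rate-limit guesses, since a six-digit code offers only a million possibilities.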
Biometric based authentication :

• Biometrics (or biometric authentication) refers to the identification of humans by their characteristics such as fingerprint, voice, iris pattern of the eye, vein pattern, etc.

• Biometrics is used in computer science as a form of identification and access control.

• It is also used to identify individuals in groups that are under observation.
How does the authentication process take place (biometric)?

• The user database contains a sample (template) of the user's biometric characteristics.

• During the authentication process, the user is required to provide a new sample of the biometric.

• This sample is encrypted for transmission to the server.

• The current sample is decrypted and compared with the stored template.

• If the sample matches (within the configured tolerance; biometric matches are never exact), the user is considered valid.

Biometrics Process (flow diagram)

Biometric Data Collection → Transmission → Signal Processing (Feature Extraction, Representation) → Quality Sufficient? [No → a new biometric sample is requested] [Yes ↓] → Database Template Match → Confidence? [Yes / No] → Decision
The common Physical characteristics are:

• Fingerprint

• Face

• Retina

• Iris

• Vein pattern

• Hand and finger geometry


Signature Verification Process

Dynamic (behavioural) signature verification measures:
• The angle at which the pen is held
• The number of times the pen is lifted
• The time it takes to write the entire signature
• The pressure exerted by the person while signing
• The variations in the speed with which different parts of the signature are written.
Aadhaar card:

One-time standardized Aadhaar enrolment establishes uniqueness of the resident via 'biometric de-duplication'
– Only one Aadhaar number per eligible individual

Online authentication is provided by UIDAI
– Demographic data (Name, Address, DOB, Gender)
– Biometric data (Fingerprint, Iris, Face)

Aadhaar, subject to online authentication, is proof of ID.

Flow: Aadhaar enrolment / update (= KYC) → Aadhaar No. issued, stored in the authentication server → online "verification" of KYC (authentication)
Advantages of biometrics
1. Uniqueness

2. Universality

3. Performance

4. Measurability

5. User friendly

6. Accuracy

7. Comfort
An authentication entity, in the context of computer security and identity
management, refers to a digital or logical representation of a user or
system that seeks access to a resource, application, or network.
• Authentication entities are used to verify the identity of individuals,
devices, or services attempting to gain access to protected resources.
• Authentication entities typically consist of a set of attributes or credentials
that help establish and verify identity. These attributes may include:
• Username: A unique identifier associated with a user or system account.
• Password: A secret authentication credential known only to the entity
being authenticated. Passwords are a common form of authentication in
username/password-based systems.
• Biometrics: Physical or behavioural characteristics unique to an individual,
such as fingerprints, facial recognition, or voice patterns, used to verify
identity.
• Digital Certificates: Cryptographic credentials issued by trusted certificate
authorities (CAs) that bind a public key to an identity. Certificates are often
used in secure communications and authentication.
• API Keys: Secret keys issued to applications or services to authenticate
their access to APIs (Application Programming Interfaces).
• Smart Cards: Physical cards containing a microprocessor chip that stores
authentication data.
• Token-Based Authentication: Authentication entities may possess tokens
or tokens may be issued during the authentication process. These tokens
can include one-time passwords (OTP) or time-based codes generated by
authentication apps or devices.
• Client Certificates: Digital certificates used by client applications to
authenticate themselves to servers.
• Social Media Authentication: Some authentication systems allow users to
log in using their social media credentials (e.g., "Sign in with Google" or
"Sign in with Facebook").
• Device Identity: The unique characteristics of a device, such as its MAC address, device fingerprint, or hardware-based security features, can be used as part of the authentication entity. MAC addresses and software fingerprints are easily spoofed, so they are only a weak signal; a key held in hardware (a TPM or secure element) is what gives a device a strong identity.
• Authentication entities can represent various entities, including:
• User Entities: Represent individual users, each with their own set of
authentication credentials.
• System Entities: Represent software systems, services, or applications that
need to authenticate themselves to access other systems or resources.
• Service Entities: Represent specific online services or APIs that require
authentication for access.
• The authentication entity plays a critical role in the
authentication process by presenting its credentials to an
authentication system, which then verifies the entity's identity
based on these credentials. The entity's access rights and
permissions are determined based on the successful
verification of its identity. Security measures, such as multi-
factor authentication (MFA), are often used to enhance the
security of authentication entities.
Authentication Attributes
• Source
• Location
• Path
• Time duration
Authentication Types
• Direct/Indirect
• One way/Mutual
• On demand/Periodic
• Dynamic/Continuous
• Direct and indirect authentication are two different approaches to verify
a user's identity or grant access to a system or resource. These approaches
differ in how they establish and verify identity, and they are often used in
various security and access control contexts.
• Direct Authentication:
• Direct authentication refers to a straightforward process where the user
provides their identity credentials directly to the system or service they
want to access. This approach typically involves the user interacting
directly with the authentication system, such as entering a username and
password. Some key points about direct authentication include:
– User directly interacts with the authentication system.
– Commonly used in traditional username/password-based
authentication.
– Credentials are provided to the system being accessed.
• Example: When a user enters their username and password on a login
page to access an email account, this is a form of direct authentication.
• Indirect Authentication:
• Indirect authentication, also known as federated authentication or single sign-on
(SSO), is an approach where a user's identity is verified by an external or central
identity provider, and the verified identity is then trusted by multiple systems or
services without the user having to provide credentials to each of them. Key
characteristics of indirect authentication include:
– An external identity provider handles the authentication process.
– Users authenticate once with the identity provider, which then vouches for
their identity to other connected services.
– Eliminates the need for users to remember and enter credentials for each
service.
• Example: Using your Google or Facebook account to log in to
various third-party websites and apps without providing a
separate username and password for each site is an example
of indirect authentication. Google or Facebook serves as the
identity provider.
• Indirect authentication offers several benefits, including
improved user convenience (as users don't have to manage
multiple sets of credentials) and centralized control over
authentication and access policies. However, it also introduces
potential security risks, as a compromise of the central
identity provider can lead to unauthorized access to multiple
services.
• One-way authentication and mutual authentication are two different
authentication processes used in network security and communication
protocols. They vary in terms of how identities are verified and whether
both parties involved in the communication exchange credentials or not.
• One-Way Authentication (Server Authentication):
– One-way authentication primarily involves verifying the identity of
one party to the communication, typically the server or the service
provider.
– In this scenario, only the server presents its credentials (usually a
digital certificate) to the client or the user.
– The client or user does not provide any credentials to the server.
– This process is often used in scenarios where the client only needs to
verify the server's identity to establish a secure connection.
• Example: When you connect to a secure website (HTTPS), your web
browser verifies the identity of the website's server by checking its
SSL/TLS certificate. You, as the client, do not provide any credentials to the
server.
• Mutual Authentication (Two-Way Authentication):
• Mutual authentication, also known as two-way authentication or client-
server authentication, involves both the client (user) and the server
verifying each other's identities.
• In this scenario, both parties exchange credentials or certificates to
establish trust and confirm each other's identities.
• Mutual authentication is commonly used in scenarios where both parties
need to trust each other before exchanging sensitive information.
• Example: In many secure email systems, both the email client (user) and
the email server authenticate each other. The email client presents its
credentials (e.g., username and password), and the email server presents
its digital certificate. This ensures that both parties can trust each other's
identities.
• On-demand authentication refers to a process where authentication is
initiated only when it is explicitly requested by a user or a system, rather
than being a continuous or automatic authentication process. In other
words, authentication occurs as needed, in response to a specific action or
event, rather than being performed proactively or continuously. This
approach is often used to balance security and usability in various
applications and systems. Here are some key aspects of on-demand
authentication:
• User-Initiated: On-demand authentication is typically user-initiated,
meaning that it occurs when a user actively requests access to a resource
or performs a specific action that requires authentication.
• Triggered Events: Authentication is triggered by specific events or actions.
For example, a user may request access to a secure document, initiate a
financial transaction, or log in to an online account, prompting the system
to request authentication.
• Enhanced Security: On-demand authentication can enhance security by ensuring
that access to sensitive resources or actions is protected by authentication. It helps
prevent unauthorized access that may occur if continuous authentication is not in
place.
• User Experience: While on-demand authentication can improve security, it can
also be more user-friendly compared to requiring users to authenticate frequently.
Users are prompted to authenticate only when necessary, reducing friction in their
interactions with systems and applications.
• Authentication Methods: The authentication methods used in on-demand
authentication can vary widely, depending on the system and its security
requirements. Common methods include username/password, biometrics, one-
time passwords (OTPs), or multi-factor authentication (MFA).
• Examples of on-demand authentication include:
• Logging into an online banking account: Authentication is required when the user
initiates a login to access their financial information or perform transactions.
• Accessing a secure building or facility: Employees or visitors must authenticate
themselves through methods like card swipes or biometric scans when they want
to enter a restricted area.
• Periodic authentication

• It is a security practice where users are required to reauthenticate themselves at regular intervals during their session or interaction with a system or application.
• The goal of periodic authentication is to enhance security by reducing the
risk of unauthorized access, especially in situations where users might
leave their sessions unattended or forget to log out.
• It ensures that users who started a session are still the same individuals
actively using it.
• Here are some key aspects of periodic authentication:
• Time-Based: Periodic authentication is time-based, meaning
that users are prompted to reauthenticate after a certain
period of inactivity or after a predefined time interval has
elapsed.
• User Sessions: It is often used in the context of user sessions,
where a session represents a continuous interaction between
the user and a system, such as an online application or a
computer.
• Security Enhancement: By requiring users to periodically
reauthenticate, the system reduces the risk of unauthorized
access in cases where a user's session is left unattended or if
someone else gains physical access to the user's device.
• Authentication Methods: The methods used for periodic authentication
can vary and may include entering a password, providing biometric data
(e.g., fingerprint or facial recognition), or using a one-time password
(OTP).
• Customizable Intervals: Organizations can typically customize the intervals
at which periodic authentication is required based on their security
policies and risk assessments. For example, they might require
reauthentication every 15 minutes or every hour.
• User Experience: Balancing security with user experience is important.
Too frequent or disruptive periodic authentication prompts can be
frustrating for users, while too infrequent prompts may not provide
adequate security.
• Examples of where periodic authentication might be used include:
• Online Banking: Users may be required to reenter their password or
provide additional authentication every 10 minutes of inactivity to access
their bank accounts.
• Computer Locking: To protect against unauthorized access, a computer
may lock itself and require the user to reenter their password after a
period of inactivity.
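The on-demand and periodic rules described in the last two sections, expressed as a small session policy in Go (an added example, not code from the original slides). The durations (10-minute idle timeout, 1-hour maximum lifetime, 5-minute freshness for sensitive actions), the `alice` session and the timeline are illustrative assumptions; the credential check itself is assumed to happen elsewhere.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Policy captures the organisation's re-authentication rules; the durations are illustrative.
type Policy struct {
	IdleTimeout     time.Duration // periodic: re-authenticate after this much inactivity
	MaxLifetime     time.Duration // periodic: re-authenticate this long after the last login
	StepUpFreshness time.Duration // on-demand: a sensitive action needs an authentication this recent
}

// Session is the server-side record of one logged-in user.
type Session struct {
	User     string
	AuthedAt time.Time // last successful (re)authentication
	LastSeen time.Time // last request on this session
}

var (
	ErrReauth = errors.New("session expired: re-authentication required")
	ErrStepUp = errors.New("sensitive action: fresh authentication required")
)

// Touch runs on every request: enforce the periodic rules, then record the activity.
func (p Policy) Touch(s *Session, now time.Time) error {
	if now.Sub(s.LastSeen) > p.IdleTimeout || now.Sub(s.AuthedAt) > p.MaxLifetime {
		return ErrReauth
	}
	s.LastSeen = now
	return nil
}

// Authorize runs before an action. A sensitive one (money transfer, password change, viewing
// a secret) is the on-demand trigger: it passes only if the user authenticated recently enough.
func (p Policy) Authorize(s *Session, sensitive bool, now time.Time) error {
	if err := p.Touch(s, now); err != nil {
		return err
	}
	if sensitive && now.Sub(s.AuthedAt) > p.StepUpFreshness {
		return ErrStepUp
	}
	return nil
}

// Reauthenticate records a successful credential check (performed elsewhere) and resets both clocks.
func (s *Session) Reauthenticate(now time.Time) { s.AuthedAt, s.LastSeen = now, now }

func main() {
	p := Policy{IdleTimeout: 10 * time.Minute, MaxLifetime: time.Hour, StepUpFreshness: 5 * time.Minute}
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed timeline
	s := &Session{User: "alice"}
	s.Reauthenticate(t0)
	fmt.Println(p.Authorize(s, false, t0.Add(2*time.Minute)))  // <nil>: ordinary page view
	fmt.Println(p.Authorize(s, true, t0.Add(8*time.Minute)))   // step-up: transfer 8 minutes after login
	fmt.Println(p.Authorize(s, false, t0.Add(30*time.Minute))) // re-auth: idle for 22 minutes
}
```

The two timers answer different questions: the idle timeout and maximum lifetime catch a session left unattended or stolen, while the freshness rule catches a valid session being used for an action the user may not have intended, which is why the latter asks for credentials again even when the session is otherwise healthy.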
• Dynamic authentication refers to a security
mechanism that adapts and changes based on
various factors and conditions, providing an
additional layer of protection for digital
systems, applications, or data.
• Unlike static authentication methods, such as
traditional username and password
combinations, dynamic authentication takes
into account real-time information and
context to verify a user's identity
• Here are some key aspects of dynamic authentication:
• Multi-Factor Authentication (MFA): MFA is a common implementation of
dynamic authentication. It combines two or more authentication factors,
which can include something you know (e.g., a password), something you
have (e.g., a smartphone or a hardware token), and something you are (e.g.,
biometrics like fingerprint or facial recognition). The combination of these
factors adds an extra layer of security.
• Contextual Authentication: Dynamic authentication systems can consider
contextual information, such as the user's location, device, time of access,
and behavior. If a login attempt appears to deviate from the user's typical
patterns, the system may trigger additional authentication measures or
request further verification.
• Risk-Based Authentication: This approach assesses the level of risk
associated with a particular authentication request. Risk factors can include
the user's behavior, the device being used, and the location of the request. If
the risk is deemed high, the system may require stronger authentication
methods.
• Adaptive Authentication: Adaptive authentication systems use machine
learning and artificial intelligence to continuously evaluate and adapt their
security measures. They analyze user behavior and system data to
determine the appropriate level of authentication required for each
interaction. For example, a user logging in from a known device and
location may require minimal authentication, while a suspicious login
attempt triggers more stringent checks.
• Time-Based Authentication: Some dynamic authentication methods
generate one-time codes or tokens that expire after a short period. Users
must provide these codes in addition to their regular credentials. Time-
based codes add an element of unpredictability to the authentication
process.
• Biometric Authentication: Biometric data, such as fingerprints, facial
recognition, or voice recognition, can be used for dynamic authentication.
These biometric factors are unique to each individual and are difficult to
fake.
• Continuous Authentication: Rather than authenticating a user only at the
initial login, continuous authentication monitors the user's activity
throughout their session. If the system detects any suspicious behavior or
deviations, it may prompt the user to reauthenticate.

• Smart Access Policies: Dynamic authentication systems can enforce access policies that adapt based on user roles, privileges, and the sensitivity of the data being accessed. Users with higher permissions may be subject to more rigorous authentication checks.

• Dynamic authentication is essential in today's cybersecurity landscape to mitigate the risks associated with unauthorized access and data breaches. It helps organizations strike a balance between security and user convenience by applying appropriate authentication methods based on the specific circumstances of each access request.
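A minimal risk-based decision function in Go, added here as an example of the dynamic and adaptive pattern just described (it is not code from the original slides). The profile attributes, the weights and thresholds, the `alice` profile and the sample login attempts are all constructed assumptions; the point is the shape of the logic: score the context of the request, map the score to allow, require MFA or deny, and feed fully successful logins back into the profile.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is the outcome of assessing a login attempt.
type Decision int

const (
	Allow      Decision = iota // password alone is sufficient
	RequireMFA                 // step up to a second factor
	Deny                       // refuse and alert
)

func (d Decision) String() string { return [...]string{"allow", "require-mfa", "deny"}[d] }

// Profile is what the system has learned about the user from earlier successful logins.
type Profile struct {
	KnownDevices   map[string]bool
	UsualCountries map[string]bool
	UsualHours     [2]int // inclusive UTC hour range in which the user normally logs in
}

// Attempt is the context of the current request (the real-time information the text refers to).
type Attempt struct {
	DeviceID       string
	Country        string
	HourUTC        int
	RecentFailures int  // failed logins on this account in the last few minutes
	IPOnDenyList   bool // source address appears on a threat-intelligence or abuse list
}

// Assess scores the attempt against the profile and maps the score to a decision. Weights and
// thresholds are illustrative; a real deployment tunes them against fraud and false-positive data.
func Assess(p Profile, a Attempt) (Decision, []string) {
	if a.IPOnDenyList {
		return Deny, []string{"source IP on deny list"}
	}
	score, reasons := 0, []string{}
	add := func(points int, why string) { score += points; reasons = append(reasons, why) }
	if !p.KnownDevices[a.DeviceID] {
		add(40, "unrecognised device")
	}
	if !p.UsualCountries[a.Country] {
		add(30, "unusual country "+a.Country)
	}
	if a.HourUTC < p.UsualHours[0] || a.HourUTC > p.UsualHours[1] {
		add(10, fmt.Sprintf("outside usual hours (%02d:00 UTC)", a.HourUTC))
	}
	if a.RecentFailures >= 3 {
		add(30, fmt.Sprintf("%d recent failed attempts", a.RecentFailures))
	}
	switch {
	case score >= 80:
		return Deny, reasons
	case score >= 30:
		return RequireMFA, reasons
	}
	return Allow, reasons
}

// Learn is the adaptive part: after a fully successful login (including MFA when it was asked
// for), the device and country become part of the user's normal pattern.
func Learn(p *Profile, a Attempt) {
	p.KnownDevices[a.DeviceID] = true
	p.UsualCountries[a.Country] = true
}

func main() {
	alice := Profile{KnownDevices: map[string]bool{"laptop-7f3a": true}, UsualCountries: map[string]bool{"IN": true}, UsualHours: [2]int{7, 20}}
	attempts := []Attempt{ // constructed sample attempts
		{DeviceID: "laptop-7f3a", Country: "IN", HourUTC: 10},
		{DeviceID: "phone-new", Country: "IN", HourUTC: 10},
		{DeviceID: "unknown", Country: "RU", HourUTC: 3, RecentFailures: 4},
	}
	for _, a := range attempts {
		d, why := Assess(alice, a)
		fmt.Printf("%-12s %s\n", d, strings.Join(why, "; "))
	}
}
```

Returning the reasons alongside the decision is deliberate: the login flow can show the user a neutral prompt while the security team gets the full explanation in the log, and the thresholds can be tuned later from those logs without changing the code.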
• Continuous authentication, also known as continuous
authentication and authorization (CAA), is a security approach
that involves constantly monitoring and verifying a user's
identity and access rights throughout their entire session or
interaction with a system, application, or network.

• Unlike traditional authentication methods that only verify a user's identity at the initial login, continuous authentication ensures ongoing security by regularly revalidating the user's identity and assessing the context of their activities.

• This approach helps protect against unauthorized access, session hijacking, and other security threats.
• Key characteristics and components of continuous authentication include:
• Behavioral Analysis: Continuous authentication often relies on analyzing user
behavior and patterns during a session. This can include tracking mouse
movements, typing patterns, touchscreen gestures, and other user
interactions. Behavioral biometrics are used to create a unique profile for
each user.

• Machine Learning and AI: Advanced machine learning and artificial intelligence algorithms are employed to establish a baseline of normal user behavior. These algorithms continuously monitor and compare the user's actions against this baseline. If significant deviations are detected, it may trigger additional authentication or raise security alerts.

• Biometrics: Biometric factors such as fingerprint recognition, facial recognition, voice recognition, and even heartbeat patterns can be used as continuous authentication methods. These biometric factors are difficult to replicate, providing a high level of security.
• Device and Context Analysis: Continuous authentication systems also
consider the context in which the user is operating. This includes assessing
the device being used, its location, IP address, and other environmental
factors. If the context changes dramatically (e.g., the user switches to a
different device or location), it may trigger reauthentication.
• Time-Based Factors: Continuous authentication may also incorporate
time-based elements, such as generating and validating time-sensitive
tokens or codes at regular intervals to confirm the user's identity.
• Risk-Based Approach: Similar to dynamic authentication, continuous
authentication systems employ a risk-based approach. They evaluate the
level of risk associated with the user's actions and adjust security
measures accordingly. For example, if the system detects unusual
behavior, it may require the user to provide additional authentication
factors.
• Adaptive Access Control: Continuous authentication is often used in
conjunction with adaptive access control policies. These policies
dynamically adjust user permissions and access rights based on the
ongoing assessment of the user's identity and behavior. For instance, if a
user's behavior becomes suspicious, their access privileges may be
restricted.
• Continuous authentication provides a proactive and responsive security
framework, enhancing protection against threats like account takeover
attacks, insider threats, and unauthorized access. It reduces the reliance
on static credentials (e.g., passwords) that can be easily compromised and
offers a more robust and user-friendly approach to safeguarding digital
resources.
• However, implementing continuous authentication requires careful
consideration of user privacy concerns and the need for transparent user
consent and monitoring.
• Assisted and automatic authentication refer to processes and
technologies that simplify or streamline the user authentication process
by reducing the manual effort required from the user. These methods aim
to enhance security while also improving user convenience. Here's an
overview of both:
• Assisted Authentication:
– Assisted authentication involves some level of user interaction but
aims to make the authentication process more user-friendly and
efficient.
– Common examples include password managers, biometric recognition
systems (e.g., fingerprint or facial recognition), and single sign-on
(SSO) solutions.
– Password managers help users store and autofill their login
credentials, reducing the need to remember and manually enter
passwords.
– Biometric recognition systems allow users to authenticate themselves
by using their unique physical or behavioral traits, such as fingerprints
or facial features.
– SSO solutions enable users to log in once and gain access to multiple
services or applications without needing to enter credentials
repeatedly.
• Automatic Authentication:
– Automatic authentication aims to minimize or eliminate user
involvement in the authentication process, making it nearly seamless.
– Examples include:
• Token-based Authentication: Users carry a physical device or use a
mobile app that generates one-time tokens, which automatically
authenticate them without requiring manual input.
• Location-based Authentication: When a user's device is in a
trusted location (e.g., their home or office), automatic
authentication can occur without any additional input.
• Behavioral Analysis: Advanced systems use machine learning and
AI to continuously monitor user behavior during a session. If the
behavior aligns with a known user profile, authentication happens
automatically.
• Persistent Authentication: Once a user logs in successfully, their
session remains authenticated until certain conditions are met
(e.g., inactivity timeout, logout, or a change in user context). This
minimizes the need for repeated logins.
• Benefits of assisted and automatic authentication methods
include improved security (as they reduce the risk of human
error in password management), enhanced user experience,
and increased productivity.
• However, it's essential to implement these methods securely
to protect against potential risks, such as biometric data
breaches or unauthorized access when automatic
authentication is used.
• Additionally, organizations must consider user privacy and
data protection regulations when implementing assisted and
automatic authentication, as they often involve the collection
and storage of sensitive user information.
• Proper security measures and user consent mechanisms
should be in place to address these concerns.
• 3 Factors of Authentication:
• There are typically three primary types of authentication factors:

– Something You Know: This includes information that only the authorized
user should know, such as passwords, PINs (Personal Identification
Numbers), security questions, or passphrases.
– Something You Have: These are physical items or tokens that the user
possesses, like smart cards, security tokens, mobile devices, or physical
keys.
– Something You Are: This factor relies on unique biological or behavioral
characteristics of the individual, such as fingerprints, retinal scans, facial
recognition, voice patterns, or handwriting analysis. Biometric
authentication is an example of this factor.
• Generating strong and secure passwords with varying lengths and mixed
character types is essential for enhancing the security of your online accounts
and systems. A strong password typically consists of a combination of upper
and lower-case letters, numbers, and special characters. Here are some
guidelines and methods for generating such passwords:
• Passphrases:
– Consider using passphrases instead of traditional passwords. Passphrases
are longer and often easier to remember while still being highly secure.
– Create a phrase by combining random words, making sure they are
unrelated and not easily guessable. For example,
"PurpleTiger$Jumped#High!".
• Random Password Generators:
– Use a password manager or a random password generator tool to create
strong, random passwords.
– Ensure that the generator includes options for specifying password length
and the types of characters to include (uppercase, lowercase, numbers,
and symbols).
• Character Variety:
– Include a mix of character types in your passwords. Use uppercase letters,
lowercase letters, numbers, and special symbols.
• Length:
– Longer passwords are generally more secure. Aim for a minimum of
12-16 characters or more if the system allows.
– Longer passwords are harder to crack through brute force attacks.
• Avoid Dictionary Words:
– Do not use complete words found in dictionaries, as these can be
easily guessed or cracked using dictionary attacks.
– If you want to include a word, misspell it or combine it with other
unrelated words and symbols.
• Unpredictability:
– Make your passwords as unpredictable as possible. Avoid using easily
guessable information such as birthdays, names, or common phrases.
• Avoid Repeated Characters:
– Do not use repeated characters or patterns in your password (e.g.,
"1234" or "aaaaaa").
– Repeating characters make passwords weaker.
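A password generator and policy checker in Go that implements the guidelines above, added as an example (not code from the original slides). It draws characters with the operating system's CSPRNG through `crypto/rand`, which avoids the predictability of `math/rand` and the modulo bias of a naive `% n`, guarantees at least one character of every class, shuffles so the guaranteed characters do not sit in fixed positions, and rejects candidates that contain a repeated or sequential run. The character sets, the 12-character minimum and the run length of 3 are the assumptions; checking against a dictionary or breached-password list is left out because it needs a word list.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"unicode"
)

// classes are the character sets the generator draws from (assumed for this example).
var classes = []string{
	"abcdefghijklmnopqrstuvwxyz",
	"ABCDEFGHIJKLMNOPQRSTUVWXYZ",
	"0123456789",
	"!@#$%^&*()-_=+[]{};:,.<>?",
}

// randomIndex returns a uniform integer in [0, n) from the OS CSPRNG. rand.Int discards
// out-of-range draws, so there is no modulo bias; a CSPRNG failure is treated as fatal.
func randomIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err)
	}
	return int(v.Int64())
}

// candidate builds one password with at least one character from every class, then shuffles
// (Fisher-Yates) so the guaranteed characters do not sit in predictable positions.
func candidate(length int) string {
	all := strings.Join(classes, "")
	out := make([]byte, 0, length)
	for _, class := range classes {
		out = append(out, class[randomIndex(len(class))])
	}
	for len(out) < length {
		out = append(out, all[randomIndex(len(all))])
	}
	for i := len(out) - 1; i > 0; i-- {
		j := randomIndex(i + 1)
		out[i], out[j] = out[j], out[i]
	}
	return string(out)
}

// Generate returns a password of the requested length that also passes Check; a candidate is
// occasionally rejected because a run such as "abc" or "777" appeared by chance.
func Generate(length int) (string, error) {
	if length < 12 {
		return "", errors.New("length must be at least 12")
	}
	for {
		if pw := candidate(length); len(Check(pw)) == 0 {
			return pw, nil
		}
	}
}

// Check applies the guidelines above and returns every rule the password violates.
func Check(pw string) []string {
	var problems []string
	if len([]rune(pw)) < 12 {
		problems = append(problems, "shorter than 12 characters")
	}
	var lower, upper, digit, symbol bool
	for _, r := range pw {
		lower = lower || unicode.IsLower(r)
		upper = upper || unicode.IsUpper(r)
		digit = digit || unicode.IsDigit(r)
		symbol = symbol || !(unicode.IsLetter(r) || unicode.IsDigit(r))
	}
	if !(lower && upper && digit && symbol) {
		problems = append(problems, "missing a character class (upper, lower, digit, symbol)")
	}
	if hasRun(pw, 3) {
		problems = append(problems, "contains a repeated or sequential run of 3+ characters")
	}
	return problems
}

// hasRun reports n identical characters in a row ("aaa") or n consecutive ones ("123", "xyz").
func hasRun(s string, n int) bool {
	r := []rune(s)
	for i := 0; i+n <= len(r); i++ {
		same, seq := true, true
		for k := 1; k < n; k++ {
			same = same && r[i+k] == r[i]
			seq = seq && r[i+k] == r[i+k-1]+1
		}
		if same || seq {
			return true
		}
	}
	return false
}

func main() {
	pw, _ := Generate(16)
	fmt.Println(pw, Check(pw), Check("Password1234"))
}
```

`Check` is the same function a registration form would run server-side; running it on the generator's own output keeps the two in agreement, and returning every violated rule at once (rather than the first) gives the user something actionable.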
