At Unit1 19-09-29
1. Processor.
2. Use of token.
3. Token validation.
[Figure: biometric verification flow. The captured sample is matched against the template stored in the database; if the match confidence is sufficient the decision is Yes, otherwise No.]
The common physical characteristics are:
• Fingerprint
• Face
• Retina
• Iris
• Vein pattern
2. Universality
3. Performance
4. Measurability
5. User friendly
6. Accuracy
7. Comfort
An authentication entity, in the context of computer security and identity
management, refers to a digital or logical representation of a user or
system that seeks access to a resource, application, or network.
• Authentication entities are used to verify the identity of individuals,
devices, or services attempting to gain access to protected resources.
• Authentication entities typically consist of a set of attributes or credentials
that help establish and verify identity. These attributes may include:
– Username: A unique identifier associated with a user or system account.
– Password: A secret authentication credential known only to the entity
being authenticated. Passwords are a common form of authentication in
username/password-based systems.
– Biometrics: Physical or behavioural characteristics unique to an individual,
such as fingerprints, facial recognition, or voice patterns, used to verify
identity.
– Digital Certificates: Cryptographic credentials issued by trusted certificate
authorities (CAs) that bind a public key to an identity. Certificates are often
used in secure communications and authentication.
– API Keys: Secret keys issued to applications or services to authenticate
their access to APIs (Application Programming Interfaces).
– Smart Cards: Physical cards containing a microprocessor chip that stores
authentication data.
– Token-Based Authentication: Authentication entities may possess tokens
or tokens may be issued during the authentication process. These tokens
can include one-time passwords (OTP) or time-based codes generated by
authentication apps or devices.
– Client Certificates: Digital certificates used by client applications to
authenticate themselves to servers.
– Social Media Authentication: Some authentication systems allow users to
log in using their social media credentials (e.g., "Sign in with Google" or
"Sign in with Facebook").
– Device Identity: The unique characteristics of a device, such as its MAC
address, device fingerprint, or hardware-based security features, can be
used as part of the authentication entity.
• Authentication entities can represent various entities, including:
– User Entities: Represent individual users, each with their own set of
authentication credentials.
– System Entities: Represent software systems, services, or applications that
need to authenticate themselves to access other systems or resources.
– Service Entities: Represent specific online services or APIs that require
authentication for access.
• The authentication entity plays a critical role in the
authentication process by presenting its credentials to an
authentication system, which then verifies the entity's identity
based on these credentials. The entity's access rights and
permissions are determined based on the successful
verification of its identity. Security measures, such as
multi-factor authentication (MFA), are often used to enhance the
security of authentication entities.
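The time-based codes mentioned under Token-Based Authentication are usually TOTP (RFC 6238) over HOTP (RFC 4226). The following is an added example, not code from the slides: it generates a code and verifies a submitted one with a small clock-drift window and a record of the last accepted time step so that a code cannot be replayed. The base32 secret is a constructed demo value.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in base32, the form authenticator apps usually store.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30      # seconds per time step
DIGITS = 6     # digits shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_used_counter: int = -1, window: int = 1):
    """Check `submitted` against the current step and +/- `window` neighbouring steps.

    Returns (ok, counter). The caller stores the returned counter and passes it back
    as last_used_counter next time, so an already accepted code is refused (replay).
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False, last_used_counter
    current = at_time // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue            # at or before the last accepted step: never reuse
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    secret = base64.b32decode(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "verified:", verify_totp(secret, code, now)[0])
```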
Authentication Attributes
• Source
• Location
• Path
• Time duration
Authentication Types
• Direct/Indirect
• One way/Mutual
• On demand/Periodic
• Dynamic/Continuous
• Direct and indirect authentication are two different approaches to verify
a user's identity or grant access to a system or resource. These approaches
differ in how they establish and verify identity, and they are often used in
various security and access control contexts.
• Direct Authentication:
• Direct authentication refers to a straightforward process where the user
provides their identity credentials directly to the system or service they
want to access. This approach typically involves the user interacting
directly with the authentication system, such as entering a username and
password. Some key points about direct authentication include:
– User directly interacts with the authentication system.
– Commonly used in traditional username/password-based
authentication.
– Credentials are provided to the system being accessed.
• Example: When a user enters their username and password on a login
page to access an email account, this is a form of direct authentication.
• Indirect Authentication:
• Indirect authentication, also known as federated authentication or single sign-on
(SSO), is an approach where a user's identity is verified by an external or central
identity provider, and the verified identity is then trusted by multiple systems or
services without the user having to provide credentials to each of them. Key
characteristics of indirect authentication include:
– An external identity provider handles the authentication process.
– Users authenticate once with the identity provider, which then vouches for
their identity to other connected services.
– Eliminates the need for users to remember and enter credentials for each
service.
• Example: Using your Google or Facebook account to log in to
various third-party websites and apps without providing a
separate username and password for each site is an example
of indirect authentication. Google or Facebook serves as the
identity provider.
• Indirect authentication offers several benefits, including
improved user convenience (as users don't have to manage
multiple sets of credentials) and centralized control over
authentication and access policies. However, it also introduces
potential security risks, as a compromise of the central
identity provider can lead to unauthorized access to multiple
services.
• One-way authentication and mutual authentication are two different
authentication processes used in network security and communication
protocols. They vary in terms of how identities are verified and whether
both parties involved in the communication exchange credentials or not.
• One-Way Authentication (Server Authentication):
– One-way authentication primarily involves verifying the identity of
one party to the communication, typically the server or the service
provider.
– In this scenario, only the server presents its credentials (usually a
digital certificate) to the client or the user.
– The client or user does not provide any credentials to the server.
– This process is often used in scenarios where the client only needs to
verify the server's identity to establish a secure connection.
• Example: When you connect to a secure website (HTTPS), your web
browser verifies the identity of the website's server by checking its
SSL/TLS certificate. You, as the client, do not provide any credentials to the
server.
• Mutual Authentication (Two-Way Authentication):
• Mutual authentication, also known as two-way authentication or
client-server authentication, involves both the client (user) and the server
verifying each other's identities.
• In this scenario, both parties exchange credentials or certificates to
establish trust and confirm each other's identities.
• Mutual authentication is commonly used in scenarios where both parties
need to trust each other before exchanging sensitive information.
• Example: In many secure email systems, both the email client (user) and
the email server authenticate each other. The email client presents its
credentials (e.g., username and password), and the email server presents
its digital certificate. This ensures that both parties can trust each other's
identities.
• On-demand authentication refers to a process where authentication is
initiated only when it is explicitly requested by a user or a system, rather
than being a continuous or automatic authentication process. In other
words, authentication occurs as needed, in response to a specific action or
event, rather than being performed proactively or continuously. This
approach is often used to balance security and usability in various
applications and systems. Here are some key aspects of on-demand
authentication:
• User-Initiated: On-demand authentication is typically user-initiated,
meaning that it occurs when a user actively requests access to a resource
or performs a specific action that requires authentication.
• Triggered Events: Authentication is triggered by specific events or actions.
For example, a user may request access to a secure document, initiate a
financial transaction, or log in to an online account, prompting the system
to request authentication.
• Enhanced Security: On-demand authentication can enhance security by ensuring
that access to sensitive resources or actions is protected by authentication. It helps
prevent unauthorized access that may occur if continuous authentication is not in
place.
• User Experience: While on-demand authentication can improve security, it can
also be more user-friendly compared to requiring users to authenticate frequently.
Users are prompted to authenticate only when necessary, reducing friction in their
interactions with systems and applications.
• Authentication Methods: The authentication methods used in on-demand
authentication can vary widely, depending on the system and its security
requirements. Common methods include username/password, biometrics,
one-time passwords (OTPs), or multi-factor authentication (MFA).
• Examples of on-demand authentication include:
• Logging into an online banking account: Authentication is required when the user
initiates a login to access their financial information or perform transactions.
• Accessing a secure building or facility: Employees or visitors must authenticate
themselves through methods like card swipes or biometric scans when they want
to enter a restricted area.
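The on-demand and periodic styles above can coexist in one session policy: a login is valid for a fixed period, while sensitive actions trigger a fresh challenge on demand. This is an added example, not code from the slides; the time limits, action names and the injectable clock are assumptions for illustration.

```python
import time
from dataclasses import dataclass

# Assumed policy values (constructed for the example).
SESSION_TTL = 8 * 3600        # periodic: a full re-login is required after 8 hours
STEP_UP_MAX_AGE = 5 * 60      # on-demand: sensitive actions need a factor verified within 5 minutes
SENSITIVE_ACTIONS = {"transfer_funds", "change_password", "add_payee"}


@dataclass
class Session:
    user: str
    last_auth: float            # time of the last full login
    last_step_up: float = -1.0  # time of the last on-demand re-authentication (never yet)


class AuthPolicy:
    """Decides whether a session may perform an action or must authenticate again."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so the policy can be tested deterministically

    def login(self, user: str) -> Session:
        return Session(user=user, last_auth=self.clock())

    def step_up(self, session: Session, second_factor_ok: bool) -> bool:
        """Record an on-demand re-authentication (e.g. an OTP) if the factor verified."""
        if second_factor_ok:
            session.last_step_up = self.clock()
        return second_factor_ok

    def authorize(self, session: Session, action: str) -> str:
        """Return 'allow', 'reauth' (periodic expiry) or 'step_up' (on-demand challenge)."""
        now = self.clock()
        if now - session.last_auth > SESSION_TTL:
            return "reauth"                      # periodic: the login itself has aged out
        if action in SENSITIVE_ACTIONS:
            age = now - session.last_step_up
            if not (0 <= age <= STEP_UP_MAX_AGE):
                return "step_up"                 # on-demand: ask for a fresh factor first
        return "allow"


if __name__ == "__main__":
    policy = AuthPolicy()
    s = policy.login("alice")
    print(policy.authorize(s, "view_balance"), policy.authorize(s, "transfer_funds"))
```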
• Periodic authentication
– Something You Know: This includes information that only the authorized
user should know, such as passwords, PINs (Personal Identification
Numbers), security questions, or passphrases.
– Something You Have: These are physical items or tokens that the user
possesses, like smart cards, security tokens, mobile devices, or physical
keys.
– Something You Are: This factor relies on unique biological or behavioral
characteristics of the individual, such as fingerprints, retinal scans, facial
recognition, voice patterns, or handwriting analysis. Biometric
authentication is an example of this factor.
• Generating strong and secure passwords with varying lengths and mixed
character types is essential for enhancing the security of your online accounts
and systems. A strong password typically consists of a combination of upper
and lower-case letters, numbers, and special characters. Here are some
guidelines and methods for generating such passwords:
• Passphrases:
– Consider using passphrases instead of traditional passwords. Passphrases
are longer and often easier to remember while still being highly secure.
– Create a phrase by combining random words, making sure they are
unrelated and not easily guessable. For example,
"PurpleTiger$Jumped#High!".
• Random Password Generators:
– Use a password manager or a random password generator tool to create
strong, random passwords.
– Ensure that the generator includes options for specifying password length
and the types of characters to include (uppercase, lowercase, numbers,
and symbols).
• Character Variety:
– Include a mix of character types in your passwords. Use uppercase letters,
lowercase letters, numbers, and special symbols.
• Length:
– Longer passwords are generally more secure. Aim for a minimum of
12-16 characters or more if the system allows.
– Longer passwords are harder to crack through brute force attacks.
• Avoid Dictionary Words:
– Do not use complete words found in dictionaries, as these can be
easily guessed or cracked using dictionary attacks.
– If you want to include a word, misspell it or combine it with other
unrelated words and symbols.
• Unpredictability:
– Make your passwords as unpredictable as possible. Avoid using easily
guessable information such as birthdays, names, or common phrases.
• Avoid Repeated Characters:
– Do not use repeated characters or patterns in your password (e.g.,
"1234" or "aaaaaa").
– Repeating characters make passwords weaker.
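The guidelines above (length, character variety, dictionary words, sequential and repeated characters) can be turned into a policy check that reports every violation rather than just pass/fail. This is an added example, not code from the slides; the minimum length, the tiny word list and the run lengths are assumptions standing in for a real policy and breach-word list.

```python
import re
from itertools import groupby
from typing import List

MIN_LENGTH = 12                                    # assumed policy minimum
# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "qwerty"}


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step up or down by one code point ('1234', 'dcba')."""
    for i in range(len(pw) - run + 1):
        deltas = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if deltas in ({1}, {-1}):
            return True
    return False


def has_repeat(pw: str, run: int = 3) -> bool:
    """True if any character appears `run` or more times in a row ('aaa')."""
    return any(len(list(group)) >= run for _, group in groupby(pw))


def contains_dictionary_word(pw: str) -> bool:
    """Case-insensitive substring check against the word list."""
    lowered = pw.lower()
    return any(word in lowered for word in COMMON_WORDS)


def check_password(pw: str) -> List[str]:
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(re.search(c, pw) is not None for c in classes) < 3:
        problems.append("uses fewer than three character classes")
    if has_repeat(pw):
        problems.append("contains a repeated character run")
    if has_sequence(pw):
        problems.append("contains a sequential pattern")
    if contains_dictionary_word(pw):
        problems.append("contains a common dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("PurpleTiger$Jumped#High!", "Password1234", "aaaaaa"):
        print(candidate, "->", check_password(candidate) or "ok")
```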