Who are you? Authentication technologies ensure users are who they claim to be.
So, how can you combat this problem and better protect your vital information?
Meet authentication technologies.
Authentication technologies are not new. In fact, a number of products and strategies have been around since the early days of computing.
However, heightened awareness and increased affordability of these technologies are pushing them to the forefront.
In simplest terms, authentication technologies ensure that individuals are who they claim to be. The technologies fall under three broad categories: something you know, something you have and something you are.
Passwords, tokens, public key infrastructure and biometrics are all examples of authentication technologies that can help verify identity and control access to resources--and each falls within one of these three broad classifications.
Passwords are the least expensive and most common type of authentication technology and are based on "something you know."
Passwords require users to remember a string of characters and enter this information when prompted to gain access to a desired resource. Unfortunately, passwords also are one of the weakest forms of authentication technology and users themselves are typically at the root of this weakness.
Often, users share passwords, making them a poor means of individual identification. Or, passwords are left blank, not changed for long periods of time, re-used across multiple accounts or overly simplistic, leaving them vulnerable to hacking via freely available tools.
While passwords should continue to play a role in user authentication, they should not be overly relied upon because of their inherent limitations.
Under the "something you have" category, token-based authentication technologies--such as magnetic strips (credit cards), smart cards, SecurID cards or USB keys--hold longer, harder-to-break "secrets" that are more difficult to hack or reproduce.
The weakness with token-based authentication technologies is that tokens afford little protection if they are lost or stolen.
And similar to passwords, simple possession of these objects often serves as the only means to distinguish the owner.
The effectiveness of tokens can be significantly enhanced, however, by combining their use with "something you know"--for example, by requiring a PIN code or password along with possession of the physical token.
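The token-plus-PIN combination described above, as an added example that is not part of the original article: a verifier that accepts a login only when the PIN check and the token's one-time code both pass. The one-time code uses the open HOTP/TOTP standards (RFC 4226 and RFC 6238) as a stand-in, not SecurID's own algorithm; the PIN, secret, step length and timestamp are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per one-time code (assumed token setting)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, now // STEP)

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Keep only a salted, deliberately slow hash of the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def enroll(pin: str, token_secret: bytes) -> dict:
    """Server-side record: the token's secret plus the hashed PIN."""
    salt = os.urandom(16)
    return {"salt": salt, "pin_hash": hash_pin(pin, salt), "secret": token_secret}

def authenticate(record: dict, pin: str, code: str, now: int) -> bool:
    """Pass only if BOTH factors check out; either one alone is rejected."""
    pin_ok = hmac.compare_digest(hash_pin(pin, record["salt"]), record["pin_hash"])
    current = now // STEP
    # Accept the previous, current and next step to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(hotp(record["secret"], c).encode(), code.encode())
        for c in (current - 1, current, current + 1) if c >= 0
    )
    return pin_ok and code_ok

# Constructed sample data: the RFC 4226 test secret and a made-up PIN.
SECRET = b"12345678901234567890"
RECORD = enroll("4821", SECRET)
NOW = 59  # fixed timestamp so the run is reproducible

if __name__ == "__main__":
    code = totp(SECRET, NOW)
    print("PIN + token code:", authenticate(RECORD, "4821", code, NOW))
    print("token code, wrong PIN:", authenticate(RECORD, "0000", code, NOW))
    print("PIN, wrong code:", authenticate(RECORD, "4821", "000000", NOW))
```

The second and third calls model a stolen token and a guessed PIN respectively; each is rejected because one factor alone is not enough.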
PUBLIC KEY INFRASTRUCTURE
PKI refers to a system where digital certificates are used to verify user identity for e-mail messages and e-commerce transactions, and also is an example of "something you have."
Digital certificates often are issued by an independent certificate authority that then acts as a third-party reference regarding the owner's identity. These certificates are attached to e-mail messages or referenced by a web browser during an e-commerce transaction as a means of identification.
When applications encounter these certificates, the origin can be verified by inquiring with the issuing certificate authority to ensure the identity of the sender or website owner.
Digital certificates also provide a means for users to exchange encrypted information using a combination of a private key (owned by the sender) and public key (freely shared with recipients) to encrypt and decrypt message text.
PKI uses highly secure encryption standards and third-party verification to help ensure information integrity and end-user identity, but as yet, has only seen limited adoption in the marketplace.
The final category of authentication technology is based on "something you are" and uses biometrics to examine physical characteristics to differentiate individuals.
Some of the more common biometric technologies include:
Fingerprint Recognition--Fingerprint identification systems take a digital scan of an individual's fingertip(s) and record their unique physical characteristics. Data is then either stored as an image or encoded as a character string.
To prevent fooling the system, some fingerprint ID systems also measure blood flow to the finger so that "fake" fingers can't be used.
Of all the biometric technologies, fingerprint recognition is becoming the most commonplace and is being incorporated into a number of new devices coming to market, from PDAs and thumb drives to mice and keyboards. These devices require users to swipe their finger before the device will unlock.
In addition, a number of vendors sell external USB-based devices that can be plugged into any desktop or laptop computer to inexpensively ($50 to $100) add fingertip biometric authentication capabilities.
Fingerprints also are being used with a number of other devices including time clocks, cell phones, door locks and safes.
Iris Recognition--Iris-scan systems analyze and map numerous points of the iris. Eyeglasses, contact lenses and eye surgery do not change the characteristics of the iris, so this method is very reliable, even as a person ages.
Iris recognition systems often vary the light during the scanning process to verify that the pupil dilates, so that a fake eye can't be used to fool the system.
Retina Recognition--Retinal scanning systems shine a light into the eye and look at the pattern of blood vessels on the retina. Retina recognition systems are among the most accurate of all biometric technologies and are virtually impossible to fool. This technology is used routinely in high-risk applications--and also is relatively expensive.
Face Recognition--Facial recognition measures and analyzes the physical attributes of a person's face, including its overall structure and shape, and distances between the eyes, nose, mouth and jaw edges. Facial recognition systems can accurately verify the identity of a person standing a few feet away in a matter of seconds.
Other biometric technologies include hand recognition, voice recognition, skin surface pattern identification, typing pattern recognition and signature dynamics.
Of the three types of authentication technology, biometrics are considered the most secure since physical characteristics are unique to each individual and can't be easily spoofed. Similar to the other types of authentication, the reliability of biometrics can be further strengthened by combining several forms of biometric recognition, known as multiple biometric, or by requiring users to enter a PIN code to uniquely identify a user--combining "something you are" with "something you know."
As users increasingly rely on electronic means of conducting business and exchanging information, the need for authenticating user identity and ensuring reliability will grow. Authentication technologies will continue to evolve and play a greater role in helping safeguard users.
BY DAVID CIESLAK, CPA, CITP
David Cieslak, CPA, CITP, GSEC is a principal with Information Technology Group, Inc. in Simi Valley. You can reach him at firstname.lastname@example.org.
|Title Annotation:||USER IDENTIFICATION|
|Date:||May 1, 2005|