Understanding
Authentication Methods
A deep-dive into how we authenticate users and what options are available.
What is Network Authentication
Network-level authentication is how a network confirms that users are who they say they
are. It’s a system for differentiating legitimate users from illegitimate ones.
When a user attempts to log in to a network, they indicate their identity with a username. A
system then cross-checks the username with a list of authorized users to ensure they are
cleared to access the network.
(Diagram: Username + Password is checked; the two outcomes are "Username & Password Match" and "Username & Password don’t Match".)
https://www.solarwindsmsp.com/blog/network-authentication-methods
Types of Authentication
Passwords: Username + Password; the most basic authentication method, where login
credentials are checked against a database and, if a match is found, access is granted to the
user.
Two-factor authentication (2FA): A more robust security solution that requires a
username & password, and possession of a specific physical object. ATMs were an early
system to use two-factor authentication. To use an ATM, customers need to remember a
“password”—their PIN—plus insert a debit card. Neither one is enough by itself.
Password + SMS = Access
Password + App Notification = Access
(Diagram: Username + Password, combined with a Card, an SMS or an App notification as the second factor.)
Token Authentication: Some companies prefer a more secure approach by using a
purpose-built physical token generation device. This is also considered 2FA.
Methods:
USB Dongle + Password = Access
(physically inserted into the USB port of the laptop or computer)
RFID Smart Card + Password = Access
(A smart card containing a radio frequency identification or near-field communication
chip)
(Diagram: Password + Dongle; Password + RFID Smart Card.)
Biometric Authentication: Using an individual’s biometrics to identify them. The most widely
used methods are listed below.
Fingerprint Scan + Password (pre-validated) = Access
Retinal Scan + Password (pre-validated) = Access
Iris Scan + Password (pre-validated) = Access
Voice Recognition + Password (pre-validated) = Access
Face detection + Password (pre-validated) = Access
(Diagram: each scan is combined with a stored password: Fingerprint, Retinal Scan, Iris Scan, Voice Scan, Facial Scan.)
Transaction authentication:
This authentication takes a different approach: instead of relying on the user’s
information alone, it compares the characteristics of the login with what it knows about the user,
looking for discrepancies.
On top of the standard Username + Password, the authentication inspects details such as:
• IP address
• Location
• Time
• Etc.
(Diagram: Username + Password, followed by Inspection.)
If any of these or other checks fail, a red flag is raised and two-factor
(2FA) authentication is triggered.
Computer Recognition authentication:
This authentication checks whether the user is on a particular device. A small software
plugin is installed on the user’s computer on first login. This contains a cryptographic
device marker.
• It’s invisible to the user, who simply uses a Username + password
• Verification is done automatically
• A small problem is that the user may use the system on another device, and a
verification method must be used to add that device.
(Diagram: Username + Password, plus inspection of the software’s cryptographic marker.)
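The two checks above (transaction inspection and device recognition) combined into one decision routine, as an added example that is not part of the original deck: the profile data, the server secret and the HMAC-bound device marker are assumptions chosen so the code runs offline.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed server secret for the demo; a real deployment keeps this in a secret store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

@dataclass
class UserProfile:
    """What the system already knows about the user (constructed sample data)."""
    username: str
    known_ips: Set[str]
    known_locations: Set[str]
    usual_hours: range                                # hours at which the user normally logs in
    devices: Set[str] = field(default_factory=set)    # markers of devices already verified

@dataclass
class LoginAttempt:
    username: str
    password_ok: bool                                 # result of the ordinary credential check
    ip: str
    location: str
    hour: int
    device_marker: Optional[str] = None               # presented by the plugin, if installed

def issue_device_marker(username: str) -> str:
    """Marker the plugin stores on a newly verified device: a random device id bound
    to the user with an HMAC, so it cannot be forged or moved to another account."""
    device_id = secrets.token_hex(8)
    tag = hmac.new(SERVER_SECRET, f"{username}:{device_id}".encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"

def marker_is_valid(username: str, marker: str) -> bool:
    """Recompute the HMAC for this user and compare in constant time."""
    device_id, sep, tag = marker.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{username}:{device_id}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)

def inspect(profile: UserProfile, attempt: LoginAttempt) -> List[str]:
    """Transaction authentication: every detail that disagrees with the profile."""
    flags = []
    if attempt.ip not in profile.known_ips:
        flags.append("ip")
    if attempt.location not in profile.known_locations:
        flags.append("location")
    if attempt.hour not in profile.usual_hours:
        flags.append("time")
    return flags

def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Returns 'deny', 'allow' or 'step_up' (red flag raised: trigger 2FA)."""
    if not attempt.password_ok:
        return "deny"                                 # the password check always comes first
    marker = attempt.device_marker
    if marker and marker in profile.devices and marker_is_valid(profile.username, marker):
        return "allow"                                # recognised device: automatic verification
    return "step_up" if inspect(profile, attempt) else "allow"

def register_device(profile: UserProfile, marker: str) -> None:
    """Called once the step-up verification has succeeded on the new device."""
    if marker_is_valid(profile.username, marker):
        profile.devices.add(marker)
```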
CAPTCHAs
CAPTCHAs are designed to neutralize hackers that pose a threat to standard
authentication methods. This method is not focused on verifying a particular user; rather,
it seeks to determine whether a user is in fact human.
CAPTCHA is an acronym for “completely automated public Turing test to tell computers
and humans apart.”
The system displays a distorted image of letters and numbers to the user, asking them to
type in what they see.
(Diagram: Username + Password, plus a CAPTCHA.)
This can cause some problems as some individuals with disabilities (such as
blind people using auditory screen readers) may not be able to get past a
CAPTCHA. Even nondisabled users sometimes have trouble figuring them out,
leading to frustration and delays.
Single sign-on (SSO)
Single sign-on (SSO) is a useful feature to consider when deciding between device
authentication methods. SSO enables a user to only enter their credentials once to gain
access to multiple applications.
If sites are linked with SSO, the user will automatically have access to other linked sites.
SSO saves time and keeps users happy by avoiding repeatedly entering passwords.
A security risk that must be considered is that if an unauthorized user gains access
to one system, they can penetrate others.
A related technology, single sign-off, logs users out of every application when
they log out of a single one. This bolsters security by making certain that all open
sessions are closed.
(Diagram: with single sign-on, one Username + Password sign-in signs the user in to every linked site; with single sign-off, one Sign Out signs them out of all of them.)
Most common authentication protocols
These are specific technologies designed to ensure secure user access. Kerberos and SSL/TLS are two of the most
common authentication protocols.
Kerberos
Kerberos is named after a character in Greek mythology, the fearsome three-headed guard dog of Hades. It was
developed at MIT to provide authentication for UNIX networks. Kerberos relies on temporary security
certificates known as tickets.
The tickets enable devices on a nonsecure network to authenticate each other’s identities. Each ticket has
credentials that identify the user to the network. Data in the tickets is encrypted so that it cannot be read if
intercepted by a third party.
It works as follows: First, the client contacts the authentication server, which transmits the username to a key
distribution center. The key distribution center then issues a time-stamped access ticket, which is encrypted by the
ticket-granting service and returned to the user. Now the user is ready to communicate with the network. When the
user needs to access another part of the network, they send their ticket to the ticket-granting service, which verifies
that it’s valid. The service then issues a key to the user, who sends the ticket and service request to the actual part of
the server they need to communicate with.
This is all invisible to the user, happening behind the scenes. Kerberos has some vulnerabilities—it requires the
authentication server to be continuously available, and it requires clocks on different parts of the network to always
be synchronized. Still, it remains a widespread and useful authentication technology.
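The three-step ticket flow above as a simplified model, added here and not taken from the deck or from any Kerberos implementation: tickets are bound to a key with HMAC-SHA256 as a stand-in for Kerberos encryption (so the fields stay readable), the key table and the five-minute skew tolerance are assumptions, and the time-stamp checks show why the clock-synchronisation caveat matters.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

MAX_SKEW = 300               # seconds; the usual Kerberos clock tolerance (assumed here)
TICKET_LIFETIME = 8 * 3600   # seconds

# Constructed long-term keys: one for the ticket-granting service ("krbtgt") and one per
# service. A real KDC stores these per principal; random values keep the demo offline.
KEYS: Dict[str, bytes] = {
    "krbtgt": secrets.token_bytes(32),
    "fileserver": secrets.token_bytes(32),
}

def seal(key: bytes, ticket: dict) -> str:
    """Stand-in for ticket encryption: serialise the ticket and bind it to the holder's
    key with HMAC-SHA256. Real Kerberos encrypts the ticket; only authenticity and
    integrity are modelled here, so the fields remain readable."""
    body = json.dumps(ticket, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag

def unseal(key: bytes, token: str, now: int) -> dict:
    """Verify the tag, then enforce the time stamps (where unsynchronised clocks bite)."""
    body, _, tag = token.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket integrity check failed")
    ticket = json.loads(body)
    if ticket["issued"] > now + MAX_SKEW:
        raise ValueError("ticket issued in the future: clock skew exceeds tolerance")
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    return ticket

def as_exchange(username: str, now: int) -> Tuple[str, str]:
    """Step 1: the client contacts the authentication server; the KDC returns a
    time-stamped ticket-granting ticket (sealed for the TGS) and a session key."""
    session_key = secrets.token_hex(16)
    tgt = seal(KEYS["krbtgt"], {"principal": username, "service": "krbtgt",
                                 "issued": now, "expires": now + TICKET_LIFETIME,
                                 "session": session_key})
    return tgt, session_key

def tgs_exchange(tgt: str, service: str, now: int) -> str:
    """Step 2: the TGS checks the TGT and issues a ticket sealed for the requested service."""
    holder = unseal(KEYS["krbtgt"], tgt, now)
    return seal(KEYS[service], {"principal": holder["principal"], "service": service,
                                "issued": now,
                                "expires": min(holder["expires"], now + TICKET_LIFETIME),
                                "session": secrets.token_hex(16)})

def service_accepts(service: str, ticket: str, now: int) -> str:
    """Step 3: the service validates the ticket with its own key and learns the principal."""
    holder = unseal(KEYS[service], ticket, now)
    if holder["service"] != service:
        raise ValueError("ticket was issued for a different service")
    return holder["principal"]

def rejects(fn, *args) -> bool:
    """True when an exchange raises; used to exercise the failure cases."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```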
SSL/TLS
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are another important authentication
protocol. In SSL/TLS, clients and servers use digital certificates to authenticate each other before connecting.
Client certificates and server certificates are exchanged to verify each party’s identity in a process known as mutual
identification. The server certificate is a small data file saved on the web server. The certificate links a cryptographic key
to the details of the organization that owns the server. A web browser checks the validity of the certificate before
connecting to the server.
SSL/TLS support is built into all major current web browsers, including Internet Explorer, Chrome, Firefox, and Safari. This
makes it easy and inexpensive to implement since it does not require special software. All traffic in SSL/TLS is encrypted
so that it’s inaccessible to eavesdroppers. SSL/TLS has become an integral part of web technologies and continues to be
refined and updated. If your clients use it, make certain that they choose a more secure TLS implementation, as SSL is
out of date and has significant vulnerabilities.
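An added example (not from the deck) of what choosing the more secure TLS configuration means in Python's standard ssl module: the weak client setting beside the hardened one, a server context for the mutual identification described above, and an audit function that flags the weak settings. The file paths in the server function are assumptions, and that function is not exercised offline.

```python
import ssl
from typing import List, Optional

def weak_client_context() -> ssl.SSLContext:
    """The setting to avoid: certificate and hostname checks switched off, so the
    server's identity is never verified and any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server certificate against trusted CAs (system store unless ca_file is
    given), check the hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def mutual_tls_server_context(cert_file: str, key_file: str, client_ca_file: str) -> ssl.SSLContext:
    """Server side of mutual identification: present the server certificate and require
    a client certificate signed by client_ca_file. Paths are assumptions for this demo."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED    # without this, client certificates are never asked for
    return ctx

def audit(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise against a client context; empty means hardened."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings
```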

App Authentication