Web Security - Authentication Factors

Web Security – Authentication Factors

11 August, 2009 - 07:00 AM - 6 Comments

Are you curious to know about what web sites are doing to authenticate and validate you are who you say you are?Â First you need to understand what an Authentication Factor is:

An authentication factor is a piece of information used to authenticate or verify a person’s identity on appearance or in a procedure for security purposes and with respect to individually granted access rights.
Basically factors of the category of authentication factors are applied. Such authentication factors mostly are so called human authentication factors, but not exclusively.
Factors are generally classified into three classes (in the order of strength of allocation):

Something You Own -Â Something the user has (e.g., wrist band, ID card, security token, software token, phone, or cell phone)

Something You Know – Something the user knows (e.g., a password, pass phrase, or personal identification number (PIN))

Inherence - Something the user is or does (e.g., fingerprint or retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature or voice recognition, unique bio-electric signals, or another biometric identifier).

Most websites you visit online strictly deal with Something You Know factor, which is merely knowing your account username and/or password.Â Some sites try to increase this level with something called One Plus Factor security and have security questions, or have you memorize and save an image with a passphrase in addition to knowing the username/password to login.

True Two Factor authentication requires a combination of at least one from each category listed above, having two “Knowledge” based authentication factors is not true two factor authentication.

Two factor authentication is primarily used for the highest level of security systems and is wisely used by financial institutions worldwide, in most two factor solutions you are using some kind of physical KEY FOB which contains a predetermined sequence of numbers which change rapidly that you must enter, in addition to a username and password.Â These are often RSA or OATH tokens but many vendors exist.Â Digital certificates are another method used in combination with something you know to create two-factor authentication.

Biometrics is the latest round of two factor authentication and is useful except you often have to train the system to recognize each unique person’s biometrics if it is a shared system, which can be time consuming.Â Typing Pattern technology which tries to recognize you based on how quickly you type or your style of typing are unproven and I would not recommend them yet at this time.

-Dragon Blogger

-some of this articles source comes from Wikipedia

WordPress 2.8.4 Security Update Yesterday I updated all 7 of my blogs to WordPress 2.8.4 to address the security fix that was mentioned below...
Tips to Reduce Security Risks in Wireless Networks Ways to reduce security risk when working on insecure wireless networks in public access locations....
Manage All of Your Passwords Online Security with Clipperz Online Password Management and direct password login are rapidly becoming an essential in today's world, you need a password manager...
Find System Statistics with WP Security Scan Wordpress plugin WP Security Scan can tell you some great information about your system settings for your blog, like memory...
Safety Benefits of Closed Circuit Security Cameras cctv or closed circuit security camera's with built in DVR's help you monitor your house or surrounding area to keep...

Written by Justin Germino (1518 Articles Published)

Working in the IT Industry for over 10 years and specializing in web based technologies. Dragon Blogger has unique insights and opinions to how the internet and web technology works. An Avid movie fan, video game fan and fan of trying anything and everything new.

Follow Justin Germino on Twitter @dragonblogger

Sentry Safe

I think there are a lot of options in true factor. Voice recognition in addition to personal PINS and passwords is becoming very popular in online banking.

share flag

spam
offensive
disagree
off topic

Dragon Blogger 132 pts moderator

Identity Profiling based on history is also gaining in popularity, look at any credit bureau login to see what it looks like.

My latest conversation: Short Weekend and a Happy Halloween

Nakkiran

Hi, have a look at FireID. Instead of carrying hardware fobs, your OTP is generated on your mobile phone itself, ie., no SMS's. And the application is PIN protected, ensuring a secure two-factor authentication method using everyone already has :)

dragonblogger

I should have mentioned OTP (One Time Passwords) as an additional layer of security, though it is still in the "Something You Have" category and is not true two-factor unless combined with one other category.

Damien

This is quite an interesting topic, one I haven't thought about too much until now. I have a question, a lot of banks and credit card sites I visit are getting this "personal image" thing when you log in. You select it when you register and then when you log in it shows you the image (mine is an electric guitar at B of A) and says: "If this is not your security image ...." What extra security does that offer?

This is called 1+ Factor authentication and leverages two "Something you Know" items. It is the same category as having a username/password and some security questions, it is not true 2-factor authentication, in most cases it is completely useless since you often already entered the username/password and just accept past the image, it doesn't prompt you for another passphrase. From a web security perspective there is no additional security benefit by showing you a picture with a little phrase (ING does it as well), it is more to throw up a warning in case you logged into a different account or site, or if your image doesn't match what you remember it could mean someone changed it, but that is extremely unlikely.