There are three basic authentication factors (i.e. "something you know", "something you have" and "something you are") commonly referred to in an authentication system. Two-factor authentication refers to the use of two authentication factors in combination for verifying the identity of the user, and it is in general more secure than single-factor authentication. While fraudsters may be able to capture a user's password over the Internet, it would be difficult for them to get hold of the user's smart card or mobile phone via the network. As a means to tackle the increasing threat of identity theft, most local banks have already implemented two-factor authentication for conducting high-risk Internet banking transactions.
The following sections describe some common methods that can be used in an authentication system.
Passwords and PINs based Authentication
Passwords and PINs are the most commonly used knowledge-based ("something you know") authentication method. The longer the password, the stronger the protection. A long password is sometimes called a pass-phrase. As a security best practice, strong passwords that contain combinations of numbers, symbols and mixed-case letters should be enforced as far as possible in an authentication system. In order to protect passwords (and other authentication information) in transit, Transport Layer Security (TLS) or Secure Sockets Layer (SSL), which creates an encrypted channel for data exchange, should also be enabled for the authentication systems.
Currently, most security attacks target password-based authentication systems. Cases have been reported of user IDs and passwords being stolen by fraudsters through phishing emails, fake websites, Trojan software and other malicious software. Since such attacks are focused on the end-user side, raising the awareness of users is very important so that they can protect their own interests in their daily transactions.
Less conventional knowledge-based methods can also be adopted based on visual images (graphical passwords). In one example, a user is presented with a series of five randomly generated life-like faces, and the user then repeatedly picks out those faces from a series of grids filled with more faces. By picking the correct faces, the user has effectively typed in his password.
Public-key cryptography provides an authentication method that uses a key pair: a private key and a public key. The private key is known to the user only and is never shared with any other server or user. The public key is bound to its owner by a public-key certificate issued by a Certification Authority and is available to any user or server.
Public-key authentication can be implemented as a hardware or software token, depending on the situation. As a soft token, the private key is stored in the keystore of the operating system or as an encrypted file on a data storage device. Some implementations store the private key in a hard token (such as a smart card), and possession of the token is mandatory in the authentication process. Since the private key cannot be exported from the hard token (i.e. there is only one copy of the key), loss of the key can be more easily detected and remedied. Activation of the token requires the entry of a password or a biometric, which verifies the legitimate user.
It should be noted that public-key solutions can also provide additional security protection by applying a 'digital signature' to critical transactions. By digitally signing the submitted data, the integrity and non-repudiation aspects (in addition to the authenticity) of the transaction can be addressed.
SMS based Authentication
SMS is used as a delivery channel for a one-time password generated by the information system. The user receives the password by reading the message on the cell phone and types the password back to complete the authentication. The unique identification of the SIM card effectively makes the cell phone a possession-based authentication token, which can be registered and used by different applications. SMS is an effective means in places where cell phones are widely used in the community.
SMS can also be used as an out-of-band authentication mechanism for protection against man-in-the-middle (MITM) attacks. If the MITM makes use of a fake website on the Internet to intercept sensitive information, SMS (which does not pass through the Internet) can be used as an out-of-band channel to confirm the authentication or transaction information. As the MITM cannot obtain the SMS content through the Internet, the attack becomes unsuccessful.
Since SMS is a ubiquitous communication channel available on most mobile handsets, SMS based authentication has the advantage that it does not require users to carry an extra portable device, unlike other possession-based authentication devices such as OTP tokens or smart cards. When used together with password authentication, SMS provides a simple solution for two-factor authentication.
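The server side of the SMS scheme above, as an added example rather than code from the original text: the code is bound to the transaction details repeated in the message, so a confirmation obtained for an altered payee or amount is rejected, and each code is single-use, time-limited and locked after a few wrong attempts. The SMS gateway is an injected callable, the 120-second lifetime and three-attempt limit are assumed values, and the class and method names are hypothetical.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed lifetime of one SMS code
MAX_ATTEMPTS = 3        # assumed lock-out threshold per issued code


class SmsOtpService:
    """Issues and verifies SMS one-time passwords bound to a specific transaction."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(phone, text); injected so the example runs offline
        self.now = now             # clock, injectable for testing expiry
        self.pending = {}          # session id -> [code, tx_summary, expiry, attempts]

    def issue(self, session_id, phone, tx_summary):
        # 6-digit code from the OS CSPRNG; never derived from anything the user can predict
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = [code, tx_summary, self.now() + OTP_TTL_SECONDS, 0]
        # Repeating the transaction details lets the user spot a MITM-altered payee or amount
        self.send_sms(phone, f"Code {code} to confirm: {tx_summary}. Do not share this code.")

    def verify(self, session_id, submitted_code, tx_summary):
        entry = self.pending.get(session_id)
        if entry is None:
            return False
        code, bound_tx, expiry, attempts = entry
        if self.now() > expiry or attempts >= MAX_ATTEMPTS:
            del self.pending[session_id]
            return False
        entry[3] += 1
        # Constant-time compare, and the code only counts for the transaction it was issued for
        ok = hmac.compare_digest(code, submitted_code) and bound_tx == tx_summary
        if ok or entry[3] >= MAX_ATTEMPTS:
            del self.pending[session_id]   # single use, or locked out after too many failures
        return ok
```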
In traditional symmetric-key authentication, the user shares a unique secret key (usually embedded in a hard token) with an authentication server. The user is authenticated by sending the authentication server his/her username together with a randomly generated message (the challenge) encrypted under the secret key. If the server can match the received encrypted message (the response) using its copy of the shared secret key, the user is authenticated.
A slight variation of the symmetric-key implementation is the use of OTP tokens. Such tokens use either a clock or a counter, sometimes both, to generate the OTP from a symmetric key held in the device. Others use a challenge-response scheme in which the token combines a random challenge from the authentication server with the shared secret key to generate the response, which is essentially the OTP. Since an OTP is only used once, it protects the user against password guessing, eavesdropping and replay attacks.
When implemented together with password authentication, this method also provides a possible solution for two-factor authentication systems.
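An added example of the counter-based OTP token and the challenge-response variant described above; it is not code from the original text. The OTP is HOTP as specified in RFC 4226; the server keeps a per-user counter and a small look-ahead window so that a code, once accepted, can never be replayed. For the challenge-response path a keyed hash (HMAC) stands in for the text's "encrypt the challenge" step. The class and function names and the look-ahead of 5 are assumptions.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


class TokenServer:
    """Server side of the symmetric-key scheme: one shared secret per token, held by both parties."""
    LOOK_AHEAD = 5   # assumed tolerance for button presses on the token that never reached the server

    def __init__(self):
        self.secrets = {}    # username -> shared key (hypothetical in-memory store)
        self.counters = {}   # username -> next counter value the server will accept

    def enrol(self, user: str, secret: bytes):
        self.secrets[user] = secret
        self.counters[user] = 0

    def verify_hotp(self, user: str, otp: str) -> bool:
        """Accept the OTP only if it matches a counter at or ahead of the stored one, then move past it."""
        key = self.secrets.get(user)
        if key is None:
            return False
        start = self.counters[user]
        for c in range(start, start + self.LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(key, c), otp):
                self.counters[user] = c + 1   # earlier counters are now dead: replay is rejected
                return True
        return False

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)   # fresh random challenge per login attempt

    def verify_response(self, user: str, challenge: bytes, response: bytes) -> bool:
        key = self.secrets.get(user)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """What the hardware token computes from the challenge shown to it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()
```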
Biometrics is a method by which a person's authentication information is generated by digitizing measurements of a physiological or behavioural characteristic. Biometric authentication verifies a user's claimed identity by comparing a freshly encoded value with the stored value of the biometric characteristic concerned.
Common types of biometrics include:
Fingerprint / Palmprint: recognises the physical structure of a person's fingerprint / palmprint, e.g. the minutiae points that include bifurcations and ridge endings
Hand geometry: recognises the shape of a person's hand
Retina: recognises the patterns of the blood vessels at the back of the eyeball
Iris: recognises the unique patterns, rings and corona in the iris, which is the coloured portion of the eye
Signature: recognises the electrical signals, pressure used, slant of the pen, the amount of time and the patterns captured in creating a signature
Keystroke dynamics: recognises the electrical signals when a person types a certain phrase on a keyboard, such as speed and movement
Voice: recognises the subtle differences in people's speech sounds and patterns
Face: recognises the attributes of a person's face, such as bone structure, nose ridges and eye widths
The assurance level that can be met by biometric authentication depends on the physical control and security of the biometric device. This method is most useful for physical access control applications (e.g. entrance to a computer centre), where the biometric scanner can be secured and controlled by the business owner.