There are three basic authentication factors (i.e. “what the user knows”, “what the user has”, and “what the user is or does”) commonly referred to in an authentication system. Two-factor authentication refers to the use of two different authentication factors in combination for verifying the identity of the user, and it is in general more secure than single-factor authentication. While fraudsters may be able to capture a user’s password over the Internet, it is considerably harder for them to get hold of the user’s smart card or mobile phone through the network (although the possession factor must itself be protected against theft and interception, as discussed below). As a means to tackle the increasing threat of identity theft, most local banks have already implemented two-factor authentication for conducting high-risk Internet banking transactions.
The following sections describe some common methods that can be used in an authentication system.
Password- and PIN-based Authentication
Passwords and PINs are the most commonly used knowledge-based (“what the user knows”) authentication method. The longer the password, the stronger the protection; a long password is sometimes called a pass-phrase. As a best practice, an authentication system should enforce strong passwords that combine numbers, symbols and mixed-case letters wherever possible. Passwords (and other authentication information) must be protected in transit, so TLS, which creates an encrypted channel for the data exchange, should be enabled on the authentication system. They should also be protected at rest: the system should store only a salted, deliberately slow hash of each password rather than the password itself, so that a compromised credential database does not directly yield usable passwords.
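As an added example (not part of the original text), the following Go program enforces the password policy described above and stores only a salted, slow hash of the password, verifying it with a constant-time comparison. The minimum length, iteration count and record format are assumptions chosen for the example; the PBKDF2 routine is written out only to avoid a dependency, and a production system would use a maintained library such as Argon2 or bcrypt instead.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// Assumed policy values for this example, not figures taken from the page.
const minLength, iterations = 12, 100000

// CheckPolicy enforces the advice above: a long password mixing upper case, lower case, digits and symbols.
func CheckPolicy(pw string) error {
	if len([]rune(pw)) < minLength {
		return fmt.Errorf("password must be at least %d characters", minLength)
	}
	var has [4]bool // upper, lower, digit, symbol
	for _, r := range pw {
		has[0] = has[0] || unicode.IsUpper(r)
		has[1] = has[1] || unicode.IsLower(r)
		has[2] = has[2] || unicode.IsDigit(r)
		has[3] = has[3] || unicode.IsPunct(r) || unicode.IsSymbol(r)
	}
	if !(has[0] && has[1] && has[2] && has[3]) {
		return fmt.Errorf("password must mix upper case, lower case, digits and symbols")
	}
	return nil
}

// pbkdf2SHA256 derives dkLen bytes as in RFC 8018 section 5.2 with HMAC-SHA256 as the PRF. Written out only
// to keep the example dependency-free; production code should use golang.org/x/crypto/argon2 or bcrypt.
func pbkdf2SHA256(password, salt []byte, iters, dkLen int) []byte {
	mac := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		mac.Reset()
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // Uj = PRF(P, Uj-1)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// HashPassword returns a self-describing record "pbkdf2-sha256$iters$salt$hash" with a fresh random salt, so
// only a salted, slow hash is stored and two users with the same password get different records.
func HashPassword(pw string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	enc := base64.RawStdEncoding.EncodeToString
	dk := pbkdf2SHA256([]byte(pw), salt, iterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations, enc(salt), enc(dk)), nil
}

// VerifyPassword recomputes the hash with the parameters stored in the record and compares in constant time.
func VerifyPassword(record, pw string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iters, err := strconv.Atoi(parts[1])
	salt, err1 := base64.RawStdEncoding.DecodeString(parts[2])
	want, err2 := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil || err1 != nil || err2 != nil || iters < 1 {
		return false
	}
	got := pbkdf2SHA256([]byte(pw), salt, iters, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	pw := "Correct-Horse-Battery-9!"
	fmt.Println("policy:", CheckPolicy("password1"), CheckPolicy(pw))
	rec, _ := HashPassword(pw)
	fmt.Println(rec)
	fmt.Println("correct:", VerifyPassword(rec, pw), "wrong:", VerifyPassword(rec, pw+"x"))
}
```

The record carries its own iteration count so the work factor can be raised later and old records re-hashed on the user's next successful login; the constant-time compare stops an attacker learning how many leading bytes of a guess were right.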
Currently, most security attacks target password-based authentication systems. Cases have been reported of user IDs and passwords being stolen by fraudsters through phishing emails, fake websites, Trojans and other malicious software. Since such attacks focus on the end-user side, raising user awareness is very important so that users can protect their own interests in daily transactions.
Less common knowledge-based methods can also be adopted based on visual images (graphical passwords). In one example, the user is presented with a series of five randomly generated life-like images and must then repeatedly pick those images out of a series of grids filled with further images. By picking the correct images, the user has in effect typed in his/her password.
Only a managed password system governed by a proper password policy is considered sufficient for applications that require Assurance Level 2.
Public-key Infrastructure (PKI)
Public key infrastructure (PKI) is the management framework (Certification Authorities, certificates and their life-cycle management) that enables the deployment of public-key cryptography. Public-key cryptography provides an authentication method that uses a key pair: a private key and a public key. The private key is known only to the user and is never shared with any server or other user. The public key is bound to the user’s identity by a public-key certificate issued by a Certification Authority (CA), and the certificate can be given freely to any user or server that needs to verify the user.
Public-key authentication can be implemented with a hardware or a software token, depending on the deployment. With a soft token, the private key is stored in the operating system’s keystore or as an encrypted file on a data storage device, so it can be copied by anything that can read that file. Some implementations store the private key in a hard token (such as a smart card), and possession of the token is mandatory in the authentication process. Since the private key cannot be exported from the hard token (i.e. there is only one copy of the key), loss or theft of the key can be more easily detected and remedied. Activating the token requires the entry of a password or a biometric, which verifies the legitimate user and makes the token a genuine second factor.
Public-key solutions can also provide additional protection for critical transactions through digital signatures. By digitally signing the submitted data, the integrity and non-repudiation of the transaction (in addition to the authenticity of the user) can be ensured, provided the signature is verified against a certificate that is valid and not revoked at the time of the transaction.
In conjunction with multi-factor hard cryptographic tokens, PKI can be used at Assurance Level 4. If only a soft cryptographic token is available, PKI can still be used at Assurance Level 3 or below.
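The challenge-response login and the digital signature described above, as an added example that is not part of the original text. It uses only Go’s standard library: a self-signed CA stands in for the real Certification Authority, the user’s certificate is issued by it, and the server accepts a login only if the presented certificate chains to that CA and the signature over the server’s fresh challenge verifies. The names (NewCA, Enrol, Sign, Verify, “alice”, “Example Issuing CA”) are invented for the example, and revocation checking, which a real deployment must also perform, is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for pub from tmpl, signed by signerKey under parent (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA stands in for a real Certification Authority with a self-signed CA certificate (an assumption of this example).
func NewCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return key, cert, err
}

// Enrol generates the user's key pair and has the CA bind the public key to the user's name in a certificate.
// The private key never leaves the user; with a hard token it would be generated inside the smart card.
func Enrol(caKey *ecdsa.PrivateKey, ca *x509.Certificate, user string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tmpl, ca, &key.PublicKey, caKey)
	return key, cert, err
}

// NewChallenge is the server's fresh random nonce; a new one per login makes a captured response useless later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign is the client side. The same operation applied to the submitted transaction data gives the digital
// signature that provides integrity and non-repudiation for the transaction.
func Sign(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Verify is the server side: the presented certificate must chain to the trusted CA and be valid for client
// authentication, and the signature must verify under the public key it carries. Returns the authenticated name.
func Verify(ca, cert *x509.Certificate, data, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected public key type")
	}
	h := sha256.Sum256(data)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("signature does not verify")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caKey, ca, _ := NewCA("Example Issuing CA")
	userKey, userCert, _ := Enrol(caKey, ca, "alice")
	challenge, _ := NewChallenge()
	sig, _ := Sign(userKey, challenge)
	fmt.Println(Verify(ca, userCert, challenge, sig))                // genuine login
	fmt.Println(Verify(ca, userCert, append(challenge, 'x'), sig))   // tampered data is rejected
	rogueKey, rogue, _ := NewCA("Rogue CA")                          // attacker runs their own CA
	rogueUserKey, rogueCert, _ := Enrol(rogueKey, rogue, "alice")    // and issues a certificate for "alice"
	rogueSig, _ := Sign(rogueUserKey, challenge)
	fmt.Println(Verify(ca, rogueCert, challenge, rogueSig))          // untrusted issuer is rejected
}
```

The two rejected cases in main are the checks that matter: the server must not trust a name just because it appears in a certificate (the chain has to end at a CA it trusts), and it must not accept a signature over anything other than the exact challenge or transaction bytes it issued or received.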
SMS-based Authentication
SMS is used as a delivery channel for a one-time password generated by the information system. The user receives the password by reading the message on the mobile phone and types it back to complete the authentication. Because the mobile number is tied to a specific SIM card, the phone effectively acts as a possession token that can be registered with and used by different applications. SMS is an effective means in places where mobile phones are widely used in the community, but it is a weaker possession factor than a dedicated token: SIM-swap fraud (persuading the carrier to move the number to the attacker’s SIM) and malware on the handset can deliver the message to the wrong party.
SMS can also be used as an “out-of-band” mechanism for protecting against man-in-the-middle (MITM) attacks, because the message does not travel over the Internet session the attacker controls. This only works if the SMS carries the details of the transaction being confirmed (e.g. payee and amount) and the code is valid for that transaction alone: the user can then see that a fake website has altered the transaction, and a code captured by the fake site cannot be replayed against a different transaction. A bare one-time password that the user simply types into the (fake) website gives no such protection, since a real-time MITM relays it to the genuine site within its validity period.
Since SMS is a ubiquitous communication channel available on most mobile phones, SMS-based authentication has an advantage over other possession-based means in that it does not require users to carry extra portable devices such as OTP tokens or smart cards. When combined with password authentication, SMS provides a simple solution for two-factor authentication.
Symmetric-key Authentication and One-time Password (OTP) Tokens
In traditional symmetric-key authentication, the user shares a unique secret key (usually embedded in a hard token) with an authentication server. The server sends a randomly generated message (the challenge); the token encrypts it, or computes a MAC over it, with the secret key, and the user sends the result (the response) to the server together with his/her user name. The server recomputes the expected response from its own copy of the shared key, and if the two match the user is authenticated. Because the challenge is fresh for every attempt, a captured response cannot be reused.
A slight variation of the symmetric-key implementation is the use of OTP tokens. Such tokens use a clock or a counter, sometimes both, together with a symmetric key held in the device to generate the OTP; the server must keep its own clock or counter in step with the token. Others use a challenge-response system in which the token combines a random challenge from the authentication server with the shared secret key to generate the response, which is essentially the OTP. Since each OTP is used only once, it protects the user against password guessing, eavesdropping and replay attacks. It does not protect against real-time phishing, in which the attacker obtains the OTP from the user and relays it to the genuine site within its validity window.
When implemented together with the password authentication, this method also provides a possible solution for two-factor authentication systems, which is considered sufficient for applications that require Assurance Level 3.
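The OTP variants just described (counter-based, clock-based and challenge-response) and the transaction-bound SMS confirmation from the previous section, as one added example that is not part of the original text. It uses the RFC 4226 / RFC 6238 test key so the HOTP and TOTP outputs can be checked against the published vectors. The look-ahead window of 5, the PAY|payee|amount message format and deriving the transaction code by HMAC under a server-held key (instead of storing a random code with the pending transaction) are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

// Secret shared between the token and the authentication server. This is the RFC 4226 / RFC 6238 test key,
// chosen so the HOTP and TOTP values can be compared with the vectors in those RFCs.
var Secret = []byte("12345678901234567890")

// truncate applies RFC 4226 dynamic truncation: take 4 bytes at the offset given by the low nibble of the
// last HMAC byte, clear the sign bit, and reduce modulo 10^digits.
func truncate(mac []byte, digits int) string {
	off := int(mac[len(mac)-1] & 0x0f)
	code := binary.BigEndian.Uint32(mac[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// otp is the common core of every variant: HMAC-SHA1 of a message under the shared key, then truncation.
func otp(key, msg []byte, digits int) string {
	h := hmac.New(sha1.New, key)
	h.Write(msg)
	return truncate(h.Sum(nil), digits)
}

// HOTP (RFC 4226): counter-based token; the message is the 8-byte big-endian event counter.
func HOTP(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	return otp(key, msg[:], digits)
}

// TOTP (RFC 6238): clock-based token; the counter is the number of 30-second steps since the Unix epoch.
func TOTP(key []byte, at time.Time, digits int) string {
	return HOTP(key, uint64(at.Unix())/30, digits)
}

// ChallengeResponse: the server's random challenge is the message, so the response is tied to that login attempt.
func ChallengeResponse(key, challenge []byte, digits int) string {
	return otp(key, challenge, digits)
}

// TransactionCode is the SMS out-of-band case done properly: the server derives the code over the transaction
// the user is asked to confirm, so a code obtained for one payee and amount is useless against an altered one.
func TransactionCode(serverKey []byte, payee string, amount int) string {
	return ChallengeResponse(serverKey, []byte("PAY|"+payee+"|"+strconv.Itoa(amount)), 6)
}

// HOTPServer holds the server-side counter. The look-ahead window tolerates a token pressed without logging in;
// after a success the counter moves past the accepted value, so the same OTP is never accepted twice (no replay).
type HOTPServer struct {
	Key     []byte
	Counter uint64
}

func (s *HOTPServer) Verify(code string, window int) bool {
	for i := 0; i <= window; i++ {
		c := s.Counter + uint64(i)
		if subtle.ConstantTimeCompare([]byte(HOTP(s.Key, c, 6)), []byte(code)) == 1 {
			s.Counter = c + 1
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("HOTP counters 0..2:", HOTP(Secret, 0, 6), HOTP(Secret, 1, 6), HOTP(Secret, 2, 6))
	fmt.Println("TOTP at t=59s:", TOTP(Secret, time.Unix(59, 0), 8))
	srv := &HOTPServer{Key: Secret}
	code := HOTP(Secret, 2, 6) // token pressed three times, only the last code submitted
	fmt.Println("first use:", srv.Verify(code, 5), "replay:", srv.Verify(code, 5))
	// A MITM changes the payee after the user requested the SMS: the code the user received no longer matches.
	userCode := TransactionCode(Secret, "alice", 100)
	fmt.Println("altered transaction accepted:", userCode == TransactionCode(Secret, "mallory", 5000))
}
```

A TOTP verifier would normally accept the previous and next 30-second step as well to absorb clock drift, and both verifiers should rate-limit attempts, since a 6-digit code gives an online guesser a 1-in-a-million chance per try.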
Biometrics
Biometrics is a method by which a person’s authentication information is generated by digitising measurements of a physiological or behavioural characteristic. Biometric authentication verifies a user’s claimed identity by comparing a freshly captured, encoded sample with the stored template of the biometric characteristic concerned. Because two captures of the same characteristic are never identical, the comparison yields a similarity score that is checked against a threshold; every deployment therefore has a false-acceptance rate and a false-rejection rate, and tightening one loosens the other. Unlike a password or a key, a biometric is not secret and cannot be changed if it is copied.
Common types of biometrics include:
Fingerprint / palmprint: recognises the physical structure of a person’s fingerprint or palmprint, e.g. the minutiae points (bifurcations and ridge endings)
Hand geometry: recognises the shape of a person’s hand
Retina: recognises the pattern of the blood vessels at the back of the eyeball
Iris: recognises the unique patterns, rings and corona in the iris, the coloured portion of the eye
Signature dynamics: recognises the signals captured by the pad, the pressure used, the slant of the pen, and the timing and movement patterns while creating a signature
Keystroke dynamics: recognises the timing and rhythm with which a person types a certain phrase on a keyboard, such as typing speed and the intervals between keys
Voice: recognises the subtle differences in people’s speech sounds and patterns
Face: recognises the attributes of a person’s face, such as bone structure, nose ridges and eye widths
The assurance level that biometric authentication can meet depends on the physical control and security of the biometric device, since a capture device under the user’s (or an attacker’s) control can be fed a replayed or fabricated sample. If the device is not under control, the mechanism can only be used for applications at Assurance Level 1. The assurance level can be raised if biometric authentication is combined with other mitigation measures, above all physical control of the biometric device. The method is therefore most useful for physical access control applications (e.g. entrance to a computer centre), where the biometric scanner can be secured and controlled by the business owner.