Overview

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else), using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. The weakness in this system for transactions that are significant (such as the exchange of money) is that passwords can often be stolen, accidentally revealed, or forgotten.

For this reason, Internet business and many other transactions require a more stringent authentication process. The use of digital certificates issued and verified by a Certificate Authority (CA) as part of a public key infrastructure is considered likely to become the standard way to perform authentication on the Internet.

Logically, authentication precedes authorization (although they may often seem to be combined).

There are three types of authentication

What You Have...

Keys, badges, ID, passcards, tokens. These are physical objects and go towards identifying you by what you physically *own*. The obvious problem here is that objects can be taken and are not tied or “signed” to any particular person. This makes it easy to loan your verification for temporary uses like valet parking, but objects can be stolen. Keys can be duplicated, IDs can be faked, and nobody knows what the heck a valid badge looks like anyway.

What You Are...

Your DNA, fingerprints, voice match, the cadence of your typing, your walk, talk, act. Your smell, shoeprints, aura, your retinal scan, your vein patterns: anything that leaves the impression of YOU, but nothing that can come from someone else. These are things that can be taken from you. They cannot be faked, but they can be stolen. This is a secondary level of security: what you are is better than what you have, but is nothing compared to what you know.

What You Know

Passwords, passphrases. Things that cannot be beaten out of you. Passwords cannot be compelled to be told, they cannot be stolen (from your mind), and they cannot be duplicated. Other examples include your memories.

Authentication Solutions

RSA SecurID
Symantec VIP


RSA offers the only complete portfolio of authentication, access control and key management solutions that extend protection and ownership across the lifecycle of sensitive data, as it is created, accessed, shared, stored and moved. From the datacenter to the cloud, organizations can remain protected, compliant and in control, no matter where their business takes them.

Solution Description

The RSA SecurID authentication mechanism consists of a “token” — either hardware (e.g. a USB dongle) or software (a soft token) — which is assigned to a computer user and which generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card’s factory-encoded random key (known as the “seed”). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased.

The token hardware is designed to be tamper-resistant to deter reverse engineering. When software implementations of the same algorithm (“software tokens”) appeared on the market, the security community developed public code that lets a user emulate an RSA SecurID token in software, but only if they have access to a current RSA SecurID code and to the original RSA SecurID seed file that was loaded into the server. In the RSA SecurID authentication scheme, the seed record is the secret key used to generate one-time passwords. Newer versions also feature a USB connector, which allows the token to be used as a smart-card-like device for securely storing certificates.

A user authenticating to a network resource—say, a dial-in server or a firewall—needs to enter both a personal identification number (PIN) and the number being displayed at that moment on their RSA SecurID token. Some systems using RSA SecurID disregard PIN implementation altogether and rely on password/RSA SecurID code combinations. The server, which also has a real-time clock and a database of valid cards with the associated seed records, computes what number the token is supposed to be showing at that moment in time, checks it against what the user entered, and makes the decision to allow or deny access.
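The generate-and-compare loop described above, as an added example that is not RSA's code and not its proprietary token algorithm: a generic HMAC-based time code (the RFC 6238 TOTP construction) stands in for the seed-and-clock computation, and the seed record, PIN, user name and timestamp are constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Added illustration of the scheme described above. The HMAC-based time code
# below (the RFC 6238 TOTP construction) stands in for the token's proprietary
# seed-and-clock computation; the seed, PIN and timestamps are constructed.
INTERVAL = 60   # the page's "usually 60 seconds"
DIGITS = 6

def tokencode(seed: bytes, unix_time: int) -> str:
    """Code a token with this seed shows during the interval containing unix_time."""
    counter = unix_time // INTERVAL
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def server_verify(seed_db: dict, pin_db: dict, user: str, pin: str,
                  code: str, now: int, drift: int = 1) -> bool:
    """Server side: look up the user's seed record, compute the code the token
    should be showing now (and in the neighbouring intervals, to tolerate clock
    drift between token and server), and require the PIN as well.
    All comparisons are constant-time so response timing leaks nothing."""
    seed = seed_db.get(user)
    if seed is None:
        return False
    pin_ok = hmac.compare_digest(pin_db.get(user, ""), pin)
    code_ok = False
    for step in range(-drift, drift + 1):
        expected = tokencode(seed, now + step * INTERVAL)
        code_ok |= hmac.compare_digest(expected, code)
    return pin_ok and code_ok

# Constructed sample seed record and PIN, as the server database would hold them.
SEED_DB = {"alice": bytes.fromhex("3132333435363738393031323334353637383930")}
PIN_DB = {"alice": "4821"}

if __name__ == "__main__":
    now = 1_700_000_000
    shown = tokencode(SEED_DB["alice"], now)   # what the user reads off the token
    print("token shows", shown)
    print("correct PIN + current code:", server_verify(SEED_DB, PIN_DB, "alice", "4821", shown, now))
    print("same code one interval later (drift):", server_verify(SEED_DB, PIN_DB, "alice", "4821", shown, now + INTERVAL))
    print("same code three intervals later:", server_verify(SEED_DB, PIN_DB, "alice", "4821", shown, now + 3 * INTERVAL))
    print("wrong PIN:", server_verify(SEED_DB, PIN_DB, "alice", "0000", shown, now))
```

The drift window is the practitioner's trade-off: widening it hides clock skew but lengthens the period during which an observed code remains accepted.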

Symantec is one of the largest and most well-known security vendors in the IT industry.

Solution Description

The Symantec Validation and ID Protection (VIP) Service is a multifactor authentication (MFA) product that uses biometrics and smartphones to supplement standard username/password logins on a variety of servers and services.

Symantec VIP Manager and MFA products like it prevent unauthorized logins to company resources, applications and services, even when passwords have been compromised or shared among a number of different services by the end user. It is appropriate for medium-sized and large enterprises, especially those that want to make use of a variety of external software-as-a-service-based services.

Symantec doesn’t use a version number to identify its software releases, but claims it upgrades its cloud-based VIP Manager service every quarter.

Currently, there are three support levels: Basic Maintenance (business hours only), Essential Support Services (24/7) and Business Critical Services, which includes a dedicated support manager for each customer account.