9 things every business should know about user authentication
DESCRIPTION
Understanding how User Authentication impacts the security of your business is more critical than ever, but knowing where to start can be tough. Good thing we’ve simplified this complex issue into the essential things you need to know in order to make more informed decisions.TRANSCRIPT
Share This:
9 Things Everyone Should Know About User Authentication
Share This:
The Notorious 9 Nine Essential Components of User Authentication User Authentication (UA) is a field that’s constantly evolving; however, staying current doesn’t have to be a full time job, if you master the basics. Despite the appearance of constant change, there are nine basic principles of UA that remain the same, and knowing them will help you make more informed decisions. To make things even easier, we’ve broken the Notorious Nine into three parts:
username
**********
3 Types of UA
3 Delivery Methods of UA
3 Ways to Integrate UALOGIN
Share This:
have been the victim of online crimes due to their accounts
being hacked
600,000FACEBOOK ACCOUNTS
75%OF AMERICANS
90%OF BUSINESSES
have been hacked in the last year
are hacked every day
Source: http://www.clubcloudcomputing.com/2013/01/infographic-on-hacking-statistics/
FACTS
Share This:
Know Your Type The 3 Types of UA Confirming that users really are who they say they are is serious business, especially when the annual cost of identity theft in America is now $10 billion more than all other property crimes combined. The good news is that while there may only be three types of UA, your company can combine their strengths to make the process of identifying, verifying and granting users access to your system as easy as one, two, three. The three types of UA are:
Source: http://www.businessinsider.com/bureau-of-justice-statistics-identity-theft-report-2013-12
1. What You Know
2. What You Have
3. What You Are
Share This:
Well, Whadayaknow? UA Type 1: “What You Know” “What You Know” is the oldest form of UA and is based on secret information that only the user knows — and therein lies the issue. Aside from malicious programs that can guess billions of passwords per second, many users share their passwords and/or post them next to their screens, making this the weakest of all methods. However, it’s also the oldest and cheapest, which explains why it’s still popular.
Examples of “What You Know” UA
Passwords1
2
3
4
5
Phrases
Security Questions
PINs
Patterns (i.e drawn with a finger to access mobile devices)
Share This:
FACTS
Source: http://janrain.com/about/newsroom/press-releases/online-americans-fatigued-by-password-overload-janrain-study-finds/
58% of Americans have 5 or more online passwords
30% of Americans have 10 or more online passwords
8% of Americanshave 21 or more online passwords
Share This:
What You Got There? UA Type 2: “What You Have” “What You Have” is a much stronger UA method than “What You Know” and carries the added bonus of being a fairly economical solution. To use this method, users must possess a hardware token contained on a smart card, USB token, mobile device, etc. Companies seeking to enhance security without sacrificing usability often combine “What You Have” with other types of UA for added strength. An example of this is your debit or ATM card. ‘You have’ the physical card that you must swipe in the machine and ‘you know’ the PIN number to access your account.
1. Public Key Cryptography
2. One Time Password (OTP)
3. Smart Cards
Share This:
FACTS The People’s Choice: How Americans Use Social Network Single-Sign-On to Surf
Source: http://blog.gigya.com/which-identities-are-we-using-to-sign-in-around-the-web-infographic/
FacebookGoogleTwitterYahooMySpaceLinkedInOther
1% 2% 7% 13% 14% 17%
46%
Share This:
Who Do You Think You Are? James Bond? UA Type 3: “What You Are” Often showcased in spy movies, “What You Are” is perhaps the most well-known form of UA and yet is the least used due to its high cost. Because “What You Are” is dependent on an individual’s habits and/or biological characteristics, it is a very strong UA method. It’s also convenient for companies and users since critical information can’t be borrowed, lost or forgotten. When combined with other UA methods, it’s incredibly strong.
1. Biometry – fingerprints, retina scans, voice recognition, etc.
2. Behavior-Based Authentication
3. Physical Unclonable Functions
Share This:
FACTS Fingerprint Facts
Source: http://www.funtrivia.com/en/subtopics/Fingerprints-170308.html
Fingerprint ridges do not change with growth or age
Minor burns, cuts and scrapes don’t affect fingerprints because new skin grows in the original pattern
Koala fingerprints are virtually indistinguishable from human prints
In 1858, Sir William Herschel became the first person to use fingerprints to identify criminals
The FBI's fingerprint database is the largest in the world
1.
2.
3.
4.
5.
Share This:
Cutting Out the Middle-Man 3 Ways to Receive User Info Securing the delivery of user information is critical in preventing hack attacks, such as man-in-the-middle schemes where a malware program intercepts the username, password and passcode of a user as it is being sent. Listed from weakest (1) to strongest (3), the three current UA delivery methods are:
1. Local
2. In-Band
3. Out-of-Band
Share This:
Are You With the Band? The 3 Ways UA Credentials Are Delivered While your company has limitless choices when it comes to the combinations and types of UA available, there are only 3 choices when it comes to how a user’s credentials will be delivered to the authentication system: local, in-band or out-of-band.
1. Local – The system that receives the credentials and the system that matches them are on the same host Examples: Entering a PIN in a smart card reader, swiping a finger on an iPhone, logging into a Windows PC
2. In-Band – Users submit credentials through an app that interfaces with the system after authentication Example: Connecting to a web server using a web browser and logging in via that same browser
3. Out-Of-Band – Users complete part of the UA process through one channel and receive secure information via a second channel that enables them to complete the UA process Example: Connecting to the Internet on a PC and receiving a code via a mobile phone to complete log-in
Share This:
FACTS Calling for Security: Companies Employing Mobile Phone Multi-Factor Authentication
Source: http://mashable.com/2013/07/31/two-factor-authentication/
Google is the first company to offer users multi-factor authentication via mobile codes
Facebook begins using mobile codes for multi-factor authentication
Dropbox, LinkedIn, Apple, Microsoft and Twitter offer users mobile code multi-factor authentication
201020112012
Share This:
Getting with the Program The 3 Ways to Integrate UA Choosing how you will integrate UA with your current system is one that requires your business to find its own sweet spot between retaining control internally and relinquishing elements of control to third parties. The current three UA integration methods are:
1. Embedded Component
2. Callable Web Service
3. Delegation
Share This:
Are You a DIY’er or a Delegator? The 3 Ways UA Can Be Integrated with a System You have three options when it comes to integrating UA into your current system, and all three ways are compatible with all types of UA, so the choice boils down to how much you want to invest and how much control you desire.
1. Embedded Component: UA components are embedded into the server that provides service to users Pros: Instant access and greater control Cons: Companies using their own servers must be vigilant about maintenance and security monitoring, especially since a single security breach could expose all codes
2. Callable Web Service: UA information is passed to a dedicated authentication server via web service calls Pros: Authentication codes are not stored on the service provider’s server Cons: If a company uses one of its servers as the dedicated authentication server, it must be vigilant about the maintenance and security of the server
3. Delegation: UA is delegated to a third party authentication server known as the Identity Provider (IP) Pros: Maintenance costs, updates and compliance are the responsibility of the third-party IP Cons: Less access and control
Share This:
FACTS
LOW - Little or no confidence exists in the user’s identity; usually self-asserted
MODERATE - Confidence exists that the user’s identity is accurate; used for self-service apps
MODERATE - High confidence in the user’s identity accuracy; used to access restricted data
HIGH - Very high confidence in the user’s identity accuracy; used to access highly restricted data
Level 1
Level 2
Level 3
Level 4
The four levels of assurance the U.S. government uses to categorize Identity Providers are:
Source: https://www.cio.wisc.edu/security-initiatives-levels.aspx
Share This:
Hark! Who Goes There? We hope you have enjoyed our ebook, “9 Things Everyone Should Know About User Authentication.” At Gemalto, we provide a powerful portfolio of UA solutions that address a wide range of business needs. To learn more about us, download more ebooks, or register for a free trial, please visit CloudEntr.com/latest-resources.