Authentication — different techniques to authenticate your apps
Authentication can be defined as checking whether something is genuine or fake. In computing it is part of an access policy that indicates whether someone is permitted to perform an activity, and it determines which privileges to resources a user is given.
In real life, you may see prohibited-area warnings in various places. For example, in a university’s data centre you may see a warning like “Students are not allowed to enter the data centre”. If a staff member enters the data centre, no one objects, because staff are authorized to enter it to perform their duties; but if a student tries to enter the data centre, that is unauthorized access, and the university can take disciplinary or legal action against the student depending on the situation.
Similarly, when you see your friend trying to unlock his car, you pay no attention. However, if you see a stranger trying to unlock your friend’s car, you inform your friend or call the police. Authentication is adopted in computers for the same reason, to avoid unauthorized access; however, a computer is a machine, so the scenarios and the methods differ.
Authentication and authorization in Cyber Security:
Cyber security has become one of the most important parts of computer science because of online systems. Most organizations and enterprises have databases and websites. In an office, multiple people share a common network connection and access a single database through a web application or a desktop application. However, a Support Manager should not be able to connect to the router as the CEO. Authentication therefore verifies the identity of the user: is this the CEO or the Support Manager? The data available to the CEO should not be available to a Support Manager, so after authentication the system applies authorization rules to check whether the user is allowed to access that particular module. You may be interested in reading Cybersecurity in Cloud Computing
In computers, we employ different techniques to separate authorized from unauthorized access to various resources; this is also called access control. A computer cannot recognize our friend when he tries to use his own machine, and it cannot tell whether someone is authorized to use a file without checking the security rules defined on the computer.
To avoid unauthorized access to the computer, we define security rules for different types of access. On the basis of these rules and of data, flow and patterns, the computer tries to recognize the person: it identifies the person, then authenticates that he is who he claims to be, and then authorizes him to access the resources he is allowed to use.
A small example of this is cookies and sessions in web applications. When you have logged in to a website before and try to log in again, the browser uses stored cookies to suggest auto-completion. If a session is still valid, the site asks you nothing, authenticates you from the session and simply redirects you to the dashboard you are authorized to see. Hence the computer can identify and authenticate the person. Similar techniques are used by various platforms to detect unusual activity; on the basis of outliers, the platform prompts for stricter steps to authenticate the user.
Now let’s clarify the difference between identification and authentication. Your name is your identity. Your friend knows your name, so he can enter your username and make the computer accept the claim that he is you. The computer will then ask him for the password to authenticate that claim. There is very little chance that your friend knows the right password for your username, so on a wrong password the computer will not authorize him to access anything in your account.
What are the identities?
Identities are revealed either by guessing or by searching public sources. An identity can be your username, email, debit card number, date of birth, school name, your parents’ names, your first car or anything similar. In short, the answers to so-called secret security questions can easily be guessed by your close friends. Hence, an authentication credential should be private and secret. For example, a password should not be your date of birth or your school name. It should be a randomly generated key, password, PIN, passphrase, handshake, etc.
For more sensitive information systems, authentication by retina scan, face recognition, fingerprint or voice recognition can be employed. You can also enable a second authentication factor to strengthen authentication further. You may be interested in reading CIA Triads
Working of authentication:
During the authentication process, the user is first asked to provide something that states his identity. After that identity is received, the computer asks for authentication credentials. The provided identity and credentials are looked up in a database or in files and matched. If the provided information matches the stored information, the user is authenticated and then authorized to use the system according to the access rights available to him.
There are various techniques for authenticating access. You can introduce any one of them, or a combination of several, depending on the needs of your system. Remember that each technique you introduce has a cost, so the selection should match the sensitivity of the information.
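The three steps just described (identify the claimed user, authenticate the credential, then apply access rights) look like this in code. This is an added example, not code from the original post: the users, roles, module names and hashing parameters are constructed for illustration, and it goes one step beyond the text by storing salted, slow hashes rather than the passwords themselves, and by making an unknown username indistinguishable from a wrong password so the login form cannot be used to enumerate accounts.

```python
"""Identify, authenticate, authorize: a minimal credential check.

Added example; user records, roles and hashing parameters are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Password hashing parameters (assumed values; tune iterations for your hardware).
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass(frozen=True)
class UserRecord:
    salt: bytes
    password_hash: bytes
    role: str


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so a leaked database does not reveal passwords."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def register(store: Dict[str, UserRecord], username: str, password: str, role: str) -> None:
    """Create a record; only the salt and the hash are stored, never the password."""
    salt = os.urandom(SALT_BYTES)
    store[username] = UserRecord(salt, hash_password(password, salt), role)


# Authorization rules: which modules each role may open (constructed).
PERMISSIONS = {
    "ceo": {"dashboard", "finance", "router"},
    "support_manager": {"dashboard", "tickets"},
}

# A dummy record so an unknown username costs the same time as a known one.
_DUMMY_SALT = b"\x00" * SALT_BYTES
_DUMMY_HASH = hash_password("", _DUMMY_SALT)


def authenticate(store: Dict[str, UserRecord], username: str, password: str) -> Optional[UserRecord]:
    """Step 1: identify (look up the claimed username). Step 2: authenticate.

    Returns the record on success and None on failure. The caller cannot tell
    whether the username or the password was wrong, and the comparison is
    constant-time, so neither the response nor its timing leaks valid usernames.
    """
    record = store.get(username)
    if record is None:
        # Still pay for a hash so timing does not reveal which usernames exist.
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return None
    candidate = hash_password(password, record.salt)
    if not hmac.compare_digest(candidate, record.password_hash):
        return None
    return record


def authorize(record: UserRecord, module: str) -> bool:
    """Step 3: apply the access rights attached to the authenticated identity."""
    return module in PERMISSIONS.get(record.role, set())


def login_and_access(store: Dict[str, UserRecord], username: str, password: str, module: str) -> str:
    """Combine the three steps into a single access decision."""
    record = authenticate(store, username, password)
    if record is None:
        return "denied: authentication failed"
    if not authorize(record, module):
        return f"denied: {record.role} may not access {module}"
    return f"granted: {module}"


def demo_store() -> Dict[str, UserRecord]:
    """Constructed sample users for the demonstration."""
    store: Dict[str, UserRecord] = {}
    register(store, "alice", "correct horse battery staple", "ceo")
    register(store, "bob", "Tick3ts!2019", "support_manager")
    return store


if __name__ == "__main__":
    users = demo_store()
    print(login_and_access(users, "alice", "correct horse battery staple", "router"))
    print(login_and_access(users, "bob", "Tick3ts!2019", "router"))
    print(login_and_access(users, "bob", "wrong", "tickets"))
    print(login_and_access(users, "nobody", "x", "dashboard"))
```

The same "authentication failed" message is returned for an unknown user and for a wrong password on purpose; the Support Manager in the article's example is authenticated successfully but still refused the router module, which is the authorization step doing its job.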
An authentication code is used to verify identity and to validate data. An entity decrypts the message with the public key found in the digital certificate and sends back the correct authentication code.
Passwords are the most commonly used technique for authentication in almost all types of applications, including web, mobile and desktop. A good password is long and contains alphanumeric and special characters. Passwords are a good method for securing an application, but if you set a short or commonly used password, or a dictionary word, it is easy for attackers to break.
In multi-factor authentication, two or more methods are combined. For example, after the password is validated, an authentication code is sent to the user’s mobile number to verify that he holds the phone.
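A password policy check that enforces the rules from the two passages above (length, character classes, no dictionary or commonly used passwords) and from the earlier section on identities (no date of birth, school name or username inside the password). This is an added example, not code from the original post; the minimum length, the tiny word list, the leet-speak substitution table and the identity fields are constructed assumptions, and a real deployment would use a full breached-password list instead of the thirteen words shown here.

```python
"""Password policy check: length, character classes, common words, identity data.

Added example; MIN_LENGTH, COMMON_WORDS and the identity fields are constructed.
"""
import re
import string
from datetime import date
from typing import Dict, List

MIN_LENGTH = 12  # assumed policy value

# Constructed stand-in for a real list of common passwords and dictionary words.
COMMON_WORDS = {
    "password", "qwerty", "letmein", "welcome", "admin", "dragon", "monkey",
    "football", "iloveyou", "sunshine", "princess", "123456", "12345678",
}

# Characters commonly substituted for letters: "p@ssw0rd" is still "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e",
                          "$": "s", "5": "s", "4": "a", "7": "t"})


def normalise(password: str) -> str:
    """Lower-case, undo leet substitutions and keep only letters for word matching."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def character_classes(password: str) -> List[str]:
    """Which of the four character classes the password actually contains."""
    classes = []
    if any(c.islower() for c in password):
        classes.append("lower")
    if any(c.isupper() for c in password):
        classes.append("upper")
    if any(c.isdigit() for c in password):
        classes.append("digit")
    if any(c in string.punctuation for c in password):
        classes.append("special")
    return classes


def contains_common_word(password: str) -> bool:
    """True if a known word appears verbatim or behind leet-speak substitutions."""
    lowered = password.lower()
    normalised = normalise(password)
    return any(word in lowered or (word.isalpha() and word in normalised)
               for word in COMMON_WORDS)


def identity_fragments(identity: Dict[str, str]) -> Dict[str, List[str]]:
    """Expand identity fields into the forms people actually type into passwords.

    A birth date given as ISO 8601 (YYYY-MM-DD) becomes the year and the common
    digit orderings; other fields are matched as lower-case substrings.
    """
    fragments: Dict[str, List[str]] = {}
    for field, value in identity.items():
        if field == "birth_date":
            d = date.fromisoformat(value)
            fragments[field] = [d.strftime(f) for f in ("%Y", "%d%m%Y", "%Y%m%d", "%d%m%y")]
        elif len(value) >= 4:
            fragments[field] = [value.lower()]
    return fragments


def contains_identity_data(password: str, identity: Dict[str, str]) -> List[str]:
    """Names of the identity fields whose value shows up inside the password."""
    lowered = password.lower()
    return [field for field, frags in identity_fragments(identity).items()
            if any(frag in lowered for frag in frags)]


def check_password(password: str, identity: Dict[str, str]) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"lower", "upper", "digit", "special"} - set(character_classes(password))
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if contains_common_word(password):
        problems.append("contains a common password or dictionary word")
    for field in contains_identity_data(password, identity):
        problems.append(f"contains the user's {field}")
    return problems


# Constructed identity data for the demonstration user.
DEMO_IDENTITY = {"username": "arslan", "school": "Punjab", "birth_date": "1995-03-14"}

if __name__ == "__main__":
    for candidate in ("P@ssw0rd!2019", "Punjab1995!", "Tr0ub4dor&3Xq!Lm"):
        print(candidate, "->", check_password(candidate, DEMO_IDENTITY) or "ok")
```

Note that "P@ssw0rd!2019" satisfies every character-class rule and is still rejected, because the check undoes the substitutions before looking for the dictionary word; a rule that only counts character classes would have accepted it.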
One Time Password:
Authentication with a one-time password. This technique is usually used where financial transactions are made or a password is being reset. A temporary password is generated that can be used only once, for example to set up a new password.
Nowadays, biometric authentication is very common because most smartphones have a fingerprint sensor. There are also devices that support face recognition, voice recognition, retina recognition, etc. You may be interested in reading Computer Security Threats.
Mobile authentication is also very common. When someone tries to access an account, a prompt is shown on the phone to confirm the attempt. For example, when you log in to your iCloud account, before your computer is marked as trusted, a popup appears on your screen asking you to enter the confirmation code.
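The one-time password described above, whether delivered as the second factor in multi-factor authentication or as a password-reset code, has to satisfy three properties the text only implies: it expires, it works exactly once, and it cannot be guessed online. This is an added example, not code from the original post; the code length, validity window, attempt budget and the keyed-hash storage are assumptions. The clock is passed in as a parameter so the expiry behaviour can be shown without waiting.

```python
"""One-time password issue and verification with expiry, single use and an attempt budget.

Added example; CODE_DIGITS, VALIDITY_SECONDS and MAX_ATTEMPTS are constructed values.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_DIGITS = 6          # assumed: SMS-style numeric code
VALIDITY_SECONDS = 300   # assumed: five minutes
MAX_ATTEMPTS = 5         # assumed: a 6-digit code must not be guessable online


@dataclass
class PendingOtp:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, server_key: bytes) -> None:
        # Codes are stored as keyed hashes so a copied store does not reveal them.
        self._server_key = server_key
        self._pending: Dict[str, PendingOtp] = {}

    def _hash(self, username: str, code: str) -> bytes:
        return hmac.new(self._server_key, f"{username}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Generate a fresh code for the user; delivery (SMS, e-mail, app) is the caller's job.

        Issuing a new code replaces any earlier pending code for the same user.
        """
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingOtp(self._hash(username, code), now + VALIDITY_SECONDS)
        return code

    def verify(self, username: str, code: str, now: Optional[float] = None) -> bool:
        """Accept the code only before expiry, within the attempt budget, and only once."""
        now = time.time() if now is None else now
        pending = self._pending.get(username)
        if pending is None:
            return False
        if now > pending.expires_at:
            del self._pending[username]
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[username]          # too many guesses: the code is burnt
            return False
        if not hmac.compare_digest(self._hash(username, code), pending.code_hash):
            return False
        del self._pending[username]              # single use: consumed on success
        return True


def _other(code: str) -> str:
    """A code that is certainly not the issued one (for the demonstration)."""
    return "000000" if code != "000000" else "111111"


def demo() -> Dict[str, bool]:
    """Walk through the four failure modes and the one success; all inputs constructed."""
    svc = OtpService(secrets.token_bytes(32))
    t0 = 1_700_000_000.0  # constructed clock value
    code = svc.issue("alice", now=t0)
    results = {
        "wrong_code": svc.verify("alice", _other(code), now=t0 + 1),
        "right_code": svc.verify("alice", code, now=t0 + 2),
        "replay": svc.verify("alice", code, now=t0 + 3),
    }
    code = svc.issue("alice", now=t0)
    results["expired"] = svc.verify("alice", code, now=t0 + VALIDITY_SECONDS + 1)
    code = svc.issue("alice", now=t0)
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", _other(code), now=t0 + 1)
    results["too_many_attempts"] = svc.verify("alice", code, now=t0 + 2)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>18}: {'accepted' if outcome else 'rejected'}")
```

The attempt budget matters as much as the expiry: a six-digit code has only a million values, so without a cap an attacker who can submit guesses quickly would find it inside the five-minute window.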
Strong authentication is the term used for types of authentication that are more reliable and more resistant to attack.
Sessions help with authentication. If the session has not timed out, the computer will automatically authenticate you after identification.
Smart cards are mostly used in IoT devices; however, they are also used with computers for high-security applications.
There are many other techniques, and new ones keep emerging with the passage of time. You can choose any of them.
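The session behaviour described here and in the earlier cookies-and-sessions passage (a valid session authenticates you without asking again, an expired one does not) is easy to get wrong in two ways: the cookie value must be unguessable, and "timed out" should mean both an idle limit and an absolute lifetime. This is an added example, not code from the original post; the token size, the two timeout values and the usernames are assumptions, and the clock is passed in so the timeouts can be exercised without waiting.

```python
"""Session-based re-authentication with idle and absolute timeouts.

Added example; IDLE_TIMEOUT, ABSOLUTE_LIFETIME and the sample users are constructed.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed: log out after 15 minutes of inactivity
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: force a fresh login after 8 hours


@dataclass
class Session:
    username: str
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self) -> None:
        # Keyed by the hash of the token, so a copied store does not hand out usable cookies.
        self._sessions: Dict[bytes, Session] = {}

    @staticmethod
    def _key(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def create(self, username: str, now: Optional[float] = None) -> str:
        """Start a session after a successful login and return the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._sessions[self._key(token)] = Session(username, now, now)
        return token

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username if the cookie is still a live session, else None.

        A hit refreshes last_seen (sliding idle window); the absolute lifetime
        is measured from creation and cannot be extended by activity.
        """
        now = time.time() if now is None else now
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created_at > ABSOLUTE_LIFETIME:
            del self._sessions[key]
            return None
        session.last_seen = now
        return session.username

    def logout(self, token: str) -> None:
        """Invalidate server-side; deleting the cookie in the browser alone is not enough."""
        self._sessions.pop(self._key(token), None)


def demo() -> Dict[str, Optional[str]]:
    """Exercise a live hit, a forged cookie, idle expiry, absolute expiry and logout."""
    store = SessionStore()
    t0 = 1_700_000_000.0  # constructed clock value
    alice = store.create("alice", now=t0)
    results: Dict[str, Optional[str]] = {
        "fresh": store.authenticate(alice, now=t0 + 60),
        "within_idle": store.authenticate(alice, now=t0 + 60 + IDLE_TIMEOUT - 1),
        "forged": store.authenticate("not-a-real-token", now=t0 + 60),
    }
    last_seen = t0 + 60 + IDLE_TIMEOUT - 1
    results["idle_expired"] = store.authenticate(alice, now=last_seen + IDLE_TIMEOUT + 1)

    # Bob clicks every ten minutes, so he never goes idle, but the lifetime still ends.
    bob = store.create("bob", now=t0)
    t = t0
    while t < t0 + ABSOLUTE_LIFETIME:
        t += 600
        results["kept_alive"] = store.authenticate(bob, now=t)
    results["absolute_expired"] = store.authenticate(bob, now=t0 + ABSOLUTE_LIFETIME + 1)

    carol = store.create("carol", now=t0)
    store.logout(carol)
    results["after_logout"] = store.authenticate(carol, now=t0 + 1)
    return results


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name:>17}: {user or 'not authenticated'}")
```

The absolute lifetime is what limits the damage from a stolen cookie: with only an idle timeout, an attacker who keeps the session busy could hold it indefinitely.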
- You can secure any application by following identification, authentication and authorization.
- Always choose the technique best suited to the security needs of your application or computer.
Originally published at www.imarslan.com on February 26, 2019.