DeMISTIfying Infosec: Authentication

January 26, 2016
By Katherine Teitler

Authentication

Authentication, as it pertains to computer networking, is the process by which a system verifies that a user (or a device or service) is who it claims to be. Authentication differs from authorization: it binds the presented credentials to a claimed identity, but it does not, in and of itself, grant or deny permission to systems, applications, files, etc.

In an authentication process, each user is assigned or chooses a user ID, which is stored in a database of permitted users, together with an associated verifier: a password, PIN, smart card, or some other form of proof. A stored password may be kept in plaintext, reversibly encrypted, or hashed; only the last is acceptable practice, and the hash should be salted per user and computed with a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2), because a plaintext or reversibly encrypted store hands every user's credential to whoever reads the database. The ID and password (or alternative) combination form the user's credentials. Each account is then granted permissions (authorization) by the administrator for what is and is not allowed once the user has been positively confirmed (authenticated) on the system.
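The following is an added example (not code from the original article) of the hashed credential store described above: a user ID maps to a salted PBKDF2-HMAC-SHA256 record, and verification recomputes the hash and compares in constant time. The iteration count, salt length, record format, and the sample account are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, a 16-byte random
# per-user salt, and 600,000 iterations (OWASP's current figure for PBKDF2-SHA256).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    Storing the parameters with the hash lets the iteration count be raised later
    without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt/iterations and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed sample credential store for the example (not real accounts):
# the user ID is the lookup key, the value is the hashed verifier, never the password.
USERS = {
    "alice": hash_password("correct horse battery staple"),
}


def authenticate(user_id: str, password: str) -> bool:
    """Authentication only: returns whether the credentials match a known user.

    Authorization (what alice may then do) is a separate decision made elsewhere.
    """
    record = USERS.get(user_id)
    if record is None:
        # Burn the same amount of work for unknown users so response time does
        # not reveal which IDs exist (the fixed salt here is deliberate: the result is discarded).
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, record)
```

Two records for the same password differ because each gets its own salt, so an attacker who obtains the database cannot crack one hash and reuse the result across accounts, and cannot precompute a rainbow table in advance.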

In a networked environment, effective authentication requires an interactive logon process (the user proves identity once at the workstation) plus a network authentication process (the workstation presents derived credentials, for example Kerberos tickets in an Active Directory domain, to file servers and applications on the user's behalf). Network authentication is typically invisible to the user and eliminates the need to re-enter credentials each time a new file share or application is accessed.

Passwords are most commonly paired with user IDs, although passwords have well-known limitations (reuse, guessability, phishing) and are considered inherently insecure by some infosec experts. Many infosec professionals recommend requiring at least a second factor. Note that a challenge question or a PIN is, like a password, "something you know" and does not make authentication two-factor; a genuine second factor comes from a different category, such as a hardware or software token (something you have) or a biometric (something you are).
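As an added example (not from the original article) of the "security token" second factor, here is the time-based one-time password scheme of RFC 6238 (TOTP, built on RFC 4226 HOTP) that software authenticator apps implement: the token and the server share a secret, each derives the current code from the secret and the current 30-second time step, and the server accepts a code only within a small window. The secret value and the window size below are assumptions for the example; the secret is the one used for the RFC 6238 test vectors.

```python
import hashlib
import hmac


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)          # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step (token side)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server side: accept the code for the current step or +/- `window` steps.

    The window (assumed 1 here) tolerates clock skew between token and server;
    a larger window widens the guessing target, so keep it small. Real servers
    must also refuse to accept the same code twice within its validity period.
    """
    if len(code) != digits or not code.isdigit():
        return False
    counter = unix_time // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        # Constant-time compare for each candidate so timing does not leak digits.
        if hmac.compare_digest(hotp(secret, c, digits), code):
            matched = True
    return matched


# Constructed demonstration: the ASCII secret from the RFC 6238 test vectors.
SHARED_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Token displays the code; server, holding the same secret, checks it.
    now = 59
    shown = totp(SHARED_SECRET, now)
    print("token shows", shown, "server accepts:", verify_totp(SHARED_SECRET, shown, now))
```

The secret never crosses the network during login, only the six-digit code does, which is why the scheme proves possession of the enrolled device rather than knowledge of a password. Its weak point is the shared secret itself: the server-side copy must be protected like a password database, and a phishing proxy can still relay a freshly entered code, which is why phishing-resistant tokens (FIDO2/WebAuthn) are preferred where available.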


In order to transfer authentication data between two entities (e.g., client to server), both sides must agree on an authentication protocol. Some of the more common authentication protocols and methods include:

  • Kerberos (ticket-based, with mutual authentication through a trusted Key Distribution Center; the default in Active Directory domains)
  • SSL/TLS (transport encryption that authenticates the server, and optionally the client, with X.509 certificates)
  • Microsoft NTLM (legacy challenge/response; susceptible to relay attacks and offline cracking of captured exchanges)
  • Password Authentication Protocol (PAP) and SPAP (the password is sent in the clear, or, for SPAP, reversibly encrypted, over the link)
  • Challenge Handshake Authentication Protocol (CHAP) and MS-CHAP (challenge/response: the password never crosses the link, but the authenticator must hold the secret, or for MS-CHAP its NT hash, in recoverable form)
  • Extensible Authentication Protocol (EAP) (a framework that carries other methods, such as EAP-TLS, in 802.1X and VPN deployments)
  • RADIUS (Remote Authentication Dial-In User Service) (a central server that network access devices consult to check credentials)
  • Dialed Number Identification Service (DNIS) (identifies the number the caller dialed; useful for routing, but not proof of the caller's identity)
  • Certificate services (issuing and validating the certificates that TLS, EAP-TLS and smart-card logon rely on)
  • Unauthenticated access and guest access (not protocols but access policies: no credential is verified, so any authorization rests entirely on network position)
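The following is an added example (not from the original article) of the CHAP exchange listed above, per RFC 1994: the authenticator sends an identifier and a random challenge, the peer answers with MD5(identifier || secret || challenge), and the authenticator recomputes the same value to verify it. It also shows, as a caveat a practitioner should keep in mind, why capturing one exchange is enough for an offline dictionary attack. The secret, the challenge length and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def chap_challenge() -> Tuple[int, bytes]:
    """Authenticator side: a one-byte Identifier and a fresh random Challenge value.

    The challenge must be unpredictable and never reused, otherwise a captured
    response can simply be replayed. 16 bytes is an assumed size for the example.
    """
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side (RFC 1994 section 4): MD5 over Identifier || secret || Challenge.

    Only this digest goes over the link; the secret itself stays on the peer.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute with the stored cleartext secret and compare."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def crack_chap(identifier: int, challenge: bytes, response: bytes,
               wordlist: list) -> Optional[bytes]:
    """Attacker side: given one captured exchange, test guesses offline.

    Nothing rate-limits this, so the secret's strength is all that protects it;
    this is why CHAP over an untrusted link is only as good as the password.
    """
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


# Constructed demonstration secret and wordlist (not real credentials).
SECRET = b"s3cret-shared-key"

if __name__ == "__main__":
    ident, chal = chap_challenge()                      # authenticator -> peer
    resp = chap_response(ident, SECRET, chal)           # peer -> authenticator
    print("authenticator accepts:", chap_verify(ident, SECRET, chal, resp))
    # An eavesdropper saw (ident, chal, resp) and tries a wordlist offline.
    print("offline guess:", crack_chap(ident, chal, resp, [b"password", b"letmein", SECRET]))
```

Contrast this with PAP, where the client simply transmits the user ID and password; CHAP is strictly better on the wire, but unlike the salted, slow hashes used for local password stores it requires the authenticator to keep every secret in cleartext, and MD5 makes guessing cheap.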
