Introduction to Authentication

Authentication is the process of verifying the identity of a user, system, or entity. It answers the question: "Are you who you claim to be?" This is distinct from identification (claiming an identity) and authorization (granting permissions after authentication).

The three key concepts:

  • Identification: Claiming an identity (username)
  • Authentication: Proving that identity (password)
  • Authorization: Determining what you can do (permissions)

Authentication Factors

Authentication methods are categorized into three factors, based on the kind of evidence the user presents: something they know, something they have, or something they are.

Factor 1: Something You Know

Knowledge-based authentication uses information that the user knows:

  • Passwords: Secret words or phrases
  • PINs: Personal Identification Numbers
  • Security Questions: Pre-arranged questions with secret answers
  • Patterns: Graphical passwords or unlock patterns

Factor 2: Something You Have

Possession-based authentication uses physical items the user possesses:

  • Smart Cards: Integrated circuit cards with stored data
  • Hardware Tokens: Physical devices generating one-time codes
  • Mobile Devices: Phones receiving verification codes
  • USB Keys: Physical keys like YubiKey

Factor 3: Something You Are

Biometric authentication uses physical or behavioral characteristics:

  • Static Biometrics: Fingerprint, iris, face, hand geometry
  • Dynamic Biometrics: Voice, handwriting, keystroke dynamics

Factor             | Type       | Examples          | Pros                     | Cons
-------------------|------------|-------------------|--------------------------|----------------------------
Something You Know | Knowledge  | Password, PIN     | Easy to implement        | Can be forgotten, stolen
Something You Have | Possession | Token, Smart Card | Harder to duplicate      | Can be lost, stolen
Something You Are  | Inherence  | Fingerprint, Face | Cannot be lost/forgotten | Expensive, privacy concerns

Password Security

Passwords are the most common authentication method. Proper password storage and handling is critical for security.

Password Storage

  • Passwords should never be stored in plaintext
  • Use cryptographic hash functions to store password hashes
  • Salting: Add random data (salt) before hashing to prevent rainbow table attacks
  • Unix historically used 25xDES (25 iterations of a modified DES) for password hashing
  • Modern systems use bcrypt, scrypt, or Argon2

Password Best Practices:

  • Use at least 12 characters
  • Mix uppercase, lowercase, numbers, symbols
  • Don't use dictionary words or personal info
  • Use a unique password for each account
  • Consider using a password manager

Password Policies

  • Minimum Length: Require at least 8-12 characters
  • Complexity: Require mix of character types
  • Expiration: Change passwords periodically (though this is debated)
  • History: Prevent reuse of recent passwords
  • Account Lockout: Lock after failed attempts

Password Attacks

Attackers use various methods to crack or steal passwords:

Dictionary Attacks

Uses a list of common words, names, and passwords to guess credentials. Typical dictionaries contain ~1 million entries.

  • At 10 guesses/second: the whole list is exhausted in ~28 hours (a match is found after ~14 hours on average)
  • Effective against weak passwords

Brute Force Attacks

Tries all possible character combinations. Time depends on password length and complexity.

Rainbow Table Attacks

Uses pre-computed hash tables to reverse cryptographic hashes. Defeated by salting.

Phishing

Deceptive emails or websites trick users into revealing passwords.

Shoulder Surfing

Observing someone typing their password.


Exam Tip: Random 6-character passwords with mixed case, digits, and punctuation create 689 billion combinations, taking ~1,093 years on average to crack at 10 guesses/second!

Multi-Factor Authentication (MFA)

MFA combines two or more different authentication factors for stronger security. An attacker who compromises one factor (for example, a phished password) still lacks the others and cannot access the account.

Types of MFA

  • Two-Factor (2FA): Combines two different factors
  • Three-Factor: Combines all three factors
  • Multi-Layer: Multiple layers of the same factor

Common MFA Implementations

  • SMS Codes: One-time codes sent to phone (less secure)
  • Authenticator Apps: TOTP (Time-based One-Time Password)
  • Hardware Tokens: Physical devices generating codes
  • Push Notifications: Approval requests to registered devices
  • Biometric + PIN: Combining factors

MFA Flow

Login -> Password -> 2FA Code -> Access

Biometric Authentication

Biometrics use unique physical or behavioral characteristics for identification.

Types of Biometrics

Static Biometrics (Physical Characteristics)

  • Fingerprint: Most common, high accuracy
  • Facial Recognition: Widely used in smartphones
  • Iris/Retina: Very high accuracy, used in high-security areas
  • Hand Geometry: Used in physical access control
  • Vein Patterns: Unique vein structure in hands

Dynamic Biometrics (Behavioral Characteristics)

  • Voice Recognition: Analyzing speech patterns
  • Keystroke Dynamics: Typing patterns and rhythm
  • Signature Dynamics: Writing speed and pressure
  • Gait Analysis: Walking pattern recognition

Biometric Performance Metrics

Metric                      | Description
----------------------------|--------------------------------------------------------
False Acceptance Rate (FAR) | Incorrectly accepting unauthorized users
False Rejection Rate (FRR)  | Incorrectly rejecting authorized users
Crossover Error Rate (CER)  | Point where FAR equals FRR; lower is better
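How FAR, FRR and CER fall out of a matcher's score distribution, as an added example in Python that is not part of the original page. The genuine and impostor match scores are constructed sample data; sweeping the decision threshold shows the security/usability trade-off and locates the crossover point.

```python
from typing import List, Tuple

# Constructed sample match scores in [0, 1]; higher means a stronger claimed match.
GENUINE = [0.90, 0.85, 0.80, 0.75, 0.60]   # enrolled users against their own template
IMPOSTOR = [0.20, 0.30, 0.50, 0.65, 0.70]  # other people against that template


def far(impostor: List[float], threshold: float) -> float:
    """False Acceptance Rate: share of impostor attempts scoring at/above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: List[float], threshold: float) -> float:
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Try every observed score as a threshold and return (threshold, FAR, FRR)
    where |FAR - FRR| is smallest: the Crossover Error Rate operating point."""
    best = None
    for t in sorted(set(genuine + impostor)):
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


def trade_off(genuine: List[float], impostor: List[float]) -> List[Tuple[float, float, float]]:
    """Raising the threshold tightens security (FAR falls) at the cost of
    usability (FRR rises); returns (threshold, FAR, FRR) rows for inspection."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in (0.5, 0.7, 0.85)]


if __name__ == "__main__":
    for row in trade_off(GENUINE, IMPOSTOR):
        print("threshold=%.2f  FAR=%.2f  FRR=%.2f" % row)
    print("CER point:", crossover(GENUINE, IMPOSTOR))  # (0.7, 0.2, 0.2)
```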