Selecting an Authentication Mechanism to Secure a Web Resource against Unauthorized Access
Anyone looking to reliably secure a web resource against unauthorized access runs into a crowd of providers and products that, by their own account, protect against nearly everything, the common cold included. This creates a muddle and makes the selection process a great deal harder. Let us try to sort it out and see which authentication mechanisms and tools are preferable for securing an application against unauthorized access in each of several typical business situations.
The Role of Authentication in Gaining Access to an Application
First of all, one must note that gaining access to any web resource involves three consecutive stages: identification, authentication, and authorization.
During the identification stage, the user presents a unique identifier that distinguishes them from every other user of the system, for example a user name or login. The system checks whether such a user exists and, if so, proceeds to the next stage.
During the authentication stage, the one attackers most often target, the system verifies that the user really is who they claim to be, ruling out access under a false identity. Once the user is authenticated, the final stage, authorization, follows.
During the authorization stage, the system determines which of its resources the user may access and which are denied. For instance, a system administrator can view information on all system users, while a regular user cannot open that page. When an authenticated user requests it, the system checks whether he or she is an administrator and grants or denies access accordingly.
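The three stages as a worked example, added here and not code from the original article: an in-memory user store, a salted PBKDF2 password check, and a role-based permission table. The user names, passwords, roles and resource paths are constructed sample data. The detail worth noticing is that an unknown identifier and a wrong password produce the same response, so the outcome of the identification step is never leaked to the caller.

```python
import hashlib
import hmac
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; the store keeps hashes, never passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (sample data, not from any real system).
# Each record holds the salt, the password hash and the user's role.
_SALT_ALICE, _SALT_BOB = b"\x01" * 16, b"\x02" * 16
USERS = {
    "alice": {"salt": _SALT_ALICE, "role": "admin",
              "hash": _hash_password("correct horse", _SALT_ALICE)},
    "bob":   {"salt": _SALT_BOB, "role": "user",
              "hash": _hash_password("battery staple", _SALT_BOB)},
}

# Authorization data: the resources each role may access. The user-list
# page from the text is admin-only.
PERMISSIONS = {
    "admin": {"/users", "/profile"},
    "user": {"/profile"},
}


def identify(username: str) -> Optional[dict]:
    """Stage 1, identification: map the claimed identifier to a record."""
    return USERS.get(username)


def authenticate(user: Optional[dict], password: str) -> bool:
    """Stage 2, authentication: verify the knowledge factor.
    For an unknown identifier a dummy hash is still computed so that the
    response time does not reveal whether the user name exists."""
    if user is None:
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def authorize(user: dict, resource: str) -> bool:
    """Stage 3, authorization: may this authenticated user access `resource`?"""
    return resource in PERMISSIONS.get(user["role"], set())


def access(username: str, password: str, resource: str) -> str:
    """Run the three stages in order. An unknown user and a wrong password
    both yield the same 401, so the caller learns nothing about which user
    names exist; 403 is only ever returned to an authenticated user."""
    user = identify(username)
    if not authenticate(user, password):
        return "401 authentication failed"
    if not authorize(user, resource):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    print(access("alice", "correct horse", "/users"))    # 200 ok
    print(access("bob", "battery staple", "/users"))     # 403 forbidden
    print(access("mallory", "anything", "/profile"))     # 401 authentication failed
```

The stages are kept as separate functions on purpose: authorization is called only with a record that has already passed authentication, and the permission table is the single place where the "administrators only" rule from the text lives.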
From the software-implementation viewpoint, identification and authorization are fairly straightforward. Authentication, by contrast, has a number of subtleties, and authentication systems differ from one another considerably in both reliability and cost.
Let us dwell on these differences and peculiarities.
Authentication in More Detail
So how can one determine that a person really is who he or she claims to be? Three factors help:
Knowledge – the user knows something that only a person entitled to access the system should know, for example a password, a mother’s maiden name, and so on.
Ownership (possession) – the user has an object only he or she should have, for instance a key, a bank card, a mobile phone, and so forth.
Inherence (a physical characteristic) – the user has a unique physical trait, such as a fingerprint, a retina pattern, facial features, and more. Such characteristics are referred to as biometrics, and the authentication methods based on them are called biometric methods.
Other authentication factors exist, but one way or another they all reduce to the three basic ones. For example, Facebook can confirm a user’s identity with the help of his or her friends. This approach may be called social authentication, since the user is vouched for by other people. But how does one user confirm the identity of another? Most probably by recognizing that person’s face, build, and behavior, in other words by biometric characteristics, the underlying authentication factor.
Let us compare the pros and cons of the various authentication factors (Table 1).
Table 1. Advantages and Disadvantages of Authentication Factors
As we can see, every factor has its pros and cons. So what should be done to improve the reliability of an authentication system?
The answer is obvious: combine several different factors. The disadvantages of one factor are then offset by the advantages of another, and the system as a whole becomes a great deal more reliable. Authentication systems that use several factors are called multi-factor systems. Most often they combine a knowledge factor (a password) with an ownership factor (a token, that is, a device that generates one-time passwords). Note that two instances of the same factor, such as a password plus a security question, do not make a system multi-factor: both are knowledge, and both can be captured by the same phishing page.
Selecting an Authentication System
Now that we know a reliable authentication system must combine several authentication factors, it is just as important to know how to select the combination that is optimal for your particular case.
As with any other protection mechanism, the choice of an authentication system should proceed from the value of the resource being secured and the consequences a break-in could entail. It makes no sense to install a steel door on a shed that contains nothing but hay. If you run an information and entertainment portal and compromising a user account cannot inflict any serious damage, a simple password is sufficient. If users hold no sensitive data but a compromised administrator account would still cause damage, use ordinary passwords for users and two-factor authentication for administrator accounts. However, if compromising a user account poses a serious threat, multi-factor authentication for everyone is the right choice.
One should also consider user-friendliness, since the more reliable and complex a system is, the more actions the user must perform to gain access. What matters here is how captive your audience is. Multi-factor authentication is a must for corporate and financial systems, where an information leak may have serious consequences; the users of a corporate system cannot choose another system, so the login procedure can be made more demanding. If, however, the users of your resource are free to choose between you and your competitors, it is not worth forcing multi-factor authentication on them: make it available as an option and recommend that they enable it.
Cost of ownership is another important criterion, but it should influence only the choice of specific tools and mechanisms, without lowering the overall level of security. For example, the highest level of security is obviously achieved when all three factors are combined, but biometric systems are expensive and add comparatively little to an application’s security. Bear in mind as well that a fingerprint or a face is not a secret and, unlike a password or a token, cannot be replaced once a copy of it has leaked.
For banking, corporate, and other systems with high security requirements, two-factor authentication based on a static password and a dynamic (one-time) password is quite sufficient. Compared with a three-factor system, its total cost of ownership is much lower, while its reliability is nearly the same and adequate for business purposes.
Bear in mind that security is a composite state that hinges on a number of factors, and the weakest-link principle applies in full. All the components of a security system must therefore be well coordinated: a steel door is no use if the ground-floor window has no bars.
About the Author
Denis Shokotko is one of the Software Engineers working on the Protectimus project (http://www.protectimus.com), a powerful technology start-up launched by INSART ( http://www.insart.com) to develop a new-generation, technologically advanced, and affordable two-factor authentication system. Denis’s team has been able to resolve in practice a number of authentication issues to deliver a solution that boasts numerous significant advantages, and has already become an integral part of two payment systems offered by international technology companies.