2.4 Summarize authentication and authorization design concepts

  • Authentication Methods
    • Directory Services
    • Federation
    • Attestation
    • Technologies
      • Time-Based One-Time Password (TOTP)
      • HMAC-Based One-Time Password (HOTP)
      • Short Message Service (SMS)
      • Token Key
      • Static Codes
      • Authentication Applications
      • Push Notifications
      • Phone Call
    • Smart Card Authentication
  • Biometrics
    • Fingerprint
    • Retina
    • Iris
    • Facial
    • Voice
    • Vein
    • Gait Analysis
    • Efficacy Rates
    • False Acceptance
    • False Rejection
    • Crossover Error Rate
  • Multifactor Authentication (MFA) Factors and Attributes
    • Factors
      • Something You Know
      • Something You Have
      • Something You Are
    • Attributes
      • Somewhere You Are
      • Something You Can Do
      • Something You Exhibit
      • Someone You Know
  • Authentication, Authorization, and Accounting (AAA)
  • Cloud vs On-Premises Requirements

Authentication Methods

How do we know that you are who you say you are?  How can we authenticate you?  When I log in to a computer, how does the organization know that I am Hazim Gaber?

The most common way is with a Directory Service.  The original idea behind a directory service was to create kind of like a phone book for a network.  A Directory Service keeps track of users and their privileges.  It may also keep track of devices including computers and mobile phones.  Most of the popular directory services use a protocol called LDAP, which we will discuss later.

Some popular Directory Services

  • Microsoft Active Directory.  Microsoft AD integrates well with Windows computers.  It also integrates with Azure Active Directory, which is the cloud-based version.

  • Apple Open Directory.  Apple Open Directory runs on an Apple server.

  • 389 Directory Server.  389 is open source and runs on most Linux operating systems.

  • OpenDJ.  OpenDJ was created by Sun Microsystems and is open source.  It runs on Windows, Apple, and UNIX operating systems.

Some benefits of Microsoft Active Directory

  • Allows us to centralize the management of user accounts.  A user account is no longer linked to a specific computer, but a central database.

  • Allows us to create groups of users and assign them permissions.

  • Allows us to centralize the management of computers and other devices.

Federation is a process where two computer systems establish a trust relationship.  Federation allows a user to access resources located in multiple domains.

For example, a user working at Google can use Skype for Business to communicate with users working at Yahoo.  The Skype system at Google and the Skype system at Yahoo are connected (federated) to allow users to exchange information.

Even though two systems may be federated, an administrator may limit or control the type of information they are allowed to exchange.

Attestation is a process that allows a device to prove that it is authentic.  When a user connects their corporate laptop to the network, how does the network know that it is legitimate?  The network may send the device a challenge (kind of like a math equation that only a legitimate device can solve).  Or the device may present the network with a certificate that authenticates it.

Let’s look at some technologies we can use to authenticate users.  These technologies may be combined with a username/password to produce multi-factor authentication.

  • Short Message Service (SMS).  The user logs in with a username/password combination.  If the username/password combination is correct, the user is prompted to enter a short code.  We then send the user a text message with a one-time code, which is generated by the server.  If the user enters the correct code, then he is authenticated.

    The problem with SMS is that it can be hacked.  SMS is not a secure system.  SMS messages can be intercepted.  Also, a hacker could call the phone company, impersonate the subscriber, and move his phone service to a SIM card that is controlled by the hacker.  Then the hacker would have access to all the user’s text messages.

  • Phone Call.  The user logs in with a username/password combination.  If the username/password combination is correct, the user is prompted to enter a short code.  We then call the user and provide him with a one-time code, which is generated by the server (the call is automated).  If the user enters the correct code, then he is authenticated. 

    Like SMS, phone calls are not secure.  They can be intercepted, and cellular SIM cards can be hijacked.

    If a hacker has possession of the user’s phone, he will also be able to answer the call or view the text messages.  Most phones allow users to answer phone calls and view new text messages even when the device is locked.

  • Push Notifications.  In response to the lack of security posed by automated phone calls and text messages, vendors created the push notification security.  The user logs in with a username/password combination.  If the username/password combination is correct, the user’s phone is sent a notification.  The notification tells the user that he is attempting to log in and asks him to verify whether the login should be authorized.  If the user accepts, then the login is authorized. 

    Assuming that the push notification is sent to the authorized user’s device, and is encrypted, then the push notification is more secure than an SMS or phone call-based password.  The problem with most push notification implementations is that the user is always offered an option to receive a code via SMS or telephone if he didn’t receive the push notification.

  • Time-Based One Time Password (TOTP).  The user logs in with a username/password combination.  If the username/password combination is correct, the user is prompted to enter a short code.  How do we generate this code?  The user will have a token, which could be a physical device or a software application.

    • The token and the server know about a secret key, known as a seed; the seed is used to generate the token key

    • The token and the server also know what the current date and time is

    • The token generates a new key every 30 or 60 seconds

    • Each key is only valid for 30 or 60 seconds

    • The server can also generate keys, so that it can validate that the correct key has been entered

    • If date/time is not correct on either the server or the token, then the server will not accept the key generated by the token.  The token may give the server a key that is too far in the future or too far behind.  The server will be expecting a different response.  Since time cannot perfectly synched, the server may be programmed to accept keys that are a few minutes early or a few minutes late.
  • HMAC-Based One-Time Password (HOTP).  The user logs in with a username/password combination.  If the username/password combination is correct, the user is prompted to enter a short code.  How do we generate this code?  The user will have a token, which could be a physical device or a software application.

    • The token and the server know about a secret key, known as a seed; the seed is used to generate the token key

    • The token and the server also have a counter

    • The server increments the counter when a user attempts to enter a token key and the token increments the counter when a new key is generated.  If a user generates a key on the token and does not enter it into the server, then the counter on the server will be out of sync with the counter on the token.  The server can be set to accept keys that are several “counts” away.  If the counts are too far apart, the server and the token must be resynched.

    • An HOTP token key is valid until it is used

    • Both the server and the token can generate keys, so that the server can validate that the user has provided the correct key

  • Token Key.  The Token Key is a small physical device that generates one-time passwords.  It does so via the TOTP or HOTP algorithm.

    A popular token is made by RSA

A more advanced token looks like a calculator.  When the user logs in, the server provides the user with a seven-digit code.  The user unlocks the token with a PIN, and then enters the seven-digit code.  The token responds with a six-digit code, which it calculates from the seven-digit code.  The user enters this code back into the website or computer to log in.  The server performs the same calculation as the calculator, and if the result matches what the user entered, then the user is authenticated.

  • Authentication Applications.  We can take the token key idea and turn it into an app that runs on your computer or phone.  The most popular authenticator apps are Google Authenticator and Microsoft Authenticator.  The benefit is that each one can generate codes for multiple services.

  • Static Codes.  When the user account is first created, the server uses an algorithm to generate a set of static codes.  Each of these codes works as a one-time code, with no expiry date.  The user normally keeps these static codes somewhere safe and can use one of them to log in in the event that his token or cell phone is unavailable.  A code will expire upon use.

Smart Card Authentication

A Smart Card is a credit card sized device with a microchip.  The smart card can hold a certificate issued by the organization.  The certificate is associated with the user account.

How does it work?  Typically, the user inserts his smart card into the smart card port on his laptop or desktop computer (you can purchase a keyboard with an integrated smart card reader).  The Smart Card then presents its certificate to the server, and the user is authenticated.  Authentication may take place with the following credentials

  • Smart Card alone identifies and authenticates the user
  • Smart Card and PIN entered by user
  • Smart Card and username entered by user
  • Smart Card, username, and password entered by user


Physical access control can be combined with biometric factors to improve security.  Biometrics are better because a physical access card can be lost or stolen, in which case, an unauthorized user can use it to gain access.

A biometric device takes a photograph of a human bodily attribute (or generates a sound file) and then converts it into a mathematical model.  For example, a fingerprint reader might understand the bumps and ridges on a fingerprint and compares their relative sizes.  There are many different algorithms that each biometric device can use, and each one is different.

A biometric reader does not (and cannot) create a pixel-by-pixel comparison of a person.  Imagine taking a photograph of your face 100 times.  Each photo will be slightly different.  The lighting, the reflection, the angle of your head, and the position of your hair will be slightly different each time.  That is why we must use a mathematical model to obtain an approximation.  That is also why you must scan your fingerprint multiple times when you first register it.  The device must view and analyse your fingerprint from multiple angles to obtain a clear picture.

Biometrics are not perfect.  Most biometrics have a false positive because of the algorithm.  The false positive rate in a fingerprint reader is approximately 1 in 50,000.  It varies from device type to device type.  That is why many phones lock after several invalid fingerprint scans but continue to unlock with a password.

The different types of biometric errors.  We may be able to adjust the sensitivity of a biometric device to allow more errors of one type or another.

  • False Acceptance Rate.  A false acceptance is when an invalid user is authenticated.  If the false acceptance rate is increased, more legitimate users will be accepted, but many unauthorized users will also be accepted.  If too many legitimate users are being rejected, we might want to increase the False Acceptance Rate.

  • False Rejection Rate.  A false rejection is when a valid user is rejected.  If the false rejection rate is increased, more unauthorized users will be rejected, but many authorized users will also be rejected.

  • Crossover Error Rate.  The Crossover Error Rate is when the False Acceptance Rate and the False Rejection Rate are equal.  An administrator can adjust the system’s rejection threshold so that the two rates are equal.  At the Crossover Error Rate, the system operates efficiently.

Some types of biometrics

  • Fingerprints

    • A fingerprint scanner maps a person’s fingerprint and converts it into a mathematical signature.  This signature is stored.

    • It later compares new scans to the original mathematical signature.

    • Advanced fingerprint scanners can verify that a real finger has been scanned (as opposed to a mold of a finger)

    • Each time the user scans his fingerprint, advanced scanners can “learn” more about the fingerprint and update their model.

    • Fingerprint scanners are cheaper than other biometric sensors

    • Fingerprint sensors are integrated into many smartphones

    • There are limitations because we can’t authenticate people who are missing fingers

  • Retinal Scan

    • A retinal scan uses a laser to examine the blood vessels in the back of the eye.  No two people have the same retinal pattern.

    • Retinal scans are unpopular because they require a user to have a laser shined into his eye; the user must also put his eye up against the sensor

  • Iris

    • An iris scan photographs the front of the eye from a distance.  No two people have the same iris scan.  The scanner develops a mathematical model of the patterns in the iris.

    • If we look at a photograph of a human iris, we can see patterns created by melanin pigments.  No two people have the same pattern.

  • Iris scanners are more popular than retinal scanners and are considered the best biometric.  Why?
    • A fingerprint gets worn out over the years, especially in people who use their hands for work.  That makes it more difficult to read fingerprints in older people.  The iris is well protected by the cornea and the eyelid, so that it does not wear out.  The iris continues to appear the same after many decades.

    • The shape of the iris is predictable.  It is usually circular and flat.  That makes it better than facial recognition because faces come in many shapes.

    • Most of the iris recognition devices use an algorithm called IrisCode.  IrisCode is so good that even if an iris scan has only a 74% match to the original, it can be declared a match.  That means that any two irises in the world differ by at least 26%.

    • The iris sensor can work in low light conditions.  It can identify a person who is wearing sunglasses and standing in a dark room.

    • A person can scan his iris without touching anything, unlike a fingerprint reader.

  • Voice Recognition

    • Voice recognition measures traits in your voice such as accents, pauses, tone, and volume to identify you.

    • The voice recognition may require you to repeat the same phrase each time, or you may be permitted to say anything you want.

    • Voice recognition is difficult to implement, but the technology is improving.

    • Some banks and phone companies are using voice recognition to authenticate customers over the phone.

    • Voice recognition sensors have a high rate of false positives and false negatives

  • Facial Recognition

    • Facial recognition scans features that are present on the user’s face.  A facial recognition algorithm might analyse the size, shape, and/or location of a person’s lips, eyes, and/or nose.

    • The software must be able to separate the face from its background.  It must also be able to filter items such as glasses.

    • Facial recognition may function in 2D or in 3D.

    • Facial recognition is integrated into many newer smart phones and computers.  It does not require specialized hardware; only software and a camera.  Facial recognition in computers and smart phones has a much higher error rate than that of dedicated hardware.

    • Facial recognition is integrated into many surveillance camera software applications, especially those used by law enforcement.  It can be linked to crawlers that analyse social media posts to positively identify a person.

    • Some American cities have banned the use of facial recognition by law enforcement.

    • Facial recognition systems work well

  • Vein

    • Vein biometrics uses a scanner to view the vein pattern in a person’s hand.  The device shines a near-infrared light-emitting diode at a person’s hand and views the image.

    • The technology is still under development.

  • Gait Analysis

    • Gait Analysis identifies a person by the way that he walks

    • The science of gait analysis is still under development and it is not clear how accurate it is

    • One benefit of gait analysis is that we can use a camera to identify people without their consent or knowledge

In general, when a user is first enrolled in an authentication scheme, his biometrics are captured.  A successful capture might require the user’s biometrics to be scanned multiple times.  This ensures that the capture device has seen the feature from multiple angles.  The captured biometrics may be stored on a central server or encrypted onto the user’s smart card. 

When stored on a smart card, the user’s privacy is better maintained.  The user presents his smart card to the reader.  The reader scans the user’s feature and compares it with what is stored on the smart card.  The user has no way to read or modify the contents of the smart card, which is digitally signed (and verified by the reader).

Privacy advocates do not like biometrics.  They are concerned with the risk that the biometric data is leaked or misused.

When you choose a biometric authentication mechanism, consider

  • How you will combine it with another type of authentication such as a password or smart card

  • Whether the technology you are purchasing is reliable

  • The privacy laws in your jurisdiction.

Multifactor Authentication (MFA) Factors and Attributes

The principles of multifactor authentication (formally two-factor authentication) are important.  The three main factors are Something You Are, Something You Have, and Something You Know.  Basic authentication methods combine Something You Have (a username/access card) with either Something You Know (a password) or Something You Are (biometric).

  • Something You Are – something you are refers to a biometric identity such as facial recognition, fingerprints, voice recognition, or a retinal scan.  Select the best type of biometric for your environment.

  • Something You Have – something you have refers to a smartcard, identification card, or username; it could also refer to a randomly generated password (such as an RSA SecurID or authenticator app)

  • Something You Know – something you know refers to a password or PIN

  • Somewhere You Are – somewhere you are refers to your physical location.  In the case of connecting to the internet, somewhere you are is your IP address. 

    If a hacker compromises a username/password and logs in through a computer or network location that is not recognized, then the login may be denied.  Websites have sophisticated ways of detecting users – IP address, web browser version, computer version, date/time of the login, other user behaviors.  If the username/login is correct, but the other factors aren’t, it could be that the account was compromised, or it could be that the user is travelling/bought a new computer.  The site can ask the user for additional verification (such as through an automated phone call).

  • Something You Do – something you do is an observation of the user’s action’s or behaviors.  In Windows a user can choose a picture password; in an Android phone the user can interact with a pattern.

  • Something You Exhibit – something you exhibit is a personality trait.  This is not very reliable.

  • Someone You Know – someone you know means that another person in your organization can verify your identity.  If you forgot your identification card at home, then security might give you a temporary pass if another employee verifies that you are who you say you are.

Identification, Authentication, Authorization and Accounting (AAA)

How does a secure system provide access to an individual?  Through IAAA – also known as AAA (Authentication, Authorization, and Accounting)

  • Identification is the process of identifying a person.  The person has presented credentials to the system (such as a smart card, an access card, an identification card, or a username).  It is possible that the credentials have been compromised, so the system has not verified the person’s identity at this stage.

  • Authentication is when the person has been positively identified.  Examples where authentication takes place

    • User presented a smart card and entered their PIN correctly

    • Presented an identification card to a security guard who positively compares the photograph on the card with the face of the individual

    • Entered the correct username and password into a computer

    • Scanned an access card at a card reader (the access card is a weak form of authentication because a lost/stolen access card can be used by an unauthorized individual)

  • Authorization is the process of providing the user with access to the resources that he requested.  Just because a user requested access and entered the correct username/password does not mean that the user is entitled to access.

    • For example, a user comes to work on a weekend but does not have permission to access the building outside of normal business hours.  The security guard recognizes the employee as a legitimate employee and verifies his identification but does not permit access.

    • The company uses Single Sign On (a user can access multiple resources with the same username/password).  A user logs in to an HR system with the correct username and password but is not authorized to access the system because he is not part of the HR department.

  • Accounting is the process of keeping track of who accessed what.  Accounting is important for audits, and to ensure that all access attempts are legitimate.  For example, patients have the right to know who accesses their personal health data.  A nurse at a hospital may have the ability (authorization) to access the electronic health records of any patient at the hospital but should only do so if she has a legitimate need (and not because she is curious).  The system should be able to track every time a patient record was accessed.

  • We should log the following

    • What credentials were used (username, password, etc.)?

    • What system did they log in to (computer, door, entrance, etc.)?

    • What resources did they access (shared folder, printer, etc.)?

    • When did the access take place?