Who are you? Authentication technologies ensure users are who they claim to be

California CPA, May, 2005 by David Cieslak

Today, more than ever, protecting your electronic identity is a top priority. In addition to normal security precautions, such as using antivirus software and keeping system patches up to date, computer users must be on guard against phishing scams and other high-tech methods used by identity thieves, who seek to coax you into surrendering your personal information.

So, how can you combat this problem and better protect your vital information?

Meet authentication technologies.

Authentication technologies are not new. In fact, a number of products and strategies have been around since the early days of computing.

However, a heightened awareness and increased affordability of these technologies is pushing them to the forefront.

In simplest terms, authentication technologies ensure that individuals are who they claim to be. The technologies fall under three broad categories: something you know, something you have and something you are.

Passwords, tokens, public key infrastructure and biometrics are all examples of authentication technologies that can help verify identity and control access to resources--and each falls within one of these three broad classifications.

PASSWORDS

Passwords are the least expensive and most common type of authentication technology and are based on "something you know."

Passwords require users to remember a string of characters and enter this information when prompted to gain access to a desired resource. Unfortunately, passwords also are one of the weakest forms of authentication technology and users themselves are typically at the root of this weakness.

Often, users share passwords, making them a poor means of individual identification. Or, passwords are left blank, not changed for long periods of time, re-used across multiple accounts or overly simplistic, leaving your password vulnerable to hacking via freely available tools.

While passwords should continue to play a role in user authentication, they should not be overly relied upon because of their inherent limitations.

TOKENS

Under the "something you have" category, token-based authentication technologies--such as magnetic strips (credit cards), smart cards, SecurID cards or USB keys--hold longer, harder-to-break "secrets" that are more difficult to hack or reproduce.

The weakness with authentication technologies is that tokens afford little protection if they are lost or stolen.

And similar to passwords, simple possession of these objects often serves as the only means to distinguish the owner.

The effectiveness of tokens can be significantly enhanced, however, by combining their use with "something you know." For example, requiring the use of a PIN code or password along with the possession of the physical token.

PUBLIC KEY INFRASTRUCTURE

PKI refers to a system where digital certificates are used to verify user identity for e-mail messages and e-commerce transactions, and also is an example of "something you have."

Digital certificates often are issued by an independent certificate authority that then acts as a third-party reference regarding the owner's identity. These certificates are attached to e-mail messages or referenced by a web browser during an e-commerce transaction as a means of identification.

[ILLUSTRATION OMITTED]

When applications encounter these certificates, the origin can be verified by inquiring with the issuing certificate authority to ensure the identity of the sender or website owner.

Digital certificates also provide a means for users to exchange encrypted information using a combination of a private key (owned by the sender) and public key (freely shared with recipients) to encrypt and decrypt message text.

PKI uses highly secure encryption standards and third-party verification to help ensure information integrity and end-user identity, but as yet, has only seen limited adoption in the marketplace.

BIOMETRICS

The final category of authentication technology is based on "something you are" and uses biometrics to examine physical characteristics to differentiate individuals.

Some of the more common biometric technologies include:

Fingerprint Recognition--Fingerprint identification systems take a digital scan of an individual's fingertip(s) and record their unique physical characteristics. Data is then either stored as an image or encoded as a character string.

To prevent fooling the system, some fingerprint ID systems also measure blood flow to the finger so that "fake" fingers can't be used.

Of all the biometric technologies, fingerprint recognition is becoming the most commonplace and is being incorporated into a number of new devices coming to market, from PDAs and thumb drives to mice and keyboards. These devices actually require users to swipe their finger prior to unlocking these devices.

In addition, a number of vendors sell external USB-based devices that can be plugged into any desktop or laptop computer to inexpensively ($50 to $100) add fingertip biometric authentication capabilities.

Fingerprints also are being used with a number of other devices including time clocks, cell phones, door locks and safes.