Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Apr 2, 2011

Introduction to authentication

The last couple of months large players such as Microsoft, Google, and Facebook have announced changes to their login procedures and how they authenticate their users. Facebook and Hotmail offer single-use codes to avoid compromise of users' regular passwords. Google has rolled out a new (optional) two-step verification for access to Google accounts. These are interesting changes in functionality to increase the security for users on the Internet.

I'll be blogging about some of these authentication procedures. To lay the foundation for my upcoming blog posts on authentication I figured it would be a good idea to give a quick rundown of what authentication is, just to get the basics out of the way. Here it goes:

Authentication defined
If you consult the Oxford dictionary on your iPhone you'll learn that:
prove or show (something) to be true, genuine, or valid;
When we authenticate users of computer systems, what are we trying to prove? In short, that the correct people are logged in to the correct user accounts. So, for computer systems we'll see that it makes sense to use the following definition:
Authentication is the process carried out to show that a user is who she claims to be
To explain what this means we'll break a typical authentication procedure into two phases: the user claims to be the owner of a digital identity, and we need to verify that the claim is true before the user is allowed to assume the claimed identity.

The claim — The user usually presents a username as her digital name (or identifier) to associate her with a particular user account. Imagine a user logging into Facebook with her username and password. She will enter her username, claiming that this is her Facebook account. To give Facebook some assurance that she in fact is the person behind that particular username, she must also back her claim with some proof. She therefore also enters her password, a secret shared only between her and Facebook.

Verifying the claim — Facebook looks up the account the user claims belongs to her, and verifies that the password presented matches the one they have on file for the account. If the password is correct, Facebook believes the claim to be true and will log in the user. If the password is wrong, authentication fails because the user's claim could not be shown to be true.

That was a short introduction to the concept of authentication, next we'll have a look at the authentication factors used to back up a claim. Just remember: Authentication is all about proving that you are the person corresponding to a digital identity in a computer system.

Who Goes There?: Authentication Through the Lens of PrivacyIf you want to dig deeper into the topic of authentication, I recommend a great book on the subject: "Who Goes There? Authentication Through the Lense of Privacy." Clicking on the image will bring you straight to Amazon. This book touches upon the more fundamental aspects of authentication, and will give you a deeper understanding of what authentication really is. I've read it several times myself, every time I learn something new.

A word of advice: Don't drink wine while you read it, you'll suddenly find yourself in a very philosophical mood — asking yourself existential questions and wondering about who you really are. You've been warned.

Authentication factors
You can authenticate to a computer system in various ways. Computer systems are often said to use single-factor, or two-factor authentication. The authentication factors are the different types of evidence presented during authentication. To better grasp what this means, we'll have a look at the common categorization of authentication factors. These are so important that they deserve to be in a list before we explain them:

  • Something you know
  • Something you have
  • Something you are

Something you know — usually refers to a shared secret such as a PIN code or a password. If you're warned that "you must never write down this code/passord/PIN" it's definitely a "something you know" factor. The answer to a personal question falls into this category as well. Examples would be classic password reset "security" questions such as: "Mother's maiden name?", "Name of your dog?", "Where did you go to school?"

*Update: See separate post on security questions: Why security questions are not.

Something you have — means that you can prove possession of a physical token. A well known example is RSA's SecurID tokens shown in the picture. All code generating dongles fall into this category. Mobile phones are increasingly being used for authentication as "something you have" elements, either through code generating apps or by receiving one time passwords by SMS.

Something you are  — biometrics. Iris scans, fingerprint scans and so on falls into this category. This is the least popular category of authentication factors, and it's not usually widely deployed in computer systems.

How many factors?
This brings us right to single-factor vs. two-factor authentication. The difference might seem apparent, but there are some subtleties. To make it a two-factor authentication, you need to use two different types of authentication factors. That means, if you supply a username and a code from your RSA Securid to log in, then it's a single-factor authentication procedure. You've only used the "something you have" factor to back up your claim. If you in addition supply a PIN or password, it becomes a two-factor authentication scheme since you also present a "something you know" factor.

Note that the username does not count as a factor! A common flaw in authentication systems is to e.g. use social security numbers as some sort of "password". It's not, it's an identifier often no more secret than your name. You can claim that it's your number, but you better back it up with some proof!

"Something you have" goes mobile
It is increasingly popular to rely on mobile phones when authenticating users. This is quite natural, since your mobile phone is usually "something you have" with you. There are several ways to leverage mobile phones when authenticating users. One approach is to send the user a one time password by SMS. When the user enters the password on her computer, you get assurance that the mobile phone was present during authentication. Similarly, the user might install an app to generate codes, making the mobile phone a replacement for dongles such as the RSA SecurID.

However, the very reason for a user to bring her mobile phone everywhere — to use it all the time for all sorts of things — also constitutes the biggest security challenge when relying on it as an authentication factor. People surf the web with their phone, they often uncritically download apps, and the phone is usually always online. The broad use of mobile phones, combined with their sophistication, make them an increasingly interesting target for malware writers. As a recent example, there were malicious software circulating on the Android market store, and there were also reports on how users could be tricked into installing apps on their Android phones. In February I blogged how the procedure to purchase and install apps through Android market would reduce two-factor authentication to single-factor authentication if an Android phone was used as an authentication factor.

As more and more websites build on the mobile phone as an authentication factor, efforts to attack mobile devices will only intensify. It will be interesting to see how it plays out.

The end
That concludes this post. I've laid out the basics of authentication, which authentication factors we have and how we count them, and we've touched upon the growing use of mobile phones as the "something you have" factor. I'll be blogging more about authentication procedures, and now that the foundation is in place I can focus more on the specifics.


  1. Something tells me that you should visit this site for some info on how to write great essay. This could be good

  2. Hey everyone! I think, there is very useful and interesting post! I am a student of the IUR college and for me the greatest way to write my essays is to use this online papernow company that I have found a few months ago via web searching. I no longer strain when I get writing tasks in the form of essays and instantly go for help to professionals to make an order. I can say, this greatly facilitates my student life. I can recommend this fantastic servicey for every pupil, who needs help, like me.

  3. I really like your blog and I think you will be interested to read examples of my work. I also work as a writer and specialize in writing academic papers. If you are interested, you can see examples of my texts and reviews on the site https://rankmywriter.com/samedayessay-com-review

  4. That's so many factors mapquest driving directions It's so good introduction.

  5. Nice post! This is a very nice blog that I will definitely come back to more times this year!

  6. Authentication is very important and I am very happy that the financial service I use has dual authentication. I recently read on https://affirm.pissedconsumer.com/review.html that a lot of people are happy with the protection, but I saw one helpful tip. You can not take the phone on which you conduct double authentication anywhere to exclude the possibility of losing it.

  7. I am working as a technical writer at Assignment Help Australia. I feel so blessed that I have found the best assignment writing service. Everyone here is so cooperative. The healthy environment of the company helps me to give my best. I have research and exploration skills and a critical thinker, and very good writing skills. I have a unique style of writing. I am good at single sourcing. I know basic web designing.

  8. Thanks for picking out the time to discuss this, I feel great about it and love studying more on this topic. It is extremely helpful for me. Thanks for such a valuable help again. 사설토토

  9. Nice information and useable. I look forward to your next post

  10. Thanks for picking out the time to discuss this, I feel great about it and love studying more on this topic. It is extremely helpful for me. Thanks for such a valuable help again. This blog is very informative and also if you want more information on HOW TO MAKE A GAY GUY FALL IN LOVE WITH YOU then this source is really helpful.

  11. Hey there! Howya doing.. its really amazing that you have given us a very informative blog Keep sharing Godbless!!
    abogados de bancarrota a mi alrededor!

  12. This article is really informative and full of knowledge and also more information visit on he looks into my eyes when he talks to me

  13. Unlock the full potential of your messaging with
    Plus WhatsApp download , offering a plethora of enhanced features and customization options. Upgrade your communication game with Plus WhatsApp today!

  14. This comment has been removed by the author.

  15. Amazing WA mod in replcement of GB WA , click and download !


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts