Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)

Authentication is the process of validating the identity of the entity in question. Usually we think of authenticating users, but systems, programs, data, etc., also have a need for authentication.

Authentication information is that piece of information which can be used to verify the accuracy of the identity. This information which is used to authenticate the user 's identity must be protected so that it cannot be used to forge an identity. The factors that can be used to authenticate the identity of an entity are those factors that are unique to that specific entity. The factors must be known or derivable to both the entity being authenticated and the process authenticating the entity. The following are three basic factors that are used in authentication. These basic factors are available to all types of entities.

• Something you know ” a shared secret, a password, something both the user and the authenticator know. Password authentication is relatively inexpensive and easy to implement, which is why almost all systems that perform authentication use passwords. The most common password problem is a weak password ” if users can select them, they are generally not long enough, not random enough, or not changed often enough, to keep them secure. In addition, many systems do not store passwords in a secure location or with strong enough protections to prevent common password attacks.

• Something you have ” a physical ID (e.g., an identification card). Using a physical item increases the likelihood that its loss or theft will be noticed and reported .

• Something you are ” a measurable feature (e.g., fingerprint , facial characteristics, voiceprint). The measuring of a physical characteristic is called biometrics. If the entity that is being authenticated is a program or a system, the measurement can be a cryptographic checksum.