Authentication

The security quality subfactor, authentication, is the degree to which the claimed identities of externals are verified before allowing them to request and receive services (e.g., perform functions, obtain data).
Authentication is typically measured in terms of:
- The percentage of the time that authentication of a specified external [type] occurs in a specified situation.

See authentication requirements.
Typical mechanisms for implementing support for authentication include:
- What You Have:
  - Digital possessions:
    - Digital certificate
    - Token
  - Physical possessions:
    - Employee ID card
    - Hardware key
    - Smart card enabled with a public key infrastructure (PKI)
- What You Know:
  - Password or pass-phrase
  - Personal identification number (PIN)
  - Relatively private personal information:
    - The last four digits of your social security number
    - Your mother’s maiden name
    - The name of your pet
- Who You Are:
  - Behavioral Characteristics (What You Do):
    - Keystroke dynamics
    - Signature style
    - Voice pattern
  - Physiological Traits (What You Are):
    - Fingerprint
    - Hand (palm) print
    - Face recognition
    - Iris recognition
    - Retina scan
    - Vein recognition (infrared scan of the back of the hand)
- Where You Are:
  - Dedicated LAN line
  - Network address verification
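As an added example (not part of the original page), the following Python combines two of the mechanism categories above, a password for "what you know" and an RFC 6238 time-based one-time password for "what you have", and shows the ordering the guidelines below describe: identification first, then verification of every factor, then an audit record for accountability. The credential store layout, the algorithm choices (PBKDF2-HMAC-SHA256 for the password, HMAC-SHA1 TOTP with a one-step clock-skew window) and the demo identity "alice" are this example's assumptions.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Added example, not code from the page.  Two-factor authentication combining
# "what you know" (a password) with "what you have" (a TOTP device that shares
# a secret with the verifier).  Algorithm parameters are assumptions.
PBKDF2_ITERATIONS = 600_000   # assumption: current PBKDF2-HMAC-SHA256 guidance
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6

AUDIT_LOG: list = []          # accountability: every decision is recorded here


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked store does not yield reusable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 time-based one-time password: HOTP over the 30-second step count."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


def enroll(store: dict, identity: str, password: str, totp_secret: bytes) -> None:
    """Register an external: the identification record plus both authenticators."""
    salt = os.urandom(16)
    store[identity] = {"salt": salt,
                       "pw_hash": hash_password(password, salt),
                       "totp_secret": totp_secret}


def authenticate(store: dict, claimed_identity: str, password: str, otp: str,
                 unix_time: Optional[int] = None) -> bool:
    """Verify that the claimed identity belongs to the claimant.

    Identification (is this external known?) comes first; both factors are then
    evaluated before a decision is taken, so the caller learns only pass/fail.
    The detailed reason goes to the audit log, never back to the claimant.
    """
    if unix_time is None:
        unix_time = int(time.time())
    record = store.get(claimed_identity)
    if record is None:
        # Identification failed.  Still do the expensive hash so response time
        # does not reveal which identities exist.
        hash_password(password, b"\x00" * 16)
        AUDIT_LOG.append((unix_time, claimed_identity, "FAIL", "unknown identity"))
        return False

    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])

    # Accept the current step and one step either side to tolerate clock skew.
    expected = [totp(record["totp_secret"], unix_time + d * TOTP_STEP_SECONDS)
                for d in (-1, 0, 1)]
    otp_ok = any(hmac.compare_digest(e.encode(), otp.encode()) for e in expected)

    ok = pw_ok and otp_ok
    reason = "ok" if ok else f"password={'ok' if pw_ok else 'bad'} otp={'ok' if otp_ok else 'bad'}"
    AUDIT_LOG.append((unix_time, claimed_identity, "PASS" if ok else "FAIL", reason))
    return ok


if __name__ == "__main__":
    users: dict = {}
    secret = b"12345678901234567890"            # constructed demo secret (RFC 6238 test vector key)
    enroll(users, "alice", "correct horse battery staple", secret)
    now = int(time.time())
    print(authenticate(users, "alice", "correct horse battery staple", totp(secret, now), now))
    print(authenticate(users, "alice", "wrong password", totp(secret, now), now))
    print(authenticate(users, "mallory", "anything", "000000", now))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that a failed factor never short-circuits the other: both are always evaluated so that response time and the pass/fail answer do not tell the claimant which factor was wrong, while the audit log keeps that detail for the operator.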
The following guidelines have been found to be useful regarding authentication:
- Authentication verifies that the claimed identity is legitimate and belongs to the claimant.
- Authentication depends on identification.
- Authentication is typically insufficient by itself, but is a necessary prerequisite for authorization.
- Note that many of the above authentication security architecture mechanisms can also be used for identification.
- Authentication is required in order to ensure accountability of the external.
- The scope of authentication may include the identity of: