Authentication Requirements
An authentication requirement is any access control requirement that specifies a required amount of the security quality subfactor authentication.
The typical objectives of an authentication requirement are to:
- Ensure that externals (users, client applications, external systems, message senders) are actually who or what they claim to be.
- Avoid compromising security to an impostor.
Authentication requirements are typically specified in terms of the following measurements:
- Minimum percentage of valid identities [by role, group] authenticated.
- Maximum percentage of invalid identities [by role, group] authenticated (false acceptances, i.e., false positives).
- Mean time for an attacker to become authenticated [manually, using a computer of given processing power].
The following are typical examples of authentication requirements:
- “The system shall allow [member of user class X | client application Y] to perform [list of actions Z] before being successfully authenticated.”
- “The system shall not allow [member of user class X | client application Y] to perform [any actions | list of actions Z] before being successfully authenticated.”
- “When under attack, the system shall [detect | prevent] the use of any forged authentication data.”
- “When the system detects the use of forged authentication data, then the system shall [list of actions X].”
- “The system shall [detect | prevent] the reuse of authentication data.”
- “The system shall reauthenticate [member of user class X | client application Y] under [list of conditions].”
- “The system shall only provide the following feedback to [member of user class X | client application Y] during or as a result of authentication.”
- “The system shall authenticate all of its users before allowing them to update their user information.”
- “The system shall authenticate all of its users before accepting a credit card payment.”
- “The system shall authenticate all of its client applications before allowing them to use its capabilities.”
- “The data center shall verify the identity of all personnel before permitting them to enter.”
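Several of the templates above (detect the reuse of authentication data, constrain the feedback given during authentication, act on detected forged data, reauthenticate under given conditions) describe behaviour a designer must eventually build, even though the requirement itself stays mechanism-neutral. The following is an added illustration, not code from the original page or from any system it describes: a hypothetical challenge-response authenticator in which every nonce can be answered once (a second answer is a detected replay), every failure returns the same generic feedback to the caller while the detailed reason is only recorded internally, and a session older than a configurable TTL triggers reauthentication. The credential store, secrets, user names and session TTL are constructed sample data.

```python
import hashlib
import hmac
import logging
import secrets

log = logging.getLogger("auth")

# Constructed sample credential store (not from the original page): user -> shared
# secret used for challenge-response. A production system would hold salted
# password hashes or public keys rather than raw shared secrets.
CREDENTIALS = {
    "alice": b"alice-shared-secret-0001",
    "bob": b"bob-shared-secret-0002",
}

# Used for unknown users so the HMAC work (and timing) matches that for known ones.
_DUMMY_SECRET = b"dummy-secret-for-timing-equalisation"

# The only feedback the caller ever sees on failure, whichever check failed
# ("the system shall only provide the following feedback ...").
GENERIC_FAILURE = "authentication failed"


def prove(secret: bytes, nonce: str) -> str:
    """Client side: proof of possession of `secret` for the server's nonce."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class Authenticator:
    """Hypothetical challenge-response authenticator (added illustration)."""

    def __init__(self, session_ttl: float = 300.0):
        self.outstanding = {}      # nonce -> user it was issued to
        self.consumed = set()      # nonces already answered: reuse is a replay
        self.sessions = {}         # user -> time of last successful authentication
        self.session_ttl = session_ttl
        self.events = []           # (kind, user, nonce): internal detail, never returned

    def challenge(self, user: str) -> str:
        """Issue a fresh, unpredictable nonce that can be answered exactly once."""
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = user
        return nonce

    def respond(self, user: str, nonce: str, proof: str, now: float):
        """Server side. Returns (authenticated, feedback)."""
        # "detect the reuse of authentication data": an answered nonce is a replay.
        if nonce in self.consumed:
            return self._reject("replay", user, nonce)
        issued_to = self.outstanding.pop(nonce, None)
        if issued_to != user:
            return self._reject("unknown-nonce", user, nonce)
        self.consumed.add(nonce)   # burn the nonce before checking the proof

        # Always run the HMAC comparison, even for unknown users, so response
        # time does not reveal whether the claimed identity exists.
        secret = CREDENTIALS.get(user, _DUMMY_SECRET)
        proof_ok = hmac.compare_digest(prove(secret, nonce), proof)
        if user not in CREDENTIALS or not proof_ok:
            return self._reject("forged-or-wrong-proof", user, nonce)

        self.sessions[user] = now
        return True, "authenticated"

    def needs_reauthentication(self, user: str, now: float) -> bool:
        """"Reauthenticate ... under [list of conditions]": here, session age > TTL."""
        last = self.sessions.get(user)
        return last is None or now - last > self.session_ttl

    def _reject(self, kind: str, user: str, nonce: str):
        # "When the system detects the use of forged authentication data, then the
        # system shall [list of actions X]": here the detail is recorded and logged
        # internally while the caller receives only GENERIC_FAILURE.
        self.events.append((kind, user, nonce))
        log.warning("authentication rejected: %s user=%s nonce=%s", kind, user, nonce)
        return False, GENERIC_FAILURE
```

The design point worth noticing is that the three distinct failure causes (replay, unknown or foreign nonce, bad proof) are distinguishable in `events` for the operator but indistinguishable in the returned feedback, which is exactly the split the feedback template asks a specifier to make explicit.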
The following are typical examples of authentication constraints:
- “The system shall support [list of authentication mechanisms].”
- “The system shall identify [user class X] according to [list of authentication processes].”
The preceding examples are written as absolutes and are therefore theoretically not feasible, because no system is 100% effective against security attacks. To make the requirement more feasible and testable, a minimum success threshold can be added as follows:
- “A minimum of 99.9% of the time, the system shall not allow [member of user class X | client application Y] to perform [any actions | list of actions Z] before being successfully authenticated.”
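A thresholded requirement is only testable if the measurements it rests on (percentage of valid identities authenticated, percentage of invalid identities authenticated, mean time for an attacker to become authenticated) can actually be computed from observed attempts. The following is an added illustration, not code from the original page: a hypothetical password authenticator, a deliberately weak variant that only identifies and never authenticates, a constructed attempt log with known ground truth, and functions that compute the two percentages and compare them with the thresholds, plus the brute-force mean-time estimate for a given guess rate and lockout policy. User names, passwords, salt, iteration count and all attempt rows are constructed sample data.

```python
import hashlib
import hmac

# Constructed credential store (not from the original page). A fixed salt and a
# low iteration count keep the example short; real systems use a random per-user
# salt and a far higher work factor.
_SALT = b"demo-salt"
_ITERATIONS = 10_000


def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "alice": _derive("correct horse"),
    "bob": _derive("battery staple"),
}


def authenticate(user: str, password: str) -> bool:
    """Verifies the claimed identity against its stored verifier."""
    stored = USERS.get(user)
    candidate = _derive(password)      # always derive, so timing is uniform
    return stored is not None and hmac.compare_digest(stored, candidate)


def identify_only(user: str, password: str) -> bool:
    """Deliberately weak: accepts any known user name without checking the
    credential (identification without authentication). Included so the
    false-acceptance measurement below has something to catch."""
    return user in USERS


# Constructed attempt log: (claimed identity, presented credential, whether the
# presenter really is that identity). The flag is ground truth known to the test
# harness, not to the system under test.
ATTEMPTS = [
    ("alice", "correct horse", True),
    ("bob", "battery staple", True),
    ("alice", "correct horse", True),
    ("alice", "password123", False),     # impostor guessing alice's credential
    ("bob", "", False),                  # impostor sending an empty credential
    ("mallory", "anything", False),      # unknown identity
    ("alice", "correct horse ", False),  # impostor, near miss
]


def measure(attempts, auth_fn):
    """Returns (% of valid identities authenticated,
                % of invalid identities authenticated)."""
    valid = [a for a in attempts if a[2]]
    invalid = [a for a in attempts if not a[2]]
    valid_ok = sum(auth_fn(u, p) for u, p, _ in valid)
    invalid_ok = sum(auth_fn(u, p) for u, p, _ in invalid)
    return (100.0 * valid_ok / len(valid), 100.0 * invalid_ok / len(invalid))


def satisfies(pct_valid, pct_invalid, min_valid=99.99, max_invalid=0.0) -> bool:
    """The thresholded form of the requirement: at least min_valid % of valid
    identities authenticated and at most max_invalid % of invalid ones."""
    return pct_valid >= min_valid and pct_invalid <= max_invalid


def mean_seconds_to_authenticate(keyspace, guesses_per_second,
                                 attempts_per_window=None, window_seconds=None):
    """Expected time for an attacker with no knowledge of the credential to be
    authenticated by guessing: half the keyspace at the effective guess rate.
    A lockout policy (N attempts per window) caps the online guess rate."""
    rate = guesses_per_second
    if attempts_per_window is not None:
        rate = min(rate, attempts_per_window / window_seconds)
    return keyspace / 2 / rate
```

Running `measure(ATTEMPTS, authenticate)` gives 100% of valid identities authenticated and 0% of invalid ones, which satisfies the 99.99% / 0% pair; `measure(ATTEMPTS, identify_only)` also authenticates 100% of valid identities but 75% of invalid ones, so the second measurement is the one that exposes a system that identifies without authenticating. The last function makes the third measurement concrete: a 6-digit PIN guessed online at 10 guesses per second takes 50,000 seconds on average, and a lockout of 5 attempts per 15 minutes stretches that to 90,000,000 seconds.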
The following are examples of authentication requirements from the Global Personal Marketplace (GPM) system, a global Web-based marketplace bringing together private individuals and small companies to buy and sell all manner of items:
- Accountant— “A minimum of 99.999% of the time, the GPM shall verify the identity of the accountant before permitting him or her to perform the following accountant use cases:
- Accountant Generates Financial Reports
- Accountant Updates Fee Schedule
- Accountant Updates User Restrictions.”
- Buyer— “A minimum of 99.99% of the time, the GPM shall verify the identity of the buyer before permitting him or her to perform the following buyer use cases:
- Buyer Reviews Personal History
- Buyer Registers Feedback About Seller
- Buyer Registers for Notification of Future Sales
- Buyer Places Bid On Item
- Buyer Modifies Bid On Item
- Buyer Buys Item At Direct Sale
- Buyer Places Sealed Offer At Decreasing Price Sale
- Buyer Modifies Sealed Offer”
The following guidelines have been found to be useful when producing authentication requirements:
- The scope of an authentication requirement can be:
- Many authentication requirements can be identified and specified in terms of the following:
| Component of Requirement | Possible Values |
| --- | --- |
| External Authenticated | Various types of users; various types of external systems; various senders of messages |
| State | Normal processing; degraded mode; under attack |
| Authentication Type | Repeated sign-on; single sign-on |
| Prior to Execution of | User task; use case; transaction; interaction |
| Measurement | Percent of valid identities authenticated; percent of invalid identities not authenticated |
- Authentication depends on identification. If identity is important enough to specify, then so is authentication.
- Authentication requirements are typically insufficient by themselves, but they are necessary prerequisites for authorization requirements.
- Do not analyze and specify authentication mechanisms with essential use cases. A very common requirements mistake is to specify the use of user identifiers and associated passwords using design-level logon use cases.
- Because of the close relationship between identification and authentication requirements, they are sometimes grouped together in requirements specifications.
- Authentication requirements should not be specified in terms of the types of security architecture mechanisms that are typically used to implement them.
- Note that some authentication security architecture mechanisms can be used to implement both identification and authentication requirements simultaneously.