Page 231 - DCAP311_DCAP607_WIRELESS_NETWORKS

Unit 14: Authentication





• Something held by only the user—Possession-based (for example, security token, smart card, shared soft tokens, mobile device, and so on).
• Something inherent to only the user—Biological or behavioral biometric traits (for example, facial recognition, fingerprint, voice recognition, keystroke dynamics, signature, and so on).

Example: Many enterprise extranet/VPN solutions today require both simple credentials (something known, such as ID and password) and hardware tokens (something held, such as SecurID with time-based one-time password generators, smart cards that use embedded PKI solutions, and so on) in order to gain access. The combination of the two "known" and "held" factors makes up the multifactor authentication method, and significantly improves the authentication strength, as it curtails the threat of stolen digital identities.
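The "known" plus "held" combination in the example above can be made concrete in code. The following Python is an added illustration written for this unit; it is not taken from the textbook or from any vendor's product. It verifies a salted password hash (the known factor) and a time-based one-time password of the kind a SecurID-style token generates (the held factor, implemented here as RFC 4226 HOTP / RFC 6238 TOTP), and grants access only when both pass. The user record, password, timestamps and token seed are constructed for the example; the seed is the published RFC test-vector seed, so the generated codes can be checked against the RFC tables.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo values: a real deployment provisions the TOTP seed on the
# user's token or device and stores only a salted password hash on the server.
TOTP_SEED = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector seed
TOTP_STEP = 30                        # seconds per time step
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 200_000


def hotp(seed, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, unix_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed, submitted, unix_time, window=1):
    """Accept the code for the current step and +/- `window` adjacent steps so
    a small clock drift between token and server does not lock the user out.
    Each candidate is compared in constant time."""
    if not (submitted.isdigit() and len(submitted) == TOTP_DIGITS):
        return False
    step = unix_time // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(seed, step + d), submitted)
        for d in range(-window, window + 1)
    )


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 for the 'something known' factor."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash from the submitted password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed user record for a hypothetical user "alice".
_SALT, _DIGEST = hash_password("correct horse battery staple")
USER = {"id": "alice", "salt": _SALT, "pw_digest": _DIGEST, "totp_seed": TOTP_SEED}


def authenticate(user, password, otp, unix_time=None):
    """Multifactor decision: both factors are always evaluated and both must
    pass, so a failure does not reveal which factor was wrong."""
    now = int(time.time()) if unix_time is None else unix_time
    known_ok = verify_password(password, user["salt"], user["pw_digest"])
    held_ok = verify_totp(user["totp_seed"], otp, now)
    return known_ok and held_ok


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 8-digit SHA-1 TOTP is 94287082.
    print("TOTP at t=59:", totp(TOTP_SEED, 59, digits=8))
    pw = "correct horse battery staple"
    print("password + valid OTP:", authenticate(USER, pw, totp(TOTP_SEED, 59), 59))
    print("password + wrong OTP:", authenticate(USER, pw, "000000", 59))
```

The acceptance window is the usual trade-off between usability (token clocks drift) and exposure (a code stays valid for up to three steps here); a production verifier should also remember the last step at which a user's code was accepted and refuse to accept that step again, so that a code captured in transit cannot be replayed inside the window.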
In practice, however, there is a wealth of implementations, methods, and permutations of them—all with varying trade-offs in terms of cost, complexity, usability, and security. Next, let's discuss viable solution approaches.

14.1.3 Approaches in User Authentication

Following are the approaches in User Authentication:
1. Solution Approaches: Now, not all of the strong-authentication options that are available today lend themselves well to the Web. Conventional multifactor authentication methods (that involve the deployment of custom hardware tokens, such as RSA SecurID, smart cards, and so on) are effective for closed communities—such as employees and partners—but they are too costly, inconvenient, and logistically difficult—for example, distribution, administration, management, support, and so on—for the open consumer communities on the Web. In this case, authentication solutions have to work primarily within the confines of the browser's security sandbox. Here, we discuss a few solution approaches that are relatively cost-effective to implement for online consumers, based on today's standards:
Figure 14.1: Knowledge-based Authentication
Source: http://msdn.microsoft.com/en-us/library/cc838351.aspx#_Architectural_Perspectives
Knowledge-based authentication (KBA) (Figure 14.1) typically is implemented as extensions to existing simple-password authentication. Knowledge-based credentials include chosen information, personal and historical information, on-hand information, deductive and derived responses, patterns, images, and so on. However, it generally boils down to additional set(s) of challenge-response that allow users to prove that the claimed identities belong to them. Some well-known examples include Bank of America's "SiteKey," HSBC's




LOVELY PROFESSIONAL UNIVERSITY 225