Page 234 - DCAP311_DCAP607_WIRELESS_NETWORKS
Wireless Networks
2. Architectural Perspectives: We have just discussed how strong user authentication can be
implemented as a component of a Web application architecture. Are there other areas of
concern and challenges that we should pay attention to, and how does this component
affect or relate to the rest of the architecture?
From an architectural perspective, strong user authentication involves more than
ensuring effective verification of identity and credentials at the point of user sign-on.
Delivering effective strong authentication requires a fully integrated and tightly
coordinated architecture.
3. Identity Proofing Approach: Identity proofing is the process of verifying a user's identity
(that is, confirming that the individual is indeed who they claim to be) before provisioning
user credentials. A strong user-authentication implementation is ineffective, and the identity
infrastructure becomes unreliable, if verifiable identity assurance cannot be established:
a credential bound to an unverified identity is strong only in name.
In-person identity proofing based on valid IDs and credentials remains one of the
more reliable methods today, and is commonly used by financial, government,
and healthcare organizations. On the other hand, in self-service scenarios in which identity
proofing is handled entirely online, organizations typically use knowledge-based
systems to verify user identities. In this case, however, the pieces of information that are
requested from an individual for identification purposes should be resistant to social-
engineering attacks and should not be facts an attacker could obtain from public records
or previously breached data.
Furthermore, the same level of identity proofing is also required when reissuing credentials
(for example, resetting passwords, recovering forgotten IDs, requesting elevated access,
and so on) and when terminating credentials. Weakening identity proofing at any stage
of an identity's life cycle adversely affects the overall authentication strength, because an
attacker will target the weakest stage, typically the credential-reset path.
The point at which user provisioning occurs is also where additional authentication factors
should be registered and associated with the new user's profile; these factors are then used to
support strong user authentication, for example, answering sets of challenge-response questions
to support KBA, registering and verifying a mobile phone number to support out-of-band OTP
delivery, capturing voice recordings to support speaker recognition, and so forth.
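The factor-registration step just described, as an added Python example that is not part of the textbook's text: an enrollment flow that binds a mobile number for out-of-band OTP delivery only after the user proves possession of it (the code expires, is single-use and attempt-limited), and that reuses the verified factor on the password-reset path, so credential reissue gets the same level of proofing as provisioning. The class and function names, the six-digit/300-second/three-attempt policy values and the sample phone numbers are assumptions made for this example; the SMS channel is simulated by an injected callback so the code runs offline.

```python
"""Enrolling an out-of-band OTP factor at provisioning time (added example, not from the textbook)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

OTP_DIGITS = 6           # hypothetical policy values chosen for this example
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingVerification:
    phone: str
    code: str
    expires_at: float
    purpose: str             # "enroll" (bind a new number) or "reset" (credential reissue)
    attempts: int = 0


@dataclass
class UserProfile:
    user_id: str
    verified_phone: Optional[str] = None   # set only after proof of possession
    pending: Optional[PendingVerification] = None


class FactorEnrollment:
    """Registers a phone number for out-of-band OTP delivery and reuses it for reissue."""

    def __init__(self, send_sms: Callable[[str, str], None], now: Callable[[], float] = time.time):
        self._send_sms = send_sms   # the out-of-band channel, injected so it can be simulated
        self._now = now

    def _challenge(self, profile: UserProfile, phone: str, purpose: str) -> None:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        profile.pending = PendingVerification(phone, code, self._now() + OTP_TTL_SECONDS, purpose)
        self._send_sms(phone, code)  # the code leaves the system only via the out-of-band channel

    def start_enrollment(self, profile: UserProfile, phone: str) -> None:
        """Begin binding `phone` to the profile; nothing about it is trusted yet."""
        self._challenge(profile, phone, "enroll")

    def start_password_reset(self, profile: UserProfile) -> bool:
        """Reissue path: challenge the factor verified at provisioning, never a caller-supplied number."""
        if profile.verified_phone is None:
            return False  # no verified factor on file: fall back to in-person or help-desk proofing
        self._challenge(profile, profile.verified_phone, "reset")
        return True

    def confirm(self, profile: UserProfile, submitted: str) -> str:
        """Returns one of: no_pending, expired, locked, mismatch, verified, reset_authorized."""
        p = profile.pending
        if p is None:
            return "no_pending"
        if self._now() > p.expires_at:
            profile.pending = None
            return "expired"
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            profile.pending = None  # challenge consumed; a fresh one must be issued
            return "locked"
        if not hmac.compare_digest(p.code.encode(), submitted.encode()):
            return "mismatch"
        profile.pending = None      # single use
        if p.purpose == "enroll":
            profile.verified_phone = p.phone  # bound only now, after proof of possession
            return "verified"
        return "reset_authorized"


if __name__ == "__main__":
    outbox = []  # stands in for the SMS gateway (constructed, offline)
    enrollment = FactorEnrollment(lambda phone, code: outbox.append((phone, code)))
    alice = UserProfile("alice")
    enrollment.start_enrollment(alice, "+15550100")   # constructed sample number
    print(enrollment.confirm(alice, outbox[-1][1]), alice.verified_phone)
```

Note that `start_password_reset` takes no phone number from the caller: the reissue path must rely on the factor proven at provisioning, otherwise an attacker who can reach the reset form simply supplies their own number and the strong factor is bypassed.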
4. Integration Architecture Approach: A comprehensive, robust, and reliable user-
authentication system is becoming more than a database-driven component of a single
stand-alone application. A strong-authentication system must be tightly integrated
and synchronized with the organization's security infrastructure, such as identity
management (IdM), Web access management (WAM), enterprise single sign-on (ESSO),
certificate and key management (PKI), vulnerability management, audit management,
policy management, user directories/repositories, and so on. In some cases, these systems
provide capabilities that can be leveraged to implement strong authentication,
while some downstream systems depend on the authentication system to pass them relevant
contextual information and authentication decisions (for example, role mapping) that are
needed for user authorization and access control.
Increasingly, an organization's security infrastructure includes capabilities that live
in the cloud (or are hosted by other service providers). Although these services do not
reside in the organization's own infrastructure, the same integration concerns and security-
access policies and requirements must still be applied consistently, in order to maintain a
uniformly reliable security architecture.
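How an authentication system can hand contextual information and authentication decisions to downstream systems, as an added Python example (not the textbook's own code): the authentication service signs an assertion carrying the subject, the factors used, the resulting assurance level and the roles mapped from directory groups; a downstream resource service verifies the HMAC signature and expiry before applying its own per-resource policy. Because higher-value resources demand a higher assurance level and yield a step-up decision rather than a flat denial, the same code also illustrates the layered approach introduced in the next item. The signing key, claim names, two-level assurance scale, role mapping and sample resource policy are assumptions made for this example.

```python
"""Signed authentication assertion consumed by downstream authorization (added example, not from the textbook)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Iterable, Optional

LEVEL_PASSWORD = 1        # hypothetical two-level assurance scale
LEVEL_PASSWORD_OTP = 2


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthenticationService:
    """Issues signed assertions; the only component that ever sees credentials."""

    def __init__(self, key: bytes, role_mapping: Dict[str, str], now: Callable[[], float] = time.time):
        self._key = key
        self._role_mapping = role_mapping   # directory group -> application role (role mapping)
        self._now = now

    def issue_assertion(self, user_id: str, factors: Iterable[str], groups: Iterable[str], ttl: int = 900) -> str:
        used = sorted(set(factors))
        level = LEVEL_PASSWORD_OTP if {"password", "otp"} <= set(used) else LEVEL_PASSWORD
        issued = int(self._now())
        claims = {
            "sub": user_id,
            "amr": used,                      # authentication methods actually used
            "level": level,                   # the authentication decision downstream relies on
            "roles": sorted({self._role_mapping[g] for g in groups if g in self._role_mapping}),
            "iat": issued,
            "exp": issued + ttl,
        }
        body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ResourceService:
    """Downstream consumer: trusts only what it can verify, then applies its own policy."""

    # Per-resource policy: permitted roles and minimum assurance level (constructed sample).
    POLICY = {
        "/account/summary": ({"customer"}, LEVEL_PASSWORD),
        "/account/transfer": ({"customer"}, LEVEL_PASSWORD_OTP),
        "/admin/users": ({"admin"}, LEVEL_PASSWORD_OTP),
    }

    def __init__(self, key: bytes, now: Callable[[], float] = time.time):
        self._key = key
        self._now = now

    def verify(self, token: str) -> Optional[dict]:
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None                        # tampered or foreign assertion
        try:
            claims = json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return None
        if self._now() >= claims.get("exp", 0):
            return None                        # expired
        return claims

    def authorize(self, token: str, path: str) -> str:
        """Returns allow, deny, step_up or invalid."""
        claims = self.verify(token)
        if claims is None:
            return "invalid"
        policy = self.POLICY.get(path)
        if policy is None:
            return "deny"                      # default deny for unclassified resources
        required_roles, required_level = policy
        if not required_roles & set(claims["roles"]):
            return "deny"                      # no amount of step-up compensates for a missing role
        if claims["level"] < required_level:
            return "step_up"                   # layered approach: re-authenticate with a stronger factor
        return "allow"


if __name__ == "__main__":
    shared_key = b"example-shared-key"          # assumption: a key both services hold
    auth = AuthenticationService(shared_key, {"retail-banking": "customer", "ops": "admin"})
    resources = ResourceService(shared_key)
    token = auth.issue_assertion("alice", ["password"], ["retail-banking"])
    print(resources.authorize(token, "/account/summary"), resources.authorize(token, "/account/transfer"))
```

The resource service never re-checks a credential; it consumes the decision the authentication system signed, which is why the key, the claim format and the expiry must be agreed and enforced consistently across on-premises and hosted components alike.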
5. Layered Approach: The initial logon page does not have to be the only point at which users
are authenticated. A layered approach can be implemented, so that different strength levels
of authentication are applied in different areas, according to the varying levels of
data confidentiality and/or value. When it is implemented with a balanced design between
228 LOVELY PROFESSIONAL UNIVERSITY