Authentication: Are You Who You Say You Are
What Is Authentication?
In general terms, authentication is "the process or action of proving or showing something to be true, genuine, or valid". In computer science it means "the process or action of verifying the identity of a user or process".
Why does authentication matter?
Human-to-human interaction has an in-built authentication mechanism. Our communication and transactions with another person are driven by who that person is. We do not share personal information with a stranger unless we know who they are, and what we discuss with a close friend or family member is quite different from what we discuss with a stranger; our information sharing is unique to each person. This is vastly different from how humans interact with computers. While authentication is inbuilt in human-to-human interaction, it is an explicit step in human-to-computer interaction. When you visit facebook.com to access your information, check friend updates and so on, you have to tell the computer who you are and prove you are who you say you are by providing a password which only you know. While password authentication continues to be the dominant form of authentication, over time explicit authentication is giving way to more seamless face recognition, retina scans and fingerprint scanning.
User Authentication
User authentication is the process of proving your identity to a computer in order to get exclusive access to information or to transact. This is done by letting the computer know who you are and then proving you are who you say you are. There are a few ways (factors) in which this is done:
1. Something you know: This is the most commonly used form of authentication, where you enter a user ID and a password or a PIN. The password is something you alone know, so no one else can authenticate on your behalf.
2. Something you have: This factor refers to you having something like a secure token or an ID card with a chip. There are two open standards for generating these tokens: HMAC-based One-Time Password (HOTP) and Time-based One-Time Password (TOTP). Essentially, HOTP generates a token which does not expire until the user uses it for the first time (after which a new token will need to be generated). TOTP generates a token every 30 seconds; if the user does not use it within 30 seconds, a new token is automatically generated. Tokens are not classified as something you know because you don't know the token until you actually see it!
3. Something you are: Biometric scans used for authentication, such as facial recognition, fingerprint scanners and retina scanners, fall under this form of authentication. These are things unique to you. Something you are is the most seamless form of authentication; however, it typically requires additional devices and specialized hardware to implement.
4. Somewhere you are: You may be allowed or denied access to a system, application or platform based upon your location. This form of authentication is generally coupled with other forms in 2-factor or multi-factor authentication. When you use your credit card in a location or country where you generally do not transact, banks use the location information to deny the transaction and prevent fraud. Time-restricted access, i.e. access only during certain hours or on certain days, also falls under this form of authentication.
5. Something you do: This is a rarely used form of authentication. Gesture-based authentication falls in this category. These methods rely on traits an individual exhibits, such as voice pattern, keyboard typing characteristics and handwriting.
Single Factor, 2-Factor and Multi-factor Authentication
Single-factor authentication uses one of the above forms, something you know being the most common. Generally #4 and #5 are not used for single-factor authentication. 2-factor authentication uses two of the above factors to improve protection. Asking the user to enter a password (something you know) and then an OTP sent to their mobile phone (something you have) is an example of 2-factor authentication. Please note that two different forms within the same category, such as an OTP sent via phone and ID card scanning, do not count as 2-factor because both fall under something you have. The same applies if fingerprint scanning and retina scanning are used together, as both fall in the something you are category.
Single Sign On (SSO)
Single sign-on is the process of signing in once and allowing the user to access related yet independent applications without having to sign in again. A good example of this is the Google or Facebook sign-in process used to access other apps. Most organizations have a central identity service so that employees can log in once and use all the systems and services. Benefits of using SSO include:
- Mitigate risk for access to 3rd-party sites (user passwords not stored or managed externally)
- Reduce password fatigue from different username and password combinations
- Reduce time spent re-entering passwords for the same identity
- Reduce IT costs due to lower number of IT help desk calls about passwords
Implementing your own password based authentication
Password-based authentication is the most commonly used authentication mechanism. If you plan to build your own password-based authentication, the first rule is: do NOT do it. You should ideally rely on your organization's central identity provider and implement SSO rather than implementing your own password handling. If you have no alternative and must implement a password solution, your system should not store passwords in plaintext. You must hash the password using one of the standard algorithms designed for passwords, such as scrypt, bcrypt or Argon2, and use a salt along with the hashing. Do not use other hashing algorithms which are not deemed safe for passwords, such as MD5, SHA-1 and SHA-2. Please refer to the OWASP Password Storing Cheat Sheet for some interesting ideas for storing passwords.
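To make the "salted, password-specific hash" advice concrete, here is an added example (not from the article) using scrypt from Python's standard library. It stores the parameters and salt alongside the hash so they can be tuned later, verifies with a constant-time comparison, and keeps an unsalted fast hash next to it only to show why that pattern fails: identical passwords produce identical digests. The scrypt cost parameters are constructed defaults for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed defaults for this example; tune N/r/p to your hardware and latency budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def weak_unsalted_hash(password: str) -> str:
    """The pattern to avoid: a fast, unsalted general-purpose hash. Two users with the
    same password get the same digest, and precomputed tables break it cheaply."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_b64$hash_b64' with a fresh
    16-byte random salt, so every stored hash is unique even for identical passwords."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    fields = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode(), base64.b64encode(key).decode()]
    return "$".join(fields)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters and salt stored in the record and
    compare in constant time. Any malformed record is treated as a failed login."""
    try:
        algo, n, r, p, salt_b64, key_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
        key = hashlib.scrypt(password.encode(), salt=salt,
                             n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(key, expected)
```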
Implementing Single Sign On (SSO)
There are 3 web security standards for implementing SSO:
OpenID
OpenID is well suited to implementing SSO for modern single-page JavaScript-based apps and mobile apps. Google, Yahoo and WordPress use the OpenID standard for SSO. The way OpenID works is simple. First, OpenID Connect redirects the user to an identity provider (IdP) to determine the user's identity, either by checking whether they have an active SSO session or by asking the user to authenticate. Then, once the IdP has authenticated the user and authorized them to access a particular application, the IdP redirects back to that app. This redirect also passes information about the user back to the app, which the app can use to confirm the user's identity.
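The redirect-based exchange described above is where most SSO integration mistakes happen, on the step where the app decides whether to trust what came back. The following is an added example (not from the article, and not any provider's SDK): it builds the authorization redirect with a fresh state and nonce, includes a constructed stand-in for the IdP that mints an HS256-signed ID token, and shows the checks the app must perform (signature, issuer, audience, expiry, nonce) before accepting the user's identity. Endpoint URLs, client ID and client secret are placeholder values.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str):
    """Step 1 (app): redirect the browser to the IdP. `state` ties the response to this
    browser session (CSRF protection); `nonce` ties the returned ID token to this request."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid profile", "state": state, "nonce": nonce}
    return f"{authorize_endpoint}?{urlencode(params)}", state, nonce


def issue_id_token(client_secret: bytes, issuer: str, client_id: str, subject: str,
                   nonce: str, now: int) -> str:
    """Step 2 (IdP, constructed stand-in): after authenticating the user, mint an HS256-signed
    ID token carrying the user's identity (`sub`) and the nonce from step 1."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": issuer, "sub": subject, "aud": client_id,
                                "iat": now, "exp": now + 300, "nonce": nonce}).encode())
    sig = hmac.new(client_secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"


def validate_id_token(token: str, client_secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: int):
    """Step 3 (app): check signature, issuer, audience, expiry and nonce before trusting `sub`.
    Returns the subject on success and None on any failure."""
    try:
        h, c, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(c))
        signature = b64url_decode(s)
    except ValueError:
        return None
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        return None
    expected = hmac.new(client_secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        return None
    if claims.get("exp", 0) <= now or claims.get("nonce") != expected_nonce:
        return None
    return claims.get("sub")
```

In a real deployment the app also compares the returned `state` with the one it stored in the session before exchanging the code, and a public IdP would sign with an asymmetric key published at its JWKS endpoint rather than a shared secret.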
OAuth2
OAuth2 is actually an authorization protocol; however, it can be used for authentication, which is why this use is called pseudo-authentication. The OpenID protocol is also built on top of OAuth2. OAuth2 is well suited for application-to-application authentication.
OAuth2 provides secure delegated access, meaning that an application, called a client, can take actions or access resources on a resource server on behalf of a user without the user sharing their credentials with the application. OAuth2 does this by allowing tokens to be issued by an identity provider to these third-party applications with the approval of the user. The client then uses the token to access the resource server on behalf of the user.
SAML
SAML is the oldest of the three protocols and is widely used for enterprise SSO.
SAML SSO works by transferring the user’s identity from one place (the identity provider) to another (the service provider). This is done through an exchange of digitally signed XML documents.