
Identification, Authentication and Authorisation

11/06/2012 Article

BG

Before I go into detail about specific access controls, it is important to note three steps that most access controls share: Identification, Authentication and Authorisation. In essence, an access control needs to complete all three steps for it to be effective.

Definition of Identification, Authentication and Authorisation

Identification is the claim of who you are.

Authentication is showing that a third party agrees you are who you claim to be.

Authorisation is the joining of that agreed identity to the rights to perform certain actions.

In a coming article I will write about multi-factor authentication, where each of the factors is highlighted: something you know, something you have, something you are.

Identification, Authentication and Authorisation in Access Control Techniques

Below is a list of specific access control techniques, detailing those three steps for each, with extra notes where appropriate:

  • Identification Badge
    • Identify – Has a name printed on it or a photo
    • Authenticate – The organisation carries out authentication before issuance, so observers know that all the checks are complete
    • Authorisation – Can be colour coded or contain other distinctive marks indicating the areas, jobs and times allowed
  • Access Badge
    • As above but with extras:
    • Identify – ownership of the card indicates to automated systems which identity is being claimed
    • Authenticate – the automated card reader systems agree that this is a specific person
    • Authorisation – the automated systems allow or disallow access through a door based on the agreed identity
  • User ID and Password
    • Identify – the user ID says who
    • Authenticate – if the supplied password is correct, this indicates the person is who they claim to be
    • Authorisation – system allows user to interact as permitted with that user ID
  • User ID and/or Passphrase
    • Very similar to User ID and Password, but with the potential to be far more secure.
    • Commonly used as encryption keys
  • Account Number or PIN
    • We can use it in place of either a user ID or a password, depending on the situation:
      • Chip and PIN – the PIN takes the place of a password
      • Credit Card Provider – the PIN takes the place of a user ID (a.k.a. account number)
    • The counterpart (user ID or password) is used to authenticate
  • Duress Codes
    • When in a forced situation such as a kidnapping, the user can indicate to a system or third party that they are under duress. Typically this is done by submitting one of two code words. Both allow access to the system, so as not to alert a potential aggressor, but one initiates further actions that are not immediately obvious.
  • MAC Address
    • Identify – Originally unique, read by network devices
    • Authenticate – compared against a database or ACL
    • Authorise – Follows the rules set out in the DB or ACL
    • Treat with caution: MACs can be spoofed on the majority of devices, and have been since the late 90s
  • IP Address or Network Address
    • Similar to a MAC address in that it can still be spoofed; under some circumstances it is harder to spoof due to network routing constraints
    • Unlike MAC addresses, can be used in groups (Network Address)
  • RFID
    • Identify – Used to transmit a specific ID
    • Authenticate – Should be unique within a data set, but not necessarily coupled with further information, so should be considered on an application-by-application basis
    • Authorise – Follows allowable actions as set out in a DB or ACL etc.
    • Some famous RFIDs have been cracked, such as London Transport’s Oyster card.
  • Barcodes (one-dimensional as well as multidimensional)
    • Similar in nature to RFID but easier to forge (the basic attack vector requires only a printer)
  • Email Address
    • Identify – production email addresses are unique (though they can be spoofed for both receiving and sending mail); ownership (or at least access) can be confirmed by complex codes or links sent to the address for the user to receive
    • Authenticate – used as a user ID and usually combined with a password
    • Authorise – Follows allowable actions as set out in a DB or ACL etc.
    • Piggybacks on the identification and authentication process employed by the email hosting provider, so one must trust the thoroughness and integrity of that process
  • Mobile Number
    • Very similar to Email Address
    • Potentially has a greater ability to assert the identity of a user, due to the credit checks and payment methods that apply to a large number of mobile phone users; this assurance is lost where “Pay As You Go” SIM cards are used with false user details and credit paid for in cash at a shop without CCTV.
  • Token – synchronous (time-synced)
    • Identify – ownership indicates the pre-agreed identity
    • Authenticate – completed by supplying the currently generated access code
    • Authorise – as per DB or ACL
  • Token – asynchronous (challenge-response)
    • Identify – ownership indicates the identity
    • Authenticate – the server generates a code (the challenge), the user enters it into the token, and the token generates a response. The user supplies the response to the server; if the server receives the expected response, the user is considered authenticated. Can be combined with
    • Authorise – as per DB or ACL
  • Smart Cards (chip)
    • Identify – based on ownership and the data contained in memory
    • Authenticate – card readers allow automated systems to agree on the identity of the card holder. This is combined with a PIN that allows access to the data on the card
    • Authorise – again, because it is a fairly advanced technique it can be combined with ACLs and DBs that specify the user’s allowed actions
    • Comes in many flavours, and all have memory, whether volatile or stable. Very adaptable.
    • Communications can be encrypted
  • Magnetic Cards
    • Identify – through ownership and the data (usually ID numbers) stored in the magnetic stripe, passed to a card reader
    • Authenticate – can be combined with a PIN etc. to help prove correct ownership
    • Authorise – usually quite limited, as the technology is not thought of as being very secure due to the ease with which it can be forged; despite this it can be combined with ACLs and DB-driven rules.
  • SSH Key
    • Identify – Depending on the cryptographic length of the key, can be considered unique. Often used as a replacement for passwords. To achieve the equivalent of a 3072-bit (asymmetric) SSH key, a password would need to be around 22 characters long. It is not uncommon or unreasonable to have 8192-bit SSH keys or much larger.
    • Authenticate – The key is asymmetric, so an algorithm is completed against both the public and private sections of the key. The result of the algorithm determines whether the user is authorised. For further security, password-protected symmetric encryption can be applied to the private portion of the key so that the user must decrypt the key before use. This is not the equivalent of a second factor of authentication, as the password is not part of the authentication procedure with the target system.
    • Authorise – Typically used to log in to specific user accounts on a Linux server, which is linked to the file system’s access control. This method can be deployed in any number of ways.
  • VPN or Trusted Path
    • Identify – Once the user has authenticated onto the VPN using any number of methods, the user is then further identified as part of a network, similarly to identification by IP or Network Address. This is more secure, however, as it requires authentication rather than simply being plugged in and thereby gaining an allowed IP address.
    • Authenticate – Mostly network based, follows ACLs. Can be adapted for use in other applications.
    • Authorise – Based on those same ACLs, the user is allowed to perform certain operations and gain access to certain resources.
  • Biometrics
    • Tend to have the same Authenticate and Authorise steps:
    • Authenticate – a sample is collected and analysed against a whole database of people. Because of its high level of uniqueness, it can act as both the identifier and the validator
    • Authorise – Able to be integrated into advanced ACLs and DB-controlled rights systems
  • Finger Prints
    • Identify – considered unique to the attached human.
  • Hand Geometry (Palm Measurements)
    • Identify – used to further enhance fingerprint access control methods by adding extra vectors such as finger length, bone length, tendon tension, hand layout, dimensions etc.
  • Iris Scans
    • Identify – the iris’s measurements, pigmentation and “folds” that produce the ripple-like effects.
  • Odour
    • Identify – each individual has a unique smell and combination of pheromones etc. that can be analysed. Use is fairly rare and, due to its potential to be perceived as invasive, it is only used in extreme situations.
  • Weight
    • Identify – though subject to change over time, can indicate whether the person is changing his/her form dramatically over a short period. Can be used to compare entry to a building with exit from the building, to help ensure the user is not stealing.
  • Vascular Scans
    • Identify – heat scans of a user’s face or hands show the location, size and route of veins, which is believed to be unique
  • Voice
    • Identify – Analyses the waveforms of a user’s voice in some depth. Considered unique. Can also indicate the level of stress in the user, which can be used similarly to Duress Codes.
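To make the three steps concrete, here is an added example (not code from the original article) of a small access-control pipeline in Python: identification by claimed user ID, authentication by a salted password hash that also recognises a second duress code word as described under Duress Codes, and authorisation by an ACL lookup of permitted actions. The user name, code words and the open_front_door action are constructed sample values, and PBKDF2-HMAC-SHA256 with 100,000 rounds is an assumption of the example rather than anything the article specifies.

```python
# Added example (not from the original article): a minimal access-control
# pipeline that makes the article's three steps explicit.
#   1. Identification  - the caller claims a user ID
#   2. Authentication  - a salted password hash is checked; a second "duress"
#                        code word is accepted too, but flagged (see "Duress Codes")
#   3. Authorisation   - the agreed identity is looked up in an ACL of actions
# The user records and ACL entries below are constructed sample data.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PBKDF2_ROUNDS = 100_000  # assumed demo setting; tune for the deployment


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from a password or code word."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    duress_hash: Optional[bytes]  # None when no duress code was enrolled


@dataclass
class AccessDecision:
    identified: bool
    authenticated: bool
    authorised: bool
    duress: bool = False
    reason: str = ""


class AccessControl:
    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}
        self.acl: Dict[str, Set[str]] = {}  # user ID -> permitted actions
        self.alerts: List[str] = []         # silent alarms raised on duress
        # Dummy salt so unknown user IDs cost the same time as real ones
        self._dummy_salt = secrets.token_bytes(16)

    def enrol(self, user_id: str, password: str, duress_code: Optional[str],
              actions: Set[str]) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = UserRecord(
            salt,
            hash_secret(password, salt),
            hash_secret(duress_code, salt) if duress_code else None,
        )
        self.acl[user_id] = set(actions)

    def request(self, user_id: str, secret: str, action: str) -> AccessDecision:
        # Step 1: identification - does the claimed ID exist?
        record = self.users.get(user_id)
        if record is None:
            hash_secret(secret, self._dummy_salt)  # keep timing uniform
            return AccessDecision(False, False, False, reason="unknown user ID")

        # Step 2: authentication - does the secret match the enrolled password
        # or the duress code? Both grant access, so an aggressor sees no difference.
        candidate = hash_secret(secret, record.salt)
        if hmac.compare_digest(candidate, record.password_hash):
            duress = False
        elif record.duress_hash is not None and hmac.compare_digest(candidate, record.duress_hash):
            duress = True
            self.alerts.append(f"duress login: {user_id}")  # the not-immediately-obvious action
        else:
            return AccessDecision(True, False, False, reason="secret rejected")

        # Step 3: authorisation - is this agreed identity allowed to perform the action?
        allowed = action in self.acl.get(user_id, set())
        reason = "permitted" if allowed else "action not in ACL"
        return AccessDecision(True, True, allowed, duress, reason)


def build_demo() -> AccessControl:
    """Constructed sample deployment: one user, one door, one duress word."""
    ac = AccessControl()
    ac.enrol("alice", "correct-horse", "battery-staple", {"open_front_door"})
    return ac


if __name__ == "__main__":
    ac = build_demo()
    for uid, secret, action in [
        ("alice", "correct-horse", "open_front_door"),   # normal, permitted
        ("alice", "battery-staple", "open_front_door"),  # duress: granted, alert raised
        ("alice", "correct-horse", "open_vault"),        # authenticated, not authorised
        ("alice", "wrong", "open_front_door"),           # authentication fails
        ("bob", "anything", "open_front_door"),          # identification fails
    ]:
        print(uid, action, ac.request(uid, secret, action))
    print("alerts:", ac.alerts)
```

The point of separating the three steps in the return value is that a failure at each step means something different to the operator: an unknown ID, a rejected secret and a permitted-but-unauthorised action are distinct events worth logging separately, and the duress flag is the only signal that is deliberately hidden from the person at the door.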
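The synchronous and asynchronous token entries above describe two different authentication exchanges. The following added example (not from the original article, nor any vendor's token) shows how a server verifies each in Python. The time-synced code follows the HOTP/TOTP construction (RFC 4226 / RFC 6238) with the usual 30-second step and 6 digits, and is checked against the RFC 4226 test secret; the challenge-response side (HMAC over a single-use server challenge, 8-digit response) is an assumption of the example that stands in for whatever a particular token implements.

```python
# Added example (not from the original article): server-side verification for
# the two token types the article lists.
#   - synchronous token: HMAC over a time counter, in the style of HOTP/TOTP
#     (RFC 4226 / RFC 6238); the 30-second step and 6-digit codes are assumed
#   - asynchronous token: HMAC over a server-issued challenge; this simple
#     scheme and the 8-digit response are assumptions of the demo
# The shared secrets used in the demo are constructed sample values.
import hashlib
import hmac
import secrets
import struct
import time


def dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes, mask the sign bit, take decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """What the time-synced token displays at a given moment (RFC 6238)."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret: bytes, code: str, unix_time: float,
                step: int = 30, window: int = 1) -> bool:
    """Server check; 'window' tolerates small clock drift between token and server."""
    counter = int(unix_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def token_response(secret: bytes, challenge: str) -> str:
    """What the challenge-response token computes when the user keys in the challenge."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha1).digest()
    return dynamic_truncate(mac, 8)


class ChallengeResponseServer:
    """Issues single-use challenges and verifies the token's responses."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.pending: set = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(4).upper()  # 8 hex digits shown to the user
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self.pending:
            return False  # never issued, or already consumed (a replayed response)
        self.pending.discard(challenge)  # each challenge is accepted once
        return hmac.compare_digest(token_response(self.secret, challenge), response)


if __name__ == "__main__":
    shared = b"12345678901234567890"  # RFC 4226 test secret
    now = time.time()
    shown = totp(shared, now)
    print("time-synced code:", shown, "accepted:", verify_totp(shared, shown, now))

    server = ChallengeResponseServer(secrets.token_bytes(20))
    chal = server.new_challenge()
    resp = token_response(server.secret, chal)  # computed inside the user's token
    print("challenge:", chal, "response:", resp,
          "accepted:", server.verify(chal, resp), "replay:", server.verify(chal, resp))
```

The two verifiers fail in different ways, which is what makes the token types different in practice: a time-synced code is only as good as the clock agreement (hence the drift window, which should be kept small), while a challenge-response code is bound to one server-issued challenge, so the server must track which challenges are outstanding and refuse any response that arrives a second time.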
