Monday, 20 August 2007

Identification and Authentication

What is I&A?

Identification and authentication (I&A) is the process by which a user presents a claimed identity to the system together with the credential needed to prove that identity, and the system validates both pieces of information. If both check out, the user is granted access as a legitimate user; otherwise access is denied.

What are the common vulnerabilities of I&A?

  • Weak authentication methods (for example, short, guessable or reused passwords).
  • The potential for users (such as system administrators) to bypass the authentication mechanism.
  • Lack of confidentiality and integrity for stored authentication information (for example, passwords kept in cleartext or in a file that can be modified).
  • Lack of encryption and protection for authentication information transmitted over the network.
  • Users' lack of awareness of the risks of sharing their authentication information.
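The following Python example, added here and not part of the original post or of ISACA material, walks through the I&A process described above while avoiding two of the listed weaknesses: the credential store holds only a salted, iterated hash of each password (not the password itself), and the check uses a constant-time comparison and does the same amount of work for an unknown user as for a wrong password, so a caller cannot tell which half of I&A failed. The store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example: an in-memory credential store mapping a username
# (the identity) to a random salt and a PBKDF2 hash of the password (the
# authenticator). The password itself is never stored, which addresses the
# "confidentiality of stored authentication information" weakness above.
ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enrol(store: dict, username: str, password: str) -> None:
    """Register an identity and bind a credential to it."""
    salt = os.urandom(16)
    store[username] = (salt, derive(password, salt))


# Fixed salt and hash used when the claimed identity is unknown, so that an
# unknown username costs the same time as a known one with a wrong password
# and the response does not reveal which usernames exist.
DUMMY_SALT = bytes(16)
DUMMY_HASH = derive("placeholder-not-a-real-password", DUMMY_SALT)


def authenticate(store: dict, claimed_identity: str, credential: str) -> bool:
    """Identification: look up the claimed identity.
    Authentication: check the supplied credential against the one bound to it.
    Access is granted only if both succeed; the caller learns only True/False,
    not which of the two checks failed."""
    record = store.get(claimed_identity)
    known = record is not None
    salt, expected = record if known else (DUMMY_SALT, DUMMY_HASH)
    candidate = derive(credential, salt)
    # Constant-time comparison so the check does not leak how many bytes matched.
    matched = hmac.compare_digest(candidate, expected)
    return known and matched


if __name__ == "__main__":
    users = {}
    enrol(users, "alice", "correct horse battery staple")
    print(authenticate(users, "alice", "correct horse battery staple"))   # True
    print(authenticate(users, "alice", "wrong password"))                  # False
    print(authenticate(users, "mallory", "correct horse battery staple"))  # False
```

The single True/False result is deliberate: a login prompt that says "unknown user" for one failure and "wrong password" for the other turns the identification step into a user-enumeration oracle.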

Are identification and authentication different?

Yes. Identification and authentication are distinct concepts, for the following reasons:

  • They mean different things: identification is the claim of who the user is, authentication is the proof of that claim.
  • The methods and techniques supporting each of them are different.
  • Their requirements for secrecy and management are different: an identity (such as a username) is not secret, whereas an authenticator (a password, key or token secret) must be.
  • An identity has attributes such as a name and a validity date; an authenticator has no such attributes.
  • An identity does not normally change, whereas authenticators bound to secrecy must be changed regularly.

What are the types of I&A?

  • Logon IDs and Passwords
  • One Time Passwords, Token Devices
  • Biometrics
    • Palm
    • Hand geometry
    • Iris
    • Retina
    • Fingerprint
    • Face
    • Signature recognition
    • Voice recognition

Reference: ISACA
