Chapter 16 – Identification and Authentication
Ravi Sandhu

Chapter Contents:

16.1 Introduction
16.2 Four Principles of Authentication
    16.2.1 What You Know
    16.2.2 What You Have
    16.2.3 What You Are
    16.2.4 What You Do
16.3 Password-based Authentication
    16.3.1 Access to User Passwords by System Administrators
    16.3.2 Risk of Undetected Theft
    16.3.3 Risk of Undetected Sharing
    16.3.4 Risk of Weakest Link
    16.3.5 Risk of Online Guessing
    16.3.6 Risk of Offline Dictionary Attacks
    16.3.7 Risk of Password Replay
    16.3.8 Risk of Server Spoofing
    16.3.9 Risk of Password Reuse
16.4 Token-based Authentication
    16.4.1 One-Time Password Generators
    16.4.2 Smart Cards and Dongles
    16.4.3 Soft Tokens
16.5 Biometric Authentication
    16.5.1 Binding Biometrics to a Known Identity
    16.5.2 Input of Biometric Data
    16.5.3 Power of Discrimination
    16.5.4 Loss of Biometric Identifier
    16.5.5 Security of Templates
    16.5.6 Privacy Concerns
16.6 Concluding Remarks
16.7 Summary
16.8 For Further Reading