Authentication of a human, a software or a hardware system against a relying party.
Authentication mechanisms based on
Knowledge
Ownership
Inherence
Different authentication mechanisms can be combined to obtain higher levels of authentication
Nota:
Multi-factor authN: several factors are combined (do not use the same factor twice, e.g. two passwords).
One-factor authN
Two-factor authN
Three-factor authN
Password-based Authentication
One problem is the storage of the password on the server side:
in clear -> anyone who reads the store can access it
encrypted -> the key has to be stored as well
Hashed -> unprotected digests are subject to dictionary attacks
Hashed with salt -> unpredictable digests are stored; precomputed dictionary attacks and rainbow tables are defeated
Challenge-Response Authentication
Symmetric CRA
Asymmetric CRA
One-time password Authentication
Nota:
a simple authentication technique in which the password is used only once as the authentication information that verifies the identity
Synchronous
Nota:
the password depends on the current time
RSA SecurID
Nota:
It is a proprietary solution intrinsically tied to its producer.
Asynchronous
S/KEY
Event-based OTP
OOB OTP
Nota:
A form of password-based authN that increases security by exchanging the OTP over an out-of-band channel (SMS and PSTN are deprecated)
Different solutions that are not interoperable are not good, so a common standard has been developed
OATH
HMAC OTP
TOTP
OCRA
PSKC
DSKPP
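As an added example (not part of these notes), the OATH HMAC OTP and TOTP computations written out in Python, keyed with the RFC 4226 test secret; the server-side verification routine with its look-ahead window is an assumed design, not something the notes specify.

```python
import hashlib
import hmac
import struct

# Added example: OATH HOTP (RFC 4226) and TOTP (RFC 6238) built on HMAC-SHA1.
# This is the RFC 4226 test-vector key, a published test value, not a real credential.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC the 8-byte big-endian counter, then dynamic-truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronous OTP: the HOTP counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int, look_ahead: int = 3):
    """Assumed server-side check for an event-based token.

    Returns the counter that matched, or None. Only counters strictly after the
    last accepted one are tried, so a replayed code is rejected; the small
    look-ahead window tolerates button presses that never reached the server.
    The caller must persist the returned counter as the new last_counter.
    """
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), submitted):  # constant-time compare
            return c
    return None
```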
Biometric Authentication
Captcha
Biometric Techniques
API/SPI standardized by CDSA
FIDO
Zero Knowledge Password Proof
SSO - Single Sign-On
Fictitious
Nota:
Different services require different passwords, which are provided by a manager that asks for a single global password (like a password wallet that automatically manages passwords and authentications).
Integral
Multi-application
Nota:
asymmetric challenge-response systems; all the services are able to recognize the same user credential.
Kerberos
Multi-domain
Nota:
A service accepts the credential issued by a service in another domain (like signing in to different websites with a Google account).