Authentication is the process of verifying the identity of something or someone, often for security purposes, through some unique characteristic. Although the term has a specific meaning in the context of computer use, authentication is something people do on a regular basis. An object may be identified to an expert as an "authentic" antique by its manufacturer's mark or signature. An individual will be "authenticated" to family and friends by face recognition, or in the case of speaking, voice recognition. So for instance, in a telephone call to a friend, the caller is granted access to information that the call recipient regards as appropriate based on the recipient's recognition of the caller's voice. This is a basic form of authentication. In the computer world, authentication is the process by which a user (a person or a device) is granted access to a computer, a computer network, an application, or another form of information that is contained in or protected by a device or software.
Authentication can take numerous forms, and can require several factors. There are one-, two-, and three-factor authentication methods. A factor is a single representation of a user's identity. For example, in two-factor authentication, a user is required to provide two pieces of information in order to be verified by the requestor. The most common method of two-factor authentication is the use of a user identification name or account, and a password. The more factors that are involved, the higher the reliability of the verification process.
To be permitted access to a computer, a database, or a web site, for example, a user must provide unique credentials in response to a query from a device or requesting resource. This unique information could be a user identifier (userid or ID) and password combination, as mentioned earlier. It could also be a one-time use password or passcode, a token to be read by a special reader or application, or a biometric device used to read biological information that is obviously unique to the user, such as a fingerprint or retinal scan.
In the case of userid and password combinations, the resource being asked to provide access requires that the user present an ID and password that is supposed to be unique to that individual or user. This information has been previously stored in a database or other application, and is generally encrypted for added security. When requesting access to the resource, the user provides this combination of ID and password so that it can be compared to the combination that was previously stored. If they match, then access is granted. If not, the user may be prompted several times for the correct information. Access will not be granted until the correct combination is entered. Access can be blocked indefinitely if the number of failed attempts exceeds a predetermined amount. The purpose of this is to reduce the possibility of access by a non-authorized user who guesses at enough possible combinations to manage an accidental match.
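The userid/password check and the lockout after repeated failures described above, as an added example that is not part of the original entry. It assumes an in-memory record per user and, instead of the encrypted storage the entry mentions, stores a salted PBKDF2 hash of the password (a common practice; the threshold of five failed attempts is also an assumption).

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold
ITERATIONS = 100_000      # PBKDF2 work factor (assumption)


def _derive(password: str, salt: bytes) -> bytes:
    # The stored value is a salted, slow hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db: dict, userid: str, password: str) -> None:
    """Store the credential record the resource will later compare against."""
    salt = os.urandom(16)
    db[userid] = {"salt": salt, "hash": _derive(password, salt),
                  "failed": 0, "locked": False}


def authenticate(db: dict, userid: str, password: str) -> str:
    """Return 'granted', 'denied', or 'locked' for one access attempt."""
    record = db.get(userid)
    if record is None:
        # Unknown userid: do the same work so timing does not reveal which IDs exist.
        _derive(password, b"\x00" * 16)
        return "denied"
    if record["locked"]:
        return "locked"
    candidate = _derive(password, record["salt"])
    # Constant-time comparison of the presented credential with the stored one.
    if hmac.compare_digest(candidate, record["hash"]):
        record["failed"] = 0          # a success resets the failure counter
        return "granted"
    record["failed"] += 1
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        record["locked"] = True       # block further guessing indefinitely
        return "locked"
    return "denied"
```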
A one-time use passcode or password requires some form of synchronization between the user and resource. For example, a computer system or application performs the duty of generating a passcode at a predetermined interval. The user has a token or other device that also generates the same password or passcode at precisely the same time. When users request access, they must present the generated password or passcode. This pass-code or password is generally valid for a predetermined period of time that usually varies from 30 seconds up to 30 minutes. A security benefit with this method is that the passcode is continually changing and one code is valid only within a limited and specific period of time.
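The time-synchronized passcode scheme above, as an added example (not code from the original entry). Both sides share a secret and derive the code from the current 30-second interval using the HOTP construction (HMAC-SHA1 with dynamic truncation); the verifier tolerates one interval of clock drift and refuses to accept a code for an interval it has already accepted. The secret, step length, digit count and drift allowance are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed validity interval of one code
DIGITS = 6          # assumed code length
DRIFT_STEPS = 1     # tolerate one interval of clock skew either side


def passcode(secret: bytes, counter: int) -> str:
    """HOTP-style code for one interval: HMAC the counter, truncate to DIGITS decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def token_generate(secret: bytes, now: int) -> str:
    """The user's token: shows the code for the interval containing time `now`."""
    return passcode(secret, now // STEP_SECONDS)


class Verifier:
    """The resource side: shares the secret and remembers the last accepted interval."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP_SECONDS
        for candidate in range(counter - DRIFT_STEPS, counter + DRIFT_STEPS + 1):
            if candidate <= self.last_counter:
                continue  # that interval's code was already used; reject replay
            if hmac.compare_digest(passcode(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False
```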
A biometric scanner works differently. It may or may not require a userid. Instead, users, via some device, have a small portion of their bodies scanned—most commonly a fingerprint. This information has been previously recorded, as in the case of the userid/password combination described earlier. The requested resource then compares this information with what is on file. This information can be stored in itself or on another resource, and it is generally encrypted for added security. This form of authentication makes it more difficult for someone to impersonate or masquerade as an authorized user by attempting to pass along credentials belonging to someone else. Biometric devices can be expensive. One of the primary hurdles in their widespread use is arguably the societal fear of having a system or organization that possesses biometric data, such as fingerprints.
Another method of authentication involves the use of a token, which is a device or file that contains information permanently stored on or in it. For example, a typical Automated Teller Machine (ATM) requires the use of a card. The card stores the user's account number, along with other information. In addition to using an ATM card to initiate the transaction—neither a driver's license nor a credit card would work, for example—one must also be authenticated by the machine with the use of a personal identification number (PIN). Without the PIN, the user's ATM card will not provide the desired results, and without the card, the PIN is insufficient to identify the user with the bank's computers.
Another form of a token is a digital certificate. This is a file that contains information pertaining to a user or resource. It is stored on a computer or in an application, and it "invisibly" allows a user authorized access to something like an account, web site, or another computer. Digital certificates are becoming more popular as a form of user authentication for web site access or usage. An organization called a Certificate Authority (CA) issues a certificate and, in doing so, verifies the identity of the owner. CAs can issue certificates to individuals, computers, or other CAs. Certificates are usually issued for a specific period of time, after which they expire; however, they can generally be renewed.
Authentication can be accomplished by various means. The most widely used method is by using the operating system of the resource a user wishes to access. Virtually all operating systems are able to require users to verify their identity through authentication mechanisms. Organizations such as large companies and the government may elect to install additional software programs with more advanced authentication mechanisms built in. This adds another layer of security to the authentication process.
see also E-commerce; Networks; Security.
G. Christopher Hall
When consumers attempt to withdraw money from a bank, rent movies from a video store, write checks, or obtain passports for international travel, they are required to provide one or more forms of identification that authenticate who they are or prove their identity. These situations usually involve face-to-face encounters with other people in the physical world. E-commerce occurs on the Internet, where a general atmosphere of anonymity pervades. In general, it is possible to do a wide variety of things online without divulging one's identity. However, when it comes to engaging in financial transactions and building trust between buyers and sellers, the issue of authentication is just as important online as it is offline. Put simply, parties engaging in transactions and attempting to access closed systems must be able to prove that they are indeed who they say they are.
Security is a cornerstone of e-commerce, as it helps alleviate fears consumers and businesses may have about conducting transactions online. According to e-tailing, authentication is one of five requirements necessary for secure e-commerce. It must occur prior to authorization, which allows entry and access to a system, and fulfills three critical functions: it ensures confidentiality, maintains data integrity, and provides non-repudiation (making it difficult for entities to deny involvement in electronic transactions).
A wide variety of methods, used alone or in combination, are employed to authenticate online entities of businesses or individuals. User names and passwords are perhaps the most basic means of authenticating users. In this scenario, someone gaining access to privileged information, such as bank-account data or credit-card information, is required to enter a user name, which is normally not secret, as well as a secret password consisting of varying character combinations of letters or numbers. Personal identification numbers (PINs), digital certificates, biometrics, and RSA SecurID tokens were other common methods by which users were authenticated in the early 2000s. Biometrics, an emerging technology, involved a range of equipment—including voice recognition software, retina scanners, fingerprint readers, and cameras—that identified unique physical characteristics. Such devices could be installed on both laptops and desktop computers. As described in Information Security, "SecurID tokens are essentially one-time passwords for user authentication and can be used to authenticate to a Windows domain. The time-synchronized SecurID card has an LCD screen that shows a string of numbers that changes every minute." Along with a PIN, such numeric strings are used together when users attempt to gain access to certain systems.
Andress, Mandy. "Reach Out and ID Someone." Information Security, April 2001. Available from www.infosecuritymag.com.
Dembeck, Chet. "Equifax Trumpets Online Shopper ID Method." E-Commerce Times, July 14, 2001. Available from www.ecommercetimes.com.
Saliba, Clare. "EU Signs Off on E-Signature Initiative." E-Commerce Times, August 1, 2001. Available from www.ecommercetimes.com.
The confirmation rendered by an officer of a court that a certified copy of a judgment is what it purports to be, an accurate duplicate of the original judgment. In the law of evidence, the act of establishing a statute, record, or other document, or a certified copy of such an instrument as genuine and official so that it can be used in a lawsuit to prove an issue in dispute.
Self-authentication of particular categories of documents is provided by federal and state rules of evidence. A deed or conveyance that has been acknowledged by its signers before a notary public, a certified copy of a public record, or an official publication of the government are examples of self-authenticating documents.