March 12, 2012
Authentication is the process of confirming the reality or genuineness of a certain act, attribute or entity. Trust, authentication, and authorization have been essential elements of human relationships for centuries. Trust is something that can be exploited easily; the purpose of authentication is to ensure that no one can exploit that trust.
Over time, a single method of authentication became insufficient and multiple methods evolved. Today, multi-factor authentication is required to verify a person's identity. These factors include verification of:
- something that a person knows, like a personal identification number, secret code, passphrase, etc.
- something that a person owns, like property, an account number, an ATM or credit card, etc.
- something that defines a person, like hair/eye color, a mark of identification, a fingerprint and other biometrics, etc.
- something verified by a third person already known to the public, e.g., a document attested by a government officer, etc.
These factors have been proven over time and are in use today in the social world, for example in the banking industry. The computing industry is also moving in the same direction, adopting similar multi-factor authentication methodologies. This is, however, at an early stage; security in distributed and networked computing technology, such as cloud computing, in particular still has a long way to go.
The computing industry, which started with username-and-password authentication, is now moving toward two-factor authentication. For instance, Google 2-way two-factor authentication; in both cases a user enters a username and password and then performs mutual authentication as an additional step. The second step normally involves a mobile device used to manually authorize the remote service to accept the username and password. This is similar to a typical bank transaction: you send a check with your signature, and the bank officer verifies your signature and also calls you back on your cell phone to mutually verify yourself as well as the check amount as an additional security measure.
In a cloud computing environment, multi-factor authentication is a good step forward, but the cloud has other security issues that cannot be addressed by a sophisticated authentication methodology alone. These additional issues include confidentiality of data in the cloud, key management for data encryption, geographical location, and monitoring.
Multi-factor authentication is a big step in the right direction in both the social and digital worlds. However, multi-factor authentication alone is not enough, and emphasis needs to be put on other areas as well. A series of sophisticated social engineering attacks can break multiple layers of authentication. The digital world has solved various ancient problems, but security is among those yet to be solved.
Security is often merely an illusion, an illusion sometimes made even worse when gullibility, naïveté, or ignorance come into play; the human factor is truly security’s weakest factor (Kevin Mitnick).
Security is not a product, it’s a process (Bruce Schneier).
Only two things are infinite, the universe and human stupidity, and I’m not sure about the former (Einstein).