User Authentication Mechanism (Method)

A user authentication mechanism can use one of the above factors, or combine multiple factors to form strong authentication. The following are the major user authentication mechanisms (methods):

· Badge and identity card: Identification badges are usually used for physical access authentication, either by a security system automatically or by a security guard manually. They commonly include bar codes, magnetic strips, or RFID tags. These typically contain fixed information that can be used as tokens. Badges and cards are relatively easy to forge and duplicate, but mechanisms such as holographic impressions or plastic laminate coverings, size and shape variations, unique colorings, micro-printing, and unique materials make forgery more difficult.

· Password: Passwords remain the dominant identification and authentication method. They require a user or application to enter a character string, which is then submitted over the network and matched against a password database or file maintained by an authenticating program. This is one-factor authentication.
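The matching step described above is where most password deployments go wrong, so the following added example (not from the original document) shows what the authenticating program should keep in its password file and how it should compare a submitted string against it: a salted, iterated PBKDF2 derivation instead of the cleartext, a constant-time comparison, and a dummy record for unknown usernames so a lookup miss takes as long as a hit. The user "alice", her password, the iteration count and the record format are all constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor for this example: PBKDF2-HMAC-SHA256, 600,000 iterations, 16-byte salt.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Derive the stored credential record "pbkdf2-sha256$<iterations>$<salt>$<hash>".

    Only this record goes into the password file; the cleartext password is never stored.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2-" + ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_record(record: str, password: str) -> bool:
    """Re-derive with the record's own salt and iteration count, then compare in constant time."""
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    algorithm = scheme.split("-", 1)[1]
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, int(iterations))
    # compare_digest does not leak how many leading bytes matched through timing.
    return hmac.compare_digest(candidate, expected)


# Constructed password file with a single user; a real system loads this from storage.
PASSWORD_FILE: Dict[str, str] = {
    "alice": make_record("correct horse battery staple"),
}

# Verified for unknown usernames so that a miss costs the same time as a hit.
_DUMMY_RECORD = make_record("not-a-real-password")


def authenticate(username: str, password: str) -> bool:
    """One-factor password authentication against the password file."""
    record = PASSWORD_FILE.get(username, _DUMMY_RECORD)
    matched = verify_record(record, password)
    # Do the expensive comparison before the membership check so timing stays uniform.
    return matched and username in PASSWORD_FILE
```

The record carries its own algorithm name and iteration count, so the work factor can be raised later without invalidating existing entries: old records keep verifying at their stored count and are re-derived at the new one on the user's next successful login.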

· Smart Card: The term "smart card" describes a cryptographic device capable of generating digital signatures that prove possession of a private key or credential. These devices take a number of different physical forms. Most smart cards are similar in size and material to credit cards, with the addition of small, dime-size memory chips or microprocessors. ISO 7816, PC/SC, EMV and GSM are the main smart card standards. Cards that comply with these standards are intelligent read/write devices capable of storing different kinds of data and operating at different ranges. Standards-based smart cards can authenticate a person's identity, determine the appropriate level of access, and admit the cardholder to a facility, all from data stored on the card. These cards can include additional authentication factors (such as biometric templates or PINs) and other card technologies, including a contactless/RFID interface, to satisfy the requirements of legacy applications or of applications for which a different technology is more appropriate. A smart card reader is required to read from and write to the card. Usually, users enter a PIN to access the private key protected by the smart card. The combination of smart card and PIN is commonly known as two-factor authentication.

· Contactless/Wireless Smart Card: This is a variation of the aforementioned smart card technology. It does not need to be inserted into a reader, and is primarily used for physical access. There are three primary contactless technologies considered for physical access control applications: 125 kHz, ISO 14443 and ISO 15693. For future applications, IEEE 802.15.4/ZigBee is also being considered.

125 kHz read-only technology is used by the majority of today's RFID access control systems and is based on de facto industry standards rather than international standards. Contactless smart card technology is based on the MIFARE (ISO 14443A equivalent), ISO 14443B and ISO 15693 standards.

ZigBee is a newer wireless technology with lower system requirements and cost than Bluetooth. It opens the door to wireless smart cards. The planned Microsoft SPOT SmartBadge will use ZigBee.

A card containing two chips, a contact smart card chip and a contactless smart card/RFID tag, is defined as a hybrid card. A card with a single chip supporting both contact and contactless smart card interfaces is called a dual-interface card.

Contactless Technology Comparison

Technology | Frequency            | Max Range                  | On-card power | Dual interface support | Hybrid ID card support
-----------|----------------------|----------------------------|---------------|------------------------|-----------------------
125 kHz    | 126 kHz              | 1 meter                    | no            | No                     | Yes
ISO 14443  | 13.56 MHz            | 10 cm                      | no            | Yes                    | Yes
ISO 15693  | 13.56 MHz            | 1 meter                    | no            | No                     | Yes
ZigBee     | 868/915 MHz, 2.4 GHz | 5 m – 500 m (configurable) | yes           | Unknown                | Unknown

The combination of contactless smart card and PIN is considered two-factor authentication.

· USB Token: USB tokens are another variation of the contact smart card. The technology combines the smart card and the smart card reader in the same unit. Users insert the USB token (usually in key fob format) into an available USB port, and separate smart card reader hardware is no longer required (only the reader driver software is). The combination of USB token and PIN is considered two-factor authentication.

· TPM: Trusted Platform Modules (TPMs) are isolated chips that reside on the computer's motherboard and use digital signatures to verify that the operating system and other components of the software environment have not been compromised. IDC Worldwide PC 3Q03 Forecast Update 2003-2007 (#30607) estimates that 30 million TPM chips will have shipped for PC desktop and notebook computers in 2005, and over three times that number in 2007. This forecast indicates that over 55% of all PCs and notebook computers will be TPM-capable by the end of 2007. A TPM can authenticate both the user and the device (PC, PDA, cell phone), and is a good replacement for a smart card and reader. The Microsoft Hypervisor in Longhorn/Vista will use the TPM to simulate smart cards. The combination of TPM and PIN is considered two-factor authentication.

· OTP Device: A One Time Password (OTP) device is a hardware token, typically with a liquid crystal display that shows number sequences (such as RSA Security's SecurID). These sequences form one-time passwords when combined with PINs, or the device challenges users to calculate passwords using a numeric keypad, such as the one on ActivCard One. The one-time password is time-synchronized with the backend authentication system. The combination of OTP device and password (or PIN) is considered two-factor authentication.
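The time-synchronized mode is the one that needs care on the backend, because the token's clock and the server's clock drift apart. The following added example (not code from the original document or from any token vendor) implements the open standards that later replaced the proprietary schemes named above, HOTP (RFC 4226) and TOTP (RFC 6238), and a server-side check that tolerates a bounded amount of drift while refusing to accept the same code twice. The `window`, `last_counter` and `verify_totp` names are this example's own.

```python
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, truncate dynamically, keep `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def verify_totp(
    secret: bytes,
    code: str,
    unix_time: Optional[float] = None,
    step: int = 30,
    digits: int = 6,
    window: int = 1,
    last_counter: Optional[int] = None,
) -> Optional[int]:
    """Backend check of a submitted code.

    Returns the counter the code matched, or None.  `window` is how many steps of drift
    between token and server are tolerated on each side; `last_counter` is the highest
    counter already accepted for this token, so a code is never accepted a second time.
    """
    now = time.time() if unix_time is None else unix_time
    centre = int(now) // step
    for delta in range(-window, window + 1):
        candidate = centre + delta
        if last_counter is not None and candidate <= last_counter:
            continue  # replay, or older than a code already used
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None
```

The caller must persist the counter that `verify_totp` returns and pass it back as `last_counter` on the next attempt; without that, any code remains valid for the whole drift window, and an observed code can be reused within it.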

· Biometrics

Biometric authentication compares a digital sample of some physical characteristic of a user against a stored sample in a database record or file. Common methods include retinal, palm, or fingerprint scans, as well as voice authentication. After years of development, these systems are becoming more reliable, yielding a lower false acceptance rate (FAR) and false rejection rate (FRR). Prices are also falling, making biometrics increasingly practical. Biometric solutions are seeing particular success in physical facility authentication and government applications such as border security and law enforcement. Biometric authentication by itself is one-factor authentication. It can only be considered two-factor authentication when combined with a PIN (or another factor).
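FAR and FRR are not fixed properties of a sensor; they are set against each other by the match threshold the deployer chooses. The following added example (not from the original document) shows how both rates are computed from matcher scores and how the equal error rate operating point is found by sweeping the threshold. The score lists are constructed for illustration and represent no real biometric system.

```python
from typing import List, Optional, Tuple

# Constructed matcher scores (higher = more similar to the enrolled template).
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.75, 0.81, 0.66, 0.95, 0.70, 0.85, 0.60, 0.78]
IMPOSTOR_SCORES: List[float] = [0.20, 0.35, 0.55, 0.40, 0.62, 0.30, 0.48, 0.25, 0.71, 0.15]


def far(impostor: List[float], threshold: float) -> float:
    """False Acceptance Rate: share of impostor attempts whose score clears the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[float], threshold: float) -> float:
    """False Rejection Rate: share of legitimate attempts whose score falls below it."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_threshold(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a candidate threshold and return (threshold, FAR, FRR)
    at the point where the two rates are closest, i.e. the equal error rate operating point."""
    best: Optional[Tuple[float, float, float]] = None
    for t in sorted(set(genuine) | set(impostor)):
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    assert best is not None
    return best
```

Raising the threshold lowers FAR and raises FRR; lowering it does the reverse. A deployment that protects a high-value door would sit above the equal error point and accept more false rejections, while a convenience use would sit below it.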

· Behavior/Cogmetrics/Cognitive

This is usually based on something the user can do. Behavior authentication tests usage dynamics and other behaviors; it is an offshoot of biometric techniques that develops profiles from normal user actions or use patterns. Cogmetrics, or cognitive authentication, tests the user's visual memory for objects (such as familiar faces) trained during user setup. This is one-factor authentication when used without a PIN.

· Software Tokens and Client Side PKI

Software tokens operate like hardware tokens, except that a software program installed on the user's workstation or other computing device (e.g., PDA or Pocket PC) provides the token generator or the challenge/response system. Client-side Public Key Infrastructure (PKI) systems likewise operate like smart cards, except that special software resident on the workstation or other device protects the private keys. This is one-factor authentication without a PIN.
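Both the smart card described earlier and the client-side PKI variant above authenticate the same way: the verifier sends a fresh challenge, the holder of the private key signs it, and the verifier checks the signature with the enrolled public key, so the private key itself never crosses the network. The following added example (not code from the original document or from any card or PKI product) walks through that exchange with a PIN-gated card model and a verifier that accepts each challenge once and only while it is fresh. To run without a third-party library it uses textbook RSA built from two known Mersenne primes; that key size and the absence of padding are purely illustrative, and real cards use 2048-bit or larger keys with PKCS#1 or ECDSA signatures. The `SmartCard`, `Verifier` and `run_exchange` names and the PIN retry limit of three are this example's own.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Toy RSA key pair (about 196 bits) from the Mersenne primes 2^89-1 and 2^107-1; illustrative only.
_P = (1 << 89) - 1
_Q = (1 << 107) - 1
MODULUS = _P * _Q
PUBLIC_EXPONENT = 65537
_PRIVATE_EXPONENT = pow(PUBLIC_EXPONENT, -1, (_P - 1) * (_Q - 1))


def _challenge_digest(challenge: bytes) -> int:
    """Hash the challenge and reduce it into the RSA group (toy stand-in for a padded digest)."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % MODULUS


class SmartCard:
    """Models the card: the private key never leaves it, and signing requires the PIN first."""

    MAX_PIN_TRIES = 3

    def __init__(self, pin: str, private_exponent: int) -> None:
        self._pin = pin
        self._d = private_exponent
        self.tries_left = self.MAX_PIN_TRIES
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False  # card is blocked until an administrator unblocks it
        if secrets.compare_digest(pin.encode(), self._pin.encode()):
            self._unlocked = True
            self.tries_left = self.MAX_PIN_TRIES
            return True
        self.tries_left -= 1
        return False

    def sign_challenge(self, challenge: bytes) -> Optional[int]:
        if not self._unlocked:
            return None
        return pow(_challenge_digest(challenge), self._d, MODULUS)


class Verifier:
    """Models the authenticating server: issues random nonces and accepts each one at most once."""

    def __init__(self, public_key: Tuple[int, int], challenge_ttl: float = 60.0) -> None:
        self._n, self._e = public_key
        self._ttl = challenge_ttl
        self._outstanding: Dict[bytes, float] = {}  # nonce -> time issued

    def issue_challenge(self, now: Optional[float] = None) -> bytes:
        nonce = secrets.token_bytes(32)
        self._outstanding[nonce] = time.time() if now is None else now
        return nonce

    def check_response(self, challenge: bytes, signature: Optional[int], now: Optional[float] = None) -> bool:
        issued = self._outstanding.pop(challenge, None)  # unknown or already-used nonce -> reject
        if issued is None or signature is None:
            return False
        if (time.time() if now is None else now) - issued > self._ttl:
            return False  # stale challenge
        return pow(signature, self._e, self._n) == _challenge_digest(challenge)


def run_exchange(card: SmartCard, pin: str, verifier: Verifier, now: float = 0.0) -> bool:
    """Full two-factor exchange: the PIN (something you know) unlocks the card, the card
    (something you have) signs the verifier's nonce, and the verifier checks the signature."""
    if not card.verify_pin(pin):
        return False
    challenge = verifier.issue_challenge(now)
    return verifier.check_response(challenge, card.sign_challenge(challenge), now)
```

The three checks in `check_response` are the ones that separate a sound challenge-response from a replayable one: the nonce must have been issued by this verifier, it must not have been consumed already, and it must still be within its lifetime. The retry counter on the card is what makes the PIN a meaningful second factor; a PIN without a lockout is just a short password.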

Other mechanisms in use are usually further variations on the above, such as knowledge-based authentication and mobile phone/PDA tokens.