Authentication: know who is who!

A public available website often has no authentication or even so called anonymous access. Well if there are no cookies, all information is public, then indeed. But in most cases the information is not public, and is even often linked to a person like for example a webshop basket, online banking, membership, …

Then it seems logical to know who the user is, but often it is not that straight forward.

In this article we will help you understand how you can identify a person and clarify some vocabulary which is frequently used with this topic.

Vocabulary

• Identity: a natural person who is accountable for his actions.
• Identity Provider or IdP: the system performing the authentication scheme and validating the authentication factors to link the identity to an account (proof of possession.
• Account: a user identification to link a service access to an identity. In general (i) an identity can have more then one account, and (ii) one account can only be linked to one identity.
• Accountability: an identity is liable for the actions executed by an account he/she is responsible for.
• Authentication: a mechanism which serves to identify who owns the account.
• N-factor authentication: the user needs to present N independent and different factor to proof who he/she is to be.
  • Some clarification is necessary here:
  • Independent: meaning that one single threat, for example a compromised workstation cannot affect both authentication factors. A good example here is: on the one hand a password which is being entered on the workstation and vulnerable to key loggers, and a Time-Based One-Time password (TOTP) which’s secret is being stored on your smartphone on an authenticator app.
  • Different factors, based upon NIST-800-63-3 Digital Identity Guidelines there are 3 potential factors:
    1. Something you know, or knowledge: a secret which is to be memorized like a password;
    2. Something you have, or possession: a secret which is physically (incl. digital form) owned like TOTP, Yubikey, Public/Private key certificate, …
    3. Something you are, or inherence: typically the biometrics like fingerprint, iris scan, palm scan, voice, …

• Strong: a strong factor is a factor which is compliant to the industry standards being defined. The most well known and used standard is the https://pages.nist.gov/800-63-3/sp800-63b.html. As well as the https://csrc.nist.gov/publications/detail/sp/800-175b/rev-1/final which defines which cryptography is good enough to serve the purpose of authentication algorithms.

!!! Watch out for the processing of biometrics, as this is processing sensitive personal information based upon Article 9 of the GPDR where biometrics are used to identify an individual. There is no legal base currently in Belgium to process this information. Consult you Data Protection Officer for more information.

Why does authentication strength matter?

In general the industries’ good practice is to have strong and 2 factor authentication to identify users, admins, etc.

The threats which do apply to authentication compromise are multiple, some examples:

• User impersonation: somebody else succeeds in identifying another user. The issue here is the attacker gets the privileges of the user and also the audit will depict the user as culprit.
• Data leakage: unauthorized access to the hacker can lead to exposing or leaking information.
• Integrity compromise: a hacker can perform the business functions of the user he succeeded to impersonate.
• System outage: when an admin account is being compromised, then the entire infrastructure/services can be reconfigured or broken.

Like always in cyber and information security, measures need to be taken to prevent a threat from materializing. The stronger the authentication process is, the harder it gets for a malicious actor or hacker to compromise the authentication of a user account.

NoCode-X to the rescue!

NoCode-X offers out of the box adequate user authentication which is:

• NIST compliant cryptography.
• E-mail based account linked to a single identity.
• 2-factor authentication:
  • Something you know, password compliant with NIST-800-63-3B.
  • Something you have, Time Based One Time Password (TOTP) or Yubikey.

• A self-service account management, which relieves your organization of the administration of factor reset etc.

Is your organization mature enough to serve as Identity Provider (Idp), then NoCode-X does support you by implementing the single-sign-on through OpenID 1.0, Oauth-2.0 and SAML connectors.

Now you know who the identity is behind the account. What a user can do with his account is described the blogpost concerning authorization which can be found here: https://www.nocode-x.com/user-management-its-all-about-protecting-your-data/.

Do you need more information do not hesitate to contact us [email protected] or through our website www.nocode-x.com.