A whole new range of techniques has been developed to identify people since the 1960s, from the measurement and analysis of parts of their bodies to DNA profiles. Forms of identification are used to ensure that citizens are eligible for rights and benefits and can vote without fear of impersonation, while private individuals have used seals and signatures for centuries to lay claim to real and personal estate.[1] Generally, the amount of proof of identity required to gain access to something is proportionate to the value of what is being sought.[2] It is estimated that only 4% of online transactions use methods other than simple passwords. Security of system resources generally follows a three-step process of identification, authentication and authorization.[2] Today, a high level of trust is as critical to eCommerce transactions as it is to traditional face-to-face transactions.[3]
Identification, authentication and authorization
Identification
Identification is the step in which a user claims an identity, for example by presenting a user name or account number, before a system is accessed. It is a scheme that must be established and maintained so that users are identified consistently and unambiguously. An identity verification service is often employed to ensure that users or customers provide information that is associated with the identity of a real person. Identification on its own proves nothing: the claim is only trusted once it has been authenticated.
Authentication
Authentication is verification of the identity of the entity requesting access to a system.[4] It is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else) using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. The weakness of this scheme for transactions that are significant (such as the exchange of money) is that passwords can often be stolen, accidentally revealed, guessed, or forgotten.
For this reason, Internet business and many other transactions require a more stringent authentication process. The use of digital certificates issued and verified by a Certificate Authority (CA) as part of a public key infrastructure is considered likely to become the standard way to perform authentication on the Internet. Logically, authentication precedes authorization (although they may often seem to be combined).[5]
Authorization
Authorization is the process of giving someone permission to do or have something. In multi-user computer systems, a system administrator defines which users are allowed access to the system and what privileges of use they have (such as which file directories they may access, the hours of access, the amount of allocated storage space, and so forth). Once someone has logged into a computer operating system or application, the system or application determines which resources the user may be given during that session. Thus, authorization is seen both as the preliminary setting up of permissions by a system administrator and as the actual checking of those permission values when a user requests access. Logically, authorization is preceded by authentication: a permission check is only meaningful for a principal whose identity has already been verified.[5]
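The three steps described above, identification (look the claimed identity up), authentication (check the proof offered for it) and authorization (check what that identity may do), as an added example that is not part of the original article. The user directory, the salted PBKDF2 password verifiers, the role-to-action permission table and the user names are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed for this example: a PBKDF2-HMAC-SHA256 password verifier.
# A real deployment would keep the records in a database, never in source.
_ITERATIONS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_record(password, roles):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}


# Constructed user directory (hypothetical users).
USERS = {
    "alice": make_user_record("correct horse battery staple", {"customer"}),
    "bob": make_user_record("hunter2", {"customer", "admin"}),
}

# Constructed authorization policy: action -> roles allowed to perform it.
PERMISSIONS = {
    "view_balance": {"customer", "admin"},
    "transfer_funds": {"customer", "admin"},
    "close_any_account": {"admin"},
}


def identify(username):
    """Step 1, identification: the claimant names an identity and we look it up."""
    return USERS.get(username)


def authenticate(username, password):
    """Step 2, authentication: check the password against the stored verifier."""
    record = identify(username)
    if record is None:
        # Spend the same CPU as a real check so response time does not reveal
        # which user names exist.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison: never compare secrets with ==.
    return hmac.compare_digest(candidate, record["hash"])


def authorize(username, action):
    """Step 3, authorization: does any of the principal's roles permit the action?"""
    record = identify(username)
    if record is None:
        return False
    return bool(record["roles"] & PERMISSIONS.get(action, set()))


def access(username, password, action):
    """Run the three steps in order; authorization is never consulted for an
    unauthenticated claimant."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "view_balance"))
    print(access("alice", "correct horse battery staple", "close_any_account"))
    print(access("mallory", "anything", "view_balance"))
```

The ordering matters in practice: an unauthenticated request must be refused before the permission table is consulted, and an unknown user name is given the same failure message and roughly the same response time as a wrong password, so the login form does not enumerate accounts.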
Types of ecommerce authentication
- One-time password - A password that is valid for only a single logon session or transaction; once it has been used, or once a set time has elapsed, it becomes invalid, so a value captured by an attacker cannot be replayed later. (Single sign-on is a different mechanism: the user authenticates once and is then admitted to several systems without being asked again.)
- Two-factor authentication - This requires two different kinds of proof before access can be granted to a user, typically something the user knows (a password) together with something the user has (a token or phone) or something the user is (a biometric).
- Multi-factor authentication - Multi-factor authentication requires a user ID and password combined with at least one further authentication method of a different kind, such as a smart card or a biometric; two-factor authentication is the simplest case. Using this method decreases the likelihood that an unauthorized person can compromise the electronic security system, but it also increases the cost of maintaining that system.[2]
- Electronic access card/Smart card - Smart cards are credit-card-sized plastic cards that house an embedded integrated circuit. They can be used in electronic commerce for providing personal security, stored value and mobility. At the functional level, smart cards can be categorised as either memory cards or microprocessor cards. Memory cards, such as disposable pre-paid payphone cards or loyalty cards, are the cheapest form of smart card. They contain a small amount of memory in the form of ROM (read-only memory) and EEPROM (electrically erasable programmable read-only memory). Microprocessor cards are more advanced than simple memory cards in that they contain a microprocessor CPU (central processing unit) and RAM (random access memory) in addition to ROM and EEPROM. The ROM contains the card's operating system and factory-loaded applications.[6]
- Security token - "An authentication device that has been assigned to a specific user by an appropriate administrator".[2] It relies on something the user has, in the way that a passport or driver's licence identifies its holder. "Most security tokens also incorporate two-factor authentication methods to work effectively".[2]
- Keystroke dynamics - An automated form of authentication based on something the user does: it authenticates the user by the pattern of their typing, such as the timing between and the duration of keystrokes.
- Biometric - Biometric-based systems enable the automatic identification and/or authentication of individuals. Authentication answers the question "Am I who I claim to be?": the system verifies the identity of the person by processing the biometric data of the person who asks and takes a yes/no decision (a 1:1 comparison). Identification, on the other hand, answers the question "Who am I?": the system recognizes the individual who asks by distinguishing him or her from the other persons whose biometric data are also stored in the database. In this case the system takes a 1-of-n decision, answering that the person who asks is X if that person's biometric data are stored in the database, or that there is no match at all. Although the identification function should be regarded as distinct from authentication from an application perspective, systems using biometrics often integrate both functions, since the former is a repeated execution of the latter.[7]
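How a one-time password of the kind listed above is generated and checked, as an added example that is not part of the original article: HOTP (RFC 4226) derives a short code from an HMAC over a counter, and TOTP (RFC 6238) sets that counter from the clock so the code expires with the time step. The server-side verifier class, its one-step clock-drift window and its replay guard are constructed for this example; the RFC reference secret "12345678901234567890" is used in the usage note.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algo="sha1"):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then the
    RFC's dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6, algo="sha1"):
    """TOTP (RFC 6238): HOTP with the counter taken from Unix time // step."""
    return hotp(secret, at // step, digits, algo)


class TotpVerifier:
    """Constructed server-side verifier. Accepts a code from the current time
    step or `drift` steps either side, and never accepts the same step twice,
    so a code that was already used cannot be replayed within its window."""

    def __init__(self, secret, step=30, digits=6, drift=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_accepted_step = -1

    def verify(self, code, at):
        if len(code) != self.digits or not code.isdigit():
            return False
        current = at // self.step
        for delta in range(-self.drift, self.drift + 1):
            candidate_step = current + delta
            if candidate_step <= self.last_accepted_step:
                continue  # this step (or an older one) has already been spent
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 reference secret for SHA-1
    print(totp(secret, 59, digits=8))
    v = TotpVerifier(secret)
    now = 1111111111
    code = totp(secret, now)
    print(v.verify(code, now), v.verify(code, now))  # accepted once, then refused
```

With the RFC 6238 reference secret and 8 digits, time 59 gives 94287082 and time 1234567890 gives 89005924. The replay guard is what makes the password genuinely one-time: without remembering the last accepted step, a code observed in transit remains usable for the rest of the 30-second window plus the drift allowance.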
Types of biometric authentication
- Fingerprint recognition - Fingerprint recognition is the most widely used form of biometric authentication; the ridge pattern of a user's fingertip is used. It can be deployed in a broad range of environments and provides flexibility and increased system accuracy by allowing users to enrol multiple fingers in the template system.[2]
- Facial recognition - It uses data related to the unique facial features of a user and involves analyzing facial characteristics such as the relative positioning of the eyes, nose and mouth and the distances between them.[7] It is a unique biometric in that it does not require the cooperation of the scanned individual; it can utilize almost any high-resolution image acquisition device, such as a still or motion camera.[2]
- Voice pattern - This form of authentication uses the unique pattern of a user's voice. It relies on voice-to-print technology, not speech recognition: a person's voice is transformed into a voiceprint (a template of its acoustic features) and compared with the template recorded at enrollment. Although this technology is fairly easy to implement because many computers already have built-in microphones, the enrollment procedure is more complicated than for other biometrics, and background noise can interfere with the scanning, which can be frustrating to the user.[2]
- Handwritten signature - Signature verification analyses the way a person signs their name, such as speed and pressure, as well as the final static shape of the signature itself.[2]
- Retina recognition - A method of biometric authentication that uses data related to the unique pattern of blood vessels at the back of an individual's eye.[2] This technology is personally invasive and requires skilled operators. It results in retina codes of 96 bytes when used for authentication, rising to some kilobytes in the case of identification.[7]
- Iris recognition - A form of authentication that uses data linked to features of the coloured part of the eye. It involves analyzing the patterns of the coloured part of the eye surrounding the pupil. It uses a fairly normal camera and does not require close contact between the eye and the scanner. Glasses can be worn during an iris scan, unlike a retinal scan.[2]
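The difference between the 1:1 verification decision and the 1-of-n identification decision described under "Biometric" above, as an added example that is not part of the original article. Iris codes of the kind mentioned in this article are compared by the fraction of bits on which two codes differ (the Hamming distance); the 256-byte code length follows the article, while the decision threshold, the enrolled templates and the simulated "fresh capture" (a template with 10% of its bits flipped) are constructed for illustration and stand in for real feature extraction.

```python
import random

CODE_BYTES = 256   # iris-code size used in the article
THRESHOLD = 0.32   # assumed: fractional Hamming distance below which two codes
                   # are treated as the same eye (unrelated codes sit near 0.5)


def hamming_fraction(a, b):
    """Fraction of differing bits between two equal-length codes."""
    if len(a) != len(b):
        raise ValueError("codes must be the same length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


def verify(probe, claimed_id, templates):
    """1:1 comparison, 'Am I who I claim to be?': compare the probe with the
    single template belonging to the claimed identity and answer yes/no."""
    template = templates.get(claimed_id)
    return template is not None and hamming_fraction(probe, template) < THRESHOLD


def identify(probe, templates):
    """1-of-n comparison, 'Who am I?': compare the probe with every enrolled
    template and return the closest identity, or None when nothing is close
    enough. This is verify() repeated over the whole database."""
    best_id, best_hd = None, 1.0
    for uid, template in templates.items():
        hd = hamming_fraction(probe, template)
        if hd < best_hd:
            best_id, best_hd = uid, hd
    return best_id if best_hd < THRESHOLD else None


def _random_code(rng):
    """Constructed stand-in for an extracted iris code."""
    return bytes(rng.getrandbits(8) for _ in range(CODE_BYTES))


def _noisy(code, rng, flip_fraction):
    """Simulate a fresh capture of the same eye by flipping a fraction of bits."""
    n_bits = 8 * len(code)
    out = bytearray(code)
    for bit in rng.sample(range(n_bits), int(flip_fraction * n_bits)):
        out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def demo():
    """Enrol five constructed users and run both decision types."""
    rng = random.Random(2024)
    templates = {"user%d" % i: _random_code(rng) for i in range(5)}
    genuine = _noisy(templates["user2"], rng, 0.10)   # user2 presenting again
    impostor = _random_code(rng)                       # someone never enrolled
    return {
        "verify_genuine": verify(genuine, "user2", templates),
        "verify_wrong_claim": verify(genuine, "user0", templates),
        "identify_genuine": identify(genuine, templates),
        "identify_impostor": identify(impostor, templates),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that identification is the more demanding function: the impostor's code must fall outside the threshold for every one of the n templates, so the false-accept rate grows with the size of the database, which is why systems that only need a yes/no answer should ask for a claimed identity and run the 1:1 check.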
Other forms of authentication
- Mutual authentication - The process by which each party in an electronic communication verifies the identity of the other. For instance, a bank clearly has an interest in positively identifying an account holder prior to allowing a transfer of funds; however, the bank customer also has a financial interest in knowing that he or she is communicating with the bank's server prior to providing any personal information.[2]
- Digital certificate - A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used to encrypt messages to the holder and to verify the holder's digital signatures), and the digital signature of the certificate-issuing authority, so that a recipient can verify that the certificate is genuine. Digital certificates on the Web conform to the X.509 standard. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.[8] Digital certificates are used in a variety of transactions including e-mail, electronic commerce, and the electronic transfer of funds. When combined with encryption and digital signatures, digital certificates provide individuals and organizations with a means of privately sharing information so that each party is confident that the individual or organization with which they are communicating is in fact who it claims to be.[2]
- Hand geometry authentication - Hand geometry techniques exploit hand shape characteristics, such as finger length and width. This leads to quite a small amount of data (about 9 bytes), thus restricting their application to simple authentication purposes only. Their behaviour with respect to the properties required of a biometric is also only moderate.[7]
- Iris code - The iris, the circular coloured membrane surrounding the pupil of the eye, is a unique structure consisting of specific characteristics such as striations, furrows, rings, crypts, filaments and corona. Iris patterns are characterised by very high distinctiveness; even twins have different ones. The probability that two individuals have the same iris pattern is about 10^-52. The probability that two distinct iris patterns result in the same iris code (about 256 bytes) used by a biometric system is negligible (about 10^-78), thus allowing almost perfect matching accuracy.[7]
- Kerberos authentication - A form of authentication that provides a mechanism for authenticating a client to a server, or a server to a server, through a trusted third party that issues time-limited tickets to the parties.[citation needed]
- CHAP authentication - The Challenge-Handshake Authentication Protocol is a mechanism used by an authenticator to authenticate a peer on a Point-to-Point Protocol (PPP) link: the authenticator sends a random challenge, and the peer replies with a one-way hash of the challenge combined with a secret shared between the two, so the secret itself never crosses the link.[2]
- Quantitative authentication - Quantitative authentication is an authentication approach in which someone requesting access is required to attain a certain "authentication level" before being granted access. Detailed discussions of quantitative authentication have been undertaken.[9]
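The CHAP exchange described above, with both sides of the protocol, as an added example that is not part of the original article. The response is computed exactly as RFC 1994 specifies for the MD5 algorithm, MD5(Identifier || secret || Challenge); the Authenticator and Peer classes, the peer name and the shared secret are constructed for illustration. The authenticator discards each challenge after one answer, which is what defeats replay of a captured response.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994, CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Constructed authenticator side. Holds the shared secrets in plaintext,
    which CHAP requires, and remembers which challenges are still unanswered."""

    def __init__(self, secrets):
        self.secrets = secrets        # peer name -> shared secret
        self.next_id = 0
        self.outstanding = {}         # identifier -> challenge value

    def challenge(self):
        """Send a Challenge packet: a one-byte Identifier and a fresh random value."""
        identifier = self.next_id & 0xFF
        self.next_id += 1
        value = os.urandom(16)        # unpredictable, never reused
        self.outstanding[identifier] = value
        return identifier, value

    def check(self, identifier, name, response):
        """Verify a Response packet. Each challenge may be answered only once."""
        value = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    """Constructed peer side: proves knowledge of the secret without sending it."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(authenticator, peer):
    """One complete Challenge/Response/Success-or-Failure round trip."""
    identifier, value = authenticator.challenge()
    name, response = peer.respond(identifier, value)
    return authenticator.check(identifier, name, response)


if __name__ == "__main__":
    auth = Authenticator({"alice": b"s3cret"})
    print(run_exchange(auth, Peer("alice", b"s3cret")))   # True
    print(run_exchange(auth, Peer("alice", b"wrong")))    # False
```

Two caveats a practitioner should keep in mind: the authenticator must store the secret itself rather than a hash of it, since the hash is computed over the plaintext secret, and MD5 offers no protection against an attacker who captures a challenge/response pair and guesses the secret offline, so CHAP secrets need to be long and random.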
References
[1] Higgs, Edward (2011). Identifying the English: A History of Personal Identification 1500 to the Present. Bloomsbury Publishing. pp. 2–3. ISBN 978-1-4411-3560-5.
[2] Campbell, Paul; Calvert, Ben; Boswell, Steven (2003). Security+ in Depth. Thomson/Course Technology. p. 17. ISBN 978-1-59200-064-7.
[3] Morrison, Rodger (2 October 2007). "Commentary: Multi-Factor Identification and Authentication". Information Systems Management. 24 (4): 331–332. doi:10.1080/10580530701586052. S2CID 32272683. ProQuest 214125680.
[4] Electronic Ecommerce. Thomson Course Technology, 2004. ISBN 978-1418837037.
[5] Rouse, Margaret (2006). "Authorization". TechTarget. http://searchsoftwarequality.techtarget.com/definition/authorization
[6] Trask, N. T.; Meyerstein, M. V. (1 July 1999). "Smart Cards in Electronic Commerce". BT Technology Journal. 17 (3): 57–66. doi:10.1023/A:1009624303146. S2CID 61144928.
[7] Zorkadis, V.; Donos, P. (February 2004). "On biometrics-based authentication and identification from a privacy-protection perspective: Deriving privacy-enhancing requirements". Information Management & Computer Security. 12 (1): 125–137. doi:10.1108/09685220410518883.
[8] Loshin, Peter (August 2018). "What is digital certificate?". SearchSecurity.
[9] Pearce, Michael; Zeadally, Sherali; Hunt, Ray (8 June 2010). "Assessing and improving authentication confidence management". Information Management & Computer Security. 18 (2): 124–139. doi:10.1108/09685221011048355.