As security professionals, one of the most important things that we do is ensure that only authorised individuals gain access to the information, systems, and networks under our protection. The access control process consists of three steps:
- Identification: this is a claim of who the person is. In an electronic system this is when you enter your username.
- Authentication: this is proof of the identification claim. This is when you are asked to enter your password.
- Authorisation: this is the stage that checks if you have access to a system and which parts you have access to. This is often the Access Control List that sets permissions on files or resources.
EXAM TIP: remember the difference in these stages
2. Usernames and Access Cards
Two of the most common identification methods are:
- Usernames:
– usually identifies the individual
– often consists of a first initial and last name
– should not be considered secret (they are for identification, not authentication)
- Access cards:
– often serve as a proof of employment
– may perform both identification and authentication (e.g. you swipe your card to access a restricted area)
– some systems use a magnetic stripe. These aren’t very secure as people can copy them
– Smart cards contain a chip that works with the card reader to prove the authenticity of the card
Biometrics provide a means of identifying someone, based upon one or more physical characteristics of that person. They often serve as both identification and authentication mechanisms and fall into a category of authentication factors known as “Something You Are”. Good biometric authentication techniques balance the difficulty of use with the degree of security that they provide.
Effective systems provide:
- Easy enrollment: the initial setup of a user may require administrator assistance, but it is accomplished fairly quickly and with a minimum of fuss. The user completes a self-enrollment process when they set up their account, and the fingerprint serves as both an identification and authentication tool
- Low false acceptance rates: They don’t admit unauthorised people inadvertently
- Low false rejection rates: they don’t turn away people who should be admitted
- Low intrusiveness: fingerprint readers pass the “Creepiness” test with users. People tend to not like the retina scanners as much
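The two error rates above pull against each other: a threshold-based matcher admits a sample when its similarity score is high enough, and raising that threshold lowers false acceptances while raising false rejections. The following added example (not from the original notes) computes both rates over constructed match scores from a hypothetical fingerprint matcher and finds the threshold where they balance.

```python
"""False acceptance vs false rejection for a threshold-based biometric matcher.

Constructed example. Scores are assumed to lie in [0, 1]; higher means the
sample resembles the enrolled template more closely. A sample is admitted
when score >= threshold.
"""
from typing import Iterable, List, Sequence, Tuple

# Constructed sample data (hypothetical matcher output, not real measurements):
# "genuine" = the enrolled user's own attempts against their template,
# "impostor" = other people's fingers compared against that same template.
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.84, 0.80, 0.77, 0.72, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.70, 0.62, 0.58, 0.51, 0.47, 0.42, 0.38, 0.33, 0.29, 0.21]


def false_acceptance_rate(impostor: Iterable[float], threshold: float) -> float:
    """Fraction of impostor attempts wrongly admitted (score >= threshold)."""
    scores = list(impostor)
    return sum(1 for s in scores if s >= threshold) / len(scores)


def false_rejection_rate(genuine: Iterable[float], threshold: float) -> float:
    """Fraction of genuine attempts wrongly turned away (score < threshold)."""
    scores = list(genuine)
    return sum(1 for s in scores if s < threshold) / len(scores)


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for each candidate threshold, in the order given."""
    return [(t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
            for t in thresholds]


def crossover_threshold(genuine: Sequence[float], impostor: Sequence[float],
                        thresholds: Sequence[float]) -> float:
    """Candidate threshold at which FAR and FRR are closest to equal.

    This is the operating point a deployment would tune away from: stricter
    for high-security doors (accept more rejections), looser for convenience.
    """
    return min(thresholds,
               key=lambda t: abs(false_acceptance_rate(impostor, t)
                                 - false_rejection_rate(genuine, t)))


if __name__ == "__main__":
    for t, far, frr in error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.6, 0.7, 0.8]):
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("crossover:", crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.6, 0.7, 0.8]))
```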
Fingerprint readers are commonly found on laptops, smartphones, tablets, door readers, etc.
Eye scans examine either the colour patterns of the iris or the blood vessel patterns in the retina. Many users dislike eye scans because they feel intrusive, so they are not commonly used outside of high-security physical buildings.
Voiceprint identification asks users to repeat a phrase and compares their voice to a stored sample. Voiceprint identification is subject to replay attacks, where an attacker records the user’s voice, so it is not commonly used unless combined with other authentication tools.
Facial recognition technology scans a user’s face and compares it to a stored image. Many users consider this technology pretty creepy. In the past, facial recognition technology had a high false rejection rate, but the technology has improved over the years and is becoming more common.