Authentication & authorization: Secure ID and user privileges

TABLE OF CONTENTS    Authentication Basics    Passwords    Two-Factor & Multifactor Authentication    Biometrics    Single Sign-On    Smart cards    Digital Certificates & PKI    Authorization    SAML

Authentication Basics

[Return to Table of Contents]

• Definition: Authentication
• Guide: OWASP guide to building secure Web applications and Web services, Chapter 9: Authentication
  Secure authentication methods for Web applications are discussed in this chapter of the OWASP Guide to Building Secure Web Applications and Web Services. Java and .NET are both covered. SAML, biometrics, SSL, forms-based authentication and other methods are included.
• Article: Stronger authentication needed for Web applications
  In today's world of sophisticated attacks, Web application developers and security experts need to consider strengthening their authentication processes.
• Expert advice: How to create a secure login page using ASP.NET
  A secure ASP.NET login page is easier to create than one might assume. Expert Dan Cornell explains how to use authentication and authorization to ensure your login page is safe.
• Article: Authenticate use of Web applications via user profiles
  One technique you can use to authenticate users to the HTTP server is to request and validate an OS/400 user profile and password. In most cases, however, you'll want to use this method only if the Web application user population is limited to people in your company who already have OS/400 user profiles.
• Tip: How to avoid authentication bypass attacks
  Strong authentication methods may not fully protect your applications. George Wrenn offers some tips for avoiding authentication bypass attacks.

The authentication process used to consist of a username and password. Naturally, authentication technology has evolved with time. Now there are dozens of authentication methods, many of which overlap. Below are a few of the most common techniques.

Passwords

[Return to Table of Contents]

• Definition: password

• Definition: graphical password

• Definition: password cracker
• Definition: brute force cracking
• Article: 5 Tips for Top-Notch Password Security
  Some quick tips from Microsoft's Small-Business Center on how to make the most secure passwords you can.
• Article: The simplest security: A guide to better password practices
  Passwords are the foundation of authentication, which is often the first line of security. This article will provide a brief overview of how to create and maintain strong, effective passwords.

Two-Factor & Multifactor Authentication

[Return to Table of Contents]

• Definition: two-factor authentication
• Definition: security token

• Definition: key fob
• Tip: Two-factor authentication and compliance: What it is and isn't
  The Federal Financial Institutions Examination Council has mandated that federal institutions deploy two-factor authentication for online banking. But what constitutes two-factor authentication is open to interpretation.

• Article: Moving towards two-factor authentication
  Recent years have seen a rise of commercial hacking. One way to prevent such breaches is with two-factor authentication.
• Expert advice: How two-factor authentication and layered authentication differ
  Learn how two-factor authentication and layered authentication differ and whether there a difference in the deployment and implementation of these two systems.
• Article: Phishers rip into two-factor authentication
  Banks have been urged to adopt two-factor authentication as a means to combat the growing problem of online account fraud, but phishers are finding ways around it.
• Article: Two-factor authentication could stem rising tide of identity theft
  Two-factor authentication may well be the key to stemming the onslaught of identity theft now plaguing businesses and consumers—if you can talk customers into using it, that is.
• Book excerpt: Multifactor authentication
  Authentication means proving that a user is who he claims to be -- and then making sure he accesses only what he's allowed to. Mandy Andress discusses the types of authentication available to your organization and tells where they work best.
• Article: Authentication in an Internet banking environment (PDF)
  Produced by the Federal Financial Institutions Examinations Council, this report offers guidance for evaluating and implementing authentication systems.

Biometrics

[Return to Table of Contents]

• Definition: biometric verification
• Definition: electro-optical fingerprint recognition
• Definition: voiceprint
• Tip: Biometrics replacing passwords: Does authentication get better or worse?
  Biometric authentication eliminates some of the problems we see with password authentication, but it also raises questions.
• Article: Facing biometrics' limits
  It may be championed as the highest level of security, but biometrics isn't ready for wide deployment as a consumer application, according to this report.
• Research group: International Biometric Group
  IBG research evaluates commercial biometric technologies such as novel iris recognition algorithms, new-to-market vascular recognition systems, and advanced neural-net multimodal algorithms.
• Article: Researcher: Biometrics unproven, hard to test
  Just how accurate are the face identification systems being rolled out around the country? It turns out testing them is harder than it looks.
• Article: Building biometric authentication for J2EE, Web and enterprise applications
  This article describes the process of enabling biometric authentication for J2EE platform and Web-based enterprise applications by integrating Sun Java System Access Manager and BiObex biometric authentication solution.
• Article: Biometrics comes to life
  Fingers, hands, eyes, face, voice -- all are in use and could relegate PIN-based security to history.

Single Sign-On

[Return to Table of Contents]

• Definition: single sign-on
• White paper: Simplify your life – eliminate passwords
  Learn more about implementing IBM's recommended password elimination Single Sign-On architecture and simplify the task of mapping user accounts across multiple systems and servers for all the people in an organization.
• White paper: Selecting an enterprise single sign-on solution
  In this white paper you'll learn about eight key factors for evaluating an enterprise single sign-on (ESSO)solution for your company, improved password management practices with ESSO, and integration options for ESSO and two-factor authentication.
• Webcast: Strong authentication and enterprise single sign-on go hand in hand
  In recent years, enterprise single sign-on (ESSO) has emerged as an easy, smart, and affordable way for organizations of all types and sizes to strengthen IT security while supporting user productivity. Listen in to hear the findings of Jonathan Penn, principal analyst at Forrester Research. He'll discuss strong authentication options and real world experience of customers successfully implementing a combined enterprise single sign-on with strong authentication solution to further strengthen IT security.

Smart Cards

[Return to Table of Contents]

• Definition: smart card
• Article: Smart cards: A primer
  This article brings smart cards to life with a real-world example. The techniques presented here will allow you to start building Java applications that are smart-card enabled.
• Web site: Federal smart card Web site
  This site helps educate the smart card community on smart card policy, standards and interoperability.
• Web site: Card technology: The smart card news source
  Get news about smart cards and such related payment and identification technologies as biometrics, PKI, mobile commerce, physical access control and computer network security.
• Guide: The secure access using smart cards planning guide
  Smart cards provide particularly effective security control in two scenarios: to secure administrator accounts and to secure remote access. This guide concentrates on these two scenarios as the priority areas in which to implement smart cards.

Digital Certificates and PKI

[Return to Table of Contents]

• Definition: digital certificate
• Definition: certificate authority
• Definition: public key infrastructure (PKI)
• Tutorial: Introduction to digital certificates and PKI
  This document introduces Digital Certificates and answers questions you might have about how Digital Certificates are used.
• Overview: Security overview: Digital certificates
  Apple developers get an overview of digital certificates, including what they are, how they're created and how they work.

Authorization

[Return to Table of Contents]

Once a user has been authenticated, authorization dictates what that user is allowed to access. While authorization is often overshadowed by authentication, its importance should not be underestimated. An authenticated user can inflict terrible damage while armed with improper access privileges.

• Definition: privilege
• Definition: access control list
• Definition: Role-based access control (RBAC)
• Guide: OWASP guide to building secure Web applications and Web services, Chapter 10: Authorization
  OWASP provides advice on how to ensure only authorized users can perform allowed actions within their privilege level, how to control access to protected resources and how to prevent privilege escalation attacks.
• Article: Secure coding guide: elevating privileges safely
  Running code with root or administrative privileges can intensify the dangers posed by security vulnerabilities. This article explains why that is so, suggests techniques you can use to avoid elevating privileges, and describes the safest techniques for elevating privileges when it can't be avoided.
• Article: Using sessions for user authorization
  If you're using PHP, here's a look at how you can use sessions to authorize users.
• Article: 5 authorization privileges, roles, profiles and resource limitations
  This chapter introduces the basic concepts and mechanisms for placing or removing limitations on users, individually or in groups.
• Article: ASP.NET authorization
• Article: Implementing principle of least privilege
  Authorization determines whether an identity should be granted access to a specific resource. In ASP.NET, there are two ways to authorize access to a given resource. Find out what they are in this article.

SAML

[Return to Table of Contents]

• Definition: Security Assertion Markup Language
• Tip: What's new with SAML?
  In this tip, Ed Tittel discusses the assertions and protocols of SAML 1.1.
• Article: Debunking SAML myths and misunderstandings
  Misconceptions about SAML still exist, so this article aims to detail and debunk many of the myths and misunderstandings surrounding SAML.
• Article: Demystifying SAML
  As more and more systems are linked through Web services, portals and integrated applications, the need for a standard that allows security information to be shared and exchanged becomes more and more apparent. Learn how SAML fulfills that need.
• Article: SAML 2: The building blocks of federated identity
  This article provides an overview of SAML 2.0, highlighting why this version is so important to federated identity.

Send in your suggestions
Are there other topics you'd like to see learning guides on? Send assistant editor Jennette Mullaney an e-mail at jmullaney@techtarget.com and let her know what they are.