Authentication and authorization work together to prevent a multitude of application security attacks. While the basic concepts behind these two methods may be simple, the technology is not. There is a vast array of authentication and authorization techniques available. The articles, tips, definitions and expert advice in this learning guide will help you sort them out.
|TABLE OF CONTENTS
Two-Factor & Multifactor Authentication
Digital Certificates & PKI
- Definition: Authentication
- Guide: OWASP guide to building secure Web applications and Web services, Chapter 9: Authentication
Secure authentication methods for Web applications are discussed in this chapter of the OWASP Guide to Building Secure Web Applications and Web Services. Java and .NET are both covered. SAML, biometrics, SSL, forms-based authentication and other methods are included.
- Article: Stronger authentication needed for Web applications
In today's world of sophisticated attacks, Web application developers and security experts need to consider strengthening their authentication processes.
- Expert advice: How to create a secure login page using ASP.NET
A secure ASP.NET login page is easier to create than one might assume. Expert Dan Cornell explains how to use authentication and authorization to ensure your login page is safe.
- Article: Authenticate use of Web applications via user profiles
One technique you can use to authenticate users to the HTTP server is to request and validate an OS/400 user profile and password. In most cases, however, you'll want to use this method only if the Web application user population is limited to people in your company who already have OS/400 user profiles.
- Tip: How to avoid authentication bypass attacks
Strong authentication methods may not fully protect your applications. George Wrenn offers some tips for avoiding authentication bypass attacks.
The authentication process used to consist of a username and password. Naturally, authentication technology has evolved with time. Now there are dozens of authentication methods, many of which overlap. Below are a few of the most common techniques.
- Definition: password
- Definition: graphical password
- Definition: password cracker
- Definition: brute force cracking
- Article: 5 Tips for Top-Notch Password Security
Some quick tips from Microsoft's Small-Business Center on how to make the most secure passwords you can.
- Article: The simplest security: A guide to better password practices
Passwords are the foundation of authentication, which is often the first line of security. This article will provide a brief overview of how to create and maintain strong, effective passwords.
|Two-Factor & Multifactor Authentication|
- Definition: two-factor authentication
- Definition: security token
- Definition: key fob
- Tip: Two-factor authentication and compliance: What it is and isn't
The Federal Financial Institutions Examination Council has mandated that federal institutions deploy two-factor authentication for online banking. But what constitutes two-factor authentication is open to interpretation.
- Article: Moving towards two-factor authentication
Recent years have seen a rise of commercial hacking. One way to prevent such breaches is with two-factor authentication.
- Expert advice: How two-factor authentication and layered authentication differ
Learn how two-factor authentication and layered authentication differ and whether there a difference in the deployment and implementation of these two systems.
- Article: Phishers rip into two-factor authentication
Banks have been urged to adopt two-factor authentication as a means to combat the growing problem of online account fraud, but phishers are finding ways around it.
- Article: Two-factor authentication could stem rising tide of identity theft
Two-factor authentication may well be the key to stemming the onslaught of identity theft now plaguing businesses and consumers—if you can talk customers into using it, that is.
- Book excerpt: Multifactor authentication
Authentication means proving that a user is who he claims to be -- and then making sure he accesses only what he's allowed to. Mandy Andress discusses the types of authentication available to your organization and tells where they work best.
- Article: Authentication in an Internet banking environment (PDF)
Produced by the Federal Financial Institutions Examinations Council, this report offers guidance for evaluating and implementing authentication systems.
- Definition: biometric verification
- Definition: electro-optical fingerprint recognition
- Definition: voiceprint
- Tip: Biometrics replacing passwords: Does authentication get better or worse?
Biometric authentication eliminates some of the problems we see with password authentication, but it also raises questions.
- Article: Facing biometrics' limits
It may be championed as the highest level of security, but biometrics isn't ready for wide deployment as a consumer application, according to this report.
- Research group: International Biometric Group
IBG research evaluates commercial biometric technologies such as novel iris recognition algorithms, new-to-market vascular recognition systems, and advanced neural-net multimodal algorithms.
- Article: Researcher: Biometrics unproven, hard to test
Just how accurate are the face identification systems being rolled out around the country? It turns out testing them is harder than it looks.
- Article: Building biometric authentication for J2EE, Web and enterprise applications
This article describes the process of enabling biometric authentication for J2EE platform and Web-based enterprise applications by integrating Sun Java System Access Manager and BiObex biometric authentication solution.
- Article: Biometrics comes to life
Fingers, hands, eyes, face, voice -- all are in use and could relegate PIN-based security to history.
- Definition: single sign-on
- White paper: Simplify your life – eliminate passwords
Learn more about implementing IBM's recommended password elimination Single Sign-On architecture and simplify the task of mapping user accounts across multiple systems and servers for all the people in an organization.
- White paper: Selecting an enterprise single sign-on solution
In this white paper you'll learn about eight key factors for evaluating an enterprise single sign-on (ESSO)solution for your company, improved password management practices with ESSO, and integration options for ESSO and two-factor authentication.
- Webcast: Strong authentication and enterprise single sign-on go hand in hand
In recent years, enterprise single sign-on (ESSO) has emerged as an easy, smart, and affordable way for organizations of all types and sizes to strengthen IT security while supporting user productivity. Listen in to hear the findings of Jonathan Penn, principal analyst at Forrester Research. He'll discuss strong authentication options and real world experience of customers successfully implementing a combined enterprise single sign-on with strong authentication solution to further strengthen IT security.
- Definition: smart card
- Article: Smart cards: A primer
This article brings smart cards to life with a real-world example. The techniques presented here will allow you to start building Java applications that are smart-card enabled.
- Web site: Federal smart card Web site
This site helps educate the smart card community on smart card policy, standards and interoperability.
- Web site: Card technology: The smart card news source
Get news about smart cards and such related payment and identification technologies as biometrics, PKI, mobile commerce, physical access control and computer network security.
- Guide: The secure access using smart cards planning guide
Smart cards provide particularly effective security control in two scenarios: to secure administrator accounts and to secure remote access. This guide concentrates on these two scenarios as the priority areas in which to implement smart cards.
|Digital Certificates and PKI|
- Definition: digital certificate
- Definition: certificate authority
- Definition: public key infrastructure (PKI)
- Tutorial: Introduction to digital certificates and PKI
This document introduces Digital Certificates and answers questions you might have about how Digital Certificates are used.
- Overview: Security overview: Digital certificates
Apple developers get an overview of digital certificates, including what they are, how they're created and how they work.
Once a user has been authenticated, authorization dictates what that user is allowed to access. While authorization is often overshadowed by authentication, its importance should not be underestimated. An authenticated user can inflict terrible damage while armed with improper access privileges.
- Definition: privilege
- Definition: access control list
- Definition: Role-based access control (RBAC)
- Guide: OWASP guide to building secure Web applications and Web services, Chapter 10: Authorization
OWASP provides advice on how to ensure only authorized users can perform allowed actions within their privilege level, how to control access to protected resources and how to prevent privilege escalation attacks.
- Article: Secure coding guide: elevating privileges safely
Running code with root or administrative privileges can intensify the dangers posed by security vulnerabilities. This article explains why that is so, suggests techniques you can use to avoid elevating privileges, and describes the safest techniques for elevating privileges when it can't be avoided.
- Article: Using sessions for user authorization
If you're using PHP, here's a look at how you can use sessions to authorize users.
- Article: 5 authorization privileges, roles, profiles and resource limitations
This chapter introduces the basic concepts and mechanisms for placing or removing limitations on users, individually or in groups.
- Article: ASP.NET authorization
- Article: Implementing principle of least privilege
Authorization determines whether an identity should be granted access to a specific resource. In ASP.NET, there are two ways to authorize access to a given resource. Find out what they are in this article.
- Definition: Security Assertion Markup Language
- Tip: What's new with SAML?
In this tip, Ed Tittel discusses the assertions and protocols of SAML 1.1.
- Article: Debunking SAML myths and misunderstandings
Misconceptions about SAML still exist, so this article aims to detail and debunk many of the myths and misunderstandings surrounding SAML.
- Article: Demystifying SAML
As more and more systems are linked through Web services, portals and integrated applications, the need for a standard that allows security information to be shared and exchanged becomes more and more apparent. Learn how SAML fulfills that need.
- Article: SAML 2: The building blocks of federated identity
This article provides an overview of SAML 2.0, highlighting why this version is so important to federated identity.
Send in your suggestions
Are there other topics you'd like to see learning guides on? Send assistant editor Jennette Mullaney an e-mail at firstname.lastname@example.org and let her know what they are.