
Authentication & authorization: Secure ID and user privileges

Authentication and authorization work together to prevent a multitude of application security attacks. While the basic concepts behind these two methods may be simple, the technology is not. There is a vast array of authentication and authorization techniques available. The articles, tips, definitions and expert advice in this learning guide will help you sort them out.


TABLE OF CONTENTS
   Authentication Basics
   Passwords
   Two-Factor & Multifactor Authentication
   Biometrics
   Single Sign-On
   Smart cards
   Digital Certificates & PKI
   Authorization
   SAML
 

 

  Authentication Basics  

  • Definition: Authentication

  • Guide: OWASP guide to building secure Web applications and Web services, Chapter 9: Authentication
    Secure authentication methods for Web applications are discussed in this chapter of the OWASP Guide to Building Secure Web Applications and Web Services. Java and .NET are both covered. SAML, biometrics, SSL, forms-based authentication and other methods are included.

  • Article: Stronger authentication needed for Web applications
    In today's world of sophisticated attacks, Web application developers and security experts need to consider strengthening their authentication processes.

  • Expert advice: How to create a secure login page using ASP.NET
    A secure ASP.NET login page is easier to create than one might assume. Expert Dan Cornell explains how to use authentication and authorization to ensure your login page is safe.

  • Article: Authenticate use of Web applications via user profiles
    One technique you can use to authenticate users to the HTTP server is to request and validate an OS/400 user profile and password. In most cases, however, you'll want to use this method only if the Web application user population is limited to people in your company who already have OS/400 user profiles.

  • Tip: How to avoid authentication bypass attacks
    Strong authentication methods may not fully protect your applications. George Wrenn offers some tips for avoiding authentication bypass attacks.

The authentication process used to consist of a username and password. Naturally, authentication technology has evolved with time. Now there are dozens of authentication methods, many of which overlap. Below are a few of the most common techniques.

 

  Passwords  

 

  Two-Factor & Multifactor Authentication  

 

  Biometrics  

  • Definition: biometric verification

  • Definition: electro-optical fingerprint recognition

  • Definition: voiceprint

  • Tip: Biometrics replacing passwords: Does authentication get better or worse?
    Biometric authentication eliminates some of the problems we see with password authentication, but it also raises questions.

  • Article: Facing biometrics' limits
    It may be championed as the highest level of security, but biometrics isn't ready for wide deployment as a consumer application, according to this report.

  • Research group: International Biometric Group
    IBG research evaluates commercial biometric technologies such as novel iris recognition algorithms, new-to-market vascular recognition systems, and advanced neural-net multimodal algorithms.

  • Article: Researcher: Biometrics unproven, hard to test
    Just how accurate are the face identification systems being rolled out around the country? It turns out testing them is harder than it looks.

  • Article: Building biometric authentication for J2EE, Web and enterprise applications
    This article describes the process of enabling biometric authentication for J2EE platform and Web-based enterprise applications by integrating Sun Java System Access Manager and BiObex biometric authentication solution.

  • Article: Biometrics comes to life
    Fingers, hands, eyes, face, voice -- all are in use and could relegate PIN-based security to history.

 

  Single Sign-On  

  • Definition: single sign-on

  • White paper: Simplify your life – eliminate passwords
    Learn more about implementing IBM's recommended password elimination Single Sign-On architecture and simplify the task of mapping user accounts across multiple systems and servers for all the people in an organization.

  • White paper: Selecting an enterprise single sign-on solution
    In this white paper you'll learn about eight key factors for evaluating an enterprise single sign-on (ESSO) solution for your company, improved password management practices with ESSO, and integration options for ESSO and two-factor authentication.

  • Webcast: Strong authentication and enterprise single sign-on go hand in hand
    In recent years, enterprise single sign-on (ESSO) has emerged as an easy, smart, and affordable way for organizations of all types and sizes to strengthen IT security while supporting user productivity. Listen in to hear the findings of Jonathan Penn, principal analyst at Forrester Research. He'll discuss strong authentication options and real world experience of customers successfully implementing a combined enterprise single sign-on with strong authentication solution to further strengthen IT security.

 

  Smart Cards  

  • Definition: smart card

  • Article: Smart cards: A primer
    This article brings smart cards to life with a real-world example. The techniques presented here will allow you to start building Java applications that are smart-card enabled.

  • Web site: Federal smart card Web site
    This site helps educate the smart card community on smart card policy, standards and interoperability.

  • Web site: Card technology: The smart card news source
    Get news about smart cards and such related payment and identification technologies as biometrics, PKI, mobile commerce, physical access control and computer network security.

  • Guide: The secure access using smart cards planning guide
    Smart cards provide particularly effective security control in two scenarios: to secure administrator accounts and to secure remote access. This guide concentrates on these two scenarios as the priority areas in which to implement smart cards.

 

  Digital Certificates and PKI  

 

  Authorization  

Once a user has been authenticated, authorization dictates what that user is allowed to access. While authorization is often overshadowed by authentication, its importance should not be underestimated. An authenticated user can inflict terrible damage while armed with improper access privileges.

  • Definition: privilege

  • Definition: access control list

  • Definition: Role-based access control (RBAC)

  • Guide: OWASP Guide to Building Secure Web Applications and Web Services, Chapter 10: Authorization
    OWASP provides advice on how to ensure only authorized users can perform allowed actions within their privilege level, how to control access to protected resources and how to prevent privilege escalation attacks.

  • Article: Secure coding guide: elevating privileges safely
    Running code with root or administrative privileges can intensify the dangers posed by security vulnerabilities. This article explains why that is so, suggests techniques you can use to avoid elevating privileges, and describes the safest techniques for elevating privileges when it can't be avoided.

  • Article: Using sessions for user authorization
    If you're using PHP, here's a look at how you can use sessions to authorize users.

  • Article: 5 authorization privileges, roles, profiles and resource limitations
    This chapter introduces the basic concepts and mechanisms for placing or removing limitations on users, individually or in groups.

  • Article: ASP.NET authorization
    Authorization determines whether an identity should be granted access to a specific resource. In ASP.NET, there are two ways to authorize access to a given resource. Find out what they are in this article.

  • Article: Implementing principle of least privilege

 

  SAML  

  • Definition: Security Assertion Markup Language

  • Tip: What's new with SAML?
    In this tip, Ed Tittel discusses the assertions and protocols of SAML 1.1.

  • Article: Debunking SAML myths and misunderstandings
    Misconceptions about SAML still exist, so this article aims to detail and debunk many of the myths and misunderstandings surrounding SAML.

  • Article: Demystifying SAML
    As more and more systems are linked through Web services, portals and integrated applications, the need for a standard that allows security information to be shared and exchanged becomes more and more apparent. Learn how SAML fulfills that need.

  • Article: SAML 2: The building blocks of federated identity
    This article provides an overview of SAML 2.0, highlighting why this version is so important to federated identity.


Send in your suggestions
Are there other topics you'd like to see learning guides on? Send assistant editor Jennette Mullaney an e-mail at jmullaney@techtarget.com and let her know what they are.