What is authentication

User Authentication
1.1 What is authentication and what is it used for?
Authentication is a process used to establish the identity of a particular user trying to access data or information on a web server. Authenticating users is a common part of most web applications. It is an important security measure used to protect confidential data i.e, bank details. Without a means of verifying a potential user, data access may be grantedto an unauthorised user which can lead to serious consequences if used for malicious purposes.Authentication can be achieved through using authentication credentials along with a user ID and a password and is done through an authentication server this is explained more here:
“An authentication server is an application that facilitates authentication of an entity that attempts to access a network. Such an entity may be a human user or another server. An authentication server can reside in a dedicated computer, an Ethernet switch, an access point or a network access server. When a potential subscriber accesses an authentication server, a username and password may be the only identifying data required. In a more sophisticated system called Kerberos, the subscriber must request and receive an encrypted security token that can be used to access a particular service. RADIUS (Remote Authentication Dial-In User Service) is a commonly used authentication method. TACACS+ (Terminal Access Controller Access Control System Plus) is similar to RADIUS but is used with Unix networks. RADIUS employs UDP (User Datagram Protocol) and TACACS+ employs TCP (Transmission Control Protocol.Some specialized authentication servers employ smart cards or biometric verification in addition to one or more of the above mentioned technologies “ (Margaret Rouse July 2007) http://searchsecurity.techtarget.com/definition/authentication-server

1.2 Figure 1. Authentication process diagram:

This image was taking from the address below:

http://www.cisco.com/en/US/docs/telepresence/cts_admin/1_10/admin/guide/ctsadmin_cfg.html

1.3 What are Authentication credentials?
Authentication credentials are the mechanisms that an individual can use to provide the identity needed to access an application or a system. Mostly these credentials fall into three basic factors:
1. Something the user knows; a secret pin number, password or a security question that only the user knows the answer to
2. Something the user has; a smart card, atm card, or a password token.
3. Something the user is; finger print, hand print,voice print or a face scan thereare many different types of authentication but they all are used for the same purpose.

The factors of authentication are explained below:

1.4 Single factor authentication (SFA)
To log onto a computer or network a user must provide an account name and the users chosen password, (aka) single factor authentication,which is the use of the first factors from above (something the user knows)this information is then checked against a database which contains all its authorized users account names and passwords onlythen, if verified will the user gain access to the resource.Password authentication unfortunately is the most unreliable form of authentication, as most users will use a password that is easy for them to remember for example a relative’s name, a date of birthor a pet name which makes it extremely easy for a hacker to crack. There are many types of password hacking tools available on the Internet and the most common types are brute-force attack and dictionary guessing tools. If these tools fail to crack the password a password sniffing tool will be applied to collect all information that is not encrypted coming to and from the network.Password sniffing is explained more here;

1.5 What is a password sniffer?
“A password sniffer is a software application that scans and records passwords that are used or broadcasted on a computer or network interface. It listensto all incoming and outgoingnetwork traffic and records any instance of a data packet that contains a password.A password sniffer installs on a host machine and scans all incoming and outgoing network traffic. A password sniffer may be applied to most network protocols, including HTTP, Internet Message Access Protocol (IMAP), file transfer protocol (FTP), POP3, Telnet (TN) and related protocols that carry passwords in some format. In addition, a password sniffer that is installed on a gateway or proxy server can listen and retrieve all passwords that flow within a network. A password sniffer is primarily used as a network security tool for storing and restoring passwords. However, hackers and crackers use such utilities to sniff out passwords for illegal and malicious purposes”. (Cory Janssen) http://www.techopedia.com/definition/8798/password-sniffer To ensure the security of single factor authentication users have to have a strong password, in order to do this the password is advised to be at least 8 to 15 characters long and contain upper, lower case numbers, numeric characters or symbols. As it is so easy for hackers to crack password codes it is advised to use a more safe form of authentication.
1.6 Two factor authentication (2FA)

Stronger security can be implemented with the use of two factor authentication; this authentication is more suited where a high level of security assurance is needed such as online banking services. Two factor authentication, also known as two step authentication it is a process that requires two steps or credentials to gain access to the resource, which is two of the above three factors of authentication (something the user has and something the user knows) which is generally some type of a security token and a security pin or a password. ATM cards are a form of two factor authentication as it requires something the user has, which is the bank card and something the user knows which is the secret pin, some online web sites have now also started to use this form of authentication. Google is one example of this, the process requires the user to enter their account name and password then the website will send the user a security code to the users mobile phone by text when received the user will enter the received security code to the website and if correct the user will gain access to the account. This type of authentication will be time consuming for users, but the security effect will be a lot tighter as not only will the hacker need to crack the users password but would also need access to the users mobile phone in order retain the security code from the website.
1.7 Figure 2. Two factor authentication diagram:

This image was taking from the address below: http://techpp.com/2010/09/20/two-factor-authentication-coming-to-google-apps/ 1.8 Three factor authentication (TFA)
Three factor authentication is achieved by combining three credentials of the above three factors; something the user knows (password or a pin) something the user has (smart card or password token) and something the user is (biometric verification) this type of authentication is costly and used for the protection of very important data. Three factor authentication is very effective as a hacker would need to discover
1. The users password
2. The users smart card or security token
3. Replicate the users fingerprint, eye print etc.
To gain access to the account ,this would be a very hard task to complete and take a lot of time, as the user could not lose DNA where as a password could easily be forgotten or hacked and a smart card or token could easily be lost or stolen.

1.9 Figure 3. Biometric enrolment and authentication process diagram:

This image was taking from the address below: http://flylib.com/books/en/3.211.1.173/1/