information security 2nd chapter

Uploaded by abishekrana657

Chapter 2: User Authentication

User authentication confirms the identity of an individual by verifying the provided
information against stored data.
Generally, users use a password provided by the system administrator to access the
system.
Once a user is authenticated, the system authorizes the user to access system resources
for the requested operation or function.
Key principles involved:
Confidentiality: only the intended recipient should have access to sensitive
information.
Integrity: ensures data cannot be tampered with or altered without the user detecting it.
Availability: the authentication service must be accessible whenever needed. Downtime
or failure can disrupt access to system data.
Non-repudiation (the user cannot deny the truth): a user cannot deny their actions.
E.g. if a user logged into a system, the record proves that it was really that user who
logged in.
Identification and authentication security requirements
To ensure secure identification and authentication, the following security measures should
be implemented.
1. Strong Authentication: Emphasise the use of multi-factor authentication to enhance the
security of access to systems, applications or data.
2. Access control: Limit access to the system or data to authorized persons. Also apply
least privilege, granting only the minimum access necessary for them to perform their
task.
3. Password management: Apply strong password policies covering length, complexity
and periodic change.
4. Session management: Automatically expire a user's session after a certain period of
inactivity.
5. Account lockout: Temporarily lock an account after a number of failed logins.
6. Biometric data protection: Ensure that biometric data is securely stored and
transmitted. Use encryption and secure storage methods to protect this sensitive
information.
7. Auditing and Logging: Maintain logs of activities to monitor for unauthorized access
and potential security incidents.
Means (Factors) of authentication
Authentication is the process of verifying the user's credentials. Authentication can
be done by various means. These means are categorized as follows:
1. Knowledge-based authentication (Something you know): This type of
authentication depends on information that only the user should know, i.e.
a. Password >> a string of characters used to verify the identity of the user. Strong
passwords are crucial for security.
b. PIN >> typically shorter and used in conjunction with another factor.
c. Security questions >> pre-defined questions that the user answers during the
registration process and must answer correctly during authentication.
2. Possession-based authentication (Something you have): This type involves
physical objects or devices that the user has.
a. Smart card >> a physical card containing a chip used to authenticate the user.
b. Hardware token >> a device that generates one-time passwords or holds a key for
authentication.
c. Mobile device >> receives an OTP via SMS or email, or runs an authenticator app like
Google Authenticator.
3. Inherence-based authentication (Something you are): This method uses
biometric data that is unique to the individual.
a. Fingerprint scanning >> unique fingerprint pattern for authentication
b. Facial recognition >> facial features to verify identity
c. Voice recognition >> analyzes voice patterns for authentication
d. Retina scanning >> uses the unique patterns in the retina of the eye
4. Location-based authentication (Somewhere you are): This type of
authentication uses the geographical location of the user; access to certain
resources may be granted or denied based on it.
a. IP address >> checks the user's IP address to verify their location.
b. GPS location >> uses GPS data from the user's device to determine their
location.
Password Based Authentication
It is the most common method of verifying a user's identity. A secret key (the
password) is provided to the user to gain access to a system.
When the user attempts to log in using the password, the entered password is matched
against the password stored in the database. Authentication is granted when both
match.
Password based authentication typically works as follows:
1. User input: The user enters their username along with the password.
2. Credential verification: The system compares the provided password with
the stored password associated with that username in its database.
3. Access granting: If the provided password matches the stored one, the
user is granted access to the system or application. Otherwise, access is
denied.
Password vulnerabilities
Password-based authentication is simple to implement and widely understood by users.
However, it has several vulnerabilities.
1. Password guessing: Attackers can attempt to guess passwords. Weak or commonly
used passwords are particularly vulnerable to this type of attack.
2. Brute force attack: Attackers can attempt to guess passwords using automated tools,
trying every possible combination of characters until the correct password is discovered.
3. Password theft: Passwords can be stolen through various means, such as phishing
attacks, malware infections or data breaches.
4. Password reuse: Users often reuse passwords across multiple accounts, which
increases the risk of compromise. If one account is breached, attackers can use the same
password to access other accounts belonging to the same user.
5. Keylogging: Malicious software installed on a user's device can record keystrokes,
including passwords. This information is then sent to the attackers.
6. Dictionary attack: Attackers use lists of commonly used passwords to identify weak
passwords. Users who choose easily guessable passwords, such as dictionary words or
common phrases, are vulnerable.
Strategies to prevent password vulnerabilities
1. Enforce strong password policies >> complexity requirements, length
requirements, prohibiting common passwords, password expiration etc.
2. Use multi-factor authentication (MFA) >> additional verification is required, such
as an OTP or biometric verification like a fingerprint.
3. Store passwords securely >> Do not store passwords in plain text; use a hash
algorithm to store the password data.
4. Limit failed attempts >> Limit the number of login attempts from a single IP address
within a specific time frame, and do not allow many repeated logins in that window even
if the user eventually enters the correct credentials.
5. Educate users >> phishing awareness, password creation, complex password
policies, computer-generated passwords.
6. Monitor and log activity >> Use automated tools to detect unusual login
patterns or behaviours, such as logins from an unfamiliar location or device.
Maintain a log of all activities.
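As an added example (not code from the notes), the following Python puts points 1, 3 and 4 above and the account-lockout requirement from the earlier list into practice: a policy check at registration, salted PBKDF2 hashing instead of plain-text storage, a constant-time comparison on login, and a temporary lockout after five consecutive failures. The in-memory user store, the deny-list of common passwords and the work-factor and lockout values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory credential store: username -> record. The password itself is
# never stored, only a random salt and the PBKDF2-HMAC-SHA256 hash derived from it.
USERS = {}
PBKDF2_ROUNDS = 200_000   # assumed work factor; raise it as hardware gets faster
MAX_FAILURES = 5          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 900     # temporary 15-minute lockout
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed sample deny-list

def password_allowed(password):
    """Policy check at registration: length, character classes and the common-password deny-list."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= 12 and sum(classes) >= 3 and password.lower() not in COMMON_PASSWORDS

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(username, password):
    if not password_allowed(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt),
                       "failures": 0, "locked_until": 0.0}

def login(username, password, now=None):
    """Return 'ok', 'locked' or 'denied'; the reply never says which part was wrong."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    if rec is None:
        _hash(password, b"\x00" * 16)    # same cost for unknown users (no timing leak)
        return "denied"
    if now < rec["locked_until"]:
        return "locked"                  # account lockout still in force
    if hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        rec["failures"] = 0              # successful login resets the counter
        return "ok"
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:
        rec["locked_until"] = now + LOCKOUT_SECONDS
        rec["failures"] = 0
    return "denied"
```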
Password Selection Strategies
User education: Educate users about the importance of passwords, how to
create them and the risks of weak passwords.
Computer-generated passwords: Automatically generate strong, random
passwords for users. These passwords are typically more secure than those created by
users themselves.
Reactive password checking: Implement mechanisms to detect and respond to
weak or easily guessable passwords.
Complex password policy: Establish rules and guidelines for password
creation, such as length, a combination of character types (upper case, lower case,
numbers, symbols) and regular password changes.
Token Based Authentication
Token-based authentication is a process for verifying identity. Traditional methods
rely on single-level authentication with a username and password to grant access to
web resources.
Users want to keep easy passwords or reuse the same password on multiple
platforms for their convenience. The fact is, there is always someone watching your
web activity, looking to take unfair advantage of it later.
Due to the rising security burden, two-factor authentication (2FA) came into the
picture and introduced token-based authentication. This process reduces the
reliance on password systems and adds a second layer of security.
Token-based authentication is a method where authentication is achieved
by using tokens rather than traditional passwords. This approach is widely
used in modern web applications due to its numerous advantages.
How token-based authentication works
1. Authentication request: When a user attempts to log in or access a protected
resource, they provide their credentials (e.g. username and password) to the server.
2. Token generation: Upon successful authentication, the server generates a
unique token that encapsulates information about the user, such as their identity
and access permissions.
3. Token issuance: The server sends the token back to the client, usually as part of
the authentication response, such as in an HTTP header or the response body. The
client stores the token securely, commonly in local storage or an HTTP cookie.
4. Token submission: For subsequent requests, the client presents the token to the server
instead of the username and password.
5. Token expiry and renewal: Tokens have a finite lifespan, in order to mitigate the
risk of unauthorized access; an expired token must be renewed.
Benefits of token-based authentication
Stateless architecture: Token-based authentication eliminates the
need for server-side storage of session state.
Improved security: Tokens are issued by the server in encrypted form and
signed by the server. No one can change or read them without the
key.
Improved performance: The stateless nature reduces server load and
improves performance, especially in high-traffic applications.
Granular (fine-grained) access control: Tokens can include user roles and
permissions, which helps the server make authorization decisions.
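The five steps and the access-control benefit above, as an added example (not code from the notes): the server issues a token carrying identity, roles and expiry, signs it with an HMAC key so that any alteration is detected, and on every later request checks the signature before the expiry and then takes its authorization decision from the roles inside. This simplified token is signed but not encrypted, so the client can read its contents; SERVER_KEY and TOKEN_TTL are assumed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side signing key; a real deployment loads it from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 3600  # step 5: every token expires one hour after issue

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username, roles, now=None):
    """Steps 2-3: after the credential check, encode identity, roles and expiry and sign them."""
    now = time.time() if now is None else now
    payload = {"sub": username, "roles": roles, "exp": int(now) + TOKEN_TTL}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)

def verify_token(token, now=None):
    """Step 4: check the signature before trusting anything inside the token, then the expiry.
    Returns the payload, or None if the token is forged, altered, malformed or expired."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None                  # signature mismatch: never decode the body
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None                      # malformed token
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None                      # expired: client must renew or re-authenticate
    return payload

def authorize(token, required_role, now=None):
    """Granular access control: the authorization decision uses the roles carried in the token."""
    payload = verify_token(token, now)
    return payload is not None and required_role in payload.get("roles", [])
```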
Biometric Authentication
It is a method of identifying individuals based on their unique biological
characteristics, unlike traditional authentication methods such as passwords or PINs,
which can be forgotten, stolen or shared.
Biometric authentication is based on human attributes that are difficult to replicate.
Physical characteristics used in biometric applications
1. Fingerprint: Fingerprints are unique by nature. They are commonly used in
biometric authentication systems due to their uniqueness.
2. Facial recognition: It analyzes the person's face, such as the size, shape and
arrangement of facial characteristics like the eyes, nose and mouth.
3. Retinal patterns: Retinal patterns are highly complex and stable over time, so they
provide a secure biometric authentication method.
4. Voice print: Voice recognition systems analyze the tone of voice, speech patterns and
intensity of voice.
5. Keystroke: Analyzes unique typing patterns such as speed, rhythm, errors, key
pressure etc.
6. Iris recognition: Analyzes the unique pattern in the colored part of the eye (iris)
using infrared light.
7. DNA: DNA-based authentication involves analyzing the unique genetic
information of individuals. DNA authentication is highly accurate, but it is less
commonly used due to practical limitations such as sample collection and
processing requirements.
Operation of a biometric authentication system
The authentication process typically involves the following steps:
Enrollment: During enrollment, the user's biometric data is captured and
converted into digital form.
Storage: This data is securely stored in a database or on the device.
Authentication: When the user attempts to authenticate, they provide their biometric
data (e.g. fingerprint, face scan, retina scan etc.).
Comparison: The system compares the captured biometric data with the stored
data to verify the user's identity.
Benefits of biometric authentication
Enhanced security: Biometrics are unique to each person, so the data is difficult to
replicate.
Convenience: Biometric authentication is convenient for users, eliminating the need
to remember passwords or carry physical tokens.
Accuracy: Biometric systems can achieve a high level of accuracy.
Non-repudiation: Biometric authentication provides strong evidence of identity, so
users cannot deny their actions or transactions.
Multi Factor Authentication
Multi-factor authentication is a security mechanism which requires the user to provide
two or more forms of verification for authentication. To gain access to web
resources, users log in with their credentials and also complete another verification
method such as an OTP, a security question or a PIN.
Multiple forms of verification include:
1. Something they know (password, PIN)
2. Something they have (mobile device, email)
3. Something they are (biometric forms like fingerprints or facial
recognition)
Some examples
1. Card + PIN code: At an ATM the user swipes their card (you have) and
enters the PIN (you know) associated with the card.
2. Website OTP: After username/password entry, the user inputs the OTP sent to
their device.
3. Card + fingerprint + security question: The user swipes a card (you have), scans
their fingerprint (you are) and answers the security questions (you know).
Two Factor Authentication
It is a subset of multi-factor authentication. It requires the user to provide two different
forms of identification for verification to access the resources.
2FA typically involves a combination of two factors from different categories, such
as: something the user knows (password) and something they have (an OTP sent to
their phone).
Benefits
Enhanced security: It reduces the risk of unauthorized access, as an attacker
would need to know both authentication factors, such as the password and the second
one, an OTP or biometric.
Protection against credential theft: Even if a password is stolen through
phishing, the additional factor provides an extra layer of security.
User-friendly experience: 2FA methods such as push notifications or mobile
authenticator apps make the authentication experience easy and convenient for users.
Kerberos
In this section you will learn about Kerberos and how it works.
Kerberos is a single sign-on (SSO) network authentication protocol. A session
allows an authorized user to access a server using a ticketing scheme.
The term Kerberos comes from the mythological three-headed dog that restricts
people from accessing an area.
Like the mythological three-headed dog, Kerberos has three components:
the user (also known as the client), the resource (which the client wants to access) and
a third party called the key distribution center (KDC), which has an authentication server
and a ticket granting server.
How Kerberos works
1. Authentication request: The user sends a resource access request along with the
username and password.
2. Authentication Server (AS): Verifies the user's identity by checking their credentials. If
the username and password match, the AS generates a Ticket Granting Ticket (TGT) for
the user.
3. Ticket Granting Ticket (TGT) issuance: The Authentication Server sends the TGT,
encrypted with a secret key, back to the user.
4. Service request: The user sends the TGT to the Ticket Granting Server (TGS) along with
a request for a Service Ticket (ST) for the desired resource.
5. Service Ticket (ST) issuance: The TGS verifies the TGT and the user's identity. If
authenticated, the TGS issues an ST encrypted with a secret key shared between the user
and the target resource.
6. Service access: The user sends the ST to the target service (server) along with the
service request. The server verifies the ST and, if authenticated, grants the user access
for a limited time.
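The six-step exchange above, as an added example (not from the notes): a toy Python simulation in which the AS, the TGS and a file service each hold their own long-term key, and every ticket is sealed so that only its intended recipient can open it while the client only ever sees the session keys. The seal/open functions (SHA-256 keystream plus an HMAC tag) stand in for Kerberos's real encryption types, the KDC key table and the user alice with password alice-pw are constructed, and, as in the real protocol, the client derives its key from the password locally rather than sending the password; the ST is sealed under the service's key and the session key inside it is what the client and service then share.

```python
import hashlib, hmac, json, os, time

# Toy "seal"/"open": SHA-256 keystream XOR plus an HMAC tag. It stands in for the real
# Kerberos encryption types (DES/AES) so the ticket flow runs with the standard library only.
def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed KDC database of long-term keys. The user's key is derived from the password
# (a stand-in for Kerberos string2key); the password itself is never sent over the network.
KEYS = {"alice": hashlib.sha256(b"alice-pw").digest(),
        "krbtgt": os.urandom(32),       # the TGS's own key, used to seal TGTs
        "fileserver": os.urandom(32)}   # the service's key, used to seal STs
TICKET_LIFETIME = 8 * 3600

def as_exchange(user, now):
    """Steps 1-3: the AS issues a TGT sealed for the TGS plus the session key sealed for the user."""
    sk = os.urandom(32).hex()
    tgt = seal(KEYS["krbtgt"], {"user": user, "sk": sk, "exp": now + TICKET_LIFETIME})
    return tgt, seal(KEYS[user], {"sk": sk})

def tgs_exchange(tgt, authenticator, service, now):
    """Steps 4-5: the TGS opens the TGT, checks the authenticator and issues a service ticket."""
    t = open_(KEYS["krbtgt"], tgt)
    a = open_(bytes.fromhex(t["sk"]), authenticator)   # proves the client holds the session key
    if a["user"] != t["user"] or now >= t["exp"]:
        raise ValueError("TGT invalid or expired")
    ssk = os.urandom(32).hex()
    st = seal(KEYS[service], {"user": t["user"], "sk": ssk, "exp": now + TICKET_LIFETIME})
    return st, seal(bytes.fromhex(t["sk"]), {"sk": ssk})

def service_access(service, st, authenticator, now):
    """Step 6: the service validates the ST with its own key; no call back to the KDC is needed."""
    t = open_(KEYS[service], st)
    a = open_(bytes.fromhex(t["sk"]), authenticator)
    return a["user"] == t["user"] and now < t["exp"]

def client_login(user, password, service, now=None):
    """Client side of the whole flow; returns True when the service accepts the client."""
    now = time.time() if now is None else now
    tgt, enc = as_exchange(user, now)
    sk = bytes.fromhex(open_(hashlib.sha256(password.encode()).digest(), enc)["sk"])  # bad pw fails here
    st, enc2 = tgs_exchange(tgt, seal(sk, {"user": user, "ts": now}), service, now)
    ssk = bytes.fromhex(open_(sk, enc2)["sk"])
    return service_access(service, st, seal(ssk, {"user": user, "ts": now}), now)
```

A wrong password, an expired TGT or a ticket sealed under the wrong key each surface as a ValueError from open_ or tgs_exchange, which is the point at which a real KDC or service would refuse the request.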
Kerberos Version 5
Kerberos v5 is an authentication protocol widely used in network security systems.
It provides secure authentication for client/server applications. It is an extension of
Kerberos version 4.
Features of Kerberos Version 5
1. Strong encryption: Kerberos 5 uses strong encryption algorithms, including the Data
Encryption Standard (DES) and the Advanced Encryption Standard (AES), to protect data
exchanged between clients and servers.
2. Support for postdated tickets: Kerberos 5 introduced support for postdated tickets,
allowing users to obtain tickets that become valid at a later time. This is especially useful
where users need to access resources at specific times.
3. Renewable tickets: Kerberos 5 introduced the concept of renewable tickets, which
allow users to renew their authentication tickets without re-entering their credentials.
4. Strong security mechanisms: Kerberos 5 uses stronger cryptographic algorithms and
provides improved protection against various attacks.
5. Support for cross-realm authentication: Allows users in one Kerberos realm to
authenticate and access resources in another realm. This feature facilitates
collaboration and resource sharing across organizational boundaries.
Security Issues for User Authentication
Several security issues can arise which lead to unauthorized access to data,
servers or other network resources. Unauthorized access may cause data breaches, data
theft, data manipulation etc. Here are some common security issues that may happen with
users.
1. Password-based attacks: Weak passwords are always victims of brute force attacks,
dictionary attacks and password guessing, which lead to unauthorized access to system
resources.
2. Credential theft: Attackers may steal user credentials through phishing, social
engineering or malware.
3. Weak authentication methods: Single-factor authentication or weak encryption of data can
make a system vulnerable.
4. Poor password management: Users often choose weak passwords, reuse passwords across
multiple accounts or share passwords.
5. Insecure authentication protocols: Older protocols such as HTTP may transmit
credentials in plain text, making it easier for an attacker to leak passwords or other
important data.
6. Insider threats: Authorized users with malicious intent may pose a security risk. They can
bypass the authentication process to gain unauthorized access to sensitive data.
