Although they sound elementary, these two processes, called identification and authentication (I&A), involve some of the trickiest information security problems. Why? For most people, entering a username and password to log on to a computer or application is the most visible and intrusive information security mechanism they encounter. Because this act of authenticating a digital identity is so common, many of the security issues surrounding the creation of digital identities are overlooked.
Creating Digital Identities
Digital identities can be created by a business, such as an employee's company; an Internet service provider (ISP) that provides a network connection to the Internet; or an online application vendor, such as an airline reservation Web site. The degree to which businesspeople and their companies can trust digital identities depends on how well the business that created the identity performs two tasks:
At the other end of the spectrum is the process companies go through when issuing digital identities to new employees. By the time an employee is hired, the company has interviewed the employee, checked professional references, and, in some cases, checked criminal and driving records. In short, the company knows who the employee is when it issues digital identifiers such as a username for company applications and an e-mail address. The amount of due diligence a company performs in establishing an employee's real-world identity more closely resembles the process for issuing a passport than a grocery store club card.
The other part of creating a digital identity is creating and protecting the evidence, typically a password, that a person will use to authenticate that identity. The primary concern is how the issuing business protects the evidence while it is stored and while it is transmitted between a user and the application authenticating the user. Although it is standard security practice to encrypt passwords that travel over the Internet, many companies and online applications don't encrypt passwords consistently, or at all. For example, one popular enterprise application encrypts passwords when users log on, but not when they change their passwords. Another enterprise commerce application does encrypt changed passwords, but negates this protection by sending unencrypted e-mail to confirm these new passwords. Similarly, the protections companies afford stored passwords vary significantly. Some companies encrypt passwords on computers that they protect with firewalls and intrusion detection, while other companies provide little protection.
A lack of protection for authentication evidence undercuts a company's trust in the validity of digital identities. Does this username or e-mail address really belong to the person who is using it?
Authenticating Digital Identities
Authenticating a digital identity involves two tasks: determining that the digital identity is valid and that the digital identity's owner is the person using it. Verifying the validity of a digital identity is straightforward when a person is logging on to a company application. All the application has to do is check to see if the person's username is on the list of valid accounts. This is similar to checking a person's name on the guest list at a party.
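The two authentication tasks just described, together with the protection of stored evidence discussed under Creating Digital Identities, as an added example that is not from the book. The account store, the function names and the salted PBKDF2 storage scheme are assumptions; the page itself prescribes no particular mechanism.

```python
import hashlib
import hmac
import os

# Constructed in-memory account store: username -> (salt, derived key).
# Assumption for the example; a real application would use a database.
_ACCOUNTS = {}
_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor


def create_identity(username, password):
    """Establish a digital identity and store protected evidence for it.

    The password itself is never written to the store. Only a per-user
    random salt and a PBKDF2 derivation of the password are kept, so a copy
    of the store does not directly reveal the authentication evidence.
    """
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    _ACCOUNTS[username] = (salt, key)


def authenticate(username, password):
    """Return True only when both authentication tasks succeed.

    Task 1: the identity is valid, i.e. the username is on the list of
            accounts (the guest-list check).
    Task 2: the evidence presented now matches the evidence created when
            the identity was established.
    """
    record = _ACCOUNTS.get(username)
    if record is None:
        return False  # task 1 fails: not a valid digital identity
    salt, stored_key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    # Constant-time comparison so the check does not leak timing information.
    return hmac.compare_digest(candidate, stored_key)  # task 2


def stored_evidence_contains_password(username, password):
    """True if the raw stored record literally contains the password.

    For the scheme above this should be False: the store holds only salt
    and derived key, which is the property a plaintext store would lack.
    """
    salt, key = _ACCOUNTS[username]
    return password.encode() in (salt + key)
```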
Determining that a digital identity belongs to the person trying to use it consists of comparing the authentication evidence the person provides to the evidence created when the digital identity was established. Authentication evidence falls into three basic categories commonly called factors:
This text is part of a seventeen-page excerpt from Thomas J. Parenty's Digital Defense: What You Should Know About Protecting Your Company's Assets, made available courtesy of BNET.com.