The first user interface element most subjects encounter when accessing an information system is the identification and authentication challenge. The identification phase allows a subject to claim to be a specific entity by presenting identifying credentials. These credentials could be as simple as a user ID or personal identification number (PIN), or more complex, such as a physical attribute. Once a subject has claimed an identity, the system validates that the user exists in the user database, and then authenticates that the subject really is who she claims to be. The authentication phase asks the subject to present additional information that matches stored information for that subject. These two phases, often called two-factor authentication, provide reasonable protection from unauthorized subjects accessing a system. After a subject has been authenticated, the access control system then evaluates the specific rights or permissions for the subject to grant or deny object access requests. This phase is called the authorization phase.
There are three general categories, or types, of authentication information. Best security practices generally dictate that the identification and authentication phases require input from at least two different types.
The difficulty with Type 1 authentication (passwords, passphrases and PINs) is that you must encourage subjects to create challenge phrases that are very difficult for others to guess, but not so complex that they cannot be easily remembered. If your requirements are so stringent that passwords (or passphrases or PINs) cannot easily be remembered, you will start to see notes stuck to monitors and keyboards with passwords written on them. That negates any value of the password. The same result can occur when administrators require that passwords be changed so often that users do not have time to memorize the new ones. Keep passwords safe and secret. The following rules are a good starting point for creating secure passwords:
- Passwords should be at least six characters in length.
- Passwords should contain at least one number or punctuation character.
- Do not use dictionary words or combinations of dictionary words.
- Do not use common personal data, such as birth date, social security number, family member or pet name, or favourite song or hobby.
- Never write down your password.
- Try to make your password easy to remember but hard to guess.
Type 2 authentication solutions are more complex to administer because subjects are required to carry a device of some sort. The device generally is electronic in nature and either generates a time-sensitive value or generates a value in response to input data. Although Type 2 authentication is more complex, it is almost always more secure than Type 1 authentication.
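The two Type 2 device behaviours described above, a time-sensitive value and a value computed from input data, both reduce to an HMAC over a shared secret. The following is an added example, not code from the text, that models the device side and the system's verification side using the RFC 4226/6238 (HOTP/TOTP) truncation; the secret, timestamps and challenge are constructed sample values.

```python
import hashlib
import hmac
import struct
import time


def _truncate(mac: bytes, digits: int = 6) -> str:
    """Dynamic truncation as in RFC 4226: take 4 bytes at an offset given by the
    last nibble of the MAC, clear the sign bit, reduce to `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_value(secret: bytes, now: float, step: int = 30) -> str:
    """Device side, time-sensitive value: HMAC-SHA1 over the current 30-second counter."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


def verify_time_value(secret: bytes, code: str, now: float,
                      step: int = 30, skew: int = 1) -> bool:
    """System side: accept the code for the current step or `skew` steps either side,
    to tolerate clock drift between device and server. Comparison is constant-time."""
    return any(hmac.compare_digest(time_value(secret, now + k * step, step), code)
               for k in range(-skew, skew + 1))


def response_value(secret: bytes, challenge: bytes) -> str:
    """Device side, challenge/response: value computed from input data the system sent."""
    return _truncate(hmac.new(secret, challenge, hashlib.sha1).digest())


def verify_response(secret: bytes, challenge: bytes, code: str) -> bool:
    """System side: recompute the response for the challenge it issued and compare."""
    return hmac.compare_digest(response_value(secret, challenge), code)


if __name__ == "__main__":
    # Constructed sample secret shared at enrolment; never reused across subjects.
    shared_secret = b"constructed-sample-secret-not-real"
    now = time.time()
    print("time value:", time_value(shared_secret, now),
          "verifies:", verify_time_value(shared_secret, time_value(shared_secret, now), now))
    challenge = b"constructed-nonce-0001"
    print("response:", response_value(shared_secret, challenge),
          "verifies:", verify_response(shared_secret, challenge,
                                       response_value(shared_secret, challenge)))
```

A code that is replayed three steps later falls outside the skew window and is rejected, which is the property that makes the value "time-sensitive" rather than a static shared secret.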
The most sophisticated authentication type is Type 3, or biometrics. Biometrics describes the detection and classification of physical attributes. There are many different biometric techniques, including:
- Fingerprint/palm scan
- Hand geometry
- Retina/iris scan
- Voice print
- Signature/keyboard dynamics