Editing Authentication (section)

== In computer science ==
The process of authentication is distinct from that of [[authorization]]. Whereas authentication is the process of verifying that "you are who you say you are", authorization is the process of verifying that "you are permitted to do what you are trying to do". While authorization often happens immediately after authentication (e.g., when logging into a computer system), this does not mean authorization presupposes authentication: an anonymous agent could be authorized to a limited action set.<ref>{{cite web |date=31 August 2016 |title=Best Practices for Creating a Secure Guest Account |url=https://technet.microsoft.com/en-us/library/ff687018.aspx |url-status=live |archive-url=https://web.archive.org/web/20171107060852/https://technet.microsoft.com/en-us/library/ff687018.aspx |archive-date=2017-11-07 |access-date=2017-11-06}}</ref> Similarly, the establishment of the authorization can occur long before the [[authorization]] decision occurs.

A user can be given access to secure systems based on user credentials that imply authenticity.<ref>{{Cite journal |last1=Ranjan |first1=Pratik |last2=Om |first2=Hari |date=2016-05-06 |title=An Efficient Remote User Password Authentication Scheme based on Rabin's Cryptosystem |url=http://link.springer.com/10.1007/s11277-016-3342-5 |journal=Wireless Personal Communications |language=en |volume=90 |issue=1 |pages=217–244 |doi=10.1007/s11277-016-3342-5 |issn=0929-6212 |s2cid=21912076}}</ref>  A network administrator can give a user a [[password]], or provide the user with a key card or other access devices to allow system access. In this case, authenticity is implied but not guaranteed. 

Most secure internet communication relies on centralized authority-based trust relationships, such as those used in [[HTTPS]], where public [[Certificate authority|certificate authorities]] (CAs) vouch for the authenticity of websites. This same centralized trust model underpins protocols like OIDC ([[OpenID Connect]]) where identity providers (e.g., [[Google]]) authenticate users on behalf of relying applications. In contrast, decentralized peer-based trust, also known as a [[web of trust]], is commonly used for personal services such as secure email or file sharing. In systems like [[Pretty Good Privacy|PGP]], trust is established when individuals personally verify and sign each other’s cryptographic keys, without relying on a central authority.

These systems use [[Cryptographic protocol|cryptographic]] [[Cryptographic protocol|protocols]] that, in theory, are not vulnerable to [[Spoofing attack|spoofing]] as long as the originator’s private key remains uncompromised. Importantly, even if the key owner is unaware of a compromise, the cryptographic failure still invalidates trust. However, while these methods are currently considered secure, they are not provably unbreakable—future mathematical or computational advances (such as [[quantum computing]] or new algorithmic attacks) could expose vulnerabilities. If that happens, it could retroactively undermine trust in past communications or agreements. For example, a [[Digital signature|digitally signed]] [[contract]] might be challenged if the signature algorithm is later found to be insecure..{{Citation needed|date=December 2016}}

=== Authentication factors ===
[[File:US Navy 050308-N-2385R-029 Master-at-Arms Seaman Carly Farmer checks an identification card (ID) before allowing a driver to enter the gate at U.S. Fleet Activities Sasebo, Japan.jpg|thumb|A military police officer checks a driver's identification card before allowing her to enter a military base.]]
The ways in which someone may be authenticated fall into three categories, based on what is known as the factors of authentication: something the user knows, something the user has, and something the user is. Each authentication factor covers a range of elements used to authenticate or verify a person's identity before being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority.

Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified.<ref>{{Cite web |url=http://www.ffiec.gov/pdf/authentication_guidance.pdf |title=Authentication in an Internet Banking Environment |author=Federal Financial Institutions Examination Council |year=2008 |access-date=2009-12-31 |url-status = live|archive-url=https://web.archive.org/web/20100505203410/http://www.ffiec.gov/pdf/authentication_guidance.pdf |archive-date=2010-05-05 }}</ref><ref>{{Cite journal |last=Lee |first=Robert D |date=Winter 2007 |title=Authentication in Internet Banking: A Lesson in Risk Management |url=https://www.fdic.gov/bank-examinations/authentication-internet-banking-lesson-risk-management |journal=Supervisory Insights |publisher=[[Federal Deposit Insurance Corporation]] |pages=42}}</ref> The three factors (classes) and some of the elements of each factor are:

# Knowledge: Something the user knows (e.g., a password, [[partial password]], [[pass phrase|passphrase]], [[personal identification number]] (PIN), [[challenge–response]] (the user must answer a question or pattern), [[security question]]).<ref name=":2">{{Cite journal |last1=Wang |first1=Chen |last2=Wang |first2=Yan |last3=Chen |first3=Yingying |last4=Liu |first4=Hongbo |last5=Liu |first5=Jian |date=April 2020 |title=User authentication on mobile devices: Approaches, threats and trends |url=https://linkinghub.elsevier.com/retrieve/pii/S1389128618312799 |journal=Computer Networks |language=en |volume=170 |pages=107118 |doi=10.1016/j.comnet.2020.107118}}</ref>
# Ownership: Something the user has (e.g., wrist band, [[ID card]], [[security token]], [[Microchip implant (human)|implanted device]], cell phone with a built-in [[hardware token]], [[software token]], or cell phone holding a [[software token]]).<ref name=":2" /> 
# Inherence: Something the user is or does (e.g., fingerprint, [[Retinal scan|retinal pattern]], [[DNA]] sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other [[biometric]] identifiers).<ref name=":2" /> Historically, fingerprints have been used as the most authoritative method of authentication, but court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability.<ref>{{cite book |last1=Moenssens |first1=Andre A. |url=https://www.ojp.gov/pdffiles1/nij/225333.pdf |title=The Fingerprint Sourcebook |last2=Meagher |first2=Stephen B. |date=2014 |publisher=CreateSpace Independent Publishing Platform |isbn=9781500674151 |location=United States |language=en-us |chapter=13 |access-date=3 November 2022 |archive-url=https://web.archive.org/web/20220522184117/https://www.ojp.gov/pdffiles1/nij/225333.pdf |archive-date=22 May 2022 |url-status=live}}</ref> Outside of the legal system as well, fingerprints are easily [[spoofing attack|spoof]]able, with [[British Telecom]]'s top computer security official noting that "few" fingerprint readers have not already been tricked by one spoof or another.<ref>[https://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated ''The Register'', UK; Dan Goodin; 30 March 2008; ''Get your German Interior Minister's fingerprint, here''. Compared to other solutions, "It's basically like leaving the password to your computer everywhere you go, without you being able to control it anymore", one of the hackers comments.] {{webarchive|url=https://web.archive.org/web/20170810131615/https://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated|date=10 August 2017}}</ref> Hybrid or two-tiered authentication methods offer a compelling{{According to whom|date=December 2016}} solution, such as private keys encrypted by fingerprint inside of a USB device.

==== Single-factor authentication ====
As the weakest level of authentication, only a single component from one of the three categories of factors is used to authenticate an individual's identity. The use of only one factor does not offer much protection from misuse or malicious intrusion. This type of authentication is not recommended for financial or personally relevant transactions that warrant a higher level of security.<ref name="Turner-DigitalAuthentication-Basics">{{cite web |last1=Turner |first1=Dawn M. |date=2 August 2017 |title=Digital Authentication: The Basics |url=http://www.cryptomathic.com/news-events/blog/digital-authentication-the-basics |url-status=live |archive-url=https://web.archive.org/web/20160814214552/http://www.cryptomathic.com/news-events/blog/digital-authentication-the-basics |archive-date=14 August 2016 |access-date=9 August 2016 |publisher=Cryptomathic}}</ref>

==== Multi-factor authentication ====
{{Main|Multi-factor authentication}}

Multi-factor authentication involves two or more authentication factors (something you know, something you have, or something you are). Two-factor authentication is a special case of multi-factor authentication involving exactly two factors.<ref name="Turner-DigitalAuthentication-Basics" />

For example, using a bank card (something the user has) along with a PIN (something the user knows) provides two-factor authentication. Business networks may require users to provide a password (knowledge factor) and a pseudorandom number from a security token (ownership factor). Access to a very-high-security system might require a [[mantrap (access control)|mantrap]] screening of height, weight, facial, and fingerprint checks (several inherence factor elements) plus a PIN and a day code (knowledge factor elements),<ref>{{Cite book |last1=Ali |first1=Saqib |title=Cyber Security for Cyber Physical Systems |last2=Al Balushi |first2=Taiseera |last3=Nadir |first3=Zia |last4=Khadeer Hussain |first4=Omar |publisher=[[Springer Nature]] |year=2018 |isbn=978-3-319-75879-4 |series=Studies in Computational Intelligence |language=en |chapter=ICS/SCADA System Security for CPS |doi=10.1007/978-3-319-75880-0 |eissn=1860-9503 |issn=1860-949X}}</ref> but this is still a two-factor authentication.

=== Authentication types ===
[[File:KAL-55B Tactical Authentication System (Vietnam War era) - National Cryptologic Museum - DSC08013.JPG|thumb|NSA KAL-55B Tactical Authentication System used by the U.S. military during the [[Vietnam War]] – [[National Cryptologic Museum]]]]

==== Strong authentication ====
The United States government's [[National Information Assurance Glossary]] defines strong authentication as a layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information.<ref name="NCSC-StrongAuthentication">{{cite web|last1=Committee on National Security Systems|title=National Information Assurance (IA) Glossary|url=https://www.ncsc.gov/nittf/docs/CNSSI-4009_National_Information_Assurance.pdf|publisher=National Counterintelligence and Security Center|access-date=9 August 2016|url-status = live|archive-url=https://web.archive.org/web/20161121224542/https://www.ncsc.gov/nittf/docs/CNSSI-4009_National_Information_Assurance.pdf|archive-date=21 November 2016}}</ref>

The European Central Bank (ECB) has defined strong authentication as "a procedure based on two or more of the three authentication factors". The factors that are used must be mutually independent and at least one factor must be "non-reusable and non-replicable", except in the case of an inherence factor and must also be incapable of being stolen off the Internet. In the European, as well as in the US-American understanding, strong authentication is very similar to multi-factor authentication or 2FA, but exceeding those with more rigorous requirements.<ref name="Turner-DigitalAuthentication-Basics" /><ref name="ECB-Recommendations">{{cite web|last1=European Central Bank|title=Recommendations for the Security of Internet Payments|url=https://www.ecb.europa.eu/pub/pdf/other/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf|publisher=European Central Bank|access-date=9 August 2016|url-status = live|archive-url=https://web.archive.org/web/20161106212218/https://www.ecb.europa.eu/pub/pdf/other/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf|archive-date=6 November 2016}}</ref>

The [[FIDO Alliance]] has been striving to establish technical specifications for strong authentication.<ref>{{Cite news |last=Seals |first=Tara |date=5 April 2016 |title=FIDO Alliance Passes 150 Post-Password Certified Products |url=https://www.infosecurity-magazine.com/news/fido-alliance-passes-150/ |url-status=live |archive-url=https://web.archive.org/web/20240926182246/https://www.infosecurity-magazine.com/news/fido-alliance-passes-150/ |archive-date=26 September 2024 |work=Infosecurity Magazine}}</ref>

==== Continuous authentication ====
Conventional computer systems authenticate users only at the initial log-in session, which can be the cause of a critical security flaw. To resolve this problem, systems need continuous user authentication methods that continuously monitor and authenticate users based on some biometric trait(s). A study used behavioural biometrics based on writing styles as a continuous authentication method.<ref name="BROC2017">Brocardo ML, Traore I, Woungang I, Obaidat MS. "[http://onlinelibrary.wiley.com/doi/10.1002/dac.3259/full Authorship verification using deep belief network systems] {{webarchive|url=https://web.archive.org/web/20170322015517/http://onlinelibrary.wiley.com/doi/10.1002/dac.3259/full |date=2017-03-22 }}". Int J Commun Syst. 2017. {{doi|10.1002/dac.3259}}</ref><ref name="Patel 49–61">{{Cite journal|last1=Patel|first1=Vishal M.|last2=Chellappa|first2=Rama|last3=Chandra|first3=Deepak|last4=Barbello|first4=Brandon|date=July 2016|title=Continuous User Authentication on Mobile Devices: Recent progress and remaining challenges|journal=IEEE Signal Processing Magazine|volume=33|issue=4|pages=49–61|doi=10.1109/msp.2016.2555335|bibcode=2016ISPM...33...49P|s2cid=14179050|issn=1053-5888}}</ref>

Recent research has shown the possibility of using smartphones sensors and accessories to extract some behavioral attributes such as touch dynamics, [[keystroke dynamics]] and [[gait recognition]].<ref>{{Cite book|last1=De Marsico|first1=Maria|last2=Fartade|first2=Eduard Gabriel|last3=Mecca|first3=Alessio|chapter=Feature-based Analysis of Gait Signals for Biometric Recognition - Automatic Extraction and Selection of Features from Accelerometer Signals |date=2018|title=Proceedings of the 7th International Conference on Pattern Recognition Applications and Methods|pages=630–637|publisher=SCITEPRESS - Science and Technology Publications|doi=10.5220/0006719106300637|isbn=978-989-758-276-9|doi-access=free}}</ref> These attributes are known as behavioral biometrics and could be used to verify or identify users implicitly and continuously on smartphones. The authentication systems that have been built based on these behavioral biometric traits are known as active or continuous authentication systems.<ref name="MAHFOUZ201728">{{Cite journal |doi = 10.1016/j.jisa.2017.10.002|title = A survey on behavioral biometric authentication on smartphones|journal = Journal of Information Security and Applications|volume = 37|pages = 28–37|year = 2017|last1 = Mahfouz|first1 = Ahmed|last2 = Mahmoud|first2 = Tarek M.|last3 = Eldin|first3 = Ahmed Sharaf|arxiv = 1801.09308|s2cid = 21265344}}</ref><ref name="Patel 49–61" />

==== Digital authentication ====
The term digital authentication, also known as [[electronic authentication]] or e-authentication, refers to a group of processes where the confidence for user identities is established and presented via electronic methods to an information system. The digital authentication process creates technical challenges because of the need to authenticate individuals or entities remotely over a network.
The American [[National Institute of Standards and Technology]] (NIST) has created a generic model for digital authentication that describes the processes that are used to accomplish secure authentication:

# Enrollment – an individual applies to a credential service provider (CSP) to initiate the enrollment process. After successfully proving the applicant's identity, the CSP allows the applicant to become a subscriber.
# Authentication – After becoming a subscriber, the user receives an [[authenticator]] e.g., a token and credentials, such as a user name. He or she is then permitted to perform online transactions within an authenticated session with a relying party, where they must provide proof that he or she possesses one or more authenticators.
# Life-cycle maintenance – the CSP is charged with the task of maintaining the user's credential over the course of its lifetime, while the subscriber is responsible for maintaining his or her authenticator(s).<ref name="Turner-DigitalAuthentication-Basics" /><ref name="NIST-Authentication">{{cite web|title=Draft NIST Special Publication 800-63-3: Digital Authentication Guideline|url=https://pages.nist.gov/800-63-3/sp800-63-3.html|publisher=National Institute of Standards and Technology, USA|access-date=9 August 2016|url-status = live|archive-url=https://web.archive.org/web/20160913153728/https://pages.nist.gov/800-63-3/sp800-63-3.html|archive-date=13 September 2016}}</ref>

The authentication of information can pose special problems with electronic communication, such as vulnerability to [[man-in-the-middle attack]]s, whereby a third party taps into the communication stream, and poses as each of the two other communicating parties, in order to intercept information from each. Extra identity factors can be required to authenticate each party's identity.