Authentication is a process that verifies the identity of a user or device. It can be part of a broader identity and access management process that continuously authenticates subjects in a system.
Is a subject really what it claims to be? This is what the authentication process confirms by means of various authentication mechanisms. Users may, for example, confirm their claimed identity via:
Certificate-based authentication uses a digital certificate to authenticate users, and beyond that also machines, devices and IoT endpoints (using “something they have”). Advantages include ease of use – it often happens automatically, without user intervention – and mutual authentication: the user or device authenticates to the network or system, and the network or system authenticates itself to the user or device in return.
Due to the sheer number of connected users and devices, and the increase in cloud-based services, secure identification and authentication are business-critical nowadays. Simple passwords are no longer sufficient for access to a network, system, resource or application, and regulations and industry-specific standards have been put in place that require stronger authentication mechanisms.
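The mutual authentication described above can be seen end to end in a single in-memory TLS handshake. The following Go program is an added example and is not code from the original page or from any HSM vendor: it builds a toy certificate authority, issues a server certificate and a device certificate under it, and then runs a handshake in which the server is configured to require and verify a client certificate while the client verifies the server certificate in the same exchange. The CA name, the host names `server.example` and `device-0001.example` and the 5-second deadline are constructed values for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a certificate for cn. When parent is nil the certificate is
// self-signed (our toy CA); otherwise it is signed by parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.IsCA = true
		tmpl.BasicConstraintsValid = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// HandshakeOutcome records what each side concluded about the other.
type HandshakeOutcome struct {
	ClientErr error  // nil when the client accepted the server's certificate
	ServerErr error  // nil when the server accepted the client's certificate
	PeerCN    string // CN of the client certificate the server verified
}

// MutualTLS runs one handshake over an in-memory pipe. The server always
// presents its certificate and demands a client certificate chained to the toy
// CA; the client presents one only when withClientCert is true.
func MutualTLS(withClientCert bool) (HandshakeOutcome, error) {
	var out HandshakeOutcome
	ca, caKey, err := newCert("Toy Root CA", true, nil, nil)
	if err != nil {
		return out, err
	}
	srvCert, srvKey, err := newCert("server.example", false, ca, caKey)
	if err != nil {
		return out, err
	}
	cliCert, cliKey, err := newCert("device-0001.example", false, ca, caKey)
	if err != nil {
		return out, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert, // the "mutual" part
		ClientCAs:              pool,
		SessionTicketsDisabled: true, // no post-handshake writes over the synchronous pipe
	}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "server.example"} // client verifies the server
	if withClientCert {
		clientCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}

	srvConn, cliConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // safety net against a stuck pipe
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)

	done := make(chan struct{})
	go func() {
		defer close(done)
		defer srvConn.Close()
		s := tls.Server(srvConn, serverCfg)
		out.ServerErr = s.Handshake()
		if out.ServerErr == nil {
			out.PeerCN = s.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
	}()
	c := tls.Client(cliConn, clientCfg)
	out.ClientErr = c.Handshake()
	cliConn.Close() // only the handshake verdict matters; also unblocks a server mid-alert
	<-done
	return out, nil
}

func main() {
	for _, withCert := range []bool{true, false} {
		out, err := MutualTLS(withCert)
		if err != nil {
			fmt.Println("setup failed:", err)
			return
		}
		fmt.Printf("client cert presented=%v  server verdict=%v  peer CN=%q\n", withCert, out.ServerErr, out.PeerCN)
	}
}
```

With a device certificate the server learns a verified identity (`device-0001.example`) from the handshake alone, with no password exchanged; without one the server rejects the connection before any application data flows. In production the private keys would live in a smart card, TPM or HSM rather than in process memory, which is the point of the hardware root of trust the page goes on to describe.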
Major concepts around authentication defined
- Identification – A user or a device (“a subject”) claims an identity.
- Authentication – Making sure the subject is what it claims to be. This requires confirming the claimed identity, e.g. by presenting a password or a certificate, or using a smart card or fingerprint scan. Distinct types of user authentication mechanisms exist, based on what the subject knows, has, is (biometrics) or does (behavior).
- Single-factor authentication – Only one authentication mechanism is used, so this type of authentication can be vulnerable and offers little fraud protection.
- Two-factor authentication – At least two authentication mechanisms from two different categories are used. Consequently, this approach is more secure and harder for attackers to defeat.
- Strong authentication = multi-factor authentication – This approach involves more than two authentication mechanisms of different types to prove the identity of a user or device.
- Authorization – Once a user or device identity is confirmed, authorization mechanisms grant or deny access to specific data, files or applications.
Whether you need to authenticate employees or their devices in your network, machines in your production environment, customers using a cloud-based application or payment transactions – in all these cases, the use of an HSM as hardware Root of Trust ensures maximum security.
The banking and financial services market has the most stringent security regulations and has a long-standing history of using security mechanisms such as authentication. Recent breaches and the subsequent tightening of security measures are expected to bring biometric authentication into focus as a future-proof authentication method.
As part of the second Payment Services Directive (PSD2, in force since 13 January 2018), the EU will introduce stricter requirements for authenticating online payments from September 2019. These are known as Strong Customer Authentication (SCA) and complement PSD2 as part of the European Commission’s Delegated Regulation on regulatory technical standards (RTS). They will significantly impact how users are identified and authenticated, requiring at least two of three authentication methods (knowledge/possession/inherence). Biometrics (inherence) such as fingerprints will be more widely used as a highly secure way to identify individuals. Important prerequisites are the secure storage of biometric data and the use of a public key infrastructure, ideally backed by an HSM for managing the cryptographic keys. With these new requirements, the EU aims to reduce online payment fraud and identity theft.
A standardized electronic identification system across the European Union facilitates strong and straightforward authentication mechanisms. The related standards as defined in the eIDAS regulation (EU) N°910/2014 are fully taken into consideration for maximum security, e.g. with qualified certificates for website authentication or qualified certificates for payment providers’ electronic seals.
Identification and authentication mechanisms are a prerequisite for implementing conditional access. A securely identified user or device is granted access to a network, system, data or other resource only when it meets a specified set of criteria.
Although similar to conditional access (CA) in terms of intent, i.e. limiting access to content to authorized or paying users, DRM usually protects a specific “piece” of content at rest or in transit. It allows users to access the content while defining when, how, for how long or how often, and on which device(s) they may do so.
The way we access and consume video content has changed dramatically in recent years. The new Pay TV landscape means that consumers have a wealth of choice from content which is broadcast and consumed on set top boxes to OTT content delivered to any device.
As banking, payment and financial services shift massively to web and mobile, fraud opportunities multiply. Cars are getting connected, and in-car and cloud services are emerging. Cybersecurity issues raise safety and privacy concerns. The motivation: protecting digital identities for any industry.