By Glen E. Clarke, Edward Tetz, Timothy Warner

Authentication is the process of proving one’s identity to the network environment. Typically, authentication involves typing a username and password on a system before you are granted access, but you could also be authenticated using biometrics. Biometrics uses one’s unique physical characteristics, such as a fingerprint or the pattern of blood vessels in one’s retina, to prove one’s identity.

This figure shows a fingerprint reader used to scan your fingerprint when logging on.

A fingerprint reader is an example of biometrics used for authentication.

Here is a quick look at what happens when you log on to your system with a username and password. The username and password you type are verified against a database — the user account database — which holds the list of usernames and passwords allowed to access the system. If the username and password you typed match an entry in the user account database, you are allowed to access the system. Otherwise, you get an error message and are not allowed access.

The name of the account database that stores the usernames and passwords is different, depending on the environment. In a Microsoft network, the account database is the Active Directory Database and resides on a server known as a domain controller (shown here).

Logging on to Active Directory in a Microsoft network environment.

Generating the access token

When you log on to a Microsoft network environment, the username and password you type are placed in a logon request message that is sent to the domain controller to be verified against the Active Directory Database. If the username and password that you typed are correct, an access token is generated for you.

An access token is a piece of information that identifies you and is associated with everything you do on the computer and network. The access token contains your user account information and any groups of which you are a member. When you try to access a resource on the network, the user account and group membership in the access token are compared against the permission list of the resource. If the user account in the access token, or one of the groups contained in it, is also on the permission list, you are granted access to the resource. If not, you get an access-denied message.

If you do not have a server-based network environment and you are simply running a Windows desktop system such as Windows 8.1, when you log on, the logon request is sent to the local computer — to an account database known as the Security Accounts Manager (SAM) database. When you log on against the SAM database, an access token is generated as well, and that token helps the system determine which files you can access.
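The logon-then-token flow described above, modeled as an added example (not code from the book or from Windows): a small account database stands in for Active Directory or the SAM, a successful logon yields an access token carrying the user and group memberships, and a resource check compares that token against the resource's permission list. The user names, groups, resources and passwords are constructed, and passwords are stored as salted PBKDF2 hashes rather than in plaintext, which is an assumption about how a real account database stores them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    username: str
    salt: bytes
    pw_hash: bytes          # salted PBKDF2 hash; assumption: never the plaintext password
    groups: frozenset

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_account(username: str, password: str, groups) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash_password(password, salt), frozenset(groups))

@dataclass(frozen=True)
class AccessToken:
    user: str               # who you are
    groups: frozenset       # every group you are a member of

class AccountDatabase:
    """Stands in for the Active Directory database or the local SAM database."""
    def __init__(self, accounts):
        self._accounts = {a.username: a for a in accounts}

    def logon(self, username: str, password: str):
        """Verify the logon request; return an AccessToken on success, None otherwise."""
        acct = self._accounts.get(username)
        if acct is None:
            return None
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            return None
        return AccessToken(acct.username, acct.groups)

def check_access(token: AccessToken, permission_list: frozenset) -> bool:
    """Grant if the token's user or any of its groups is on the resource's permission list."""
    return token.user in permission_list or not token.groups.isdisjoint(permission_list)

# Constructed sample data: hypothetical users, groups and resource permission lists.
DB = AccountDatabase([
    make_account("bob", "Correct-Horse-7!", ["Sales"]),
    make_account("alice", "Staple-Battery-9#", ["Sales", "Admins"]),
])
SALES_REPORTS = frozenset({"Sales"})          # granted to the Sales group
FINANCE_SHARE = frozenset({"Admins", "carol"}) # granted to Admins and one named user
```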

Smart card

Another type of logon supported by network environments today is the use of a smart card. A smart card is a small, ATM card–like device that contains your account information. You insert the smart card into a smart card reader that is connected to a computer, and then you enter the PIN (personal identification number) associated with the smart card. This is an example of securing an environment by forcing someone to not only have the card but also know the PIN.

Other authentication objects

When implementing authentication systems, you have a number of different ways that you can prove someone’s identity or that he belongs in the physical facility or environment. The most common method to authenticate someone to a system is with a username and password, but the following items outline some other methods of authenticating employees, many of which relate to physical security:

  • ID badges: High-secure environments require all personnel, including employees and contractors, to wear identification badges at all times so that each employee can be identified. These badges may also use different colors, which flag the parts of the building that the employee is allowed to be in. Some badges have magnetic strips that store authentication information and are swiped before gaining access to the building.
  • Key fobs: A key fob is a small authentication hardware device that connects to an employee’s keychain. The device is used in the authentication process by generating a random number that the employee who possesses the key fob must enter as part of the authentication process. The random number is synchronized with an authentication device. A key fob is also a device that is used to gain access to a building by having the employee swipe the key fob past a scanner.
  • RFID badge: RFID (radio frequency ID) badges use radio frequency to submit authentication information to RFID access points as the employee approaches the facility or different areas of the facility. The benefit of the RFID badge is that the employee is not required to swipe any kind of card because the RFID signal is picked up by the access point.
  • OTP token: A One-Time Password (OTP) token is a device, also called a key fob, that is used in authentication by generating a random number that the user carrying the token, usually on his or her keychain, would use along with his or her password.
  • Privacy filters: Privacy filters are placed on computer screens so that to see the information on the screen, you have to be directly in front of the screen. The privacy filter is similar in concept to a window blind that sits on top of your computer screen and prevents someone lurking around you from seeing the information on the screen.
  • Entry control roster: In high-secure environments you may want to have an entry control roster, which is a list of people allowed to gain access to the facility. The roster usually sits at the entrance to a building or at the gate entrance to the facility. Typically, an employee signs visitors in and records the time they entered and exited the facility.

Strong passwords

It is really hard to talk about authentication without talking about ensuring that users create strong passwords. A strong password is a password that is very difficult for hackers to guess or crack because it contains a mix of uppercase and lowercase characters, contains a mix of numbers, letters, and symbols, and is a minimum of eight characters long.

Single sign-on

Single sign-on (SSO) is an authentication term you should be familiar with for the A+ Exams. SSO is the principle that you should be able to log on to the network with your username and password and then be given access to a number of different resources such as files, printers, and your email using that one username and password. The opposite of an SSO environment is when you have to supply a username and password for each different resource that you access. Microsoft’s Active Directory environment is an example of a single sign-on environment.

Multifactor authentication

There are different techniques that can be used to authenticate to an environment:

  • Something you know: The most common method of authentication is inputting something you know, such as a PIN or password.
  • Something you have: This authentication method involves authenticating by having a physical object in your possession, such as a debit card, a smart card, or a key fob.
  • Something you are: This authentication method involves authenticating to a system with personal characteristics of yourself such as a fingerprint scan, retina scan, or voice recognition. This is where biometrics fits in.

The key point here is that in high-secure environments you should use multiple authentication techniques, which is known as multifactor authentication. Here is why. If you drop your bank card (something you have) on the ground and someone picks it up, will she gain access to your account? The answer is no; it would be a terrible authentication system if banks granted access based only on your having the bank card in your possession. So the bank uses two factors of authentication: You have to have the bank card (something you have) and then you must type the PIN (something you know) associated with the bank card. Requiring both factors greatly increases the security of the scenario. Multifactor authentication means using more than one of something you know, something you have, and something you are.

It should be noted that most of us log on to a network by typing a username and password, both of which are examples of something we know. For this reason, a username/password authentication technique is not considered multifactor authentication because we are only using one method of authentication.