Let me in, I swear it’s me!

--Originally published at Mr. Robot's Imaginary Friend

I have talked a lot in previous posts about the importance of the information that is on the internet and who has access to it; this is why authentication and access control are really important.

Modern computer systems provide services to multiple users and require the ability to accurately identify the user making a request. In traditional systems, the user’s identity is verified by checking a password typed during login; the system records the identity and uses it to determine what operations may be performed.

The process of verifying the user’s identity is called authentication. Plain password-based authentication is not suitable for use on computer networks. Passwords sent across the network can be intercepted and subsequently used by someone else to impersonate the user. In addition to the security concern, password-based authentication is inconvenient: users don’t want to enter a password each time they access a network service, and this leads to the use of even weaker authentication.

An authentication factor is a category of credential used for identity verification. The three most common categories are often described as something you know, something you have and something you are.

  • Knowledge factors: Category of authentication credentials consisting of information that the user possesses, such as a personal identification number, a username, a password or the answer to a secret question.
  • Possession factors: Category of credentials based on items that the user has with them, typically a hardware device such as a security token, or a mobile phone used in conjunction with a software token.
  • Inherence factors: Category of user authentication credentials consisting of elements that are integral to the individual in question, in the form of biometric data.
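As an added example that is not part of the original post, here is how a server can check a knowledge factor and a possession factor together. The password is verified against a salted PBKDF2 hash (the password itself is never stored), and the possession factor is a time-based one-time code computed as in RFC 6238 (TOTP, built on RFC 4226 HOTP), the kind of code a phone authenticator app produces. The user record, the demo password and the TOTP secret are constructed for the example; the secret is the RFC 4226 test-vector key, not a real enrollment.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # cost parameter for the password hash


def enroll_password(password: str) -> dict:
    """Knowledge factor: store only a random salt and a PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the hash for the attempt and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Possession factor: accept the code for the current window and `window` steps
    either side, to tolerate small clock drift between the device and the server."""
    current = unix_time // 30
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter >= 0 and hmac.compare_digest(hotp(secret, counter), code):
            return True
    return False


def authenticate(record: dict, totp_secret: bytes, password_attempt: str,
                 code_attempt: str, unix_time: Optional[int] = None) -> bool:
    """Two-factor login: both factors are always evaluated (so the response time does not
    reveal which one failed) and both must succeed."""
    if unix_time is None:
        unix_time = int(time.time())
    password_ok = verify_password(record, password_attempt)
    code_ok = verify_totp(totp_secret, code_attempt, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo enrollment; the TOTP secret is the RFC 4226 test-vector key.
    record = enroll_password("correct horse battery staple")
    secret = b"12345678901234567890"
    now = int(time.time())
    print(authenticate(record, secret, "correct horse battery staple", totp(secret, now), now))
    print(authenticate(record, secret, "wrong password", totp(secret, now), now))
```

The point of evaluating both factors unconditionally is that a login that fails fast on a bad password would tell a caller which factor was wrong; a real deployment would additionally rate-limit attempts and reject a TOTP code that has already been used within its window.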

Strong authentication is a commonly used term that is largely without a standardized definition; for general purposes, any method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects can be considered strong authentication.

The term strong authentication is often used to refer to two-factor authentication or multi-factor authentication. That usage probably came about because MFA is a widely applied approach to strengthening authentication. In cryptography, strong authentication is defined as a system involving multiple challenge/response answers. Because such a system involves multiple instances of a single factor (the knowledge factor), it is an example of single-factor authentication, regardless of its strength.
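To make the challenge/response idea concrete, and to show why it addresses the interception problem raised earlier, here is an added example (not from the original post) that simulates both styles of login over a visible "wire". In the traditional flow the password itself crosses the network, so whatever was captured is the credential. In the challenge/response flow the server sends a fresh random nonce and the client returns HMAC(secret, nonce); the secret never leaves the client, and because each nonce is accepted only once, a captured response is useless for a later login. The shared secret and the server classes are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed demo credential shared between the client and the server.
SHARED_SECRET = b"demo-shared-secret-not-a-real-credential"


class PasswordServer:
    """Traditional login: the client sends the password itself over the network."""

    def __init__(self, password: bytes) -> None:
        self._password = password

    def login(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self._password)


class ChallengeResponseServer:
    """Login where the secret never leaves the client: the server sends a fresh random
    nonce and the client proves knowledge of the secret by returning HMAC(secret, nonce)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # new unpredictable nonce per attempt
        return self._pending

    def login(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # a nonce is accepted at most once
        if nonce is None:
            return False
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """What the client sends back: a MAC over the nonce, not the secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def plaintext_login_observed() -> Tuple[bool, bool]:
    """Returns (legitimate login accepted, captured message accepted again later)."""
    server = PasswordServer(SHARED_SECRET)
    wire = [SHARED_SECRET]              # everything crossing the network is visible here
    first = server.login(wire[-1])
    again = server.login(wire[-1])      # the captured bytes are the credential itself
    return first, again


def challenge_response_observed() -> Tuple[bool, bool]:
    """Returns (legitimate login accepted, captured response accepted again later)."""
    server = ChallengeResponseServer(SHARED_SECRET)
    wire = [server.challenge()]
    wire.append(client_response(SHARED_SECRET, wire[-1]))
    first = server.login(wire[-1])
    # An observer of the wire holds the nonce and the response, not the secret.
    # The server issues a different nonce for the next login, so the old response
    # no longer matches anything the server expects.
    server.challenge()
    again = server.login(wire[-1])
    return first, again


if __name__ == "__main__":
    print("password in the clear:", plaintext_login_observed())      # (True, True)
    print("challenge/response:   ", challenge_response_observed())  # (True, False)
```

This exchange is still a single knowledge factor, which matches the post's point that multiple challenge/response rounds do not by themselves make it multi-factor. Note also that a weak, guessable secret can still be attacked offline from a captured nonce/response pair, so the shared secret should be a high-entropy key, or the exchange should run inside an encrypted channel such as TLS.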

Now I will talk about access control. The purpose of access control is to limit the actions or operations that a legitimate user of a computer system can perform. Access control constrains what a user can do directly, as well as what programs executing on behalf of users are allowed to do. In this way, access control seeks to prevent activity that could lead to a breach of security.

Access control relies on and coexists with other security services in a computer system and is concerned with limiting the activity of legitimate users. It is enforced by a reference monitor, which mediates every attempted access by a user to objects in the system. The reference monitor consults an authorization database in order to determine whether the user attempting an operation is actually authorized to perform it. The authorizations in this database are administered and maintained by a security administrator, who sets them on the basis of the security policy of the organization.
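As an added example (not part of the original post), here is a small reference monitor in Python that mediates every access to a set of objects by consulting an authorization database, logs each allow/deny decision, and applies the user's authorizations to a program running on that user's behalf. The operations, the in-memory file store, the users and the policy are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Op(Enum):
    READ = "read"
    WRITE = "write"
    EXECUTE = "execute"


class AuthorizationDB:
    """Authorization database: which operations each subject may perform on each object.
    Only the security administrator's grant/revoke calls change it."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], Set[Op]] = {}

    def grant(self, subject: str, obj: str, *ops: Op) -> None:
        self._grants.setdefault((subject, obj), set()).update(ops)

    def revoke(self, subject: str, obj: str, *ops: Op) -> None:
        self._grants.get((subject, obj), set()).difference_update(ops)

    def permits(self, subject: str, obj: str, op: Op) -> bool:
        return op in self._grants.get((subject, obj), set())


@dataclass
class ReferenceMonitor:
    """Mediates every access: nothing touches an object except through `access`.
    Every decision, allowed or denied, is written to the audit log."""
    db: AuthorizationDB
    audit: List[str] = field(default_factory=list)

    def access(self, subject: str, obj: str, op: Op, action: Callable[[], object]):
        if self.db.permits(subject, obj, op):
            self.audit.append(f"ALLOW {subject} {op.value} {obj}")
            return action()
        self.audit.append(f"DENY {subject} {op.value} {obj}")
        raise PermissionError(f"{subject} may not {op.value} {obj}")


# Constructed demo objects: an in-memory "file system" protected by the monitor.
FILES: Dict[str, str] = {"payroll.csv": "alice,5000\nbob,4000", "notes.txt": "hello"}


def run_as(monitor: ReferenceMonitor, user: str, program: Callable) -> object:
    """A program executing on behalf of a user is constrained by that user's
    authorizations: the monitor is handed the user's identity, not the program's."""
    def read(obj: str) -> str:
        return monitor.access(user, obj, Op.READ, lambda: FILES[obj])

    def write(obj: str, data: str) -> None:
        def do() -> None:
            FILES[obj] = data
        monitor.access(user, obj, Op.WRITE, do)

    return program(read, write)


def demo() -> dict:
    """Apply an administrator-defined policy and record what two users' programs may do."""
    db = AuthorizationDB()
    db.grant("alice", "payroll.csv", Op.READ, Op.WRITE)
    db.grant("bob", "notes.txt", Op.READ)
    monitor = ReferenceMonitor(db)
    results: dict = {}

    results["alice_reads_payroll"] = run_as(monitor, "alice",
                                            lambda read, write: read("payroll.csv"))
    try:
        run_as(monitor, "bob", lambda read, write: read("payroll.csv"))
        results["bob_reads_payroll"] = True
    except PermissionError:
        results["bob_reads_payroll"] = False

    # The administrator revokes alice's write; the next attempt is mediated afresh and denied,
    # so there is no cached decision that outlives the policy change.
    db.revoke("alice", "payroll.csv", Op.WRITE)
    try:
        run_as(monitor, "alice", lambda read, write: write("payroll.csv", "tampered"))
        results["alice_writes_after_revoke"] = True
    except PermissionError:
        results["alice_writes_after_revoke"] = False

    results["audit"] = list(monitor.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two properties worth checking in any real reference monitor are visible here: complete mediation (the only path to `FILES` is through `access`), and the fact that the audit log records denials as well as successes, which is what a security operations team needs in order to notice a program probing for objects its user is not authorized to touch.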