Recent security breaches have exposed millions of private data records stored on government and corporate computers, and the list of federal and corporate regulations that must be complied with keeps growing. Together these create an ever-increasing requirement to secure access to the data stored on electronic devices, to assure that the users who have access to these computers are who they say they are, and to enforce policies for securing organizational infrastructures.
Identity management is the act of verifying, in as much detail as possible, that a person entering a building or authenticating to a network is who they say they are. This document discusses identity management as well as some of the types of components available and involved.
First we will discuss some of the technologies that can make up an identity management solution, beginning with methods for advanced authentication. A smart card is a pocket-sized card that contains integrated circuits; for the purposes of this document we discuss the microprocessor version. The microprocessor version is credit-card sized and contains an integrated chip that allows a small amount of secure data storage for items such as certificates. These certificates can hold a user’s credentials and allow a person to authenticate to a network, gain access to a building, or use the certificate for Public Key Infrastructure (PKI) based services and applications, for example digital signatures and providing non-repudiation for encrypted email delivery and receipt. Smart cards originated in the 1970s and have become widely accepted in Europe and numerous Asian countries, where they are used for payment cards, vending, and transit system access. Until recently smart cards were not as popular in the United States, but they have become more accepted due to new government regulations such as the White House issued Homeland Security Presidential Directive 12 (HSPD-12) and Personal Identity Verification (PIV), which are policies and guidelines for a common identification standard for federal employees and contractors. The Department of Defense (DoD) started issuing the Common Access Card (CAC), a smart card issued as standard identification for active duty military personnel, selected reserve personnel, civilian employees, and eligible contractors. The CAC is used as a general identification card as well as for authentication to DoD computers, networks, and certain facilities. It also serves as an identification card under the Geneva Convention.
The CAC enables encrypting and cryptographically signing email, facilitates the use of PKI authentication tools, and establishes an authoritative process for the use of identity credentials. Because the government has set an example and helped define the standards for implementing a smart card identity management project, many private and public organizations have begun implementing similar systems. Smart card login is also known as two-factor authentication: something a person has (the smart card) and something a person knows (the PIN).
Biometrics are another complementary or standalone method of identity management that uses a person’s physical and behavioral traits; here we discuss fingerprint biometrics. In most fingerprint biometric authentication applications a template is taken of a user’s fingerprint. The template is usually a mapping of certain points and key characteristics that are relevant only to the person submitting them. Biometrics is considered one of the most accurate means of identifying an individual, because there is less than a one-in-a-billion chance of two people having exactly the same fingerprint. The U.S. Government uses biometrics for a variety of both physical and logical access, and in some cases it uses iris or facial recognition biometrics. In other cases three-factor authentication can be implemented by storing the user’s fingerprint template on a smart card and using what is commonly known as match-on-card technology: the user inserts the card, enters the PIN, and then places a finger on a biometric reader, which in turn pulls the template from the card and verifies that it matches the user’s physical characteristics.
Single Sign-On (SSO), in the context of identity management, is an application that recognizes user authentication dialog boxes, windows and form controls. When an application that requires a login is launched, the SSO application saves the user’s credentials, normally in encrypted form, auto-populates the username and password fields, and then sends an OK key command to log the user in automatically. Single Sign-On helps prevent password theft by centrally managing the many passwords a user accumulates from an ever-growing list of applications. Users with numerous passwords will in many cases write them on a post-it note and stick it to their monitor so they do not forget them. SSO helps prevent this by managing their passwords for them, and relieves the confusion of having to remember and manage multiple passwords.
Digital tokens and One Time Password (OTP) systems are another method of preventing identity and password theft. A token is a device that runs an algorithm synchronized with an organization’s authentication server or platform. When a user attempts to authenticate to a corporate asset, they are prompted for their one-time password, which the token device provides. Some token devices generate a new password every minute or at a designated interval; others generate a pass-code on request. The most secure model is one that requires the user to enter a PIN into the device before it generates a code.
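As an added illustration of the token and server relationship described above (not code from the original document), the following Python models a PIN-protected, time-synchronized token and the authentication server that checks its codes, tolerating a small amount of clock drift and refusing a code that has already been accepted. It assumes an HMAC-based step-counter scheme (the HOTP/TOTP construction) as the token’s algorithm; the shared secret, PIN and timestamps are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the page's "new password every minute" token
DIGITS = 6

def otp_code(secret: bytes, step: int) -> str:
    """Code for one time step: HMAC-SHA1 over the step counter plus dynamic
    truncation (the HOTP/TOTP construction, assumed here as the token's algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def time_step(now: int, drift: int = 0) -> int:
    """Map a Unix time (plus any clock drift) to the shared step counter."""
    return (now + drift) // STEP_SECONDS

class PinProtectedToken:
    """The page's 'most secure model': the device shows a code only after the
    correct PIN is entered. clock_drift models a token clock that has wandered."""
    def __init__(self, secret: bytes, pin: str, clock_drift: int = 0):
        self._secret, self._pin, self._drift = secret, pin, clock_drift

    def show_code(self, entered_pin: str, now: int) -> "str | None":
        if not hmac.compare_digest(entered_pin, self._pin):
            return None                       # wrong PIN: no code is produced
        return otp_code(self._secret, time_step(now, self._drift))

class OtpServer:
    """Authentication server: holds the same secret, tolerates +/- `window`
    steps of clock skew, and remembers the last accepted step so a code seen
    in transit cannot be accepted a second time."""
    def __init__(self, secret: bytes, window: int = 1):
        self._secret, self._window = secret, window
        self._last_step = -1

    def verify(self, submitted: str, now: int) -> bool:
        base = time_step(now)
        for step in range(base - self._window, base + self._window + 1):
            if step <= self._last_step:
                continue                      # already used or older: replay
            if hmac.compare_digest(otp_code(self._secret, step), submitted):
                self._last_step = step
                return True
        return False
```

A token whose clock has drifted by less than one step is still accepted, while a token that has drifted further, or a captured code submitted a second time, is rejected.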
Many organizations, especially financial ones, are instituting stronger means of authentication for their customers to gain access to user accounts and web portals. Some use pictures and pass-codes to verify identities, while some have gone as far as issuing smart cards to select users to gain access to their accounts. They do not want to inconvenience their customers, but at the same time they must help protect their identities.
Companies such as Microsoft are attempting to centralize user credentials into what is termed an “Identity Metasystem”, called CardSpace. The function this service is meant to provide is similar to SSO, but accessible anywhere, and the user’s credentials can only be accessed using a secure token. When a web or Windows application prompts for authentication credentials, CardSpace is launched and requests the user’s token to verify whether the user should be granted access; once the user provides a valid token credential, they receive a list of login accounts and can select the credential that matches the application. Both the server and client sides store all data encrypted, and decrypt it if it is compatible with the requesting interface. This type of application will help reduce the number of authentication credentials any given user has to maintain.