Authentication and Authorisation
Before we start looking at storing state, we will introduce authentication and authorisation.
Later this week we will discuss ways of keeping track of which users are accessing a website. However, to keep the systems secure we will also need some form of access control. Otherwise, we could have users claiming they are a different person, or accessing functionality that should be restricted.
In this article we will examine ways we can:
- Confirm users are who they say they are (authentication)
- Confirm users have the right privileges to perform a task (authorisation)
Authentication
Authentication is our first step in access control. It allows us to confirm that a user is who they say they are. This includes systems such as passwords, security tokens etc.
Obviously, this is an important part of security. Having a robust authentication method allows us to trust that a user is who they say they are. With a weak, or broken authentication process, an attacker could gain access to the system as a different user.
The most common ways of implementing authentication are known as the three factors:
Factor 1: Something you Know
This is the simplest (to implement), and the most commonly used, factor. It's also probably the easiest to exploit.
Something you know is information that is stored in *your memory* and that (in theory) only you should know. Examples of this include:
- Passwords
- PINs
Note
True, we use email addresses (or usernames) as part of the authentication process;
they let us know which user is trying to use the system.
However, they don't really pass the "only known by you" test. Most organisations list their users and email addresses somewhere on their home page, so it's usually trivial to obtain this information.
One problem with these methods is the human memory aspect.
- We all know that good passwords are long, but they then become much harder to remember.
- We all know that reusing passwords is a bad idea. But trying to remember 10 or more strong passwords is nearly impossible.
- Company rules on passwords (letters, numbers and symbols) also contribute to making passwords hard to remember.
Choosing a strong password isn't that difficult. (Personally, I use a password manager.)
However, this factor of authentication isn't going to go away.
We will still need some way of authenticating if any of the other methods fail.
Factor 2: Something you Own
The second way of authenticating is using something you own. Usually this will be something you can carry with you (like a YubiKey or a mobile phone).
This can then be used to authenticate. For example, an organisation may send you a text with a code that can be used for the "Something you know" element of authentication.
Example
My bank has given me a card-based authentication device. When I try to make a transaction, it will prompt me to generate a code using the device. If the codes match, then I can finish the transaction.
Other examples of things you own could be the NFC cards we use to get access to the labs.
One issue with something you own as a method of authentication is that you have to carry it with you. If the device used to generate the tokens is lost, damaged, or forgotten, you cannot get access to your accounts.
Factor 3: Something you Are
Basically biometrics: things like fingerprints or facial recognition.
While this is probably the strongest method of authentication, it also comes with a lot of problems. Some types of biometric authentication can be broken (in awesome ways).
Additionally, we have the problem of false positives and negatives. Like all technology, biometrics are not bombproof, and at times they will fail to authenticate correctly.
Factor 4: Where you are
So we have looked at the three most common forms of authentication. Using geolocation is reasonably rare. However, it can be used to help detect anomalous activity, which could be used as part of the authentication process.
One example of this could be in detecting bank fraud. The bank knows you live in the UK, and has a pattern of behaviour that shows you use UK-based cash points.
If you start making transactions in France, then one of two things has happened:
- You are on holiday
- Someone else is using your details
Like biometrics, this has the potential for false positives: if you are on holiday, blocking your account would ruin it. However, the location information can give some insight into when normal behaviour has changed.
Two Factor Authentication
You can see that each of these elements has a set of strengths and weaknesses. We can offset these somewhat using two factor authentication.
With 2-factor authentication we can improve security by combining multiple ways of authenticating. Usually, this is in the form of Something you Know and Something you Own.
For example, when you try to log in to Google using your password (Factor 1), they will ask you to enter a PIN that gets sent to your phone (Factor 2).
The benefits of this are obvious. Even if someone gets your password, they still need the phone to complete the login. However, again we have the downside of needing to carry the device around with us to access our data.
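As an added example (not code from the original article), here is how a server could check both factors from the login described above: the password against a stored salted hash (something you know) and a one-time code from a device that shares a secret with the server (something you own). The code generation follows the HOTP construction from RFC 4226; it is an assumption that the bank device in the earlier example works in a broadly similar way, and all credentials below are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo credentials for one user (not real values):
# factor 1 is a salted password hash, factor 2 is a secret shared with the
# user's code-generating device (this secret is the RFC 4226 test vector key).
_SALT = b"demo-salt-not-for-production"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct-password", _SALT, 100_000)
_DEVICE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code (HOTP, RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(password: str) -> bool:
    """Factor 1 (something you know): compare hashes in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, _PASSWORD_HASH)


def check_code(code: str, counter: int, window: int = 2) -> bool:
    """Factor 2 (something you own): accept the expected counter or a few
    ahead, since the device may have been pressed without the code being used.
    Codes from counters already consumed are rejected, so a captured code cannot be replayed."""
    return any(hmac.compare_digest(code.encode(), hotp(_DEVICE_SECRET, c).encode())
               for c in range(counter, counter + window + 1))


def login(password: str, code: str, counter: int) -> bool:
    """Both factors are always evaluated and both must pass; the caller gets a
    single yes/no, so a failure does not reveal which factor was wrong."""
    password_ok = check_password(password)
    code_ok = check_code(code, counter)
    return password_ok and code_ok
```

After a successful login the server must advance the stored counter past the accepted value, otherwise the same code would be accepted twice.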
Authorisation
Authorisation determines what authenticated users can access. For example, can a user only access their own "private" messages, and is sensitive data restricted to those who need it?
Note
This is even more important from a compliance point of view.
GDPR has rules not only about the types of data we collect and the consent we obtain from users, but also about who has access to the data. Having PII available to people within the organisation who don't need access to it could be considered a breach.
When it comes to authorisation, the most common approach is to assign different "access levels" to users.
Example
Consider a basic forum system. This could have three different access levels, each giving different functionality.
- Unauthenticated users would only be able to view posts.
- Authenticated users can also make new posts, and edit their own posts.
- Administrators are able to view and edit any post on the system.
These access levels can become quite complex to meet the needs of an application and to keep information segregated. The number of layers and the privileges assigned to them will be application specific. However, if designing such a system, the "Rule of Least Privilege" should apply.
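The forum example above, as added example code (not from the original article): each access level is granted only the actions it needs, anything not explicitly granted is denied, and "edit" is checked against the specific post so that an authenticated user can only edit their own. The role names, actions and posts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed forum model. Each access level is granted only the actions it
# needs (least privilege); nothing is inherited implicitly.
ROLE_PERMISSIONS = {
    "unauthenticated": {"view"},
    "authenticated": {"view", "create", "edit_own"},
    "administrator": {"view", "create", "edit_own", "edit_any"},
}


@dataclass(frozen=True)
class Post:
    post_id: int
    author: str  # username of whoever created the post


def can(role: str, action: str, actor: str = "", post: Optional[Post] = None) -> bool:
    """Deny by default: unknown roles and unknown actions get no access.
    'edit' is an object-level check, so ownership of the post is verified."""
    granted = ROLE_PERMISSIONS.get(role, set())
    if action in ("view", "create"):
        return action in granted
    if action == "edit":
        if "edit_any" in granted:
            return True
        return "edit_own" in granted and post is not None and post.author == actor
    return False


# Constructed posts to exercise the check
POSTS = {1: Post(1, "alice"), 2: Post(2, "bob")}


def edit_post(role: str, actor: str, post_id: int) -> str:
    """Enforce the check on the server before changing anything; returns a status."""
    post = POSTS.get(post_id)
    if post is None:
        return "not found"
    if not can(role, "edit", actor, post):
        return "forbidden"
    return "updated"
```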
Summary
In this article we looked at the various methods of authentication and authorisation. We also discussed two factor authentication, and how it can make our systems more secure.
Password Managers #passwordManagers
This should be an interesting one...
Password managers are a hot topic. On one hand they make it easy to have a strong password for every site.
On the other, they must be a tempting target for a hacker.
If they can break into the password manager, then they have access to everything.
Using the Aula Feed, discuss your views (#passwordManagers):
- Do you think they are a good thing?
- What weaknesses do they have?
- Is there any information you wouldn't store in a password manager?
Further Reading (or Watching?)
I really like the following video on password security. Good to see I am not the only university lecturer who likes sitting around talking about this stuff.
Don't use CorrectHorseBatteryStaple for a password. It's in the password lists already. ↩