What is Authentication?



Biscom | 1-800-477-2472 | [email protected] | 321 Billerica Rd Chelmsford, MA 01824 | www.biscom.com

Information in many ways is the most powerful asset that companies acquire, retain, and use on a daily basis as they provide products and services to their customers. Intellectual property, customer information, personnel files, marketing research, financials, source code, product designs, and business plans are but a few of the kinds of data that keep a company running on a day-to-day basis.

Making sure access to this valuable data is controlled and limited to those individuals who are authorized to view, change, or manage this information is critical to ensure that confidential assets are not exposed and accessed by the wrong person. In today’s world, many bad actors, from individuals to state-sponsored entities, are actively trying to penetrate and thwart systems that protect this corporate information.

This primer is meant to provide an introduction and overview of authentication techniques and technologies for people who are less technically-oriented, but who need to have a familiarity or general understanding of the different systems and methods and the benefits and challenges of their implementation.

What is Authentication?

Authentication is the act of verifying that a person is who he or she claims to be. A familiar method of authentication is a simple username and password combination. These two pieces of information, when used together, can provide some level of assurance that only that individual would know both pieces of information.

Accessing private systems and networks clearly requires some form of identification because of potentially confidential information, trade secrets, intellectual property, and other communication that is not for public consumption.

Pre-Internet, most organizations were islands with few connections to each other. Larger companies with multiple offices dispersed throughout the country or the world often had private networks that connected the disparate offices. Securing companies was significantly more straightforward than it is today. The level of connectivity that exists today with the Internet, wireless networks, and mobile devices will soon be expanded by the “Internet of Things” trend to a proliferation of even the most mundane or common items, such as appliances and furniture. The job that administrators face today to secure their organizations is much more complex than in days past. Pushing authentication requirements to all of these potential endpoints means there will have to be more robust ways to control access.


Simple User Authentication

Most people who use email are familiar with entering their email address as their username and a password they’ve created. Many internal corporate systems employ this common authentication method – it’s simple, it’s well understood, and provides a level of protection that is adequate in many cases.

Authentication is used for access control – it does not necessarily imply a level of access rights once authenticated. Instead, a separate process of authorization then determines which resources the user can access, what control the user has, and other actions the user has rights to perform.

Directory Services and User Management

Sufficiently large companies (but not exclusively large companies) may deploy some kind of centralized directory service that is used to manage users, resources, and permissions and policies around accessibility. Lightweight Directory Access Protocol or LDAP is a common protocol used to access directory services. LDAP is supported by many different vendors and open-source implementations, but many will be familiar with Microsoft’s use of LDAP in their Active Directory (AD) product. A directory service is simply a database of objects and company resources – one of its main uses is to centrally manage users and credentials.

The advantage of having a directory service is the centralization of users, their credentials, and their privileges to access enterprise resources such as email, servers, network drives, accounting systems, and other shared properties. IT administrators can make changes to a user’s profile, such as a password or permissions, and this change immediately affects all the applications and objects in the network related to this user – so a password can be changed in one place and its effect is global. For applications that do not support LDAP or AD, user information and authentication is usually local – and changes are not propagated to any centralized location. To update a simple password becomes tedious when it’s required across more than a handful of systems.

Password Management

Passwords and how to manage them can make for heated discussions. Being forced to change passwords every few months can be one of the more painful requirements, and long passwords requiring letters, numbers, and symbols is another. But are frequent password changes and highly complex passwords even good ideas? While forcing frequent password changes can limit the time a compromised account is accessible, it may not actually add much security. Most data theft is immediate – thieves are in and out, so unless you change your password the instant there’s a breach, it may not really help. And forcing users to change passwords frequently can lead to gaming the system, rotating around a few different passwords, or increasing the likelihood that a user will write the password on a sticky note and tape it to their monitor. And while complex passwords are harder to guess in brute force attacks, the problem is the same as with frequent password changes – complex passwords are harder to remember, leading back to the sticky note solution. Many users rely on a few common passwords which they use on many of their accounts. The danger of course is cross contamination – if attackers compromise one account, there’s a good chance they will try that password on other accounts, and they often succeed. One simple piece of advice for passwords – don’t make the mistake that many people make and use the most obvious ones, such as “password” or “123456” – these are easily guessable and provide very little protection. There’s no single optimal strategy – but convenience and security are at odds with each other, so think about how to best balance the two opposing interests, and what method would ensure the highest level of compliance. And consider using a password management app to store and manage your myriad accounts and passwords. These enable you to create unique, complex passwords for each account, and keep you from putting that sticky note on your monitor where anyone can view it.
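The server side of the advice above – refuse the obvious passwords outright, never store the password itself, and make a wrong password and an unknown username indistinguishable to a caller – looks like the following. This is an added example written for this primer, not Biscom code; the deny list and the PBKDF2 iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed deny list of the obvious choices the paper warns about. A real
# deployment would check against a much larger list of breached passwords.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein"}
MIN_LENGTH = 12

# PBKDF2 parameters (assumption for this demo; tune iterations to your hardware).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

# Hash used when a login names an unknown user, so that "no such user" and
# "wrong password" take the same time and do not reveal which usernames exist.
_DUMMY_HASH = None


def is_obviously_weak(password: str) -> bool:
    """True for the short or guessable passwords that give almost no protection."""
    return len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'.

    The random per-user salt means two users with the same password get
    different records, and the stored value cannot be turned back into the password.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def register_user(store: dict, username: str, password: str) -> bool:
    """Store only a hash; refuse weak passwords at enrollment."""
    if is_obviously_weak(password):
        return False
    store[username] = hash_password(password)
    return True


def login(store: dict, username: str, password: str) -> bool:
    """Authenticate (verify identity). Authorization is a separate step after this."""
    global _DUMMY_HASH
    if _DUMMY_HASH is None:
        _DUMMY_HASH = hash_password("dummy-value-never-accepted")
    stored = store.get(username)
    if stored is None:
        verify_password(password, _DUMMY_HASH)  # burn the same time, then reject
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    users = {}
    print(register_user(users, "alice", "correct horse battery staple"))  # True
    print(register_user(users, "bob", "123456"))                          # False
    print(login(users, "alice", "correct horse battery staple"))          # True
    print(login(users, "nobody", "anything at all here"))                 # False
```

Hashing does nothing about a user reusing one password across accounts; that is the cross-contamination problem the text describes, and the deny list plus a per-account unique password from a manager is the mitigation on the user's side.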


Multi-factor Authentication

While most are familiar with a straightforward username and password combination, it’s pretty clear that this is very basic and that forging these credentials is not only easy, but often abused – for example, how many people share their usernames and passwords so others can access a particular service? While this may be convenient for people, it is almost certainly not the intention of most systems that are processing the authentication. There is a level of implied trust that users are retaining their credentials for their own use and not sharing this with others. For some systems, it’s not critically important, but other systems may need to log this information for tracking purposes or chain of custody reasons, and it can appear that a particular person is accessing information when in reality it’s a different individual.

Multi-factor authentication systems provide a means to further assure that the person accessing a system is the person he or she claims to be. A two-factor system requires both knowledge of a secret and possession of a unique token which, when combined, provide a significantly higher probability that the person in the process of authenticating is who he asserts himself to be. In simple terms, it’s something you know and something you have. What you know is the secret, e.g. a password or PIN. What you have is a key fob, smart card, or, more commonly used these days, a smart phone. You cannot impersonate someone by just knowing their secret (e.g. username and password); you must also have the physical item that is associated with him or her. When you use your bank’s ATM, you’re using two-factor authentication – your bankcard and a PIN. If you lose your bankcard, you report the loss and the bank will deactivate it. If you forget your PIN or think it’s been compromised, you can easily change it, but without the bankcard, it’s not very useful.

RSA, now a part of EMC, was a software security company that was best known for its SecurID technology. This technology comprised an internal authentication server and a small key fob with a tiny LCD screen that generated and displayed a unique random number at short time intervals. When a user tried to log into an application or system, the login page would ask for a username, a password, and then also the random number generated by the fob as a third piece of information. If the random number entered matched the expected number on the authentication server, then the user was allowed access to the system. These days, mobile phones act as the physical device that can receive SMS or text messages that contain a random string, which people then enter in a separate step during authentication. The same principle applies – a random number that has a short lifespan and is extremely hard to counterfeit provides an additional level of assurance that only the authorized person would have access to both the password and the token-based information. The main difference is the token – instead of having to provision a key fob to every user, you can leverage a device that almost everyone these days has.
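The time-based code that a fob or authenticator app displays is, in the open-standard form, a TOTP (RFC 6238) built on HOTP (RFC 4226): the server and the token share a secret, and the code is an HMAC over the current 30-second time step, truncated to six digits. The following is an added example, not part of the original paper or any RSA product; it uses the RFC test secret and shows the two server-side details a practitioner has to get right: a small drift window for clock skew, and remembering the last accepted step so a code cannot be replayed within its lifetime.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30      # seconds a code stays valid (RFC 6238 default)
DIGITS = 6
ALLOWED_DRIFT = 1   # also accept the previous and next step to tolerate clock skew

# RFC 4226/6238 test secret ("12345678901234567890"), base32-encoded the way
# authenticator apps import it. A real deployment generates a random secret per
# user at enrollment and stores it server-side.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: the counter is the number of time steps since the Unix epoch."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server side for one user: the shared secret plus the last accepted step.

    Remembering the last accepted step blocks replay of a code within its
    lifetime, and stops an older code from being accepted after a newer one.
    """

    def __init__(self, secret_b32: str, step: int = TIME_STEP, drift: int = ALLOWED_DRIFT):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step = step
        self.drift = drift
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        if not (len(code) == DIGITS and code.isascii() and code.isdigit()):
            return False
        counter = now // self.step
        for delta in range(-self.drift, self.drift + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already used, or older than a step already accepted
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    verifier = TotpVerifier(RFC_TEST_SECRET_B32)
    code = totp(RFC_TEST_SECRET_B32, now)       # what the user's app would show
    print(code, verifier.verify(code, now))     # <6 digits> True
    print(verifier.verify(code, now))           # False: same code replayed
```

The code is the second factor only; it is checked after the password, and a valid code says nothing about what the user may then do, which remains the separate authorization step.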

Increasingly popular are biometric systems – fingerprint readers, retinal scanners, and facial recognition software – which don’t require you to carry a separate device or token (“something you have”), but they use characteristics or attributes of your physical makeup as a second factor (“something you are”).


Single Sign-on (SSO) and Federated Identity Management

While many systems require additional steps, physical tokens, or other forms of identification, a single sign-on (SSO) system actually opens up more access to multiple systems with a single act of authentication. SSO does not technically reduce the level of security, but it provides convenience to the user: instead of having to re-authenticate with credentials for each system or application individually, a person can simply authenticate once and a successful login can be used to automatically grant access to multiple systems. Conceptually, SSO assumes that successful authentication in one system is transferable to another – and in many cases this is true, but be careful of providing access based on another system – it could be flawed, or have a lower security threshold.

SSO is a subset of federated identity management. The concept of federation implies a network of trust where authentication systems and credential information span multiple domains. In cases where centralized identity management may not apply to external systems and cloud-based services, a federated approach enables seamless secure access even outside of a company’s domain of control. Such systems add complexity for the IT group, but provide identity portability, which is becoming more prevalent and necessary with decentralized Internet-based services.

One technology that is increasingly being used in SSO for browser-based applications is security assertion markup language, or SAML. SAML is an XML-based, open standard that defines a format for exchanging authentication and authorization information between two parties. More web-enabled applications are supporting SAML as a way to support multiple authentication systems without being tied to a single vendor’s method.
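In SAML terms the party that authenticated the user is the identity provider (IdP) and the application that trusts that result is the service provider (SP). The caution in the SSO paragraph above, that access should not be granted on another system's say-so without checks, comes down to what the SP verifies before accepting an assertion: that it was signed by the IdP it trusts, that it names that IdP as issuer, that it is inside its validity window, and that it was issued for this SP and not for some other application. The following is an added example, not Biscom code and not a SAML library: it builds a minimal SAML 2.0 assertion with the standard library and performs those SP-side checks. Real SAML carries an XML digital signature verified against the IdP's certificate; since the standard library has no XML-DSig, an HMAC over the serialized assertion stands in for it here, and the entity IDs and key are constructed for the demo.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML_NS)

# Constructed values for the demo. The HMAC key stands in for the IdP's
# signing key; a real SP verifies an XML signature with the IdP's certificate.
IDP_KEY = b"constructed-demo-idp-key"
TRUSTED_ISSUER = "https://idp.example.test"
SP_ENTITY_ID = "https://app.example.test"


def _ts(seconds: int) -> str:
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime(ISO_UTC)


def _parse_ts(text: str) -> int:
    return int(datetime.strptime(text, ISO_UTC).replace(tzinfo=timezone.utc).timestamp())


def issue_assertion(issuer, name_id, audience, issued_at, lifetime=300, key=IDP_KEY):
    """IdP side: build a minimal assertion and return (xml_bytes, mac_hex)."""
    tag = lambda name: f"{{{SAML_NS}}}{name}"
    a = ET.Element(tag("Assertion"), {"Version": "2.0", "IssueInstant": _ts(issued_at)})
    ET.SubElement(a, tag("Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, tag("Subject")), tag("NameID")).text = name_id
    cond = ET.SubElement(a, tag("Conditions"),
                         {"NotBefore": _ts(issued_at), "NotOnOrAfter": _ts(issued_at + lifetime)})
    ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")), tag("Audience")).text = audience
    xml_bytes = ET.tostring(a, encoding="utf-8")
    return xml_bytes, hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()


def validate_assertion(xml_bytes, mac_hex, now, sp_entity_id=SP_ENTITY_ID,
                       trusted_issuer=TRUSTED_ISSUER, key=IDP_KEY):
    """SP side: return (name_id, 'ok') only if every check passes, else (None, reason)."""
    expected = hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac_hex):
        return None, "signature mismatch"          # check integrity before parsing anything
    root = ET.fromstring(xml_bytes)
    ns = {"saml": SAML_NS}
    if root.findtext("saml:Issuer", namespaces=ns) != trusted_issuer:
        return None, "untrusted issuer"
    cond = root.find("saml:Conditions", ns)
    if cond is None:
        return None, "missing conditions"
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is None or not_after is None:
        return None, "missing validity window"
    if now < _parse_ts(not_before) or now >= _parse_ts(not_after):
        return None, "assertion outside validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", ns)]
    if sp_entity_id not in audiences:
        return None, "assertion not intended for this service provider"
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    if not name_id:
        return None, "missing subject"
    return name_id, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    xml_bytes, mac = issue_assertion(TRUSTED_ISSUER, "alice@example.test", SP_ENTITY_ID, t0)
    print(validate_assertion(xml_bytes, mac, t0 + 10))     # ('alice@example.test', 'ok')
    print(validate_assertion(xml_bytes, mac, t0 + 600))    # (None, 'assertion outside validity window')
```

The audience check is the one most often skipped and the one the SSO caution is really about: an assertion that is genuine and current but was issued for a different application must still be rejected, otherwise a weaker system's login becomes a way into a stronger one. Production SPs also allow a few seconds of clock skew on the validity window and record assertion IDs to reject replays.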

Further Reading

This white paper covers a few of the common authentication methods and technologies at a high level. Companies may use one or more of the above approaches to allow people access to systems, and different systems may have higher or lower security requirements. For example, email may only require a basic username and password combination, but transferring secure information, such as medical records, financial information, legal documents, source code, or intellectual property, may require a more rigorous authentication scheme. Federation is also a complex topic and was only briefly discussed, with SSO and SAML details left to further research by the reader. There are many levels of authentication, and they are usually commensurate with the sensitivity of the underlying data and information.

ABOUT BISCOM

Since 1986 Biscom has been the preferred provider of enterprise document delivery and workflow solutions for Fortune 1000 companies. Biscom’s secure file transfer, file sharing, file synchronization, and fax solutions are trusted around the world for reliability, scalability, and ease-of-use.