Computer Systems Laboratory Bulletin
November 1991

ADVANCED AUTHENTICATION TECHNOLOGY
 
Introduction  
Computer systems and the information they store and process are 
valuable resources which need to be protected.  With the current 
trend toward networking, compromise of one computer on a network
can often affect a significant number of other machines connected
to the network.  

The first step toward securing a computer system is the ability
to verify the identity of users.  The process of verifying a
user's identity is typically referred to as user authentication. 
Passwords are the method used most often for authenticating
computer users, but this approach has often proven 
inadequate in preventing unauthorized access to computer 
resources when used as the sole means of authentication.  This 
bulletin describes advanced authentication technology which can 
be used to increase the security of computer systems and 
provides guidance in the selection and use of this technology. 
 
User Authentication  
Authentication technology provides the basis for access control 
in computer systems.  If the identity of a user can be correctly
verified, legitimate users can be granted access to system 
resources.  Conversely, those attempting to gain access without 
proper authorization can be denied.  As used in this bulletin, 
authentication is defined as the act of verifying the identity of
a user.  Once a user's identity is verified, access control 
techniques may be used to mediate the user's access to data.  A 
variety of methods are available for performing user 
authentication. 
 
The traditional method for authenticating users has been to 
provide them with a secret password, which they must use when
requesting access to a particular system.  Password systems can 
be effective if managed properly (Federal Information Processing
Standard [FIPS] 112), but they seldom are.  Authentication which
relies solely on passwords has often failed to provide adequate
protection for computer systems for a number of reasons.  If
users are allowed to make up their own passwords, they tend to
choose ones that are easy to remember and therefore easy to
guess.  If passwords are generated from a random combination of
characters, users often write them down because they are
difficult to remember. 
 
Where password-only authentication is not adequate for an 
application, a number of alternative methods can be used alone or
in combination to increase the security of the authentication
process.  The three generally accepted methods for verifying the
identity of a user are based on something the user knows, such as
a password; something the user possesses, such as an
authentication token; and some physical characteristic of the 
user, such as a fingerprint or voice pattern. 
 
Token-Based Authentication 
Token-based authentication schemes require the system user to 
produce a physical token which the system can recognize as 
belonging to a legitimate user.  These tokens typically contain 
information which is physically, magnetically, or electrically 
coded in a form which can be recognized by a host system.  The 
automatic teller machines used by the retail banking industry, 
which require the user to carry a magnetic stripe card, are one 
example of token-based authentication systems.  The most 
sophisticated tokens contain one or more integrated circuits 
which can store and, in some cases, process information.    
Tokens which are manufactured in the form of a credit card with
an onboard microprocessor and memory are commonly referred to as 
"smart" cards. 
 
Token-based systems reduce the threat from attackers who attempt
to guess or steal passwords, because the attacker must either 
fabricate a counterfeit token or steal a valid token from a user
in addition to knowing the user's password. 
 
Biometric Authentication  
Biometric authentication relies on a unique physical 
characteristic to verify the identity of system users.  Common 
biometric identifiers include fingerprints, written signatures, 
voice patterns, typing patterns, retinal scans, and hand 
geometry.  The unique pattern which identifies a user is formed 
during an enrollment process, producing a template for that user.

When a user wishes to authenticate to the system, a physical 
measurement is made to obtain a current biometric pattern for the
user.  This pattern can then be compared against the enrollment 
template in order to verify the user's identity.  Biometric 
authentication devices tend to cost more than password or token-
based systems, because the hardware required to capture and 
analyze biometric patterns is more complicated.  However, 
biometrics provide a very high level of security because the
authentication is directly related to a unique physical 
characteristic of the user which is more difficult to 
counterfeit.  Recent technological advances have also helped to 
reduce the cost of biometric authentication systems.
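The enrollment template, live comparison and accuracy measurement described above, as an added example that is not part of the bulletin. The "biometric pattern" is a constructed fixed-length feature vector (hand-geometry-style lengths in mm); a real device has its own extractor, but the enroll / compare / threshold structure is the same, and the two error rates reported are the false-reject and false-accept rates an independent accuracy test would measure.

```python
"""Enrollment template, threshold comparison and accuracy measurement.

Added example, not from the bulletin.  Feature vectors are constructed
hand-geometry-style measurements; the structure is what matters.
"""
import math
from statistics import mean
from typing import Sequence

Pattern = Sequence[float]


def enroll(samples: Sequence[Pattern]) -> list:
    """Average several enrollment captures into the user's stored template."""
    return [mean(s[i] for s in samples) for i in range(len(samples[0]))]


def distance(pattern: Pattern, template: Pattern) -> float:
    """Euclidean distance between a live capture and the template."""
    return math.sqrt(sum((p - t) ** 2 for p, t in zip(pattern, template)))


def verify(pattern: Pattern, template: Pattern, threshold: float) -> bool:
    """Accept the claimed identity when the live capture is within threshold."""
    return distance(pattern, template) <= threshold


def error_rates(template: Pattern, genuine: Sequence[Pattern],
                impostor: Sequence[Pattern], threshold: float):
    """Independent accuracy test: returns (false-reject rate, false-accept rate).

    genuine  - captures known to come from the enrolled user
    impostor - captures known to come from other people
    """
    frr = sum(not verify(p, template, threshold) for p in genuine) / len(genuine)
    far = sum(verify(p, template, threshold) for p in impostor) / len(impostor)
    return frr, far


# Constructed data: three enrollment captures of one user ...
ENROLL_SAMPLES = [[70.0, 75.0, 80.0, 72.0],
                  [70.5, 74.8, 80.3, 71.8],
                  [69.7, 75.2, 79.9, 72.2]]
TEMPLATE = enroll(ENROLL_SAMPLES)
# ... later captures of the same user (the third is a poor capture) ...
GENUINE = [[70.2, 75.1, 80.0, 72.1],
           [69.9, 74.9, 80.2, 71.9],
           [71.5, 75.0, 80.1, 72.0]]
# ... and captures of two other people, one with a similar hand.
IMPOSTOR = [[74.0, 78.0, 84.0, 76.0],
            [70.5, 75.4, 80.6, 72.3]]

if __name__ == "__main__":
    # A loose threshold rejects fewer genuine users but admits the look-alike;
    # a tight one does the reverse.  Set it from test data in the target
    # environment, not from vendor claims.
    for threshold in (0.5, 1.0, 1.5):
        frr, far = error_rates(TEMPLATE, GENUINE, IMPOSTOR, threshold)
        print(f"threshold {threshold}: FRR={frr:.2f} FAR={far:.2f}")
```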
 
Combination Methods 
Passwords, authentication tokens, and biometrics are subject to a
variety of attacks.  Passwords can be guessed, tokens can be 
stolen, and even biometrics are susceptible to certain attacks. 
These threats can be reduced by applying sound design principles
and system management techniques during the development and 
operation of an authentication system.  

One method which can substantially increase the security of an
authentication system is to use a combination of authentication
techniques.  For example, an authentication system might require
users to present an authentication token and also enter a
password.  By stealing a user's token, an attacker would still be
unable to gain access to the host system, because the system
would require the user's password in addition to the token. 
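The token-plus-password combination described above, written out as host-side verification logic; this is an added example and not code from the bulletin. It assumes a challenge-response token that holds a per-user secret key and answers a host challenge with an HMAC, and a host record holding a salted password hash and a copy of the token key.

```python
"""Combined token-plus-password verification at the host.

Added example, not from the bulletin.  Assumes a challenge-response token
(something possessed) and a password (something known); both factors are
always evaluated and both must pass.
"""
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a copy of the host record is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(password: str, token_key: bytes) -> dict:
    """Host-side record created when the user is issued a token and a password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "token_key": token_key}


def new_challenge() -> bytes:
    """Fresh per-attempt challenge so a captured response cannot be replayed."""
    return secrets.token_bytes(16)


def token_response(token_key: bytes, challenge: bytes) -> bytes:
    """What the token itself computes from the host's challenge."""
    return hmac.new(token_key, challenge, "sha256").digest()


def authenticate(record: dict, password: str, challenge: bytes,
                 response: bytes) -> bool:
    """Accept only when the password AND the token response are both correct.

    Both comparisons run regardless of the first result, so the failure
    path does not reveal which factor was wrong.
    """
    password_ok = hmac.compare_digest(
        hash_password(password, record["salt"]), record["pw_hash"])
    token_ok = hmac.compare_digest(
        token_response(record["token_key"], challenge), response)
    return password_ok and token_ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # secret held inside the issued token
    record = enroll("correct horse", key)
    challenge = new_challenge()
    # Legitimate user: knows the password and holds the token.
    print(authenticate(record, "correct horse", challenge,
                       token_response(key, challenge)))           # True
    # Stolen token, password unknown.
    print(authenticate(record, "guess", challenge,
                       token_response(key, challenge)))           # False
    # Password known, counterfeit token (wrong key).
    print(authenticate(record, "correct horse", challenge,
                       token_response(b"\x00" * 32, challenge)))  # False
```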
 
Implementation Guidelines and Recommendations 
An organization must answer numerous questions when it decides to
implement an advanced authentication system.  The following
guidelines will assist those responsible for evaluating,
procuring, and integrating these systems. 
 
Risk Analysis - A thorough analysis should be done to 
determine what parts of the system in question are vulnerable to
attack, and to prioritize these vulnerabilities in terms of 
severity and likelihood. 
 
Product Evaluation and Selection - Once the risks associated with
a host system have been identified, this information can be used
to select an authentication system which provides adequate
protection against these risks.  In addition, the authentication
system will have to meet several other requirements in order to
function effectively in a given environment.  The organization
responsible for selecting the authentication system should decide
whether sufficient in-house expertise exists to evaluate the
available options.  In some cases, it is more cost-effective to
hire a consultant who is familiar with the available technology.

Whether the evaluation is done in-house or by a consultant, the
following items should be considered: 
 
  o  Sources of information - A variety of sources should be used
     when evaluating authentication systems. Vendor product
     literature can be very helpful in describing specific
     details of product operation, and in understanding the range
     of products offered.  There are several annual conferences
     devoted to computer security, network access control, and
     authentication technology.  In addition to the papers
     presented at these conferences, there are usually large
     vendor exhibit halls and product forums.  Many
     organizations, particularly those in the government sector,
     have published information on the selection and integration
     of advanced authentication technology.  These publications
     are often the result of practical experience gained during
     the implementation of these systems, and so can be
     particularly useful. 
 
  o  Integration into existing environment - This factor is
     discussed further in the next section, but is an important
     consideration when selecting a product.  All other features
     of an authentication system may be irrelevant if the product
     cannot be integrated into the customer's computing
     environment. 
 
  o  Custom design - Sometimes an organization's needs cannot be
     met by a commercially available product.  In these cases,
     the organization may decide to do a custom design using
     in-house resources.  This alternative is most practical for
     large organizations with experienced system design and
     support groups, or for smaller organizations with a high
     level of expertise in computer access control systems. 
     Vendors are often willing to work with customers to modify
     existing products or design new products to meet custom
     requirements.  An arrangement which often works well is for
     the customer and vendor to work together on the design of
     the system, and for the vendor to then manufacture the
     product. 

  o  Cost and performance - The relationship between cost and
     performance can be relatively complex for authentication
     technology.  Similar products from different vendors may
     vary widely in cost, depending on the vendor's manufacturing
     and development techniques and marketing philosophies.  In
     general, devices with a higher performance level will cost
     more, but individual cases should be evaluated carefully. 
     The general approach should be to procure the authentication
     system which provides the required level of security and
     other performance factors at a minimum cost. 

  o  Accuracy - The accuracy of an authentication system refers
     to the ability of that system to correctly identify
     authorized system users while rejecting unauthorized users. 
     Since this is the primary function of an authentication
     system, accuracy is directly related to the level of
     security provided by the system.  Vendors may not be
     objective about producing and interpreting the results of
     tests which quantify the accuracy of the authentication
     process with regard to the vendor's particular products. 
     For these reasons, an organization may wish to run
     independent tests to determine the accuracy of an
     authentication system in terms which are relevant to the
     environment in which the system will be used. 

  o  Reliability - An authentication system should be capable of
     operating in its intended environment for a reasonable
     period of time.  During this time, the system is expected to
     perform at or above a level which ensures an appropriate
     amount of protection for the host system.  If the
     authentication system fails, the chances for unauthorized
     access during the failure should be minimized. 
 
  o  Maintainability - All hardware and software systems require
     some form of maintenance.  The components of an
     authentication system should be evaluated to determine the
     level of maintenance which the system will require.  One
     goal in the design of an authentication system should be to
     minimize the maintenance requirements within the constraints
     of system cost, performance, and available technology. 

  o  Commercial availability - Large-scale networking of computer
     systems and distributed computing are relatively recent
     developments, and are the driving forces behind the need for
     more effective methods for authenticating system users. 
     Unfortunately, the market for advanced authentication
     technology is not fully developed and is somewhat unstable. 
     Many commercially available authentication systems have not
     yet been sold in quantity.  An organization that is
     considering the use of this technology should evaluate the
     vendor's ability to produce systems that meet specific
     quality control standards and in sufficient quantity to meet
     the user's requirements.  Contracts written to procure
     authentication systems should provide some form of
     protection for the customer in the event that the vendor is
     unable to produce systems in the quantities required. 
 
  o  Upgradeability - Because the technology of advanced
     authentication systems is continually developing, any
     authentication system should be able to accommodate the
     replacement of outdated components with new ones.  A modular
     approach to the design of an authentication system, with
     clearly defined interfaces between the system components,
     facilitates the process of upgrading to new technology. 
 
  o  Interoperability - A wide variety of computing platforms and
     security architectures are in use today.  Any authentication
     system should be designed to work with as many of these
     diverse platforms as possible, or at least to require a
     minimum of modifications to work in different environments. 
 
  o  Reputation of manufacturer - Obtaining satisfactory service
     during the selection, installation, and long-term operation
     of an authentication system can be difficult if the
     manufacturer is uncooperative.  Customers can request a list
     of references from prospective vendors for products and
     services which have been provided to other customers in the
     past.  In addition, the resumes of key individuals working
     on the vendor's staff can sometimes be examined to determine
     whether an adequate level of expertise is available. 
 
  o  Training programs - Some form of training is usually
     necessary for the people who will be using and maintaining
     an authentication system.  An effective training program is
     of critical importance to the success of any new system. 
     Vendors should offer training appropriate for everyday users
     of the system, and also for the system administrators who
     will be responsible for managing the system. 
 
System Integration - The integration of an authentication 
system into an existing computer environment can be very 
difficult.  Most operating systems do not contain well-defined 
entry points for replacing the default authentication mechanism 
supplied with the operating system.  This is partly because there
is no widely accepted standard for the interface between an 
operating system and an authentication device.  Until such a 
standard becomes available, there are three general options: 
 
  o  In some cases, the vendor who provides the authentication
     system may have already integrated it into certain operating
     systems.  If the authentication system meets the
     requirements of the customer and the customer is using the
     specified operating system, then the system integration has
     already been accomplished. 
 
  o  Operating system vendors may select certain security
     architectures for incorporation into their systems.  If
     these architectures include an authentication technology
     which the customer finds acceptable, then the operating
     system may be purchased with the appropriate authentication
     mechanism as part of the package. 
 
  o  It may be necessary to customize the authentication system
     and perhaps modify the host operating system so that the two
     can communicate.  This will involve cooperation between the
     operating system vendor, the authentication system vendor,
     and the customer, unless the customer has sufficient
     expertise to perform the integration in-house.  A
     prototyping approach is strongly recommended, due to the
     complexity of this type of project. Implementing such a
     system on a small scale first can be very helpful in
     determining what problems will be encountered in a
     full-scale implementation. 
 
System Maintenance - After an authentication system has 
been selected and installed, it must be maintained.  Maintenance
costs can easily exceed the initial acquisition cost if the
system is to be in operation for a reasonable length of time.  It
is therefore important that long-term plans for system
maintenance be developed by the customer or provided by the
vendor in the initial stages of the procurement cycle. 
Provisions must be made for assigning responsibilities for system
administration so that new users can be enrolled, inactive
accounts deleted, and system malfunctions identified and
corrected. 
 
The majority of network authentication systems employ some form 
of cryptography, which means that some form of cryptographic key
management system will be necessary.  The key management
component may be provided by the authentication system vendor,
but the process of maintaining and distributing keys usually
requires active participation by the host system.  Since the
security of a cryptographic system is directly related to the
level of protection provided for the cryptographic keys, it is
essential for the vendor or customer to develop a system for
managing these keys effectively.  Also, the host computer system
will probably evolve over time through the addition of new
software and hardware, and these changes may require
corresponding modifications or upgrades to the authentication
system to maintain compatibility.  

Summary 
Password-based authentication is the most widely used method for
verifying the identity of persons requesting access to computer 
resources.  However, authentication based only on passwords often
does not provide adequate protection.  The use of authentication
tokens, biometrics, and other alternative methods for verifying 
the identity of system users can substantially increase the 
security of an authentication system.  The proliferation of 
networked computer systems and the corresponding increase in the
potential for security violations make it even more critical for
those who design and operate computer systems to understand and 
implement effective authentication schemes. 
 
References
           
    Guideline on User Authentication Techniques for Computer 
    Network Access Control, National Institute of Standards and 
    Technology (U.S.), Federal Information Processing Standards 
    Publication 83, National Technical Information Service, 
    Springfield, VA, September 1980. 
 
    Computer Data Authentication, National Institute of Standards
    and Technology (U.S.), Federal Information Processing 
    Standards Publication 113, National Technical Information 
    Service, Springfield, VA, May 1985. 
 
    Biometric Access Control Device Evaluation Criteria (Draft 
    Report), DCI Intelligence Information Handling Committee, 
    Access Control Subcommittee, Community Headquarters Building, 
    Washington, DC 20505, February 1991. 
 
    Smart Card Technology:  New Methods for Computer Access 
    Control,  National Institute of Standards and Technology 
    (U.S.), NIST Special Publication 500-157, September 1988. 
 
    Financial Institution Sign-On Authentication for Wholesale 
    Financial Transactions, American National Standard X9.26, 
    American National Standards Committee X9, American Bankers 
    Association, May 1990. 
 
    Password Usage, National Institute of Standards and 
    Technology (U.S.), Federal Information Processing Standards 
    Publication 112, National Technical Information Service, 
    Springfield, VA, May 1985. 
 
For More Information
For further information on NIST's ongoing work in advanced
authentication technology, contact Jim Dray, Computer Security
Division, Room A216, Technology Building, National Institute of
Standards and Technology, Gaithersburg, MD 20899, (301) 975-3356.