HP Access Control Client Software manual Authentication

Access Control Concepts

Network Access Control Technologies

Authentication

Authentication is the process by which a device determines the identity of a user connecting to a network or attempting to access a resource.

Authentication Factors. A human can identify another human in many different ways: by a name, a face, an ID badge, or knowledge of a certain piece of information. And a human can rely on his or her judgment to inform the identification. In the networking world, authentication boils down to a user submitting certain information that an authentication server uniquely associ- ates with that user.

However, the information submitted can take several forms, or factors:

■Something the user knows—The user submits a password, which the authentication server has already associated with the user’s name (also submitted during authentication). Assuming that no one else knows the password, the server equates a correct password with an authentic user.

Although relatively easy to deploy, this factor is also the least secure. Users may write down their passwords where anyone can find them; they may tell them to friends and family members; they may select easily guessed passwords. In addition, passwords that are not changed often enough can be cracked, and passwords submitted or stored in an insecure manner can be hijacked.

Still, steps have been taken to address these issues. Databases often store passwords in non-reversibly encrypted form; users may be required to choose non-dictionary passwords and to change passwords frequently. In addition, most authentication protocols require users to submit pass- words in encrypted form. You need to consider these issues when you select an authentication protocol because, implemented correctly, pass- words are still often a good choice for credentials. (For more information, see “Authentication Protocols” on page 1-23.)

■Something the user has—The user owns a physical object, such as a token card or smart card, that identifies him or her, usually by storing credentials that cannot be compromised without destroying the device.

The stored credentials often take the form of a private key/digital certifi- cate. The private key “signs” data to prove that the user, who is identified in the associated digital certificate, is the source of the data.

Instead of being installed on a smart card, the private key/digital certifi- cate can be stored directly on a user’s endpoint. In this case, owning the endpoint (with installed certificate) is what proves the user’s identity.

1-7