1.5 Authenticity

Authenticity means establishing a user’s identity beyond reasonable doubt. Authenticating the user is crucial in many scenarios, particularly in business and legal matters. A simple example of authentication is a user login to a network. A more advanced example would be the use of encrypted digital signatures in a business transaction or the use of watermarking on digital photographs. - From the ITGS Guide.
Authentication is the act of verifying a claim of identity. When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe (a claim of identity). The bank teller asks to see a photo ID, so he hands the teller his driver's license. The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe. If the photo and name match the person, then the teller has authenticated that John Doe is who he claimed to be.
There are THREE different types of information that can be used for authentication.
  1. Something you know - includes a PIN (Personal Identification Number), a password, your mother's maiden name etc.
  2. Something you have - includes a driver's license, an ID card, a passport etc.
  3. Something you are - this uses biometric data such as fingerprints, voice prints, retina scans etc. - From - Thu Sept 23 2010

Two Factor Authentication is a method of ensuring that the bearer has been authorized to view the requested secure data. It requires the bearer to provide at least 2 of the 3 types of information mentioned above.
On computer systems in use today, the Username is the most common form of identification and the Password is the most common form of authentication. Usernames and passwords have served their purpose but in our modern world they are no longer adequate. Usernames and passwords are slowly being replaced with more sophisticated authentication mechanisms.

An example of an OTP token
One form of 'something you have' is the smart card or USB token. Differences between smart cards and USB tokens are diminishing; both technologies include a microcontroller, an OS, a security application, and a secured storage area. Tokens provide a One Time Password (OTP) that the user enters when signing in to a specific website; it is proof of "something you have". The OTP is used together with the usual login username and password, thus providing a Two Factor Authentication method.
File:CryptoCard two factor.jpg
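The OTP-plus-password login described above, as an added example that is not part of the original page: the token's one-time password is assumed to be an event-based HOTP (RFC 4226) code, and the server advances its counter after each accepted code so a captured OTP cannot be replayed. The token secret is the RFC 4226 test value; the salt, password and `TokenRecord` class are constructed for this example.

```python
import hashlib
import hmac

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    This is the event-based OTP scheme many hardware tokens implement (an assumption here)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenRecord:
    """Server-side state for one user's token: the shared secret and the next expected counter."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0       # next counter the server expects
        self.window = window   # look-ahead for button presses that never reached the server

def verify_otp(record: TokenRecord, submitted: str) -> bool:
    """Accept a code only for a counter at or ahead of the expected one, then move past it.
    Advancing the counter is what makes a captured code single-use (no replay)."""
    for c in range(record.counter, record.counter + record.window):
        if hmac.compare_digest(hotp(record.secret, c), submitted):
            record.counter = c + 1
            return True
    return False

def hash_password(password: str, salt: bytes) -> bytes:
    """Store a slow salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login(record: TokenRecord, salt: bytes, stored_hash: bytes,
          password: str, otp: str) -> bool:
    """Two-factor check: something you know (password) AND something you have (token).
    Both factors are always evaluated so a failure does not reveal which one was wrong."""
    password_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    otp_ok = verify_otp(record, otp)
    return password_ok and otp_ok

if __name__ == "__main__":
    # Constructed demo: the RFC 4226 test secret, a constructed salt and password.
    record = TokenRecord(b"12345678901234567890")
    salt, stored = b"constructed-salt", hash_password("correct horse", b"constructed-salt")
    print(login(record, salt, stored, "correct horse", hotp(record.secret, 0)))  # True
    print(login(record, salt, stored, "correct horse", hotp(record.secret, 0)))  # False: replayed
```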

Magnetic Cards
Magnetic cards (credit cards, debit cards, ATM cards, gift cards, etc) combined with secure, encrypting card readers provide a possible solution for two-factor/strong authentication. Each magnetic stripe card has unique characteristics much like the card's own fingerprint called a magnetic fingerprint.
An example of the reverse side of a typical credit card: green circle #1 labels the magnetic stripe.
  • A magnetic fingerprint already exists on every magnetic stripe card
  • It is an intrinsic characteristic and no cards would need to be re-issued.
  • Each swipe of the card provides a correlative number called a dynamic digital identifier that can be scored and "matched" to the originating value to determine the card's authenticity.
  • Since the number changes each time, it cannot be re-used as long as all processing is authenticated.
  • It does require a special reader that can read the magnetic fingerprint value, but these readers can be swapped out incrementally as old readers wear down.

Biometric authentication also satisfies the regulatory definition of true multi-factor authentication.
Examples of biometric information -
  • Fingerprint
  • Voiceprint
  • Iris scan
A human thumbprint is a common type of biometric data used in authentication.
  • Can become unacceptably slow and expensive when a large number of users are involved.
  • Extremely vulnerable to a replay attack (once the biometric information is compromised, it can be easily replayed unless the reader is completely secure and guarded).
  • There is user resistance to biometric authentication. A percentage of today's society resists having their personal physical characteristics captured and recorded for authentication purposes.


Phishing is a process in which one attempts to acquire others' sensitive information such as user names, passwords and credit card details. One can do so by setting up a fake website resembling a trustworthy, authentic website. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to fool users, and it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
Once a victim visits the phishing website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.
An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.[42]

Articles relating to the issues of Authenticity -


In today's regulated and security-conscious world, strong authentication is quickly becoming a must-have technology. This Quest One Identity Solution White Board session discusses the benefits of two-factor authentication in a complex heterogeneous environment.
"George is a nice guy who is just learning how two-factor authentication can protect him when he is online. He receives a one-time password token that allows him to access his bank, his social network and his medical information. George is happy!