The Security Authentication Process
Simply put, authentication is the process by which a subject’s (or user’s) identity is verified (Conklin, White, Williams, Davis, & Cothren, 2012). An example of authentication most people are familiar with is their e-mail login. For instance, Gmail requires a person’s Gmail address and individual password to access his or her Gmail account. However, there are numerous types of authentication outside the common username and password. Furthermore, authentication is used in numerous areas of a system to re-verify a user’s identity when he or she is accessing a new area of the system, accessing encrypted data types, and securing the preservation of a system. This paper evaluates the different authentication types, their applications, and additional security measures for securing a system and its data.
Types of Authentication
According to Whitman and Mattford (2010), there are four types of authentication mechanisms, which are: * Something a person knows (passwords or passphrases) * Something a person has (such as cryptographic tokens or smartcards) * Something a person is (a fingerprint, retina or iris scan, or hand topography or geometry * Something a person produces (such as voice or pattern recognition)
The level of access control associated with a system and the data contained on the system is determined by legislation (varies geographically) governing data, and control policies developed and implemented by the entity who owns or controls the data. Passwords and passphrases, or something a person knows, are potentially the most commonly recognized forms of authentication. Specific examples of password and passphrase authentications include a Personal Identification Number (PIN) used at a bank ATM or a password safeguarding an e-mail account. However, stronger authentication is required for some data types, which includes the addition of secondary authentication mechanisms. A bank ATM does not simply allow a person to retrieve cash by entering a PIN. Customers are required to insert their bank card at the ATM, which prompts for the PIN associated with the customer’s card after insertion. The bank card acts as the second item from the list above and is classified as something a person has. Another example of something a person has is using a Common Access Card (CAC) or smartcard to access a system and the data contained therein. Applebee’s Neighborhood Bar and Grill requires employees to carry a smartcard to gain access to their Point-of-Sale (POS) systems. The card has a magnetic strip with an employee’s information programmed into it. Simply sliding the card through a card reader provides Applebee’s employees with access to the POS system where they can do number of tasks such as clock in and out for shifts and place orders for guests. The third type of authentication mechanism from the list is something a person is. For example, a system manufacturer may provide consumers with the option to equip their systems with biometric recognition software and hardware to prevent unauthorized access to a system and its data. This hardware may be used to recognize items such as finger, thumb, or palm prints, facial recognition, or retina or iris scans, which help to verify or authenticate a person’s identity. Types of biometric software includes Verisoft Access Manager, DigitalPersona, and HP Protect Tools, and the hardware used to verify biometrics includes cameras for facial recognition of scanners for recognizing items such as a thumb or finger prints. Something someone produces is the fourth and final type of authentication method from the list above. Examples of things a person produces for authentication are signatures or patterns and speech or audible sounds. Android powered devices such as smartphones and tablets offer a great example of pattern recognition for authenticating a user, which comes in the form of a pattern lock. The user is shown a twelve-dot matrix in which he or she can draw a pattern by connecting the dots. If the person attempting to unlock the device does not draw the approved pattern he or she is denied access to the device. Voice recognition software is another method for verifying a user’s identity through something he or she produces. An example is a person stating their name when prompted by a system to verify his or her identity for the system.
The Authentication Process
The authentication process seems fairly easy to explain using a Personal Computer (PC). When a person sets up a PC for the first time they set up a user profile. A person selects his or her user profile to access their personal profile and data on a system. The user is given the option to set up password protection for his or her profile (something a person knows). To sign on to the PC a user selects his or her profile and enters the password associated with the profile. An invalid password entry restricts access to the selected user profile.
An alternative to using a password is biometrics. Facial recognition software is one example of biometrics. Software installed on a system can control a camera to scan and authenticate a person’s face using various facial features such as a person’s jaw line, upper eye socket outlines, proportion of features such as distance and size of nose, mouth, etc. (FindBiometrics, 2014). Fingerprint, thumb, and palm readers are also good examples of biometric devices. These scan the features of a person’s features to verify their identity. These are excellent sources for authentication because each person’s hand feature is unique to them.
The use of two or more is known as strong authentication (Whitman & Mattford, 2010). Using smartcards in conjunction with PIN is an excellent example of strong authentication. Military and corporate systems are examples of places where strong authentication can prove useful for safeguarding IT systems and the data stored on them. Google uses a secondary authentication method to authenticate users in which a verification code is sent to a user’s phone as a text message. This is similar to having a token without the need to purchase and carry an additional product with a single function.
Securing Data
The authentication process is the first step in securing and preserving data. Using a password deters unauthorized access, but it is not an impenetrable means of security. Administrators can schedule system backups to further safeguard and preserve the integrity of a system and its data from damage or loss resulting from unauthorized access and even hardware or software failure. These backups allow for the restoration of a system in the event an attack is successful and data become damaged or lost. Several factors require consideration regarding backups, which include frequency of backups, extent of data that is backed up, process followed to backup data, verification of data backup creation, retention of data backups, storage of backups, and number of backups (Conklin, White, Williams, Davis, & Cothren, 2012). Creating and implementing a solid backup plan help reduce the amount of damage caused if authentication security measures fail or hardware or software failure results in data corruption.
Conclusion
Authentication is the process in which a user’s identity is verified (Conklin, White, Williams, Davis, & Cothren, 2012). Authentication is used every day in many ways. Signing on to a PC, work station, mobile phone, tablet, or even accessing a bank ATM all require authentication using one, or a combination, of the four authentication types. A PC may require a password whereas access to a work station may require an employee to use biometric authentication methods such as facial recognition software or print scanners to scan a user’s finger or thumbprint. A more advanced means of authentication in a workplace may require the use of a smartcard and PIN to gain access to a system. Financial institutions use ATM cards with PIN to aid in the prevention of unauthorized use of a customer’s card. Regardless of use, authentication is the first line of defense for safeguarding data. Following authentication is the use of backups for securing data. Backups reduce the damage caused in the event of unauthorized access and hardware or software failure. Organizations can benefit from solid backup policies and procedures coupled with strong authentication mechanisms to secure the data of a system from unauthorized access and unexpected hardware or software failures.

References
Conklin, A. W., White, G., Williams, D., Davis, R., & Cothren, C. (2012). Principles of Computer Security: CompTIA Security+ and Beyond. McGraw-Hill.
FindBiometrics. (2014). Facial Recognition. Retrieved from findbiometrics.com: http://findbiometrics.com/solutions/facial-recognition/
Whitman, M. P., & Mattford, H. M. (2010). Management of Information Security. Mason: Cengage Learning.