Understanding dif authentication types

Randy Johns

Dec 1, 2022, 11:13:42 AM
to FIDO Dev (fido-dev)
I am new to this topic but have looked at many articles and want to make sure I am understanding what is available today for authentication types:
  1. Password only (single factor authentication)
  2. Password substitute (OTP, Bio, etc replace password)
  3. MFA (Password and another factor...something the user has or is)
  4. Passwordless (no password ever created...public and private key to device created)

Arshad Noor

Dec 6, 2022, 7:10:34 AM
to Randy Johns, FIDO Dev (fido-dev)
That is one way of looking at it.

Another way of looking at authentication technology is described in this
peer-reviewed paper from 2008:

https://dl.acm.org/doi/10.1145/1373290.1373293

ABSTRACT

Since the dawn of computing, operating systems and applications have
used many schemes to identify and authenticate entities accessing
resources within computers. While the technologies and schemes have
varied, there appears to have been little attempt to classify them based
on their ability to resist attacks from unauthorized entities.

With the proliferation of identity management technologies in the market
today, it is becoming increasingly difficult to assess and compare them
with each other. As the threat level continues to rise on the internet,
and regulations governing information technology continue to grow, risk
managers need more objective mechanisms to assign risk to their systems
so they may apply appropriate mitigating controls.

This paper attempts to describe a classification scheme that will permit
the comparison of seemingly different identification and authentication
(I&A) technologies on the basis of their vulnerability to attacks. With
a better understanding of related authentication technologies, companies
can determine the appropriate technology to use for mitigating
authentication risks.

Arshad Noor
StrongKey

On 12/1/22 8:13 AM, Randy Johns wrote:
> I am new to this topic but have looked at many articles and want to
> make sure I am understanding what is available today for authentication
> types:
>
> 1. Password only (single factor authentication)
> 2. Password substitute (OTP, Bio, etc replace password)
> 3. MFA (Password and another factor...something the user has or is)
> 4. Passwordless (no password ever created...public and private key to
> device created)