When looking at the basic authentication system model, we see that a system is separated into four main
components: the authenticator, the input, the transport, and the verification. While all four parts must work
together effectively for secure authentication, the authenticator component deserves special attention.
Authenticators are the proof offered by an individual to confirm his or her identity. This can be secret
knowledge, a physical object, or another unique feature. Authenticators are also called authentication factors.
We commonly sort authenticators into three general categories based on their relationship to a person:
- What you know – knowledge-based authenticators
- What you have – possession-based authenticators
- What you are – biometric-based authenticators
These authentication factors provide a wide variety of technologies and products from which to choose. Like any
technology, authenticators have characteristics that make them more or less suitable for use in our
organizations. Unfortunately, making the right authenticator choice is difficult without a standardized set of
characteristics that can be used to judge our options.
While some in the security industry have sought to establish guidelines for authenticator use, these
recommendations are usually limited by their lack of detail. Because this advice deals in generalities it may
not be appropriate for your business environment. The one-solution-fits-all approach isn't the preferable way
to make security decisions. When possible, we should take the time to evaluate the pros and cons of
authenticators as they apply to our unique organizations.
As security professionals we tend to focus on the security aspects of authenticators, but there are other
important issues that require consideration. The following list details what I consider the five fundamental
characteristics of authenticators:
Usability answers the question of how effectively can people utilize the authenticator. It is concerned with
any human or environmental factors that might hinder the use of an authenticator. Every organization has a
number of users that will be unable or unwilling to utilize a particular authenticator, or at least use it
without a struggle. Exceptions can occur due to physical or mental deficiencies, cultural or medical concerns,
unaccommodating work locations, or just the burden of using and maintaining the authenticator.
In turn, we can break usability into a number of distinct sections. When evaluating an authenticator we should
answer the questions posed and allow the answers to influence our choice.
Usability within the user population
- Does the authenticator require certain physical features, skills, or mental abilities that would exclude
members of the user population? If so, what percentage will be affected?
- Are there any cultural reasons that could cause people to object to using the authenticator? Example:
facial recognition may face resistance in areas where religious beliefs compel people to cover their faces.
- Are there any health-related reasons that could cause people to object to using the authenticator? Example:
people might object if everyone has to place their hand on a hand geometry scanner if it is not regularly
Usability within the work environment
- Are there environmental or functional factors that would prevent the authenticator from functioning properly?
Example: humidity, heat, lighting, dirt, chemical fumes. If so, what locations or departments will be affected?
- Is the authenticator limited to use on certain computers? Example: certificates and private keys.
Burden of use
- Is the user required to carry extra devices, authenticate on specific computers, or do extra work to use the
authenticator? Evaluate the form factor of the authenticator: is it bulky, hard to carry, etc.? Consider the
cumulative burden: does the burden on the user grow as they are forced to support authenticators from multiple
internal or third-party systems?
Skill required to properly use
- How much training or talent does it take to complete a successful authentication?
Speed of using
- How long (both average and maximum time) does it take a user to successfully input the authenticator?
Ease of enrollment
- Are there requirements for physically visiting an enrollment station or enrolling only while connected to
the corporate network?
Skill required to enroll
- How much training or talent does it take to complete a successful enrollment?
Speed of enrollment
- How long does the enrollment process take for each user?
Frequency of enrollment
- How often must the user enroll to change their authenticator? Example: passwords that must be changed
every 60 days.
Usability requirements over time
- Do usability requirements change over time? Example: an aging user population may affect the usability.
Uniqueness answers the question of how distinct the proof used to confirm an identity is. We require uniqueness
to impede attacks that attempt to guess a legitimate authenticator, and to limit accidental user impersonation.
Limits the false acceptance of illegitimate users
- Is the authenticator complex and unique enough that an attacker cannot easily guess the authenticator of a
legitimate user? Example: passwords consisting of dictionary words should not be considered sufficiently unique
in an environment that needs good authentication.
- Is the authenticator, or authenticator input, unique enough that one user can't accidentally or purposely
authenticate to another user's account with their own authenticator? Example: a biometric system that is not
tuned well enough to tell certain users from other users in the same population (measured by the false
Integrity answers the question of how difficult it is to guess, forge, or steal the authenticator. Integrity of
an authenticator is the key influence on how tightly it can be bound to a user. Good integrity provides
resistance to authenticator disclosure, duplication, and theft, thereby ensuring that it is available only to
the genuine user. As integrity diminishes, so does user accountability.
Resistance to disclosure
- Is the authenticator reasonably complex, so that a user cannot easily convey information that would allow
another person to use their authenticator? Example: a user can easily share their password if they think the
request is appropriate. But they can't give someone their hand to use for a biometric authentication system.
Resistance to theft
- How hard is it for an attacker to steal the authenticator from the legitimate user? Example: if a user can
leave their one-time token card on their keyboard then it may not be difficult for some attackers to steal it.
If it is on their key ring, the attacker will probably face more difficulties.
Resistance to duplication
- How difficult is it for an attacker to create a working duplicate of the user's authenticator? Example:
duplicating a password takes no skills or special tools; duplicating a fingerprint requires some skill, special
tools, and access to a fingerprint impression.
Detection of theft, duplication, or disclosure
- If theft, duplication, or disclosure of the authenticator occurs, how likely is detection by the user or
administrators? Example: if a user can't log into their computer they are more likely to detect the theft
(or presume loss) and report it.
Affordability answers the question of how much it costs to buy and maintain the authenticator. It involves
the cost of the authenticator, supporting software and hardware, user and administrator training, and
recurring support (replacements, resets, tracking, etc.).
Cost of selection
- What is the cost of purchasing or using the authenticator? Example: starting to use passwords is typically
free; starting to use private keys and certificates may not be.
Cost of deploying hardware and software
- What is the cost of implementing input hardware and software to accommodate the authenticator? Example:
again, passwords are typically supported by the existing hardware, but smart card readers are needed for smart
Cost of managing
- What are the ongoing management costs related to deploying, resetting, and retiring authenticators? Example:
if each user, on average, contacts the helpdesk two times a year to have their password reset, then you should
be able to estimate the cost of managing passwords based on the value of help desk personnel time.
Accuracy answers the question of how often mistakes occur that limit use by legitimate users. Accuracy of
authenticators is important to limit the false rejection of legitimate users. A verification component can't
link people to their identities unless it is supplied with an accurate authenticator. Inaccuracies may stem
from improper user interaction or imprecise system calibration.
Limit false rejection of legitimate users
- Is the authenticator, or authenticator input, predictable enough?
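The uniqueness question (false acceptance) and the accuracy question (false rejection) pull a biometric verifier's decision threshold in opposite directions, and calibration is where the trade-off is made. The following added example (not part of the original article) shows how to measure both rates on constructed match scores and pick a threshold; the score lists and the 0-100 scale are assumptions.

```python
# Constructed match scores (0-100) from a hypothetical biometric verifier, not real product data.
# GENUINE: users matched against their own template; IMPOSTOR: users matched against someone else's.
GENUINE = [91, 88, 85, 82, 80, 77, 74, 70, 66, 58]
IMPOSTOR = [62, 55, 51, 48, 45, 41, 39, 35, 30, 22]

def far(impostor, threshold):
    """False acceptance rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(genuine, threshold):
    """False rejection rate: fraction of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def candidate_thresholds(genuine, impostor):
    """Every observed score is a candidate cut-off; sweeping them covers all distinct operating points."""
    return sorted(set(genuine) | set(impostor))

def equal_error_threshold(genuine, impostor):
    """Threshold where FAR and FRR are closest (the equal error rate point)."""
    best_gap, best_t = None, None
    for t in candidate_thresholds(genuine, impostor):
        gap = abs(far(impostor, t) - frr(genuine, t))
        if best_gap is None or gap < best_gap:
            best_gap, best_t = gap, t
    return best_t

def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR stays within max_far, with the FRR legitimate users will pay for it."""
    for t in candidate_thresholds(genuine, impostor):
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    return None

if __name__ == "__main__":
    eer_t = equal_error_threshold(GENUINE, IMPOSTOR)
    print(f"EER threshold {eer_t}: FAR={far(IMPOSTOR, eer_t):.2f} FRR={frr(GENUINE, eer_t):.2f}")
    t, rejected = threshold_for_max_far(GENUINE, IMPOSTOR, 0.0)
    print(f"Zero false acceptance needs threshold {t}, rejecting {rejected:.0%} of genuine attempts")
```

Because both rates depend on the score distributions of the actual user population, the sweep has to be repeated on scores collected from that population rather than vendor figures.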
Measuring Core Characteristics
To end up with meaningful results, characteristics must be measured for the exact authenticator type being
evaluated. Different biometric-based, possession-based, and knowledge-based authenticators do share some
qualities but also have their own unique characteristics.
For instance, passwords and passphrases both share a common integrity risk of user disclosure, but passphrases
fare much better against guessing attacks. A secret-pattern-based authenticator manages the disclosure problem
because it is more difficult for one person to describe this knowledge to another.
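Measuring the uniqueness of a knowledge-based authenticator means estimating the attacker's guessing space under the cheapest attack that applies, which is why a dictionary word with a digit suffix scores far below a multi-word passphrase of similar length. The added example below (mine, not the article's) estimates that space in bits; the mini word list, the DICT_SIZE of the attacker's list, the leet-substitution table and the 40-bit policy floor are all assumptions.

```python
import math

# Constructed mini word list standing in for an attacker's dictionary; DICT_SIZE is the assumed size of the real one.
DICTIONARY = {"password", "welcome", "dragon", "summer", "monkey", "letmein"}
DICT_SIZE = 100_000
LEET = str.maketrans("@$013!", "asoiel")   # common substitutions an attacker's rules undo
DIGITS = "0123456789"

def dictionary_base(password):
    """Dictionary word the password is built from (ignoring case, a digit suffix and leet swaps), else None."""
    core = password.lower().rstrip(DIGITS).translate(LEET)
    return core if core in DICTIONARY else None

def brute_force_bits(password):
    """Search space in bits if the attacker has to try every string over the character classes present."""
    charset = 0
    if any(c.islower() for c in password): charset += 26
    if any(c.isupper() for c in password): charset += 26
    if any(c.isdigit() for c in password): charset += 10
    if any(not c.isalnum() for c in password): charset += 33
    return len(password) * math.log2(max(charset, 1))

def guess_bits(password):
    """Bits of work for the cheapest applicable attack: dictionary, word combination, or brute force."""
    estimates = [brute_force_bits(password)]
    if dictionary_base(password) is not None:
        digits = len(password) - len(password.rstrip(DIGITS))
        # word list, times 10 per appended digit, plus ~2 bits for case/leet variants
        estimates.append(math.log2(DICT_SIZE) + digits * math.log2(10) + 2)
    words = password.split()
    if len(words) > 1:
        # passphrase: the attacker combines whole words from the list rather than characters
        estimates.append(len(words) * math.log2(DICT_SIZE))
    return min(estimates)

def meets_uniqueness(password, min_bits=40):
    """Policy check for the uniqueness question: is the search space large enough for this environment?"""
    return guess_bits(password) >= min_bits

if __name__ == "__main__":
    for candidate in ["dragon123", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r}: {guess_bits(candidate):.1f} bits, acceptable={meets_uniqueness(candidate)}")
```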
Different organizations have different needs for authentication. Ultimately, the importance your company gives
to authentication should reflect the importance of the data you protect. It doesn't make sense to secure
unimportant data or services with an expensive or burdensome authentication solution. Conversely, it generally
isn't sensible to protect mission-critical services and trade secrets with an ineffective authenticator.
I don't want to downplay the importance of paying attention to industry authentication trends and guidelines.
Combating authentication problems with a methodical, tailored approach simply brings greater success. Armed with
these tips you have the ammunition to win the authentication battle.