Data Protection - User Authentication

User authentication mechanisms are designed to uniquely identify users, assign their corresponding access rights to information, and track their activities. These measures also show users that security is taken seriously by the organization.

User IDs and strong passwords are the primary means of safeguarding organizational assets. Authentication is usually performed at the access point and consists of challenging the user to provide access keys (passwords, biometric information, tokens, ID cards, etc.) and checking their access privileges against an authentication server (using authentication protocols such as RADIUS or LDAP).

Before authentication servers existed, user names and passwords had to be stored locally at every network access point. That created enormous management overhead because any change to the user database had to be manually replicated over a potentially large number of devices.

It was also a source of security problems because password databases were less protected at the edge of the network, and human mistakes (by systems administrators updating files manually) were common.

Authentication by user name/password is an example of single-factor authentication and can provide adequate protection for most enterprise applications if passwords are managed properly.

When stronger authentication security is required, two-factor authentication can be implemented with the addition of tokens (e.g., RSA SecurID®).

A two-factor authentication scheme requires users to present “something you know” (password) and “something you have” (the token). One must possess both at the same time to gain access to the network.

For ultimate authentication security, a biometric scan match can be required (fingerprint, retina, face recognition, etc.) as a third authentication factor. With biometric authentication, an intruder could obtain a stolen password and token card, but still be unable to gain authorized access without a biometric match.
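As an added illustration of the two-factor rule described above (this code is not part of the original article), the following Python check accepts a login only when a salted password hash and a one-time token code both verify. The HMAC-based one-time password of RFC 4226/6238 is assumed here as a stand-in for a vendor hardware token such as SecurID, whose own algorithm differs; the user record and seed are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000  # assumed work factor for the demo

def make_user(password: str, token_seed: bytes) -> dict:
    """Constructed user record: salted PBKDF2 hash plus the token seed
    (the secret that would be programmed into the user's hardware token)."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "token_seed": token_seed}

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password with dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def totp(seed: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 time-based code: HOTP over the current 30-second window."""
    return hotp(seed, int(now // step))

def check_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])

def check_token(user: dict, code: str, now: float, skew: int = 1) -> bool:
    """Accept the current window or one adjacent window to tolerate clock drift."""
    step = int(now // 30)
    return any(hmac.compare_digest(hotp(user["token_seed"], step + d), code)
               for d in range(-skew, skew + 1) if step + d >= 0)

def authenticate(user: dict, password: str, code: str, now: float) -> bool:
    """Both factors are always evaluated, so a failed login does not reveal
    which factor was wrong; access requires 'know' and 'have' together."""
    pw_ok = check_password(user, password)
    tok_ok = check_token(user, code, now)
    return pw_ok and tok_ok
```

The seed and timestamp used in the checks below are the published RFC 6238 test vector, so the expected codes are known in advance.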