The Basics of Information Security

Authentication is the process we use to validate whether the claim of identity is correct. It is important to note that authentication and verification are not the same thing and that verification is a much weaker test from a security perspective. When we perform authentication, we can use a number of factors. The main factors are something you know, something you are, something you have, something you do, and where you are. When we use an authentication mechanism that includes more than one factor, this is known as multifactor authentication. Using multiple factors gives us a much stronger authentication mechanism than we might otherwise have.

EXERCISES

1 What is the difference between verification and authentication of an identity?
2 How do we measure the rate at which we fail to authenticate legitimate users in a biometric system?
3 What do we call the process in which the client authenticates to the server and the server authenticates to the client?
4 A key would be described as which type of authentication factor?
5 What biometric factor describes how well a characteristic resists change over time?
6 If we are using an identity card as the basis for our authentication scheme, what steps might we add to the process in order to allow us to move to multifactor authentication?
7 If we are using an 8-character password that contains only lowercase characters, would increasing the length to 10 characters represent any significant increase in strength?
8 Name three reasons why an identity card alone might not make an ideal method of authentication.
9 What factors might we use when implementing a multifactor authentication scheme for users who are logging on to workstations that are in a secure environment and are used by more than one person?
10 If we are developing a multifactor authentication system for an environment where we might find larger-than-average numbers of disabled or injured users, such as a hospital, which authentication factors might we want to use or avoid? Why?