In order to ensure the confidentiality, integrity, and availability of information, organizations can choose from a variety of tools. Each of these tools can be utilized as part of an overall information-security policy. The tools can be categorized as authentication, prevention, or detection.
The most common way to identify someone is through their physical appearance, but how do we identify someone sitting behind a computer screen or at the ATM? Tools for authentication are used to ensure that the person accessing the information is, indeed, who they present themselves to be. Authentication can be accomplished by identifying someone through one or more of three factors: something they know, something they have, or something they are.
Something They Know

| Method | Description |
|---|---|
| Passwords | The most common form of authentication today is the user ID and password. Authentication is done by confirming something that the user knows (their ID and password). This form of authentication is easy to compromise. |
| Out of Wallet (OOW) Questions | Questions that can be asked of the user to authenticate their identity. OOW questions should be easy to answer by the user but not by anyone else. This makes them ideal for the authentication process. An example might be: what is the name of your first pet? |

Something They Have

| Method | Description |
|---|---|
| Tokens | Identifies someone by something they have, such as a key or a card. This can also be problematic, as the token can be lost or stolen, making it easy to steal the identity. |

Something They Are

| Method | Description |
|---|---|
| Biometrics | This factor identifies a user through the use of a physical characteristic, such as a retinal scan, fingerprint, or facial geometry. This is much harder to compromise. |
A more secure way to authenticate a user is through multi-factor authentication. By combining two or more of the factors listed above, it becomes much more difficult for someone to misrepresent themselves. An example of this would be the use of an RSA SecurID token. The RSA device is something you have, and it generates a new access code every sixty seconds. To log in to an information resource using the RSA device, you combine something you know, such as a four-digit PIN, with the code generated by the device. The only way to properly authenticate is by both knowing the PIN and having the RSA device.
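The following is an added example, not code from the original text or from RSA, showing how a server can check the two factors just described: a PIN the user knows and a code produced by a device the user has. The device code is generated with the RFC 6238 TOTP algorithm (a shared secret, HMAC-SHA1, and a sixty-second time step), which is a stand-in for the mechanism rather than a reimplementation of the SecurID product's own algorithm. The account, PIN, secret, and timestamps are constructed for the illustration; the `Account`, `totp_code`, and `verify_login` names are assumptions of this example.

```python
"""Added example: two-factor login check combining a knowledge factor (PIN)
with a possession factor (a time-based one-time code from a token device).

The code generator follows RFC 6238 TOTP. The Account class, the secret,
the PIN and the timestamps below are constructed for this illustration and
are not part of the original text or of any vendor's product."""
import hashlib
import hmac
import os
import struct


def totp_code(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Derive the one-time code a token would display at `unix_time`.

    Device and server both hold `secret`; the code changes every `step` seconds,
    which is what makes the device a 'something you have' factor."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store the PIN only as a salted, slow hash so a stolen database does not reveal it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Account:
    """Hypothetical server-side record for one user (constructed for this example)."""

    def __init__(self, pin: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.token_secret = token_secret      # the same secret is provisioned into the user's device
        self.last_counter_used = -1           # a code may be accepted only once, even inside its window


def verify_login(account: Account, pin: str, code: str, now: int,
                 step: int = 60, drift: int = 1) -> bool:
    """Succeed only if BOTH factors check out.

    Both comparisons are constant-time, and the possession factor is evaluated
    even when the PIN is wrong, so a caller holding only one factor learns
    nothing about the other from the response."""
    pin_ok = hmac.compare_digest(hash_pin(pin, account.salt), account.pin_hash)

    # Tolerate small clock drift between device and server by also accepting the
    # neighbouring time steps; record which step matched for the replay check.
    matched_counter = None
    for k in range(-drift, drift + 1):
        t = now + k * step
        if hmac.compare_digest(totp_code(account.token_secret, t, step), code):
            matched_counter = t // step
            break

    code_ok = matched_counter is not None and matched_counter > account.last_counter_used
    if pin_ok and code_ok:
        account.last_counter_used = matched_counter   # consume the code so it cannot be replayed
        return True
    return False


if __name__ == "__main__":
    # Constructed demo values: a 4-digit PIN and a device secret, as in the text's example.
    acct = Account("1234", os.urandom(20))
    now = 1_700_000_000
    shown_on_device = totp_code(acct.token_secret, now)
    print("PIN + fresh code:", verify_login(acct, "1234", shown_on_device, now))      # True
    print("same code replayed:", verify_login(acct, "1234", shown_on_device, now))   # False
    print("code without PIN:", verify_login(acct, "0000", totp_code(acct.token_secret, now + 60), now + 60))  # False
```

Knowing the PIN alone or holding the device alone yields `False`; only the combination succeeds, and a code that has already been used is refused even though it is still inside the drift window.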