Difference between revisions of "Multi-factor Authentication"

From MgmtWiki
Revision as of 14:53, 21 July 2018

Full Name and Scope

Originally known as Two-factor Authentication, this concept covers a wide range of technologies designed primarily to give strong assurance of either the real-world identity, or at least a persistent identity, of an individual, for the purpose of establishing that individual's authorization to an online resource of some type.

Context

As a part of Authorizing a Subject to access a digital resource, the Web Site hosting that resource will need to acquire a set of Claims that apply to the Subject for the duration of the access. While this Authorization process can begin with the Authentication of the Subject by something as simple as a statement from the Subject, additional steps may be necessary, including the use of other Authentication factors. Standards like NIST SP 800-63 address this need as a part of the Authentication process by requiring the additional factors before access is attempted. Most commercial Web Sites use a hybrid approach in which the initial Authentication is minimal and additional factors are requested only as needed, to avoid early drop-off by Consumers of their resources.

The Problems

Originally a distinction was made between Authentication (the process of determining who you are) and Authorization (the process of determining what you can access).

The Solutions

A broad approach to multi-factor Authentication will need to address processes that occur during Authentication as well as processes that occur later, during the Authorization step. This distinction becomes blurred, especially on Sites with different requirements for different resources.
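The two models from the Context section (NIST-style "all factors before access" versus the commercial "step up when the resource demands it") and the blurring of Authentication and Authorization described above can be shown in one policy engine. The following is an added example, not code from MgmtWiki or from NIST; the resource paths, the factor names, the mapping of factor combinations to assurance levels, and the TOTP secret are illustrative assumptions. The one real protocol detail is the TOTP computation, which follows RFC 6238 with HMAC-SHA1.

```python
"""Step-up multi-factor authentication: added example, not MgmtWiki code.

A session records which factors the Subject has already proven. The
authorization step compares the resulting assurance level with what the
requested resource requires and, if it falls short, demands a further factor.
Resource paths, factor names and the level mapping are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import IntEnum


class AAL(IntEnum):
    """Authenticator Assurance Levels, named after NIST SP 800-63B."""
    NONE = 0
    AAL1 = 1   # one factor of any kind
    AAL2 = 2   # two factors of different kinds
    AAL3 = 3   # two kinds, one of them a hardware-backed authenticator
               # (assumption: "webauthn" stands for such an authenticator)


# Factor name -> factor kind. Two factors of the SAME kind (a password plus a
# security question) are still single-factor: they share a failure mode.
FACTOR_KIND = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",
    "webauthn": "possession",
    "fingerprint": "inherence",
}

# Assumed per-resource policy: the hybrid model from the text. A cheap login
# at the front door, stronger requirements only where the resource demands.
RESOURCE_POLICY = {
    "/catalog": AAL.NONE,
    "/account": AAL.AAL1,
    "/payments": AAL.AAL2,
    "/admin": AAL.AAL3,
}


def assurance_level(factors):
    """Map a set of verified factor names to an assurance level."""
    kinds = {FACTOR_KIND[f] for f in factors}
    if not kinds:
        return AAL.NONE
    if len(kinds) >= 2 and "webauthn" in factors:
        return AAL.AAL3
    if len(kinds) >= 2:
        return AAL.AAL2
    return AAL.AAL1


@dataclass
class Session:
    subject: str
    factors: set = field(default_factory=set)


def authorize(session, resource):
    """Authorization step: ("allow", level) or ("step-up", required level)."""
    required = RESOURCE_POLICY[resource]
    have = assurance_level(session.factors)
    if have >= required:
        return ("allow", have)
    return ("step-up", required)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, RFC 4226 dynamic truncation)."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Constant-time comparison against the current window and +/- skew_steps."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + 30 * i), code)
        for i in range(-skew_steps, skew_steps + 1)
    )


def step_up_totp(session, code, unix_time, secret):
    """Step-up Authentication after the Authorization step asked for more.

    Only a verified factor is added to the session; a failed attempt changes
    nothing, so the caller can re-run authorize() and get the same answer.
    """
    if not verify_totp(secret, code, unix_time):
        return False
    session.factors.add("totp")
    return True


if __name__ == "__main__":
    # Constructed walk-through: password-only login, then payments needs AAL2.
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    s = Session("alice", {"password"})
    print(authorize(s, "/catalog"))            # allowed on one factor
    print(authorize(s, "/payments"))           # step-up to AAL2 required
    print(step_up_totp(s, totp(secret, 59), 59, secret))
    print(authorize(s, "/payments"))           # allowed now
```

The NIST-style model is the same engine with `RESOURCE_POLICY` set to the strongest level for every path, so all factors are collected at login. The hybrid model lets the login succeed at AAL1 and moves the remaining factor checks into `authorize()`, which is exactly where the distinction between Authentication and Authorization blurs.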

References

  1. W3C Credential Management Level 1 describes an imperative API enabling a website to request a user's credentials from a user agent, and to help the user agent correctly store user credentials for future use.
  2. U2F (Universal 2nd Factor).
  3. Web Authentication: An API for accessing Public Key Credentials Level 1 defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.
  4. WebAuth is an effort to define a simple challenge-response authentication mechanism for PKI (X.509) roll-outs, with a standardized token format for transporting the claim and a standard API for website developers to request that authentication token, to overcome a set of issues present with client certificate authentication in the web context.