User Authentication


I'm looking for a best practices paper on online user authentication.
Currently one of our systems allows people to share a user id and
password and to login with that id at the same time in multiple
locations.  I believe that is a poor security practice.  Are there any
papers that discuss this situation and why it may or may not be good
practice.  I'm creating a paper for the company I work with and would
like documentation to support my findings.

Thank You

Re: User Authentication

On 29 Nov 2006, in the Usenet newsgroup, in article

No kidding.

No indication of what operating system - possibly windoze.   Might seem
off topic to you, but try /.  The book you are looking
for is "Practical UNIX and Internet Security, Third Edition" Feb 2003
US$54.95  ISBN 0-596-00323-4, 984 pages.  While it's aimed at the four
most popular Unix variants, the fundamentals are certainly applicable to
your specific problem.  You may even find the book in your library,
and you can read snippets online at the O'Reilly site.

        Old guy

Re: User Authentication

Moe Trin wrote:

Thanks, I will take a look at it.  The problem is more a general
problem than one specific to any one technology.


Re: User Authentication


the basic premise in "shared secret" authentication ... is to have
unique "shared secrets" for unique security domains (countermeasure
for individuals in one security domain attacking another ... i.e.
local garage ISP attacking your place of work or financial

there is trade-off issues involving multiple systems within same
security domain.

the unique "shared secret" guidelines have resulted in individuals
having to deal with large scores of unique "shared secrets" and
finding it impossible to remember them all. this is further aggravated
by guidelines for "impossible to guess" shared secrets ... which are
also impossible to remember. the whole issue may become further
obfuscated when each system sort of makes believe that they are the
only one in existence ... and therefore the end-user is only dealing
with the one and only password that they require.

so the trade-off involving multiple systems within a single security
domain ... is that a single password compromise can compromise all
systems ... against having large number of different passwords
resulting in the end-user having to write down every one (as an aid to
all the impossible to remember stuff). an attacker getting the written
copy of all passwords can also compromise all systems ... so is a
single password less vulnerable than multiple different passwords (all
recorded in the same place)?

some of the single-sign-on scenarios allow the individual to
authenticate once to the authentication service ... and then the
authentication service provides the credentials for all the actual
system connections and authorizations.

one such common facility that is fairly widely deployed is kerberos
originally developed at mit's project athena. there is even a kerberos
specification (pk-init) for allowing for authentication via
verification of digital signature.

the original pk-init called for just substituting registration of
public key for registration of password ... and then using the registered
public key for verifying any digital signature (w/o requiring any PKI
or digital certificates)

later, PKI-mode of operation was added to the pk-init standards
document. my oft repeated comment is that in such environments, the
digital certificates are mostly redundant and superfluous. for a whole
lot of reasons (like privacy, security, etc), such digital
certificates tend to only carry information regarding what is
associated with the digital signature being verified ... still
requiring system to lookup in some sort of repository the permissions
and other characteristics. in all such situations, having to make a
repository lookup implies that the registered public key can be
carried in the same repository. if the registered public key can be
carried as part of a repository lookup that is being performed anyway
... the whole PKI and digital certificate distribution infrastructure
is therefore redundant and superfluous.

of course, the alternative is to avoid a repository lookup and
everybody with any kind of acceptable digital certificate is allowed
all possible permissions and privileges.

for other drift ... note that digital signature verification is also a
countermeasure to "replay attacks" typical of "shared secret" based
paradigms ... i.e. eavesdropping the shared secret allows an attacker to
replay it.  typical digital signature verification operations have the
system presenting some random data to be digitally signed (as a
countermeasure to static data replay attacks).
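The challenge-response step described in the post above, as an added example that is not any poster's code: the registered public key is looked up in the same repository record as the user's permissions (no certificates), the system hands out fresh random data to sign, and a captured signature cannot be replayed because each challenge is consumed on use. The `Registry`, `Server` types and the user name "alice" are constructed for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry stands in for the repository the post describes: the record looked
// up for a user's permissions also holds the registered public key (no PKI).
type Registry map[string]ed25519.PublicKey

// Server keeps one outstanding random challenge per user, consumed on use.
type Server struct {
	reg    Registry
	issued map[string][]byte
}

// Challenge returns fresh random data to sign; nil for an unregistered user.
func (s *Server) Challenge(user string) []byte {
	if _, ok := s.reg[user]; !ok {
		return nil
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // constructed demo: no usable randomness means no login
	}
	s.issued[user] = nonce
	return nonce
}

// Authenticate verifies sig over the outstanding challenge with the registered
// key and discards that challenge, so a captured signature cannot be replayed.
func (s *Server) Authenticate(user string, sig []byte) bool {
	nonce, ok := s.issued[user]
	if !ok {
		return false
	}
	delete(s.issued, user) // single use, whether or not the signature verifies
	return ed25519.Verify(s.reg[user], nonce, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := &Server{reg: Registry{"alice": pub}, issued: map[string][]byte{}}
	sig := ed25519.Sign(priv, srv.Challenge("alice"))
	fmt.Println("fresh login:", srv.Authenticate("alice", sig))        // true
	fmt.Println("replayed signature:", srv.Authenticate("alice", sig)) // false
}
```

Contrast with a static password: an eavesdropper who captures the password can present it again verbatim, whereas here the captured signature only ever matched one challenge that no longer exists.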

Re: User Authentication

news article from today:

UN agency warns of online security risks

from above:

Computer users who type in the same username and password for multiple
sites - such as online banks, travel agencies and booksellers - are at
serious risk from identity thieves, a United Nations agency said.

... snip ...

Re: User Authentication

I feel one of the best protocols to authenticate the users of a network
against distributed network services is Kerberos 5. A tutorial about it
is available at /
