Authentication

Last updated Tue Jun 02 2026 13:21:49 GMT+0000 (Coordinated Universal Time)

The process of proving that a person or device is who or what they claim to be.

Identity

A digital identity includes all the information about an individual, organization, or device.

Identifiers are attributes and activities of an entity. An identity may have one or more identifiers.

Examples are names, email addresses, or medical history.

Identity Theft

Assuming another person’s identity without authorization.

Examples:

  • Using another person’s credit card.
  • Opening accounts in another person’s name.
  • Changing account information to take over existing accounts.
  • Obtaining identity documents fraudulently.

Most cases become apparent 1–2 months after data theft, when fraudulent transactions appear. By then, the thief has typically moved on.

Types

Something you know

Aka. knowledge factor. Passwords, security questions, PINs, etc. Most common and weakest factor.

Informed attackers can easily exploit them using techniques such as dictionary or brute-force attacks.

The time required to crack a password depends on its length and complexity. Passwords must be long and complex to be safe from quick brute-force attacks. They must be stored securely (salted and hashed) so that a data breach does not expose them.
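As an added example (my own code, not from the page): storing passwords salted and hashed with PBKDF2 from the Python standard library, and verifying them in constant time. The iteration count, record format and the small user store are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware improves


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh 16-byte random salt is drawn unless one is supplied (tests only)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iterations, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        iters, salt = int(iterations), bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:  # malformed record
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(digest, expected)


# Constructed user store: two users who happen to share a password. Because each
# record carries its own salt, a leaked store does not reveal that fact.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
}
# Record for a non-existent user: verifying against it keeps the response time
# the same whether or not the username exists (no username enumeration by timing).
DUMMY_RECORD = hash_password(os.urandom(16).hex())


def login(username: str, password: str) -> bool:
    record = USERS.get(username, DUMMY_RECORD)
    return verify_password(password, record) and username in USERS
```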

Something you have

Aka. possession factor. Devices like smart cards, tokens, or a phone with SMS codes.

Active Tokens

Require server-side validation, which involves a database lookup.

Instantly revocable. Can be updated without reissuing. Not well suited to scalable and distributed environments.

Example: OTP.

Passive Tokens

Self-contained and stateless; the token itself does nothing. The server checks the integrity of the token using no external information.

Work well in scalable and distributed environments. However, they can be lost, stolen, or duplicated. They can still be made instantly revocable through specific techniques.

Example: Photo IDs.

Hybrid Tokens

Combine active and passive token features. They are self-contained but also require server-side validation.
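As an added example (my own code, not from the page), the three token styles above in minimal form: an active token is an opaque handle checked by a server-side lookup, a passive token is an HMAC-signed, self-contained set of claims checked with no lookup at all, and the hybrid adds one deny-list lookup so a single token can be revoked before it expires. The token format and function names are assumptions.

```python
import base64, hashlib, hmac, json, os, time

SERVER_KEY = os.urandom(32)  # known only to the server
SESSIONS = {}                # active tokens: all state lives here
REVOKED = set()              # hybrid tokens: small server-side deny-list

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _sign(body: str) -> bytes:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()

# Active: an opaque random handle; deleting the server-side record revokes it instantly.
def issue_active(user: str) -> str:
    token = _b64(os.urandom(16))
    SESSIONS[token] = {"sub": user}
    return token

def check_active(token: str):
    record = SESSIONS.get(token)  # the database lookup every check needs
    return record["sub"] if record else None

# Passive: claims travel inside the token; the server verifies only its own signature and the expiry.
def issue_passive(user: str, ttl: int = 3600, now=None) -> str:
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "exp": now + ttl, "jti": os.urandom(8).hex()}
    body = _b64(json.dumps(claims).encode())
    return body + "." + _b64(_sign(body))

def check_passive(token: str, now=None):
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(_sign(body), base64.urlsafe_b64decode(sig)):
            return None  # altered or forged: signature does not match
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return claims if now < claims["exp"] else None

# Hybrid: self-contained like a passive token, plus one deny-list lookup for revocation.
def check_hybrid(token: str, now=None):
    claims = check_passive(token, now)
    return None if claims is None or claims["jti"] in REVOKED else claims

def revoke_hybrid(token: str, now=None) -> None:
    claims = check_passive(token, now)
    if claims:
        REVOKED.add(claims["jti"])
```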

Something you are

Aka. characteristic factor or biometric authentication.

While biometrics are increasingly used for convenience, they remain unsuitable for highly sensitive applications. Advances in smartphones have made them cheaper and more accessible.

Drawbacks: expensive, intrusive, prone to false readings (false positives/negatives), and open to potential forgery.

Examples: fingerprints, retina scans, or facial recognition.

Users may be reluctant to use biometric authentication for several reasons:

  • Privacy concerns
    Biometric data is highly personal, and users fear that it may be shared with others.
  • Irreversibility
    A stolen fingerprint or iris scan can never be revoked.
  • Data Breach Risk
    Centralized biometric databases are high-value targets.
  • Accuracy Issues
    High chance of false positives (incorrectly accepting an unauthorized user) and false negatives (incorrectly rejecting an authorized user).
  • Slowness
    Certain biometrics require more time to process and verify (e.g. face unlock).
  • Consent & Coercion
    Biometrics can be forcibly obtained (e.g. pressing someone’s finger to a sensor). In many jurisdictions there is no biometric equivalent of the legal right to remain silent.
  • Trust issues
    Users may not trust the company or government storing their data to secure it properly or use it ethically.

Multi-Factor Authentication (MFA)

Combines 2 or more authentication factors to enhance security.

Examples: password + SMS code, or password + fingerprint.

Federated Identity Management

Aka. FIM. A framework where organizations establish mutual trust, allowing one organization (identity provider) to authenticate users and share identity attributes on behalf of another (service provider), across organizational boundaries.

Organizations (service providers) trust and rely on one or more other organizations (identity providers) to authenticate users.

Single Sign-On

Aka. SSO. A mechanism that allows a user to authenticate once and gain access to multiple applications or services within the same organization, without being prompted to log in again.

Lets users log in once and access multiple applications of a single organization without re-authenticating.

Cross-org SSO is achieved through FIM.

Authentication vs. Identification

  • Authentication
    Verifying that a claimant is who they say they are. One comparison: “Is this person X?”
  • Identification
    Determining who a person is from authentication data. Requires n comparisons across the full database.

Identification is harder: the subject may not be in the database, and partial matches are ambiguous.

Confusion Between Authentication and Identification

Privacy violations arise when data items serve multiple roles.

Example: the U.S. Social Security Number was intended as an identifier but is now used as authenticator, database key, and identifier simultaneously. Acquiring it for one purpose enables use for others.

Computer-Computer Authentication

Stored authentication credentials could be stolen by malware and reused by attackers.

Continuous Authentication

The process of continuously monitoring an ongoing communication session to ensure that the communicating entity remains the same. In computer-computer authentication, even after the initial authentication succeeds, systems must keep verifying the connection.

Prevents attacks such as session hijacking and communication interception.
