Page 957 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Comparing Identification and Authentication


Identification is the process of a subject claiming, or professing, an identity. A subject must provide an identity to a system to start the authentication, authorization, and accountability processes. Providing an identity might entail typing a username; swiping a smartcard; waving a token device; speaking a phrase; or positioning your face, hand, or finger in front of a camera or in proximity to a scanning device. A core principle with authentication is that all subjects must have unique identities.

Authentication verifies the identity of the subject by comparing one or more factors against a database of valid identities, such as user accounts. Authentication information used to verify identity is private information and needs to be protected. As an example, passwords are rarely stored in clear text within a database. Instead, authentication systems store hashes of passwords within the authentication database. The ability of the subject and system to maintain the secrecy of the authentication information for identities directly reflects the level of security of that system.

Identification and authentication always occur together as a single two-step process. Providing an identity is the first step, and providing the authentication information is the second step. Without both, a subject cannot gain access to a system.

Alternately, imagine a user claims an identity (such as with a username of john.doe@sybex.com) but doesn’t prove the identity (with a password). This username is for the employee named John Doe. However, if a system accepts the username without the password, it has no proof that the user is John Doe. Anyone who knows John’s username can impersonate him.
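The two-step process above, as an added illustration that is not part of the study guide: a constructed in-memory authentication database that stores only salted password hashes, enforces unique identities at enrollment, and rejects a claimed identity (the john.doe@sybex.com case) that arrives without its password. The `register`, `identify` and `authenticate` functions and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; chosen for this example, not a value from the book.
_PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # The database keeps this hash, never the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


def register(db: dict, identity: str, password: str) -> None:
    """Enroll a subject; every identity must be unique, so duplicates are refused."""
    if identity in db:
        raise ValueError(f"identity already exists: {identity}")
    salt = os.urandom(16)
    db[identity] = {"salt": salt, "hash": _hash_password(password, salt)}


def identify(db: dict, claimed_identity: str) -> bool:
    """Step 1: the subject claims an identity. This is only a claim, not proof."""
    return claimed_identity in db


def authenticate(db: dict, claimed_identity: str, password: Optional[str]) -> bool:
    """Step 2: verify the claim against the stored hash. Both steps must succeed."""
    if not identify(db, claimed_identity):
        return False
    if password is None:
        # Username offered without a password: no proof, so no access.
        return False
    record = db[claimed_identity]
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def build_demo_db() -> dict:
    # Constructed sample account for the example; the password is made up.
    db = {}
    register(db, "john.doe@sybex.com", "S3cret-Pa55-example")
    return db


if __name__ == "__main__":
    db = build_demo_db()
    print(identify(db, "john.doe@sybex.com"))                         # True: claim only
    print(authenticate(db, "john.doe@sybex.com", None))               # False: no proof
    print(authenticate(db, "john.doe@sybex.com", "wrong"))            # False
    print(authenticate(db, "john.doe@sybex.com", "S3cret-Pa55-example"))  # True
```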

Each authentication technique or factor has unique benefits and drawbacks. Thus, it is important to evaluate each mechanism in the context of the environment where it will be deployed. For example, a facility that processes Top Secret materials requires very strong authentication mechanisms. In contrast, authentication requirements