12

I came across the concepts of passive authentication and active authentication in my work related to SAML 2.0 single-sign-on integration. I tried very hard to find a clear, generic definition and a proper explanation on these two concepts but almost every doc I referred to was quite vendor specific.

Can anyone provide a clear definition and explanation on these concepts along with appropriate examples?

Mike Ounsworth
Chiranga Alwis
  • Can you narrow the scope: in what context is this authentication? What environment are you using? As to a clear definition and explanation, no single soul left on this planet has ever given a clear definition and explanation without some interaction. And I'm afraid the answer has to be vendor/implementation specific, as those define the meaning of these terms (in general they mean nothing, and are often just marketing terms). – LvB Jan 07 '16 at 11:36
  • I refer to passive authentication as referred to in SAML 2.0 single-sign-on, most specifically. – Chiranga Alwis Jan 07 '16 at 11:46

2 Answers

6

Active Authentication: authenticates the user via the WS-Trust protocol. The Relying Party (RP) owns the login window and requests a security token from the Security Token Service (STS). Here, the user logs in using a flow. An example of active authentication involves mobile devices, verifying a user's identity continuously based on the sensors that are a part of that device. More on this in Active Authentication on Mobile Devices via Stylometry, Application Usage, Web Browsing, and GPS Location.

Passive Authentication: the RP has no login logic; the user is directed to the login page on the STS. After logging in, the STS directs the user back to the URL and you're authenticated on that site which trusts the STS. An example of passive authentication involves a user signing in through "a web form displayed by the identity provider and the user is requested to log in." See this document for more on active and passive authentication.
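To make the two flows in this answer concrete, here is an added simulation (editorial example, not code from the answerer or from any SAML/WS-Trust product) of an RP and an STS. In the active flow the RP collects the credential and asks the STS for a token directly; in the passive flow the RP only redirects the browser to the STS login page and later validates whatever token comes back. The token format (base64 JSON with an HMAC), the shared key, the URLs and the user table are all constructed stand-ins for a real security token and real endpoints.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo data. The token format (base64 JSON + HMAC) is a stand-in
# for a real SAML assertion or WS-Trust security token; the URLs are hypothetical.
STS_SIGNING_KEY = b"demo-sts-key"                # assumed key shared by STS and RP
STS_USERS = {"alice": "correct horse"}           # constructed credential store
RP_RETURN_URL = "https://rp.example/acs"         # hypothetical RP endpoint
STS_LOGIN_URL = "https://sts.example/login"      # hypothetical STS login page


def sts_issue_token(username: str, password: str) -> Optional[str]:
    """STS: check the credential and return a signed token, or None on failure."""
    if STS_USERS.get(username) != password:
        return None
    body = base64.urlsafe_b64encode(json.dumps({"sub": username}).encode()).decode()
    sig = hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def rp_validate_token(token: str) -> Optional[str]:
    """RP: trust the STS only through its signature; return the subject or None."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))["sub"]


# Active: the RP owns the login form and asks the STS for a token itself
# (the RST/RSTR exchange of WS-Trust, reduced here to a function call).
def active_login(username: str, password: str) -> Optional[str]:
    token = sts_issue_token(username, password)
    return rp_validate_token(token) if token else None


# Passive: the RP has no login logic; the user-agent is redirected to the STS,
# logs in there, and is redirected back carrying the token.
def passive_step1_rp_redirect() -> str:
    """RP: send the browser to the STS login page with a return URL."""
    return f"{STS_LOGIN_URL}?{urlencode({'return_to': RP_RETURN_URL})}"


def passive_step2_sts_login(login_url: str, username: str, password: str) -> Optional[str]:
    """STS: user submits credentials on the STS form; STS redirects back with a token."""
    return_to = parse_qs(urlparse(login_url).query)["return_to"][0]
    token = sts_issue_token(username, password)
    if token is None:
        return None
    return f"{return_to}?{urlencode({'token': token})}"


def passive_step3_rp_consume(return_url: str) -> Optional[str]:
    """RP: pull the token off the redirected request and validate it."""
    token = parse_qs(urlparse(return_url).query).get("token", [None])[0]
    return rp_validate_token(token) if token else None


def passive_login(username: str, password: str) -> Optional[str]:
    """Run the three passive steps end to end; returns the authenticated subject."""
    back = passive_step2_sts_login(passive_step1_rp_redirect(), username, password)
    return passive_step3_rp_consume(back) if back else None


if __name__ == "__main__":
    print("active :", active_login("alice", "correct horse"))
    print("passive:", passive_login("alice", "correct horse"))
```

The distinguishing point is where the password is typed: in `active_login` the RP sees it, in the passive flow only `passive_step2_sts_login` (the STS) ever does, and the RP's trust rests entirely on `rp_validate_token`. A real RP also checks the assertion's audience, validity window and the return URL it redirects to; those checks are omitted here to keep the two flows side by side.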

0

I don't think these terms are well established, while the notions are almost trivial, which is why it is hard to find anything on this in the literature. I believe passive authentication, sometimes also known as static, is a method of authentication which transfers the shared secret from the client as a part of the exchange, similar to HTTP Basic authentication. Active authentication, on the other hand, uses a challenge-response mechanism, similar to HTTP Digest authentication. Active authentication is clearly superior from a security perspective, since the shared secret (password) never appears on the wire. Additionally, authentication data cannot be replayed, since it depends on the challenge (nonce). However, it introduces an additional round in the protocol, which is not always desirable.

denisp
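An added example (editorial, not code from this answerer) showing the two properties this answer attributes to challenge-response: the password never crosses the wire, and a captured response cannot be replayed because the server accepts each nonce only once. It models HTTP Basic and an RFC 2617-style HTTP Digest computation on a constructed credential store; the realm, user and server class are assumptions for the demonstration and not a full implementation of either scheme.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed demo data. The server side is a deliberately small model of
# HTTP Basic and HTTP Digest, not a full RFC 7617/7616 implementation.
REALM = "demo"                            # assumed realm
PASSWORDS = {"alice": "correct horse"}    # constructed credential store


# "Passive"/static in this answer's sense: the secret itself is in the request.
def basic_header(user: str, password: str) -> str:
    """Client: the Authorization value is just base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_verify(header: str) -> Optional[str]:
    """Server: decode and compare; anyone holding the header holds the password."""
    scheme, _, cred = header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(cred).decode().partition(":")
    return user if PASSWORDS.get(user) == password else None


# "Active" in this answer's sense: challenge-response; the password stays on the client.
def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617-style response = MD5(HA1:nonce:HA2). MD5 is kept only for
    fidelity to HTTP Digest; it is not a recommendation for new designs."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_wire_message(user: str, nonce: str, uri: str, response: str) -> str:
    """What actually crosses the wire: username, nonce, uri, response; no password."""
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


class DigestServer:
    """Issues one-time nonces and accepts each one at most once."""

    def __init__(self) -> None:
        self.live_nonces: set = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user: str, nonce: str, method: str, uri: str, response: str) -> Optional[str]:
        # A nonce the server never issued, or already consumed, is rejected;
        # this is what makes a captured response useless for replay.
        if nonce not in self.live_nonces:
            return None
        self.live_nonces.discard(nonce)
        password = PASSWORDS.get(user)
        if password is None:
            return None
        expected = digest_response(user, password, nonce, method, uri)
        return user if secrets.compare_digest(expected, response) else None


def replay_demo() -> Tuple[bool, bool, bool]:
    """Returns (basic_replay_accepted, digest_first_use_accepted, digest_replay_accepted)."""
    captured_basic = basic_header("alice", "correct horse")
    basic_replay_ok = basic_verify(captured_basic) == "alice"   # replay succeeds

    server = DigestServer()
    nonce = server.challenge()
    captured = digest_response("alice", "correct horse", nonce, "GET", "/secret")
    first_ok = server.verify("alice", nonce, "GET", "/secret", captured) == "alice"
    replay_ok = server.verify("alice", nonce, "GET", "/secret", captured) == "alice"
    return basic_replay_ok, first_ok, replay_ok


if __name__ == "__main__":
    print(replay_demo())   # (True, True, False)
```

The extra round trip the answer mentions is visible as `DigestServer.challenge()` having to run before the client can compute anything; the replay protection depends on the server actually tracking issued nonces (or binding them to a time window), which is the part most often left out in ad-hoc implementations.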