Questions tagged [authentication]

A process of proving that an entity (commonly a user or organization) is who they claim to be, or who they were previously identified as being. Authentication does not guarantee that particular entity's identity absolutely; it just proves that they are the same agent that has previously successfully asserted their identity. There are three factors (types) of authentication, and a particular authentication process may combine two or more different factors.

Authentication is critical to systems security. It is the mechanism an authoritative system uses to validate that a given entity's asserted identity (who they claim to be) matches that entity's stored credentials. Credentials must be stored for an entity beforehand, either by the authoritative system or by another trusted system, before authentication can occur.

Authentication is commonly used in real life in a number of different scenarios; for example, a national border agent confirming a person's identity using a passport.

Authentication usually requires the entity being authenticated to produce one or more tokens. These tokens are then used, possibly alongside other properties or characteristics of the entity, to confirm their identity. An example of an authentication token is a password. These tokens can fall into three broad categories, or factors:

  • Something you know. This is the most commonly used authentication factor in electronic systems. It is most commonly implemented as a password or PIN (personal identification number). This is also the most commonly misused authentication factor. Many systems require a secondary security question, such as your mother's maiden name, the place you were born, or other such trivia. These all belong to this single factor, so systems can ask as many questions as they like and they are still single-factor authentication; all the answers are something the entity would know.
  • Something you have. This is most commonly implemented as a device that generates one-time numbers (like an RSA key fob) or a digital certificate (which can be stored on a smart card or, less securely, as a simple file on a computer). Key fobs, smart cards, and SSL certificates are the most commonly used forms of this factor.
  • Something you are. This is commonly known as biometric security. Fingerprints and iris scans are the most common form when used with electronic access systems. Fingerprints and DNA are the most commonly used in law enforcement.

It should be noted that some security experts have reservations about the factor categories. Specifically, all authentication factors are fed into the authentication mechanism as computerized information and are therefore subject to the same possible tampering or forgery as any other information. Digital certificates, for example, are essentially passwords that are so long that a normal person would never memorize them; they must be stored on a medium (hence the term "something you have"). Similarly, anyone who has seen a spy movie has undoubtedly seen a fictional character copy a fingerprint or fake an iris scan. This is possible because the authentication mechanism relies on a digital reproduction of the physical item, and a digital representation can be duplicated.

There are many indirect authentication schemes as well. Kerberos is one of the most popular: you authenticate against a central store, which then gives you a token. The token can then be used to grant you access to other systems in lieu of the original authentication mechanism.

Authentication should not be confused with Authorization, which involves granting rights to a specific entity. Authorization schemes are commonly dependent on Authentication to ensure security, but are not the same.

See Wikipedia for more information about Authentication and Security.

2161 questions
231 votes, 5 answers

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

I believe this is not possible, but someone I know insisted that it works. I don't even know what parameters to try, and I haven't found this documented anywhere. I tried http://myserver.com/~user=username&password=mypassword but it doesn't…
ripper234
195 votes, 1 answer

SSH use only my password, Ignore my ssh key, don't prompt me for a passphrase

This is a question regarding the OpenSSH client on Linux, MacOSX and FreeBSD. Normally, I log into systems using my SSH key. Occasionally, I want my SSH client to ignore my SSH key and use a password instead. If I 'ssh hostname', my client prompts…
Stefan Lasiewski
152 votes, 5 answers

What is the difference between authentication and authorization?

Basic question from a novice: What is the difference between authentication and authorization?
Kyy
142 votes, 5 answers

How do I make ssh fail rather than prompt for a password if the public-key authentication fails?

I've got a script that SSHes several servers using public key authentication. One of the servers has stopped letting the script log in due to a configuration issue, which means that the script gets stuck with a "Password:" prompt, which it obviously…
rjmunro
94 votes, 6 answers

How to delete cached temporarily credentials for a network share on a Windows machine without rebooting or logging off

This is more of a curiosity than a real problem; I am just too lazy to reboot or log off my laptop. I have connected to a network share on a Windows server with domain credentials from a non-domain Windows 7 machine, I didn't mark the option to…
ralz
73 votes, 11 answers

Why is SSH password authentication a security risk?

Most guides for OpenSSH configuration advise to disable password authentication in favor of key-based authentication. But in my opinion password authentication has a significant advantage: an ability to connect from absolutely anywhere without a…
Septagram
73 votes, 4 answers

How to grant network access to LocalSystem account?

How do you grant access to network resources to the LocalSystem (NT AUTHORITY\SYSTEM) account? Background When accessing the network, the LocalSystem account acts as the computer on the network: LocalSystem Account The LocalSystem account is a…
Ian Boyd
71 votes, 20 answers

How to create an SHA-512 hashed password for shadow?

The previous SF questions I've seen have led to answers that produce MD5 hashed passwords. Does anyone have a suggestion on how to produce an SHA-512 hashed password? I'd prefer a one liner instead of a script but, if a script is the only solution,…
Belmin Fernandez
71 votes, 11 answers

How do I remove login credentials for a network location in Win7?

I just tried to access a folder like so: \\somecomputeronmynetwork\somelocation$ When going to this location I'm prompted for a user name and password. I put one in, and it let me in fine. Now I need to remove that login, so I can try a different…
Joseph
55 votes, 6 answers

How to configure basic authentication in Apache httpd virtual hosts?

I'm trying to configure mercurial access using Apache http. It requires authentication. My /etc/apache2/sites-enabled/mercurial looks like this: NameVirtualHost *:8080 UseCanonicalName Off ServerAdmin …
Jader Dias
49 votes, 14 answers

This could be due to CredSSP encryption oracle remediation - RDP to Windows 10 pro host

Error Following Windows security updates in May 2018, when attempting to RDP to a Windows 10 Pro workstation the following error message is displayed after successfully entering user credentials: An authentication error occurred. The function…
scott_lotus
48 votes, 4 answers

How does SSO with Active Directory work whereby users are transparently logged in to an intranet web app?

I'm told that it's possible to make a web application that does not require a login. The user logs in to Windows, which authenticates via an Active Directory (LDAP) Lookup. Then, they should be able to go to my webapp and never see a login prompt.…
blak3r
44 votes, 6 answers

Postgres error message: FATAL: Ident authentication failed for user "..."

Say you're seeing this message: FATAL: Ident authentication failed for user "..." What are the causes of this error message?
Steve Bennett
44 votes, 5 answers

Best system for managing ssh keys?

I've got several client computers (i.e. laptops, desktops, etc.), and I connect to several server machines that I manage, and I log into them all via SSH. I can imagine several schemes of managing ssh keys that would make sense, and I'm curious…
slacy
36 votes, 6 answers

Is it valid to have part of an IPv4 address set to zero?

I am working on a change in a Java EE application that would authenticate based on the user's IP address using ServletRequest.getRemoteAddr. We store IP address ranges (FROM_IP and TO_IP) in a database and the system would authenticate only if a…
Ritesh