
Sunday, 20 October 2013

authentication

This process by which two parties in a communication or transaction can assure each other of their identity is a fundamental requirement for any transaction not involving cash, such as the use of checks or credit or debit cards. (In practice, for many transactions, authentication is “one way”—the seller needs to know the identity of the buyer or at least have some way of verifying the payment, but the buyer need not confirm the identity of the seller—except, perhaps, in order to assure proper recourse if something turns out to be wrong with the item purchased.)

Traditionally, authentication involves paper-based identification (such as driver’s licenses) and the making and matching of signatures. Since such identification is relatively easy to fake, there has been growing interest in the use of characteristics such as voice, facial measurements, or the patterns of veins in the retina that can be matched uniquely to individuals (see biometrics). Biometrics, however, requires the physical presence of the person before a suitable device, so it is primarily used for guarding entry into high-security areas.


Authentication in Online Systems

Since many transactions today involve automated systems rather than face-to-face dealings, authentication systems generally involve the sharing of information unique to the parties. The PIN used with ATM cards is a common example: it protects against the physical diversion of the card by requiring information likely known only to the legitimate owner. In e-commerce, there is the additional problem of safeguarding sensitive information such as credit card numbers from electronic eavesdroppers or intruders. Here the information is encrypted before it is transmitted over the Internet. Encryption can also be used to verify identity through a digital signature, where a message is transformed using a “one-way function” such that it is highly unlikely that a message from any other sender would have the same encrypted form (see encryption). The most widespread system is public key cryptography, where each person has a public key (known to all interested parties) and a private key that is kept secret. Because of the mathematical relationship between these two keys, the reader of a message can verify the identity of the sender or creator.
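The digital-signature idea in the paragraph above, as an added example that is not part of the original entry: the sender reduces the message with a one-way function (SHA-256), signs the digest with a private key, and the recipient checks it with the sender's public key. It uses Go's standard library (crypto/ed25519); the key pairs, the order text and the "impostor" party are constructed for the demonstration. The three cases show what a verifier actually learns: an unchanged message from the key holder is accepted, while a tampered message or a signature from some other party is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignMessage reduces the message to a fixed-size digest with a one-way
// function (SHA-256) and signs that digest with the sender's private key.
// (Ed25519 hashes internally as well; the explicit digest just makes the
// one-way step visible.)
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	return ed25519.Sign(priv, digest[:])
}

// VerifyMessage recomputes the digest and checks the signature against the
// claimed sender's public key. It returns true only if the message is
// unchanged and the signature was produced with the matching private key.
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ed25519.Verify(pub, digest[:], sig)
}

// SignDemo plays out three cases a verifier meets in practice and reports
// whether each signature was accepted: the genuine message, a tampered
// message, and a message signed by a different party (an impostor) who
// claims to be the sender.
func SignDemo() (genuineAccepted, tamperedAccepted, impostorAccepted bool) {
	// Constructed sample keys: the legitimate sender and an unrelated party.
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample message.
	order := []byte("order 1042: pay 49.99 USD to merchant account 7")
	sig := SignMessage(senderPriv, order)

	genuineAccepted = VerifyMessage(senderPub, order, sig)

	// Altering even one character changes the digest, so the original
	// signature no longer matches.
	altered := []byte("order 1042: pay 4999.9 USD to merchant account 7")
	tamperedAccepted = VerifyMessage(senderPub, altered, sig)

	// A different private key yields a signature the sender's public key rejects.
	impostorAccepted = VerifyMessage(senderPub, order, SignMessage(impostorPriv, order))
	return
}

func main() {
	g, t, i := SignDemo()
	fmt.Printf("genuine accepted: %v\ntampered accepted: %v\nimpostor accepted: %v\n", g, t, i)
}
```

Note that the public key only tells the verifier that the signer holds the matching private key; binding that key to a named person or business is the separate problem the last section of this entry addresses.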

The choice of technology or protocol for authentication depends on the importance of the transaction, the vulnerability of information that needs to be protected, and the consequences of failing to protect it. A Web site that is providing access to a free service in exchange for information about users will probably not require authentication beyond perhaps a simple user/password pair. An online store, on the other hand, needs to provide a secure transaction environment both to prevent losses and to reassure potential customers that shopping online does not pose an unacceptable risk.

Authentication ultimately depends on a combination of technological and social systems. For example, cryptographic keys or “digital certificates” can be deposited with a trusted third party such that a user has reason to believe that a business is who it says it is.
