Securing information through Identification, Authentication and Authorisation

Authentication is a critical component of the access control mechanisms implemented by organizations to secure information. The underlying principle of logical access control is to establish whether a user is in fact the person he claims to be and then to grant that person the right type of access.

From the above explanation we can identify the three steps involved in implementing logical access controls, viz. (a) Identification, (b) Authentication and (c) Authorization.

In the sections below, let us look at the definition of each of these steps and the tools used to accomplish their objectives.

1. Identification

The person trying to access an information asset or a network resource must identify himself. It should be borne in mind that the identification component must be unique to each user and must not be shared among users.

Tools: User name, user id, employee number

2. Authentication

After a person has identified himself, he needs to prove that he is who he says he is. In other words, authentication is the verification of the identification information.

Tools: Authentication can be implemented through the following means:

a. Authentication by knowledge (something the user knows) – password, PIN.
b. Authentication by ownership (something the user has) – smart card, swipe card, access card.
c. Authentication by characteristic (something the user is) – biometrics such as fingerprint, retina scan, facial scan, voice print.

3. Authorization

On completion of authentication, the system must establish whether the user is authorized to access the system or its various modules. Authorization also determines what actions the user is permitted to perform on that system or module.

Tools: Access control matrix containing roles, profiles and privileges.

The above are pre-emptive steps in logical access control. They are followed by a post-mortem control, viz. ‘Accountability’. Accountability is the process of recording the actions performed by the user and tying each recorded action uniquely to that user. This is accomplished by enabling audit trails and logs in the systems.
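The four controls described above (identification, authentication by knowledge, authorization through an access control matrix, and accountability through an audit trail) fit together in a few dozen lines. The following is an added example written for this article, not code from the original page or from any particular product; the user IDs, passwords, roles, module names and the shape of the access control matrix are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Access control matrix (authorization tool): role -> module -> permitted actions.
# Constructed for this example; a real system would load it from configuration.
ACCESS_MATRIX = {
    "clerk":   {"ledger": {"read"}},
    "manager": {"ledger": {"read", "write"}, "payroll": {"read"}},
    "auditor": {"ledger": {"read"}, "payroll": {"read"}, "audit_log": {"read"}},
}

PBKDF2_ITERATIONS = 200_000  # cost parameter for the password hash; chosen for this demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. The system stores this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    user_id: str   # identification: unique to one person, never shared
    role: str      # row of the access control matrix this user maps to
    salt: bytes
    pw_hash: bytes


class AccessControlSystem:
    def __init__(self, matrix):
        self.matrix = matrix
        self.users = {}        # user_id -> User
        self.sessions = {}     # session token -> user_id, created only by a successful login
        self.audit_log = []    # accountability: every attempt, whether allowed or denied

    def register(self, user_id, password, role):
        # Identification: the identifier must be unique, so a reused ID is rejected.
        if user_id in self.users:
            raise ValueError(f"identifier {user_id!r} already in use")
        if role not in self.matrix:
            raise ValueError(f"unknown role {role!r}")
        salt = secrets.token_bytes(16)
        self.users[user_id] = User(user_id, role, salt, hash_password(password, salt))

    def authenticate(self, user_id, password):
        # Authentication by knowledge: verify the claim; return a session token or None.
        user = self.users.get(user_id)
        if user is None:
            # Hash anyway so an unknown ID takes as long to reject as a wrong password.
            hash_password(password, b"\x00" * 16)
            self._record(user_id, "login", "-", False)
            return None
        ok = hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))
        self._record(user_id, "login", "-", ok)
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token

    def authorize(self, token, module, action):
        # Authorization: only an authenticated session is checked against the matrix.
        user_id = self.sessions.get(token)
        if user_id is None:
            self._record("<no session>", action, module, False)
            return False
        role = self.users[user_id].role
        allowed = action in self.matrix.get(role, {}).get(module, set())
        self._record(user_id, action, module, allowed)
        return allowed

    def _record(self, user_id, action, module, allowed):
        # Accountability: tie each action to the identified user with a timestamp.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "action": action, "module": module,
            "result": "ALLOW" if allowed else "DENY",
        })


def demo():
    """Walk a clerk and a manager through the four steps and return the outcomes."""
    acs = AccessControlSystem(ACCESS_MATRIX)
    acs.register("e1001", "correct horse battery", "clerk")
    acs.register("e1002", "manager-secret", "manager")
    bad = acs.authenticate("e1001", "wrong password")
    clerk = acs.authenticate("e1001", "correct horse battery")
    mgr = acs.authenticate("e1002", "manager-secret")
    return {
        "wrong_password_rejected": bad is None,
        "clerk_reads_ledger": acs.authorize(clerk, "ledger", "read"),
        "clerk_writes_ledger": acs.authorize(clerk, "ledger", "write"),
        "manager_writes_ledger": acs.authorize(mgr, "ledger", "write"),
        "no_session_denied": acs.authorize("forged-token", "ledger", "read"),
        "audit_entries": len(acs.audit_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points are worth noting. Authorization never takes a user ID directly; it takes a session token that only a successful authentication can mint, which enforces the order of the three steps in code rather than by convention. And the audit log records denied attempts as well as allowed ones, because the failed login and the clerk's rejected write are exactly the entries an investigator needs when reconstructing what a user tried to do.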