A Penn State Identity Services (IdS) White Paper
October 2014

Definition
Authentication is the proof by an individual and a verifier of the linking of the individual to his records within an electronic system in order to establish him as a single user of that system.
What Is Authentication?
In order to understand what authentication is, it is important to understand a related term:
Identification. Identification (See Identity
Services whitepapers: “The Role of Unique
Identifiers in Identity Management” and “The
Role of Credentials in Identity Management.”) is the statement of indication of a person's identity.
Authentication is the performance by an individual of an act that confirms ownership of an established, previously registered, or claimed identity.
In the context of electronic systems, authentication is most commonly performed by the use of a public identifier and a secret shared with the authentication system of record, or
"verifier." In order to be used as intended, for the confirmation of a single identity, the registration of that identity to that person must have previously been performed in a reliable way, such that neither a duplicate record of that individual's identity exists in the verifier nor does any other individual share that identity.
These two cases are commonly referred to as
"duplicate identities" and "unintentional matches," respectively.
To prove ownership of this exclusive identity belonging to a person in a single-verifier system, the person typically provides a public identifier
(a "user name,” which at Penn State is commonly referred to as the "Access Account
ID") in addition to a secret that only that person and the verifier system know--a "shared secret" or "password." Upon providing the correct user name and password, the verifier confirms the person is who the individual claims to be and
The Role of Authentication in Identity Management provides a temporary indicator that the person has done so to the system that the person is attempting to access. This temporary indicator is often only good for the duration of the person's use of that application or system and is known as a "token."
Authentication does nothing more than link a person using an application or system to the individual’s electronic identity, which the application or system can use to link the person's previous actions to new actions. It does not authorize a person to use an application or system; it simply states that a person has supplied the correct information to prove that the individual is in possession of a specific electronic identity.
The act of verifying whether a person should have access to an application or system requires more information and is explained in the Identity
Services whitepaper on authorization. (See
Identity Services whitepaper: “The Role of
Authorization in Identity Management.”)
Nothing more needs to be shared between the verifier and the application the person is attempting to access beyond confirmation of the authentication event. The system only needs to know that it is the same person who accessed that system previously and can store its own internal unique identifier for the person, thus completely preserving privacy. If additional information about the person is required from other systems, then those systems must share some very basic knowledge of the person's identity, such as an appropriately scoped Person
Unique Identifier (See Identity Services whitepaper: “The Role of Unique Identifiers in
Identity Management”)
.
Authentication can vary in its degree of strength: a very simple password like "password" does almost nothing to link an individual to an electronic identity because it is easily guessed.
Similarly, a very short or simple password, such as "abc1" also does almost nothing to link an
2

individual to an identity because it is easy for a computer to determine via many sequential repeated guesses. Since a computer can perform these sequential guesses rapidly, it can search many possible passwords in a short amount of time.
To help alleviate the problem of easily guessed or simple passwords, password complexity and length requirements are frequently put into place. However, as attackers become more advanced and the stakes for gaining illicit access to systems become higher (for example: access to a person's direct deposit routing information), more resources are being directed at attacking even more complex passwords. After some period of time, passwords alone are simply no longer good enough for systems that require an added level of security or "assurance" that the person is who he claims to be.
The problem of passwords for authentication can be addressed via the use of other factors in addition to a user name and password. This is called "multi-factor authentication."
The methods or "factors" for authentication are frequently referred to as:

Something you know : a shared secret, password, or passphrase, typically something a person can remember.
These can be problematic since they cannot be extremely long or complex, and a person can be tricked into providing them to an attacker.

Something you have: a piece of hardware that contains a secret that cannot be directly provided to an attacker and that can only be proved via use of the hardware device to provide a temporary proof of ownership to the verifier. Such systems are often implemented as hardware tokens
(keychain fob devices that display a temporary number that the person types into an interface to provide to the
The Role of Authentication in Identity Management
 verifier), smartphone "apps," such as the
Duo Security "push" app or even telephone calls, test messages, and unique tokens provided to a verified email account protected with a different set of credentials. ( See Identity Services whitepaper: “The Role of Credentials in
Identity Management.”
)
Something you are : a fingerprint, facial or hand geometry, iris or retina pattern, infrared body heat map, or the pattern of a user's input to a computer via typing, interaction via a mouse, or other established pattern of previous behavior.
This type of authentication can be problematic because not everyone has an eye, hand, fingerprint, etc. that is consistent or even present. Patterns of use are more consistent and available but can change over time and are in the early stages of development for use in authentication.
How Is Authentication Used?
At Penn State, authentication is used by nearly everyone every day. It is used to log in to access email accounts, file space, computers, and hundreds of other systems and services. Penn
State's central authentication credential is known as the "Access Account" ( see http://identity.psu.edu/services/authenticationservices/access-accounts/ ). Some systems require a second factor via use of a hardware token or Duo Security app. There are a number of second-factor authentication options at Penn
State, but Penn State's central service for second factor is called "Duo Security" ( see http://identity.psu.edu/services/authenticationservices/two-factor/ ). Many web applications at
Penn State take advantage of "single sign-on"
(SSO), which allows users to supply a user name and password to a single system, known as
3

"WebAccess." (See http://identity.psu.edu/services/authenticationservices/webaccesscosign/ ) and then stay
"logged in" for up to a single business day and all the use of any other system that WebAccess provides access to, typically without needing to re-authenticate. Additionally, WebAccess protects a user’s identity because the user is only supplying an Access Account password to
WebAccess, not directly to an application that may not have the necessary security measures in place to protect the individual’s identity.
Users typically use authentication for many other systems on the Internet, such as Gmail,
Yahoo!, Microsoft, and millions of other possibilities. It is critical to not share passwords or pass phrases between systems because if one system is successfully attacked, then any password or pass phrase you use with that system is also compromised.
Authentication Examples
Here are a few authentication examples:

The Penn State Access Account

ATM or debit card (something you have) and PIN (something you know)

Facebook, Google or Twitter login

The PIN or other protection method used with your smartphone

The system of knowledge-based authentication that banks and lenders use, which typically ask for users addresses, phone numbers, cars, etc. that have been associated with an individual
The Role of Authentication in Identity Management 4