A general understanding of the function of authentication, its use, and related concepts is assumed. Readers unfamiliar with these should refer to the Johns Hopkins University Enterprise Services Glossary.
Key concepts and terms referred to throughout the Roadmap are included below. Many of them have broader meanings and implications but, in the interest of simplicity, are provided with more specific, authentication-related definitions:
Authentication is the process of validating the credentials presented in a particular security context. Proper authentication requires that the identification and registration processes that precede it have not been compromised. Authentication does not by itself grant access to resources; that is the job of the separate Authorization step.
Authorization is the process of controlling, based on business rules, an individual’s access to resources.
Credential is an object that is verified when presented to the verifier in an authentication transaction. [OMB M-04-04 E-Authentication Guidance for Federal Agencies]. Examples include network identifiers (netids), campus unique identifiers, and digital certificates.
Credentialing. See Registration.
Identification is the process by which information about a person is gathered and used to provide some level of assurance that the person is who they claim to be. Generally, this identity verification takes place within the office (e.g. Human Resources or Student Services) that first encounters the individual and creates their record within the institutional system(s) of record. The next step is Registration (see below).
Identity Management is an integrated system of business processes, policies, and technologies that enable organizations to facilitate and control their users' access to online applications and resources — while protecting confidential personal and business information from unauthorized users. It represents a category of interrelated solutions that are employed to administer user authentication, access, rights, access restrictions, account profiles, passwords, and other attributes supportive of users' roles/profiles on one or more applications or systems.
Identity Proofing. See Identity Vetting.
Identity Vetting is the process used to establish the identity of the individual to whom the credential was issued. [OMB M-04-04 E-Authentication Guidance for Federal Agencies] This is typically done at the Registration stage.
Level of Assurance (LoA) describes the degree of certainty that the user has presented an identifier (a credential in this context) that refers to his or her identity. In this context, assurance is defined as:
- the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and
- the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued. [Ibid.]
The minimum credential strength an application requires is determined through a risk assessment of each type of transaction the application supports, identifying each risk and the likelihood of its occurrence. The assurance level that results rests on four areas, each of which must meet the target level:
- identity proofing,
- issuing credentials,
- using the credential in a well-managed and secure application, and
- record keeping and auditing.
Because the step with the lowest assurance level caps the assurance of the whole process (an attacker will target the weakest step), each step should be as strong and robust as the others.
Multi-factor Authentication requires two or more factors drawn from different categories: something you know (a password or PIN), something you have (a token, smart card or certificate store), or something you are (a biometric). Using a password to unlock a digital certificate store combines the first two. Typically, multi-factor authentication is paired with a more rigorous vetting process, so it yields a higher LoA and suits more sensitive services or systems.
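The following is an added example, not part of the Roadmap, showing how the two most common factors are checked together on the server: something you know (a salted PBKDF2 password hash) and something you have (a device holding a TOTP secret that produces time-based codes, RFC 6238). The user record, the salt, the password and the shared secret are constructed for illustration; the secret is the RFC 6238 reference test secret, so the codes it produces can be checked against the RFC's test vectors.

```python
"""Added example (not from the Roadmap): a two-factor login check combining
something you know (password) with something you have (TOTP device).
User record, salt, password and shared secret are constructed for illustration."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Assumption: the TOTP secret was shared with the user's device at Registration.
# This value is the RFC 6238 reference test secret.
TOTP_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def enroll(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 hash plus the device secret.
    A production store would keep the two factors in separate systems."""
    salt = b"constructed-salt-do-not-reuse"
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


USERS = {"jdoe": enroll("correct horse battery staple", TOTP_SECRET)}


def verify_login(user: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors are always evaluated (no early return on a bad password) and
    compared in constant time, so a failure does not reveal which factor was wrong.
    A one-step window either side tolerates clock drift between device and server."""
    rec = USERS.get(user)
    if rec is None:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    know_ok = hmac.compare_digest(derived, rec["pw_hash"])
    now = int(time.time()) if at is None else at
    have_ok = False
    for drift in (-30, 0, 30):
        expected = totp(rec["totp_secret"], at=now + drift)
        have_ok |= hmac.compare_digest(expected, code)
    return know_ok and have_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time
    print(verify_login("jdoe", "correct horse battery staple", totp(TOTP_SECRET, at=t), at=t))
    print(verify_login("jdoe", "correct horse battery staple", "000000", at=t))
```

The TOTP code alone proves only possession of the device; the password alone proves only knowledge. Accepting a login requires both, and the server rejects the attempt if either fails, which is what makes the second factor worth more than a longer password.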
Registration (credentialing) is the process whereby users are given electronic credentials, leveraging the identification process above to ensure that they are coupled with the correct electronic identity information. For example, many campuses use a web-based mechanism to reset an initial password and establish a permanent one, ensuring a correct mapping by requiring the user to enter additional information validated against that which is contained in their record. It is important for institutions to establish rules that govern the processes used by the department or office that assigns and distributes credentials.
Risk-level Assessment is a management technique used to determine the level of exposure associated with unauthorized use of a resource. In the security area, risk-level assessments have a broader use associated with relative priorities and mitigation plans for protecting an institution's information assets.
Single Sign-on Authentication, or SSO, allows users to log in once and gain access to multiple applications for a defined time period without having to log in again to each one: subsequent authentication takes place without further user interaction or interruption. SSO most often refers to "Web Single Sign-on"; it can also be implemented outside the web with PKI (client certificates) or Kerberos/Active Directory.
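The following is an added example, not part of the Roadmap, that shows the mechanism behind the definition above: the user authenticates once to an identity provider, which issues a signed ticket with an expiry; each application verifies the ticket locally and grants its own session without prompting the user again until the ticket expires. It assumes an HMAC key shared between the identity provider and the applications (a real web SSO deployment would use signed SAML assertions or OIDC tokens instead) and constructed user names and times.

```python
"""Added example (not from the Roadmap): a minimal web single sign-on ticket.
Assumptions: a shared HMAC key between identity provider and applications,
constructed user names and timestamps."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SHARED_KEY = b"constructed-idp-shared-key"  # assumption: distributed out of band
SESSION_TTL = 8 * 3600  # the "defined time period" after which a fresh login is required


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_ticket(key: bytes, user: str, now: int, ttl: int = SESSION_TTL) -> str:
    """Identity provider side: called once, after primary authentication succeeds."""
    claims = {"sub": user, "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_ticket(key: bytes, ticket: str, now: int) -> Optional[str]:
    """Application side: returns the authenticated user, or None if the ticket is
    malformed, forged, altered, not yet valid or expired. The MAC is checked
    before the payload is parsed, so unauthenticated bytes never reach json.loads."""
    try:
        p64, t64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # wrong number of parts, or undecodable base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if not claims["iat"] <= now < claims["exp"]:
        return None
    return claims["sub"]


def sso_walkthrough(now: int) -> dict:
    """One login, then two applications, then expiry, a forgery and a wrong key."""
    ticket = issue_ticket(SHARED_KEY, "jdoe", now)
    # Attacker swaps the claims but cannot recompute the tag without the key.
    forged = _b64(b'{"exp":9999999999,"iat":0,"sub":"admin"}') + "." + ticket.split(".")[1]
    return {
        "app_a": verify_ticket(SHARED_KEY, ticket, now + 60),
        "app_b": verify_ticket(SHARED_KEY, ticket, now + 3600),
        "after_expiry": verify_ticket(SHARED_KEY, ticket, now + SESSION_TTL),
        "forged": verify_ticket(SHARED_KEY, forged, now + 60),
        "wrong_key": verify_ticket(b"some-other-key", ticket, now + 60),
    }


if __name__ == "__main__":
    for step, result in sso_walkthrough(1_700_000_000).items():
        print(f"{step}: {result}")
```

The ticket, not the user's password, is what the applications see, so a compromise of one application does not expose the credential itself; the expiry bounds how long a stolen ticket is useful, which is why the defined time period in the definition matters.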