On Authentication

The basis of any modern security system is authentication—ensuring someone is who they say they are. 

By far, the most prevalent means of authentication in use today was invented in the 1960s: the username and password. In the ensuing five decades, so much has changed: computers aren’t kept in glassed-off rooms, hard drives aren’t the size of a Frigidaire, and nobody refers to anything in bauds as ‘blazing fast’. Despite rapid changes in almost every way we interact with computers, the traditional login process is so entwined in our daily lives that most people can’t imagine operating differently.

However, there are active and interesting alternative authentication schemes that are gaining traction:

Email-Based Authentication

One pattern of authentication is to do away with manually entered user names and passwords altogether and fall back on the user’s email system for proof of identity.

Authentication Process

  1. User enters email into the application
  2. System emails user a URL with a session token embedded in it
  3. User clicks the URL in their email client and gains access

Craigslist has a per-post access method that works like this: you post an item and they send you a unique URL from which to manage that single post. Separately, you can still create an account and log in, see all your posts, etc., but by offering both mechanisms they can simplify things for their users.
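The three-step process above, written out as a small Python service. This is an added example, not Craigslist’s code or anything from the original post: the service name, the placeholder base URL and the 15-minute lifetime are assumptions. It shows the two properties a practitioner cares about that the steps leave implicit: the server stores only a hash of the emailed token (so a leaked table does not hand out live links), and each link expires and works exactly once.

```python
import hashlib
import secrets
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # links expire after 15 minutes (assumed policy)


@dataclass
class PendingLogin:
    email: str
    expires_at: int   # unix time after which the link is dead
    used: bool = False


class MagicLinkService:
    """Issue and redeem single-use login links (hypothetical service)."""

    def __init__(self, base_url: str):
        self.base_url = base_url
        # Stand-in for a database table. Only the SHA-256 of the token is kept,
        # so a leaked table does not hand out live login links.
        self._pending: dict[bytes, PendingLogin] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, email: str, now: int) -> str:
        """Step 2: build the link the system would email to the user."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = PendingLogin(email, now + TOKEN_TTL_SECONDS)
        return f"{self.base_url}/login?token={token}"

    def redeem(self, token: str, now: int):
        """Step 3: the user clicks; return the email on success, None otherwise."""
        record = self._pending.get(self._digest(token))
        if record is None or record.used or now > record.expires_at:
            return None
        record.used = True   # a link works exactly once
        return record.email


def token_from_url(url: str) -> str:
    """Pull the token query parameter back out of an issued link (demo helper)."""
    return url.split("token=", 1)[1]


if __name__ == "__main__":
    svc = MagicLinkService("https://app.example")  # placeholder domain
    link = svc.issue("alice@example.com", now=1_700_000_000)
    print("emailed:", link)
    print("first click  ->", svc.redeem(token_from_url(link), now=1_700_000_060))
    print("second click ->", svc.redeem(token_from_url(link), now=1_700_000_061))
```

Because the token is the whole credential, it is generated from the operating system’s CSPRNG rather than a seeded `random`, and the short lifetime bounds how long an intercepted or forwarded email stays useful.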

Pros

  • Less data to enter and remember (just an email)
  • Conceptually straightforward

Cons

  • If your email is compromised, an attacker has instant access to the service (but given most password reset mechanisms this criticism is a little weak)
  • User must have a functioning email system and access to it at the time they are logging in
  • Overly aggressive spam filters and general Internet weirdness may keep emails from arriving instantly, so delays in receiving the email are a definite possibility

One-Time Passwords

One Time Passwords are constantly changing values generated by an outside service and communicated securely to the user who then enters them for access to a system.

More closely associated with two-factor authentication (where multiple methods of authentication are stacked to provide greater protection), the typical process is that a username/password combination is entered and then as an additional security measure the user must enter their one time password.

OTPs are commonly generated via mobile applications (dedicated apps or a texted code) or from a key fob device that constantly generates new codes.

While normally used for two-factor authentication, it is possible that OTPs could be used in conjunction with a username for direct access to a system, forgoing the need to remember and maintain a separate password.

Pros

  • No password to remember
  • No passwords kept in a database on a server to be yanked. This is particularly important as most users use the same password across different sites and services.
  • Fairly good user experience (heck, the game company Blizzard will give you a free in-game pet if you use their mobile authenticator)

Cons

  • If your authenticator fob or phone is stolen it provides easy access to your services

Proximity-Based Unlocking

Applications like Appuous’s Keycard work by pairing your phone with your desktop computer (OS X only currently) and constantly checking the Bluetooth signal strength.

If the signal drops below a preset threshold (aka you left your office to grab a coffee), your computer automatically locks. Upon your return, the computer detects the phone’s presence and unlocks the machine.
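The lock/unlock rule above, as an added example that is not Keycard’s code or anything from the original post. It generalises the single "preset threshold" into the two things a real implementation needs to avoid flapping: a dead band between the lock and unlock thresholds (hysteresis) and a requirement for several consecutive readings before acting (debounce), so one dropped Bluetooth packet does not lock the screen. The RSSI values, thresholds and sample count are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class ProximityLock:
    """Lock/unlock decisions from a stream of Bluetooth RSSI readings (dBm)."""
    lock_below: int = -75        # weaker than this: the phone has probably left
    unlock_above: int = -65      # stronger than this: the phone is back (hysteresis gap)
    required_samples: int = 3    # consecutive readings before acting (debounce)
    locked: bool = False
    streak: int = 0              # consecutive readings on the "act" side of a threshold

    def observe(self, rssi: int):
        """Feed one reading; return 'lock', 'unlock' or None."""
        if not self.locked and rssi < self.lock_below:
            self.streak += 1
            if self.streak >= self.required_samples:
                self.locked, self.streak = True, 0
                return "lock"
        elif self.locked and rssi > self.unlock_above:
            self.streak += 1
            if self.streak >= self.required_samples:
                self.locked, self.streak = False, 0
                return "unlock"
        else:
            self.streak = 0   # reading in the dead band or on the wrong side: start over
        return None


def replay(readings, **kwargs):
    """Run readings through a fresh ProximityLock and return the events fired, in order."""
    lock = ProximityLock(**kwargs)
    return [event for event in map(lock.observe, readings) if event]


if __name__ == "__main__":
    # Constructed trace: at the desk, walk away for coffee, come back.
    trace = [-50, -52, -80, -78, -79, -81, -70, -60, -58, -55]
    print(replay(trace))            # ['lock', 'unlock']
    print(replay([-50, -80, -50]))  # [] : a single dropout is ignored
```

RSSI is only a rough proxy for distance, so the thresholds have to be tuned per environment; the dead band and debounce make the tuning forgiving rather than exact.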

Pros

  • Decreases risk of walking away from computer and leaving it unlocked
  • Great user experience

Cons

  • If someone steals your phone, they’ll have access to your computer

Biometrics

While it still mostly seems the stuff of science fiction, there are more and more real-world fingerprint (the most common), retina, and hand vein pattern biometric identification devices hitting the market. Most prominent among these would be the different mobile handset makers who have enabled unlocking their phones via fingerprint scanner, thereby removing one more password that you need to know.

Pros

  • Good user experience

Cons

  • Not as accurate as you would think; there have definitely been cases of fingerprint scanners being fooled.
  • Not robust enough to be solely relied on. If you nick your finger cutting vegetables, it would be nice to still be able to call the hospital.

Client-Side SSL Certificates

Secure Sockets Layer (SSL) certificates, the public key encryption implementation that puts the padlock icon in your browser when a website has set it up properly, can actually be created for several different purposes. While most commonly used to encrypt traffic between web browsers and web servers, they are also routinely used to secure email servers and for some site-to-site encryption.

One area where they have outright failed to take off is as a client-side authentication mechanism.

It’s possible right now, with the browser you are using to read these words, to create a client-side SSL certificate with which your identity could be verified. When you interact with SSL-secured sites, your client-side SSL certificate would be sent.

Pros

  • Good user experience (once configured)
  • Added security benefits from encryption

Cons

  • If your computer is stolen and access to your browser gained, your SSL-authenticated services would be at risk as well. For this reason, it might make more sense to use client-side SSL as part of a two-factor authentication solution.
  • Current setup of client-side SSL certificates is complicated enough to be beyond the skillset of most computer users.

SSH Keys

If client-side SSL certificates have failed to catch on with the mass of computer users, they have come to dominate the world of Linux server management. Linux servers are routinely managed via Secure Shell (SSH) and public/private key pairs, where a connection is made from a terminal to the server and secured via public key exchange.

Pros

  • Good experience (once set up)
  • Significant benefits as the number of servers being managed increases

Cons

  • You have to worry about key management (keys backed up and secured)
  • Can take some extra configuration time if you’re unfamiliar with the concepts


Username and password authentication schemes are likely going to be with us for some time. However, it’s great to see alternative approaches that could better secure the myriad services that we depend upon.

