Book contents
- Frontmatter
- Contents
- Foreword
- Acknowledgements
- Note to readers
- Glossary
- 1 What is access management, and why do libraries do it?
- 2 Electronic resources: public and not so public
- 3 Principles and definitions of identity and access management
- 4 Current access management technologies
- 5 Authentication technologies
- 6 Authorization based on physical location: how does the internet know where I am?
- 7 Authorization based on user identity or affiliation with a library: who you are? Or what you do?
- 8 Federated access: history, current position and future developments
- 9 How to choose access management and identity management products and services
- 10 Internet access provided by (or in) libraries
- 11 Library statistics
- 12 The business case for libraries
- Afterword
- Appendix 1 Case studies
- Appendix 2 A White Paper on Authentication and Access Management Issues in Cross-organizational Use of Networked Information Resources
- Index
5 - Authentication technologies
Published online by Cambridge University Press: 10 September 2022
Summary
This chapter examines the different approaches to authentication, as well as what is considered good practice. It also gives an overview of some of the available technologies for authenticating a user.
‘Something you know, something you have, or something you are’
As explained in more detail in Chapter 3, the four main components of access control used in most information systems are:
1 Identification (also called registration): ‘Who are you?’ – the user provides information to identify him/herself, e.g. e-mail address, user ID, name or username.
2 Authentication: ‘Are you who you say you are?’ – the user verifies his/her identity or which organization he/she comes from.
3 Authorization: ‘What are you allowed to do?’ – the process of determining what the identified and authenticated user is allowed to access and what operations he/she is allowed to carry out. In the case of licensed information resources, this is based on user profiles and licensing permissions.
4 Accounting: the process of collecting statistics and/or billing data. The same tools can also be used to investigate which user accounts may have been compromised due to unauthorized access.
In this chapter we focus on the authentication aspect of access control.
Authentication is a process of establishing the user's right to an identity, in other words, the right to have a name (Lynch, 1998). While identification is usually non-private information provided by the users to identify themselves and can be known by system administrators and other system users, authentication requires private information (Zviran and Elrich, 2006). Names used to authenticate a user do not need to correspond to real names used by the user in real life (Lynch, 1998). Authentication is the first step towards protection of electronic library resources and information systems, so it is important to get it right in order to avoid security issues later.
There are many ways of authenticating a user. The most common is a username and password, but authentication can use any other method of demonstrating identity, such as a smart card, retina scan, voice recognition or fingerprints.
Menkus suggested dividing authentication methods into three types (in Zviran and Elrich, 2006, 5):
1 Knowledge-based authentication: ‘Something you know’, e.g. password or PIN (personal identification number). It is based on private information supplied by the user.
2 Possession-based: ‘Something you have’, e.g. smart card tokens. It is based on private objects that the user possesses.
- Type: Chapter
- Information: Access and Identity Management for Libraries: Controlling Access to Online Information, pp. 39–54. Publisher: Facet. Print publication year: 2014