Authentication is a critical part of any organization’s network. It’s what confirms that a user is actually who they say they are. Authentication is the foundation from which an organization can build its IT infrastructure. Even in the earliest days of computing, authentication was used to ensure that the right people had access to the right machines, that their environments were set correctly, and that all actions on the machine were logged.
In the modern era, authentication continues to be vital in ensuring that the right people are accessing an organization’s IT resources. Authentication controls access to devices, files, IT applications, Web-applications, sites, and infrastructures, among other IT assets.
Authentication is generally accomplished by asking a user to enter something that they know. Typically, this is a username and password. But this simple process is becoming more complex as the importance of online security increases. Some IT resources require an SSH public key. And, further still, some require multi-factor authentication (a second, additional factor that authenticates the user with something they have).
The process to authenticate a user is usually a variant of the following:
- User navigates to the IT resource – e.g. enters an IP address, a URL, or turns on a device
- The user is presented with a login screen to enter a username, password or SSH key
- These credentials are securely compared to the credentials on file either within a directory, application, or device, for example
- If the credentials match, then the user is admitted to the resource
- If the credentials fail, the user can try again. With most modern devices and applications, though, there is a limit on the number of attempts, after which the user is locked out.
There are a number of aspects to this authentication “ceremony” that need to be explored further in order to understand how the process works, ways that it can be easily managed, and how to increase security.
The first area to investigate is how the authentication process occurs. Most devices and sites still rely on the age-old username and password combination. This is the most common option because it is extremely simple and used almost universally. Over time, however, this method has proven to be less secure than others, which has led to several improvements to the process. One option is for users to choose a longer, more complex username/password combination; research has shown that a longer password is more secure than a complicated shorter one. Another option is leveraging SSH keys. This is considered a far more secure method of authentication: a password can be cracked or guessed, whereas a key can be 2048 bits or more, making it computationally infeasible to crack or guess. The key is stored on the user's machine and then securely exchanged with the server or application. Finally, you can implement multi-factor authentication. While this category will be discussed in detail separately, this method also requires you to "have" something, for example a smartphone or fob that generates a number to be entered into the device or application.
The second area to investigate is how the exchange of information is done securely. When a user first sets a password, for example, that password is run through a one-way hash function to produce a fixed-length cryptographic hash, and it is the hash, not the password, that is kept. However, two users with the same password would then have the same hash, and dictionary or brute-force attacks against precomputed hashes can still recover a password under this method. As a result, a "salt", an additional random value unique to each user, is combined with the password before hashing so that each stored hash is unique. This combination of salting and hashing is generally how a password is stored within a system. When a user later enters their password, it goes through the same salting and hashing process and the result is compared to the stored value. If there is a match, then the password is correct.
Today, many authentication requests travel over the Internet. As a result, the communication between the user's device and the target device or application must also be secured. In general, this communication is secured using SSL, which encrypts the connection so that the password cannot be captured in transit and re-used. A great deal of work has gone into this area with the introduction of WiFi and other Internet-based protocols. Making sure that the authentication process is secure from start to finish is critical to accurate user verification.
JumpCloud is the most progressive authentication platform for business. Because it provides a single source of authentication for a wide range of devices (Windows, Mac, and Linux) and IT applications (IaaS, Web applications, networking gear, and more), IT admins don't need to create multiple directories or user stores across their infrastructure. Instead, there is one directory of record that serves as the repository of usernames, passwords, and SSH keys. This ensures that users can access the IT resources they need with one set of credentials, while IT admins have greater control over who has access. JumpCloud's authentication process supports a wide range of protocols, including LDAP, REST, SAML, RADIUS, and SSH, among others.
Authentication is a critical component of providing users access to IT resources. It confirms who they are. JumpCloud's Directory-as-a-Service® platform leverages standards-based authentication protocols to ensure that the right users have access to their IT resources.