Authentication is defined as establishing the identity of one party to another. Authentication mechanisms always work in two directions. There is a user that has to prove his identify to an information system and the information system has to confirm this identity. Additional to that very basic definition, authentication describes the measures to verify the quality and features of the offered products or services and to control whether the contract among two or more parties is correct or not. Once the authentication to a system is performed correctly, the user is authorized for further actions, e.g. editing personal settings or closing contracts.

Especially for online Market places like the internet both sellers and buyers face high levels of uncertainty. The risk of Online Fraud is very high and leads to the point that growth of E-Commerce depends on the authentication problem. Authentication in the view of e-commerce is always linked to the buyer-seller-product triangle. As defined above there is a further dimension regarding the term authentication, the quality of the service or product and the identity of the parties. And as third dimension, we can define trust and information. Online sellers and buyers have to provide authentication information and have to verify the trustworthiness of this information. Combining those three dimensions gives an overview over authentication issues. The buyer-identity-information authentication for example leads to the point that the buyer has to prove his identity by giving personal information (e.g. credit Card number, social security number, signature,..). The product-quality-trust authentication can be supported by the possibility to get test products or to send products back cost-free. ¹⁾

Authentication mechanisms are categorized in three dimensions. The user proves his identity by

• Something he knows (e.g. a password, a username)
• Something he has (e.g. an Electronic Signature, a credit card number)
• Something he is (e.g. a signature, a fingerprint)

Obviously the combination of the categories increases the security of an authentication system. Based on those three categories, there are many different technical solutions and linked to that possibilities and threats. The basis for all of these methods is the registration of the user on the website of the e-commerce company or a neutral agency. Information that is regularly provided in the different categories is listed below.

• verified name (the name of a real person with a proved identity, for example by real identification at a Warehouse)
• pseudonym (= a not verified name)
• email-address
• password (e.g. PIN)
• personal data (e.g. sex, address, phone number, …)
• Private answer for a standardized security question (e.g. “What was the name of your first pet?“)

The security of the knowledge-method depends on two factors, the responsibility of the user and the security of information transferring systems (protocols). The problem with the responsibility of the user seems to be obvious, but it isn’t. Providing personal information for authentication issues also means to protect them from being spread. Using a PIN (personal identification number) in public always hides the threat of being captured by a key logger or camera-systems for example. The security of the information transferring system is in the responsibility of the operating company. Standard network protocols like SSL (Secure Sockets Layer) are preventing data from getting captured by a third party by using symmetric or asymmetric Encryption.

• existing online account (e.g. using your email-account for further online authentication)
• Digital Certificate
• one -way-password-list (TAN (transaction-number), also see Security)
• credit-card, eurocheque card
• SIM-Card (Subscriber Identity Module)
• RFID-chip
• Combination of mechanisms (mobile-TAN = TAN via SIM-Card)

Identity-proving by possession has some obvious risks. Possession always means, that something can be stolen or get lost. Additional to those risks, items like eurocheque-cards for example can easily be duplicated. None the less those mechanisms are very common. The explanation for that is very simple, because each of those methods is combined with either a knowledge or personal identification method. Using a credit-card is always linked to giving a signature or a pin for example.²⁾

• Retinal eye scanner
• Personal signature (writing-speed and acceleration, form an size, …)
• Fingerprint reader
• Facial recognition Systems

The risks related to proving identity by biometric attributes have a big variety. One the one hand, the security and reliability of the system depends on the system itself. Since the picture of a face isn’t always the same, the system has to react intelligent to external influences in order to secure identification. On the other hand systems like this are very expensive, especially in a maintenance point of view.

Security

Digital Certificate

Privacy and data protection

www.nist.gov

http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf

http://www.newbiometricauthentication.com/

Kaeo, Merike. Designing Network Security. Indianapolis, IN: Cisco, 2004. Print.

— Stephan Köstler 2012/12/10 20:55