Understanding how User Authentication impacts the security of your business is more critical than ever, but knowing where to start can be tough. Good thing we’ve simplified this complex issue into the essential things you need to know in order to make more informed decisions.

1. Share This:
9 Things Everyone
Should Know About User Authentication

2. Share This:
The Notorious 9
Nine Essential Components of User Authentication
User Authentication (UA) is a field that’s constantly evolving; however, staying current doesn’t have to be
a full time job, if you master the basics. Despite the appearance of constant change, there are nine basic
principles of UA that remain the same, and knowing them will help you make more informed decisions. To
make things even easier, we’ve broken the Notorious Nine into three parts:
username
**********
3 Types of UA
3 Delivery Methods of UA
3 Ways to Integrate UALOGIN

3. Share This:
have been the victim of online
crimes due to their accounts
being hacked
600,000
FACEBOOK ACCOUNTS
75%
OF AMERICANS
90%
OF BUSINESSES
have been hacked in
the last year
are hacked every day
Source: http://www.clubcloudcomputing.com/2013/01/infographic-on-hacking-statistics/
FACTS

4. Share This:
Know Your Type
The 3 Types of UA
Confirming that users really are who they say they are is serious business, especially when the annual
cost of identity theft in America is now $10 billion more than all other property crimes combined. The good
news is that while there may only be three types of UA, your company can combine their strengths to make
the process of identifying, verifying and granting users access to your system as easy as one, two, three.
The three types of UA are:
Source: http://www.businessinsider.com/bureau-of-justice-statistics-identity-theft-report-2013-12
1. What You Know
2. What You Have
3. What You Are

5. Share This:
Well, Whadayaknow?
UA Type 1: “What You Know”
“What You Know” is the oldest form of UA and is based on secret information that only the user knows
— and therein lies the issue. Aside from malicious programs that can guess billions of passwords per
second, many users share their passwords and/or post them next to their screens, making this the
weakest of all methods. However, it’s also the oldest and cheapest, which explains why it’s still popular.
Examples of “What You Know” UA
Passwords1
2
3
4
5
Phrases
Security Questions
PINs
Patterns (i.e drawn with a finger to access mobile devices)

6. Share This:
FACTS
Source: http://janrain.com/about/newsroom/press-releases/online-americans-fatigued-by-password-overload-janrain-study-finds/
58% of Americans
have 5 or more online passwords
30% of Americans
have 10 or more online passwords
8% of Americans
have 21 or more online passwords

7. Share This:
What You Got There?
UA Type 2: “What You Have”
“What You Have” is a much stronger UA method than “What You Know” and carries the added bonus of
being a fairly economical solution. To use this method, users must possess a hardware token contained on
a smart card, USB token, mobile device, etc. Companies seeking to enhance security without sacrificing
usability often combine “What You Have” with other types of UA for added strength. An example of this is
your debit or ATM card. ‘You have’ the physical card that you must swipe in the machine and ‘you know’ the
PIN number to access your account.
1. Public Key Cryptography
2. One Time Password (OTP)
3. Smart Cards

8. Share This:
FACTS
The People’s Choice: How Americans Use Social Network
Single-Sign-On to Surf
Source: http://blog.gigya.com/which-identities-are-we-using-to-sign-in-around-the-web-infographic/
FacebookGoogleTwitterYahooMySpaceLinkedInOther
1% 2% 7% 13% 14% 17%
46%

9. Share This:
Who Do You Think You Are? James Bond?
UA Type 3: “What You Are”
Often showcased in spy movies, “What You Are” is perhaps the most well-known form of UA and yet is
the least used due to its high cost. Because “What You Are” is dependent on an individual’s habits and/
or biological characteristics, it is a very strong UA method. It’s also convenient for companies and users
since critical information can’t be borrowed, lost or forgotten. When combined with other UA methods, it’s
incredibly strong.
1. Biometry – fingerprints, retina scans, voice recognition, etc.
2. Behavior-Based Authentication
3. Physical Unclonable Functions

10. Share This:
FACTS
Fingerprint Facts
Source: http://www.funtrivia.com/en/subtopics/Fingerprints-170308.html
Fingerprint ridges do not change with growth or age
Minor burns, cuts and scrapes don’t affect fingerprints because new skin
grows in the original pattern
Koala fingerprints are virtually indistinguishable from human prints
In 1858, Sir William Herschel became the first person to use fingerprints
to identify criminals
The FBI's fingerprint database is the largest in the world
1.
2.
3.
4.
5.

11. Share This:
Cutting Out the Middle-Man
3 Ways to Receive User Info
Securing the delivery of user information is critical in preventing hack attacks, such as man-in-the-middle
schemes where a malware program intercepts the username, password and passcode of a user as it is
being sent. Listed from weakest (1) to strongest (3), the three current UA delivery methods are:
1. Local
2. In-Band
3. Out-of-Band

12. Share This:
Are You With the Band?
The 3 Ways UA Credentials Are Delivered
While your company has limitless choices when it comes to the combinations and types of UA available,
there are only 3 choices when it comes to how a user’s credentials will be delivered to the authentication
system: local, in-band or out-of-band.
1. Local – The system that receives the credentials and the
system that matches them are on the same host
Examples: Entering a PIN in a smart card reader, swiping a
finger on an iPhone, logging into a Windows PC
2. In-Band – Users submit credentials through an app that
interfaces with the system after authentication
Example: Connecting to a web server using a web browser
and logging in via that same browser
3. Out-Of-Band – Users complete part of the UA process
through one channel and receive secure information via
a second channel that enables them to complete the UA
process
Example: Connecting to the Internet on a PC and receiving a
code via a mobile phone to complete log-in

13. Share This:
FACTS
Calling for Security: Companies Employing Mobile Phone
Multi-Factor Authentication
Source: http://mashable.com/2013/07/31/two-factor-authentication/
Google is the first company to offer users multi-factor authentication via
mobile codes
Facebook begins using mobile codes for multi-factor authentication
Dropbox, LinkedIn, Apple, Microsoft and Twitter offer users mobile code
multi-factor authentication
2010
2011
2012

14. Share This:
Getting with the Program
The 3 Ways to Integrate UA
Choosing how you will integrate UA with your current system is one that requires your business to find its
own sweet spot between retaining control internally and relinquishing elements of control to third parties.
The current three UA integration methods are:
1. Embedded Component
2. Callable Web Service
3. Delegation

15. Share This:
Are You a DIY’er or a Delegator?
The 3 Ways UA Can Be Integrated with a System
You have three options when it comes to integrating UA into your current system, and all three ways are
compatible with all types of UA, so the choice boils down to how much you want to invest and how much
control you desire.
1. Embedded Component: UA components are embedded into the server that
provides service to users
Pros: Instant access and greater control
Cons: Companies using their own servers must be vigilant about maintenance and
security monitoring, especially since a single security breach could expose all codes
2. Callable Web Service: UA information is passed to a dedicated authentication
server via web service calls
Pros: Authentication codes are not stored on the service provider’s server
Cons: If a company uses one of its servers as the dedicated authentication server, it must be
vigilant about the maintenance and security of the server
3. Delegation: UA is delegated to a third party authentication server known as the
Identity Provider (IP)
Pros: Maintenance costs, updates and compliance are the responsibility of the third-party IP
Cons: Less access and control

16. Share This:
FACTS
LOW - Little or no confidence exists in the user’s identity; usually self-asserted
MODERATE - Confidence exists that the user’s identity is accurate; used for self-service apps
MODERATE - High confidence in the user’s identity accuracy; used to access restricted data
HIGH - Very high confidence in the user’s identity accuracy; used to access highly restricted data
Level 1
Level 2
Level 3
Level 4
The four levels of assurance the U.S. government uses to categorize Identity Providers are:
Source: https://www.cio.wisc.edu/security-initiatives-levels.aspx

17. Share This:
Hark! Who Goes There?
We hope you have enjoyed our ebook, “9 Things Everyone Should Know About User Authentication.” At
Gemalto, we provide a powerful portfolio of UA solutions that address a wide range of business needs. To
learn more about us, download more ebooks, or register for a free trial, please visit CloudEntr.com/latest-
resources.