Authentication - Access Control

Access Control

One familiar use of authentication and authorization is access control. A computer system that is supposed to be used only by those authorized must attempt to detect and exclude the unauthorized. Access to it is therefore usually controlled by insisting on an authentication procedure to establish with some degree of confidence the identity of the user, granting privileges established for that identity. Common examples of access control involving authentication include:

• Asking for photoID when a contractor first arrives at a house to perform work.
• Using captcha as a means of asserting that a user is a human being and not a computer program.
• A computer program using a blind credential to authenticate to another program
• Entering a country with a passport
• Logging in to a computer
• Using a confirmation E-mail to verify ownership of an e-mail address
• Using an Internet banking system
• Withdrawing cash from an ATM

In some cases, ease of access is balanced against the strictness of access checks. For example, the credit card network does not require a personal identification number for authentication of the claimed identity; and a small transaction usually does not even require a signature of the authenticated person for proof of authorization of the transaction. The security of the system is maintained by limiting distribution of credit card numbers, and by the threat of punishment for fraud.

Security experts argue that it is impossible to prove the identity of a computer user with absolute certainty. It is only possible to apply one or more tests which, if passed, have been previously declared to be sufficient to proceed. The problem is to determine which tests are sufficient, and many such are inadequate. Any given test can be spoofed one way or another, with varying degrees of difficulty.