Note that in common practice, the username is by definition the identity by which that subject is known within the system; the rest of the information created and provisioned by the identity management process, which is then used during access authentication and authorization, is known as the credentials. Some credentials, such as passwords, may also become factors and are presented as part of access authentication.
As with any process, authentication can be prone to errors. Type 1 errors, also called false negative errors, occur when an otherwise legitimate subject is denied access; this is an incorrect or false rejection of the subject. Type 2 errors, also called false positive errors, give the “green light” to a subject to proceed in their attempt to access the system or object in question. These false acceptances are the greater security worry, as they potentially are allowing an intruder into your systems. You'll look at these errors and how to manage their rate of occurrence several times in this chapter. Note that many IT professionals refer to these directly as false rejection or false acceptance errors and avoid the possible confusion of types, positive and negative.
Single-Factor/Multifactor Authentication
Authentication is the first step in controlling what subjects (people, processes, or hardware) can access any portion of your systems. As you think about authentication, keep in mind that there are three sometimes competing needs to address. Human subjects need to get work done; their identity, and the parameters and attributes associated with that identity, need to be kept safe and secure; and the information assets that are the very reasons for your system to exist in the first place need to be kept safe and secure. Each of those needs requires its own dose of CIANA+PS sauce; each will need a different mix of those security ingredients, tailored to your organization's needs and its approach to information risk.
Traditionally, the issue of single-factor versus multifactor authentication has been discussed in terms of human end users as access control subjects. With more autonomous and semi-autonomous systems becoming part of our networks——or becoming users of your networks—it's probably time to reconsider this in more general terms. It's time to focus on subjects regardless of whether they are people, robots, IoT devices, or processes, of any level of complexity, as having identities that must be authenticated prior to allowing them to connect to our systems and networks. If our security needs require multifactor authentication for one class or type of entity, we take on great risk for any other class of entity for which we only require single factor authentication.
Authentication of human user access attempts has traditionally been based on one or more of three authentication factors.
Type I: Something you know, such as a username or password
Type II: Something you have, usually a hardware device, a machine-readable identity card, or a smart card or key fob
Type III: Something you are, such as a physical characteristic that does not change over time
Two additional factors (not, so far, named Type IV and Type V) have been gaining more widespread use in the marketplace: “something you do” and “somewhere you are,” which relate to specific behavioral patterns associated with you as a subject.
These factors can be applied alone or in combination with each other as both a deterrent against intrusion or reconnaissance attempts and as a way to reduce the overall rate of Type 2 (false acceptance) errors. Single-factor authentication involves the use of only one of these three factors to carry out the authentication process being requested. Multifactor authentication requires the subject to present two or more such factors for sequential authentication. Successfully passing the gate of each factor's test increases the confidence that the subject is in fact whom (or what) it claims to be. Of course, the more factors you want to use for authentication, the more effort it will take to create and provision them, update them, and otherwise manage and maintain them. When it comes to any factor used for authentication, do remember that human users forget things, lose things, misplace things, and sometimes willfully violate administrative policies and allow other people to use those things and thereby have access to systems. The use of multifactor authentication by itself won't necessarily address these human frailties. The chosen authentication factor technology must also support rapid revocation of a factor when it is lost or compromised; and in some cases, you may also need to provide recovery of a factor, such as a passphrase or other information the user should know and remember when it is lost, forgotten, or garbled in use.
Regardless of the choice of factors used, at some point your security protocols need to deal with locking a user out from further access attempts (also known as a false rejection error). A user who fails to authenticate properly after a small number of attempts (typically three to five attempts) is locked out and may have to either wait a certain amount of time or contact the systems help desk and request a reset of their access credentials. Although false rejections cause you to spend extra effort to resolve and potentially waste otherwise productive time for your users, they are far less worrisome than false acceptance errors, which occur when an attacker manages to spoof a set of identification and authentication credentials and is accepted by your system and granted access. The frequency with which both of these types of errors occur is an important security diagnostic you should monitor, if not treat as an alarm condition.
Figure 2.4 shows one statistic you will often see cited in vendor material about biometric devices. The crossover error rate (CER) is the number that results when the device is adjusted to provide equal false acceptance (false positive or Type II) and false rejection (false negative or type 1) error rates in your environment. This is also referred to as an equal error rate (EER). All other things being equal, the device with the lower CER or EER may be demonstrating a greater intrinsic accuracy and yield you less wasted effort spent on false rejects and lower your risk of allowing an intrusion (a false acceptance) to occur. Since most systems see tens of thousands of access attempts per day, it's important and meaningful to look at the rate that these errors occur as indicators of whether you've got your access control system tuned properly.
In selecting, tuning, and deploying any access control methods, including biometric technologies, it is critical to choose the tolerance for false positive and false negative error rates to meet your risk tolerance. Let's look at some numbers:
The false rejection rate (FRR) is the ratio of false rejection errors to valid authentications. If 1,000 attempts to authenticate result in two rejections of legitimate users, the FRR is .002, or .2 percent.
The false acceptance rate (FAR) is the ratio of false acceptance errors to valid authentications. If, in 1,000 attempts to authenticate, two impostors are erroneously allowed in, the FAR is .002, or .2 percent.
FIGURE 2.4 Crossover error rate
You can see in this figure that the costs associated with implementing more rigorous access authentication techniques, such as multifactor biometric technologies, do buy you lower false acceptance rates (that is, spending more money moves your operational point to the left on that graph). False rejections cause you to spend extra effort to validate that a legitimate but rejected user should in fact be allowed to have access. If your circumstances and risk appetite suggest that you can tolerate the increased risk by spending less, then, by all means, move toward the right side of the graph and be willing to accept a greater likelihood of an intrusion while minimizing the disruptions to legitimate users (and increased costs of legitimate work).
Be aware that it is false reasoning to associate a lower cost with the right edge of this graph: You “win” on this trade space only if your systems are never penetrated in ways that inflict great impact