Tue Mar 10 20:41:23 PDT 2015

Control Architecture: Authentication: How are identities authenticated to support authorized access?


- A Multiple simultaneous or synchronized independent acts (e.g., multi-party control)
- B All three of something they know or can do, are, and have
- C Two of three of something they know or can do, are, and have
- D Physiological characteristics (something they are)
- D Possession of a dynamic authentication device (something they have - changing)
- D Query/Response (something they can do)
- E Possession of a key (something they have - static)
- F Password (something they know)
- Y No authentication, identified
- Z No authentication, anonymous

- A Within device
- B Physical at console
- C Local console switch
- D Local only switched connection
- E LAN
- F Authorized/controlled (or time sequence of) location(s)
- G Local radio link
- H Remote over closed infrastructure
- I Remote over open infrastructure

- B During pre-specified dates and times
- B At dynamically constrained dates and times
- C Any time

- A Direct physical connection
- B Authenticated encrypted links
- C Encrypted links
- D Links

Updates and changes:
- 0 Never update or change
- 1 Update or change when there is a specific reason to do so
- 2 Update or change at convenient system changeover times
- 3 Update or change at regular intervals
- 4 Change from defaults during installation prior to network connection


The most suitable approach is a sequence of different factors applied at different points in a process, selected according to location, connection, time, and consequence. A rating is the sequence of:

{Authenticator [change] x Location x Time x Connection [change]}

Minimum ratings per situation are as follows. Each rating string gives the four elements in the order above; a '-' means no minimum for that element, and the bracketed digits are the required change strategies.

Authentication process minimums

  Consequence   Minimum ratings
  High          B[1]--- AND -H-B[123] AND if feasible --B- AND if feasible -D--
  Medium        [ C[1]--C[1] OR F[1]D-C[1] OR F[1]FCB[12] ] AND if feasible --B- AND if feasible -D--
  Always        [4]

From any minimum rating, any element can be rated higher and still satisfy the need, but no element can be rated lower unless the resulting rating dominates a different minimum rating for the same risk level. The [change] field gives the change strategy for the relevant element in the particular situation (i.e., the authenticator change strategy follows the first element and the connection change strategy follows the fourth element).
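To make the rating notation concrete, here is an added example (not the author's code) that parses rating strings of the form used in the table and checks a proposed authentication process, given as the sequence of its per-step ratings, against the minimums for a consequence level. It assumes that within each element an earlier letter is stronger (A strongest), that a minimum pattern is met when at least one step of the sequence dominates it, that the bracketed digits of a minimum are change strategies the step's own change set must include, and that the "Always [4]" row means every declared change set must include strategy 4. The process strings in the usage lines are constructed.

```python
import re
from dataclasses import dataclass

# Orderings per element, strongest first.  Assumed from the lists on this
# page: A is the strongest rating of each element and later letters are weaker.
ORDER = {
    "auth": "ABCDEFYZ",   # A multi-party ... F password, Y identified, Z anonymous
    "loc":  "ABCDEFGHI",  # A within device ... I remote over open infrastructure
    "time": "BC",         # B constrained dates/times, C any time
    "conn": "ABCD",       # A direct physical ... D unprotected link
}
ELEMS = ("auth", "loc", "time", "conn")

# A rating string is four letters (or '-' for "no minimum") with an optional
# [digits] change field after the 1st (authenticator) and 4th (connection).
RATING_RE = re.compile(
    r"^([A-Z-])(?:\[(\d+)\])?([A-Z-])([A-Z-])([A-Z-])(?:\[(\d+)\])?$")


@dataclass(frozen=True)
class Rating:
    elems: tuple              # (auth, loc, time, conn)
    auth_change: frozenset    # change strategies declared for the authenticator
    conn_change: frozenset    # change strategies declared for the connection


def parse_rating(text: str) -> Rating:
    m = RATING_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad rating string {text!r}")
    auth, auth_chg, loc, time, conn, conn_chg = m.groups()
    return Rating((auth, loc, time, conn),
                  frozenset(auth_chg or ""), frozenset(conn_chg or ""))


def dominates(step: Rating, minimum: Rating) -> bool:
    """True if every constrained element of `minimum` is met by `step`:
    the letter is at least as strong and the change sets are included."""
    for elem, have, need in zip(ELEMS, step.elems, minimum.elems):
        if need == "-":
            continue                      # no minimum for this element
        if have == "-" or ORDER[elem].index(have) > ORDER[elem].index(need):
            return False
    return (minimum.auth_change <= step.auth_change
            and minimum.conn_change <= step.conn_change)


# Minimums from the table: a list of (alternatives, feasibility element).
# Alternatives are OR-ed, groups are AND-ed, and a group with a feasibility
# element applies only when the caller says that element is feasible.
MINIMUMS = {
    "High": [
        (["B[1]---"], None),
        (["-H-B[123]"], None),
        (["--B-"], "time"),
        (["-D--"], "loc"),
    ],
    "Medium": [
        (["C[1]--C[1]", "F[1]D-C[1]", "F[1]FCB[12]"], None),
        (["--B-"], "time"),
        (["-D--"], "loc"),
    ],
}
ALWAYS_CHANGE = "4"   # "Always [4]": change from defaults before network connection


def satisfies(process, level, feasible=()):
    """`process` is the sequence of per-step rating strings of a proposed
    authentication process; returns True if it meets the minimums for
    `level`.  A pattern is met if any step in the sequence dominates it."""
    steps = [parse_rating(s) for s in process]
    for step in steps:
        for declared in (step.auth_change, step.conn_change):
            if declared and ALWAYS_CHANGE not in declared:
                return False          # assumed reading of the "Always [4]" row
    for alternatives, needs in MINIMUMS[level]:
        if needs is not None and needs not in feasible:
            continue                  # "if feasible", and it is not
        mins = [parse_rating(a) for a in alternatives]
        if not any(dominates(s, m) for s in steps for m in mins):
            return False
    return True


if __name__ == "__main__":
    # Constructed process: a password step over a closed link, then a
    # three-factor step; between them they cover every High pattern, but
    # neither step reaches location D when that is declared feasible.
    print(satisfies(["F[14]H-B[1234]", "B[14]I-D"], "High"))
    print(satisfies(["F[14]H-B[1234]", "B[14]I-D"], "High", feasible={"loc"}))
```

The sequence semantics are the point: the High minimum is met by the pair of steps even though the first step alone is only password strength and the second alone runs over an unprotected link, which is exactly the "different factors at different points in a process" idea above.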


As background, authentication may be a sequenced series of events. For example, entry into a building may require an authentication process which is augmented by further steps to enter an internal area, a contained facility, a designated portion of that facility, and finally to undertake a specific act therein. The process thus involves multiple uses of different authentication mechanisms, involving time, place, sequence of events, and multiple factors at each authentication step, before actual access is granted.


- A Multiple simultaneous or synchronized independent acts (e.g., multi-party control):
As an example, two parties at physically different locations may have to authenticate simultaneously in order to enable a critical function such as a weapons launch. These acts may also have to be synchronized over time, so that the parties must act within a minute of a previous action authorizing the launch.

- B All three of something they know or can do, are, and have:
This includes personal authentication by someone who knows the individual engaging in some level of communications as well as a variety of combinations of devices and other similar things.

- C Two of three of something they know or can do, are, and have:

- D Query/Response (something they can do):
This is a process in which a set of passwords, or the equivalent thereof, are associated with queries and the user demonstrates their ability to do something in order to authenticate themselves. In more advanced cases these may be things like the ability to compose music of a genre on the spot, to compute a formulaic response in time, or to answer questions with pre-defined answers, such as a mother's maiden name (answers of that kind are often discoverable by an attacker, so they sit at the weak end of this class). It also encompasses typing characteristics and other similar indicators.

- D Possession of a dynamic authentication device (something they have - changing):
This includes time variant mechanisms, electronic query response systems, one-time passwords, and so forth.

- D Physiological characteristics (something they are):
This includes retinal prints, facial recognition, infrared facial recognition, fingerprints, hand geometry measurements, DNA samples, and so forth. It also includes things like color blindness, trained responses, and other similar mechanisms.

- E Possession of a key (something they have - static):
Door keys or other similar mechanisms are commonly used for entry and access.

- F Password (something they know):
Passwords are the most commonly used authentication approach and will likely remain so for the indefinite future because of their extreme ease of use by people and universal compatibility.

- Y No authentication, identified:
The subject is identified (e.g., by a cookie) but the identity is never verified. This is used for tracking purposes only, such as following behavioral patterns without necessarily knowing who the person is.

- Z No authentication, anonymous:
This is common for remote access to Web pages and other similar things.
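As an added example of authenticator class A above (not the author's code): a multi-party control check in which two independent parties must each have authenticated within a synchronization window, the page's "within a minute". The party names, the window length and the clock (a plain timestamp in seconds supplied by the caller) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class MultiPartyControl:
    """Authenticator class A: the controlled act is enabled only when every
    required party has authenticated within `window_seconds` of each other.
    The party names and the window are assumptions for this example."""
    required_parties: frozenset = frozenset({"officer-1", "officer-2"})
    window_seconds: float = 60.0
    approvals: dict = field(default_factory=dict)   # party -> time of last approval

    def approve(self, party: str, now: float) -> bool:
        """Record an authenticated approval by `party` at time `now`
        (seconds); returns True once the act is enabled."""
        if party not in self.required_parties:
            return False                 # an unknown principal never counts
        self.approvals[party] = now      # a repeat by the same party only refreshes it
        return self.enabled(now)

    def enabled(self, now: float) -> bool:
        """Discard approvals outside the window, then require every party."""
        self.approvals = {p: t for p, t in self.approvals.items()
                          if 0 <= now - t <= self.window_seconds}
        return self.required_parties <= set(self.approvals)


if __name__ == "__main__":
    # Constructed sequence: the second party arrives 61 s after the first,
    # so the first approval has expired and the act stays disabled.
    ctl = MultiPartyControl()
    print(ctl.approve("officer-1", 0.0))    # False: one party only
    print(ctl.approve("officer-2", 61.0))   # False: officer-1 expired
    print(ctl.approve("officer-1", 70.0))   # True: both within 60 s
```

The two properties a practitioner should check in such a mechanism are visible here: the same party approving twice never substitutes for the second party, and an approval that has aged out of the window cannot be combined with a fresh one.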


- A Within device:
This includes forensic examination of a device and other mechanisms based on presence inside a physical system or facility.

- B Physical at console:
This is presence at the directly connected device intended to control the mechanism locally.

- C Local console switch:
This includes switching devices that allow connection to multiple devices and switching between them, but does not include LAN-based console devices.

- D Local only switched connection:
This includes local telephone lines on the same PBX, a local only switched network, or other similar devices.

- E LAN:
A local area network that extends only to the physical facility and may be connected through a gateway to other networks.

- F Authorized/controlled (or time sequence of) location(s):
This includes absolute and relative location within a framework (e.g., room in building, room in ship, address, city, state, country, etc.) possibly under specific controls (e.g., a cleared facility) and where you are compared to where you were (travel time-based restrictions, only allowed access from one authorized place at a time, etc.).

- G Local radio link:
This includes infrared, Bluetooth, and other similar limited-radius links.

- H Remote over closed infrastructure:
This includes a wide variety of technologies such as campus-wide networks, leased lines, remote telephonic connections, and so forth.

- I Remote over open infrastructure:
This includes the Internet and all variations thereupon.


- B During pre-specified dates and times:
For example, at a bank, tellers should only be able to access financial systems during periods when the bank is open for business and the teller is scheduled to be behind the counter.

- B At dynamically constrained dates and times:
For example, an authorization may be granted for a period of time and from a specific location based on a special condition (e.g., repair personnel during an outage), or be limited based on travel time (e.g., you cannot access from London 1 hour after you accessed from New York), or similar restrictions.

- C Any time:
No time restrictions are used in cases where anytime access is desired.
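The travel-time restriction named under location F and dynamic time B above, together with the teller's pre-specified hours under time B, can be enforced with a few lines of policy logic. The following is an added example, not the author's code: the coordinates, the assumed maximum travel speed, the business hours and the access history are constructed for the example.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0     # assumed upper bound on how fast a person can travel

# Constructed reference points (latitude, longitude) for the page's example.
NEW_YORK = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def check_access(last, now, here, business_hours=(9, 17)):
    """Time-B and location-F policy check.

    last: (datetime, lat, lon) of the user's previous access, or None.
    now:  timezone-aware datetime of the attempt.
    here: (lat, lon) the attempt is coming from.
    Returns (allowed, reason).  Pre-specified hours are checked first,
    then the travel-time constraint against the previous access."""
    if not (business_hours[0] <= now.hour < business_hours[1]):
        return False, "outside pre-specified hours"
    if last is not None:
        t0, lat0, lon0 = last
        hours = (now - t0).total_seconds() / 3600.0
        if hours < 0:
            return False, "clock went backwards"
        if haversine_km(lat0, lon0, *here) > MAX_SPEED_KMH * hours:
            return False, "impossible travel"
    return True, "ok"


if __name__ == "__main__":
    # Constructed history: last access from New York at 09:00 UTC.
    t0 = datetime(2015, 3, 10, 9, 0, tzinfo=timezone.utc)
    last = (t0, *NEW_YORK)
    print(check_access(last, t0 + timedelta(hours=1), LONDON))   # impossible travel
    print(check_access(last, t0 + timedelta(hours=7), LONDON))   # ok
    print(check_access(None, t0 + timedelta(hours=9), LONDON))   # outside hours
```

Note that the travel check only works if the previous access record is trustworthy: if location is self-reported by the client rather than derived from a controlled connection, the check rates no better than the connection it rides on.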


- A Direct physical connection:
This is a physically implemented trusted path. Note that physical devices may be altered or connectors placed between physical devices; this direct connection implies an unaltered path from user input to the system, including such things as proper key mappings and labels on physical devices.

- B Authenticated encrypted links:
This includes encrypted links that are also authenticated, so that the remote machine, facility, or device is authenticated and the traffic encrypted. This is a non-physical trusted path approach.

- C Encrypted links:
This is a connection that is encrypted but not authenticated, such as an SSL link in which the remote end's certificate is not verified, or an SSL session without a password or other authentication of the parties. It also includes carrier encrypted tunnels and other similar mechanisms.

- D Links:
This is any connection without protective mechanisms.
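The difference between connection ratings B and C is a configuration detail that is easy to get wrong. As an added example (not the author's code), here is a Python TLS context built each way and a classifier that maps a context to the rating it earns; the classification rules are an assumption drawn from the definitions above, and no network connection is made.

```python
import ssl


def authenticated_context() -> ssl.SSLContext:
    """Rating B: traffic encrypted and the remote end's certificate verified
    against the system trust store, with the hostname checked."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def encrypted_only_context() -> ssl.SSLContext:
    """Rating C: traffic encrypted, but nobody checks who is on the other end.
    This is the weak setting to recognise in code review."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def rate_connection(ctx) -> str:
    """Map a context (or None for a plain socket) to the page's connection
    rating.  Assumed rule: B needs certificate verification plus hostname
    check, anything else with TLS is C, and no TLS at all is D."""
    if ctx is None:
        return "D"
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "B"
    return "C"


if __name__ == "__main__":
    print(rate_connection(authenticated_context()))    # B
    print(rate_connection(encrypted_only_context()))   # C
    print(rate_connection(None))                       # D
```

Verifying the server certificate authenticates the remote machine, which is what rating B asks for; it says nothing about the user, who is still authenticated by the authenticator element of the rating.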

Changes and updates:

Changes are generally made to password-based and token-based authentication mechanisms and keys for encryption systems.

For passwords:

For tokens:

For encryption keys:

For encryption and token systems:

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved