SSCP: Preventing Local Masquerading Attacks

Best Practices for Authenticating Individuals


Question

How can an individual/person best be identified or authenticated to prevent local masquerading attacks?

Answers

Explanations


A. User ID and password
B. Smart card and PIN code
C. Two-factor authentication
D. Biometrics

D.

The only way to be truly positive in authenticating identity for access is to base the authentication on the physical attributes of the persons themselves (i.e., biometric identification).

Physical attributes cannot be shared, borrowed, or duplicated.

They ensure that you do identify the person; however, they are not perfect and would have to be supplemented by another factor.

Some people are getting thrown off by the term Masquerade. In general, a masquerade is a disguise.

In terms of communications security issues, a masquerade is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism. Spoofing is another term used to describe this type of attack as well.

A UserId only provides for identification.

A password is a weak authentication mechanism since passwords can be disclosed, shared, written down, and more.

A smart card can be stolen and its corresponding PIN code can be guessed by an intruder.

A smartcard can be borrowed by a friend of yours and you would have no clue as to who is really logging in using that smart card.

Any form of two-factor authentication not involving biometrics cannot be as reliable as a biometric system to identify the person.

Biometric identifying verification systems control people.

If the person with the correct hand, eye, face, signature, or voice is not present, the identification and verification cannot take place and the desired action (i.e., portal passage, data, or resource access) does not occur.

As has been demonstrated many times, adversaries and criminals obtain and successfully use access cards, even those that require the addition of a PIN.

This is because these systems control only pieces of plastic (and sometimes information), rather than people.

Real asset and resource protection can only be accomplished by people, not cards and information, because unauthorized persons can (and do) obtain the cards and information.

Further, life-cycle costs are significantly reduced because no card or PIN administration system or personnel are required.

The authorized person does not lose physical characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are continuously lost, stolen, or forgotten.

This is why card access systems require systems and people to administer, control, record, and issue (new) cards and PINs.

Moreover, the cards are an expensive and recurring cost.

NOTE FROM CLEMENT: This question has been generating lots of interest.

The keyword in the question is: Individual (the person) and also the authenticated portion as well.

I totally agree with you that Two Factors or Strong Authentication would be the strongest means of authentication.

However, the question is not asking what is the strongest means of authentication; it is asking what is the best way to identify the user (individual) behind the technology.

When answering questions do not make assumptions to facts not presented in the question or answers.

Nothing can beat Biometrics in such a case.

You cannot lend your fingerprint and PIN to someone else; you cannot borrow one of my eyeballs to defeat the Iris or Retina scan.

This is why it is the best method to authenticate the user.

I think the reference is playing with semantics and that makes it a bit confusing.

I have improved the question to make it a lot clearer and I have also improved the explanations attached to the question.

The reference mentioned above refers to authenticating the identity for access.

So the distinction is being made that there is identity and there is authentication.

In the case of physical security the enrollment process is where the identity of the user would be validated and then the biometrics features provided by the user would authenticate the user on a one to one matching basis (for authentication) with the reference contained in the database of biometrics templates.

In the case of system access, the user might have to provide a username, a PIN, a passphrase, a smart card, and then provide his biometric attributes.

Biometrics can also be used for Identification purposes, where you do a one-to-many match. You take a facial scan of someone within an airport and you attempt to match it with a large database of known criminals and terrorists. This is how you could use biometrics for Identification.

There are always THREE means of authentication, they are:

Something you know (Type 1)
Something you have (Type 2)
Something you are (Type 3)

Reference(s) used for this question:

TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 7)

and Search Security at http://searchsecurity.techtarget.com/definition/masquerade.
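The one-to-one (verification) versus one-to-many (identification) matching described above, combined with the username/PIN/biometric sequence from the system-access case, as an added Python example that is not part of the original question or its references; the templates, PINs and match threshold are constructed values, and real systems use far richer features than a four-number vector.

```python
import hmac
import math

# Constructed sample templates: what enrollment stored for each user.
# Values are made up for illustration only.
TEMPLATES = {
    "alice": (0.10, 0.80, 0.30, 0.55),
    "bob":   (0.90, 0.20, 0.60, 0.15),
    "carol": (0.40, 0.40, 0.70, 0.90),
}
# Constructed "something you know" factor paired with each identity.
PINS = {"alice": "4471", "bob": "9023", "carol": "1188"}
# Assumed tuning value: largest distance still accepted as a match.
MATCH_THRESHOLD = 0.15


def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(claimed_user, probe):
    """One-to-one matching (authentication): the probe is compared only
    against the template of the identity the user claims."""
    template = TEMPLATES.get(claimed_user)
    if template is None:
        return False
    return distance(probe, template) <= MATCH_THRESHOLD


def identify(probe):
    """One-to-many matching (identification): search every enrolled
    template and return the closest one if it is within the threshold."""
    best_user, best_dist = None, float("inf")
    for user, template in TEMPLATES.items():
        d = distance(probe, template)
        if d < best_dist:
            best_user, best_dist = user, d
    return best_user if best_dist <= MATCH_THRESHOLD else None


def authenticate(username, pin, probe):
    """Username only identifies; the PIN (Type 1) and the biometric
    (Type 3) together authenticate. A borrowed PIN alone is not enough,
    because the biometric is bound to the person who enrolled."""
    pin_ok = hmac.compare_digest(PINS.get(username, ""), pin)
    bio_ok = verify(username, probe)
    return pin_ok and bio_ok
```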

To prevent local masquerading attacks, it is essential to ensure that the person accessing a system or resource is indeed who they claim to be. This process is known as authentication. There are several methods for authenticating individuals, including the ones listed in the answer choices.

A. User ID and password: This is the most common authentication method. The user provides a unique user ID (username) and a secret password to access the system. The system compares the provided credentials with those stored in its database; if they match, the user is authenticated and granted access.

However, user ID and password authentication has some weaknesses. Passwords can be guessed, cracked, or stolen. In addition, users tend to choose weak passwords that are easy to guess, which makes it easy for attackers to gain access.

B. Smart card and PIN code: Smart cards are small devices that store a user's digital credentials. The smart card is inserted into a card reader, and the user enters a PIN code to authenticate. This method is more secure than a user ID and password since it requires physical possession of the card and knowledge of the PIN.

C. Two-factor authentication: Two-factor authentication (2FA) requires two forms of authentication to access a system or resource. For example, a user may be required to enter a password and a code sent to their mobile device. This method is more secure than user ID and password since it requires two factors to authenticate, making it more difficult for attackers to gain access.

D. Biometrics: Biometric authentication uses physical characteristics of the user, such as fingerprints, facial recognition, or iris scans, to authenticate the user. This method is more secure than user ID and password since it is difficult to fake or replicate a user's biometric data.

In conclusion, the best method for identifying or authenticating an individual to prevent local masquerading attacks depends on the system's security requirements and the sensitivity of the data being accessed. Biometrics or two-factor authentication are generally more secure than user ID and password authentication. Smart cards and PIN codes provide another layer of security and are also an excellent option for high-security systems.