If you want to pass through a locked door you must have a key for the lock. Possession of that key is a form of authentication. It identifies you as a person who is authorised to open that door. If you want to withdraw money from an ATM your right to do so is authenticated by your knowledge of a PIN, and your possession of a bank card. When you log on to a website you authenticate yourself by entering a user name and password.
Authentication is obviously an important issue in online transactions. You may need to establish that you are someone authorised to log on to a server and access the data stored there. Websites need to prove that they are who they claim, and that it is safe for you to enter your credit card details. If digital documents are to replace posted paper documents there needs to be some reliable method of authenticating senders and signatories.
Though authentication is essential to online dealings, it is much harder to authenticate someone online than in a face-to-face (customer-present) transaction, where the person, their card and their signature can all be inspected on the spot.
It is often stated that there are only three forms of authentication. In fact there are four, and the fourth is particularly important online. You can be authenticated by something you know, by something you have, by some personal attribute, and by someone vouching for you. Online, the first and fourth are by far the easiest to deploy; the second and third need a reader or sensor on the user's side, which is why they have been slower to arrive there.
1. You can be authenticated by something you know, such as a password or PIN. On its own this is a weak form of authentication: passwords are often short, guessable or reused, and anyone who learns one (by guessing, by cracking a stolen password database, or by phishing) can present it exactly as you would.
2. You can be authenticated by something you possess, such as a key or a card. On its own this is also weak, because the object can be lost, stolen or copied, and whoever holds it is indistinguishable from you.
3. You can be authenticated by a unique personal characteristic. Developments in biometrics have made this one of the strongest methods of authentication: a signature, a retinal or iris scan, facial recognition, fingerprints or DNA. The caveat is that a biometric, unlike a password or a card, cannot be replaced if it is ever compromised, and the reading is only as trustworthy as the sensor and the path between the sensor and whoever checks it.
Despite their weaknesses passwords are widely used because methods 2 and 3 are not easily implemented online: both require a sensor or reader, such as a card reader or fingerprint reader, attached to the user's own computer.
4. You can be authenticated by a trusted third party who knows you and vouches for you. That third party must itself have been authenticated earlier and be authorised to vouch for others. This is a weak method offline, but it is widely employed online, where digital certificates issued by certification authorities are used to identify e-commerce websites.
When you begin a transaction with a website it sends a digital certificate to your browser. The certificate binds the site's name to the site's public key, and carries a digital signature from whoever vouches for that binding.
Your browser accepts the certificate because its validity is vouched for by a certification authority [the trusted third party]. The certification authority signs the website's certificate with its own private key. Your browser can check that signature because it already holds the certification authority's own certificate, and with it the authority's public key, in a built-in trust store: a browser ships with a set of certification authority root certificates installed, and a site certificate that does not chain back to one of them is rejected. The browser also checks that the name in the certificate matches the site you are actually visiting; a perfectly valid certificate for some other site proves nothing about this one. In Firefox you can see the installed authorities under Settings / Privacy & Security / Certificates / View Certificates / Authorities (in older versions: Tools/Options/Advanced/View Certificates/Authorities).
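The check described above, as an added worked example (it is not part of the original article and is not any browser's own code): a constructed certification authority signs a certificate for a constructed site, and a small verifier plays the part of the browser, accepting the certificate only when its signature chains to a root in the trust store, it is within its validity period, and the name it carries is the site being visited. The names "Example Root CA", "Rogue CA" and "shop.example" are made up for the example. Go's standard library is used because its crypto/x509 package performs the same chain building and name matching a browser does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on error so the certificate logic below stays readable (demo only).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed root certificate: the certification authority whose
// certificate, and therefore public key, a browser ships with in its trust store.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// Template and parent are the same certificate: the root signs itself.
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueSiteCert has a CA vouch for a website by signing a certificate that binds
// dnsName to a fresh key pair. The site's private key is not needed for the
// checks below, so it is discarded.
func issueSiteCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	siteKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Signed with the CA's private key; anyone holding the CA certificate can check it.
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &siteKey.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// browserAccepts does what a browser does with a site certificate: check that its
// signature chains to a root in the trust store, that it is within its validity
// period, and that the name it carries is the site actually being visited.
func browserAccepts(trustStore []*x509.Certificate, site *x509.Certificate, visiting string) error {
	roots := x509.NewCertPool() // an empty pool trusts nobody; a nil Roots would fall back to the OS store
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	_, err := site.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   visiting,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// runScenarios uses constructed names ("Example Root CA", "shop.example") to exercise
// the good case and two failure cases. All three results should be true.
func runScenarios() (genuineAccepted, wrongNameRejected, forgedRejected bool) {
	ca, caKey := newCA("Example Root CA")
	site := issueSiteCert(ca, caKey, "shop.example")
	rogueCA, rogueKey := newCA("Rogue CA") // anyone can make a CA; the browser simply does not trust it
	forged := issueSiteCert(rogueCA, rogueKey, "shop.example")
	store := []*x509.Certificate{ca} // what the browser shipped with
	genuineAccepted = browserAccepts(store, site, "shop.example") == nil
	wrongNameRejected = browserAccepts(store, site, "other.example") != nil
	forgedRejected = browserAccepts(store, forged, "shop.example") != nil
	return
}

func main() {
	a, b, c := runScenarios()
	fmt.Printf("genuine accepted: %v, wrong name rejected: %v, forged rejected: %v\n", a, b, c)
}
```

The forged case is the one that matters: the rogue CA produces a certificate that names shop.example and is internally perfectly well formed, and it is rejected only because its signature does not chain to anything in the browser's trust store. The example checks the validity period but not revocation, which real browsers also consult. A website that asked for a personal certificate as a second factor would run the same verification with the roles reversed.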
A key for a lock is an example of single factor authentication. ATMs implement two factor authentication by requiring you to insert a card (something you have) and enter a PIN (something you know). Generally, the more independent factors used, the more reliable the authentication. Two factor authentication for online transactions could be implemented by combining a password with a digital certificate: a website could ask you to provide a password and to present a personal digital certificate, proving possession of its private key, when you log on. In practice this is rarely done. Whilst it is easy enough for an individual to buy a personal digital certificate from a certification authority, it is not easy to get one that is secure enough to be worth having, and the private key then has to be kept safe on the user's own machine, which is exactly where a password is most often stolen from.