In this lesson, we discuss the definition of authentication, the types of authentication, credentials, and the authentication process and leadership requirements. In secure networked systems, we verify the identity of a user, a process, or a device before we allow them to access the resources and services provided by the networked system. This is as defined in the NIST Glossary web page. The resources can be computers and storage. The services can be web services, database services, DNS query services, and hosting services.

The creation and verification of identity information is related to identity management. One example is the AWS Integrated Access Management system, IAM for short, which we discussed in the cloud security module. It allows us to create a password, access key, secret key, public key, and private key for a user as credentials for future access. It also ties the entity to certain roles, for example a simple read-only viewer, a power user who can create a managed instance, or an administrator who can create other users, and to certain services such as EC2 or S3. The roles also imply certain privileges in the system. EC2 means Amazon Elastic Cloud 2, and S3 is short for Amazon Simple Storage Services.

The new trends in authentication include, first, single sign-on, which simplifies access to a collection of networked systems by allowing the user to authenticate once, obtain a token, and then use that token to access the rest of the systems. Another popular trend is to use the user's existing credentials on another system, such as Facebook or Google, and rely on the third-party authentication service to verify the identity of the user. It simplifies and shortens the identification process, since the user, in most cases, doesn't have to go through a long registration process. There is an OAuth 2.0 open standard that specifies such access delegation.
Recently, we have started to see many healthcare organizations using multi-factor authentication, including the use of a one-time code in conjunction with a password or secret personal questions.

In secure networked systems, we create credentials for authentication purposes. The types and examples of authentication credentials include things that you know, such as passwords, and documents you have, such as a digital certificate signed by the CA and the related private key. Note that you do not present the private key. You encrypt certain known data with your private key and then present the ciphertext and your digital certificate for others to verify your identity, which is included in the subject field of the digital certificate.

In the OAuth, or open authentication, open standard, the user redirects the authentication request to a third-party identity provider. The user provides their credential information to the third-party identity provider and completes the authentication there. The third party then presents a token or OpenID certificate back to the original authentication process for the user to access the resources.

With a fingerprint reader as an additional interface in a laptop or smartphone, the fingerprint can be used as a credential for verifying the identity of a user. This biometric information is used to authenticate you. The use of a combination of these different types of credentials for verifying the identity of a person is called multi-factor authentication.

The authentication process starts with the system asking a user to present their credentials before accessing the resources and services of the system. Since we do not want hackers to snatch the credentials, we typically establish a secure connection such as SSH before sending the credentials. One of the criteria for choosing credentials is that they cannot be easily guessed or faked. One common practice is to require passwords to be of a certain length, for example more than eight characters, or even 12 characters, with a certain combination of cases and special characters.

In the next lesson, we'll talk about digital certificate creation.
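The multi-factor check described above (a password combined with a one-time code), as an added example that is not part of the original lecture. It assumes the one-time code is a time-based code in the style of RFC 6238 and that the password is stored as a salted PBKDF2 hash; the function names, the record layout, and the sample password and secret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds each one-time code stays valid (assumed value)

def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: the server keeps only a salted, slow hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret: bytes, step_index: int, digits: int = 6) -> str:
    """Possession factor: HMAC-SHA1 over the time-step counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", step_index), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def make_record(password: str, totp_secret: bytes) -> dict:
    """Enrollment: what the server stores for one user (hypothetical layout)."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_step": -1}

def authenticate(record: dict, password: str, code: str, now: float) -> bool:
    """Grant access only when BOTH factors verify."""
    pw_ok = hmac.compare_digest(
        hash_password(password, record["salt"]), record["pw_hash"])
    current = int(now) // STEP
    matched = None
    # Accept the current and the previous time step to tolerate clock drift,
    # but never a step that was already used (blocks replay of a seen code).
    for idx in (current, current - 1):
        expected = totp(record["totp_secret"], idx).encode()
        if idx > record["last_step"] and hmac.compare_digest(expected, code.encode()):
            matched = idx
    if pw_ok and matched is not None:
        record["last_step"] = matched
        return True
    return False

if __name__ == "__main__":
    # Constructed sample user; the secret is the RFC 6238 test secret.
    user = make_record("Correct-Horse-42!", b"12345678901234567890")
    print(authenticate(user, "Correct-Horse-42!", totp(user["totp_secret"], 1), 59))
```

A stolen password alone fails the check, and so does a captured one-time code once it has been used.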