DynaPass Authentication Glossary
Authentication Token
During multi-factor and two-factor authentication processes a device may be used for one-time password generation or OTP transmission. Known as an authentication token, and ranging from a proprietary device to a regular mobile phone, these tokens are used for out-of-band authentication. The token comes up often in discussions of the cost of authentication security because of the expense of producing hardware and of network usage. Downsides to tokens are that they can be misplaced, stolen or broken.
Biometric Authentication
Biometric authentication is when biological measurements, such as the distance between mapped-out points on a fingerprint or in the retina, are used as identifying factors while authenticating a user. During multi-factor and two-factor authentication processes biometrics can be considered the “something you are” factor. However, the high cost associated with this type of authentication, along with the nature of scanning, makes it less desirable.
Cloud Computing Services
By allowing users to access information from any internet connection, cloud computing services offer companies an affordable option for storing and accessing data. The cloud, referring to a network of computers, offers computing services without requiring knowledge of the underlying system; all IT, software and security measures are handled on the cloud company’s end. An example of a cloud computing service that almost everyone has used is Google’s Gmail, which offers email services over the cloud.
Electronic Medical Record (EMR)
Patient data that was once stored on paper in file cabinets is now put into an electronic medical record, or EMR. Patient healthcare information in an EMR can be stored, transmitted and accessed by healthcare facilities, allowing them to offer patient support remotely as well as to work together with other physicians. The security of electronic medical records is driven by the government regulatory compliance obligations of healthcare facilities.
Electronic Protected Health Information (ePHI)
Electronic protected health information, ePHI, is protected healthcare documentation that is created electronically to be accessed, stored and transmitted through computers and mobile devices. The information must identify an individual and relate to physical or mental health conditions, the provision of healthcare, or payment for healthcare.
Family Educational Rights and Privacy Act (FERPA)
The federal legislation FERPA (Family Educational Rights and Privacy Act of 1974) requires protection to be in place for the personally identifiable information (PII) of students. If a school receives federal funding, it is required by government regulatory compliance with FERPA to protect its students’ private information.
Federal Financial Institutions Examination Council (FFIEC)
Standing for Federal Financial Institutions Examination Council, the FFIEC was formed in 1979 and maintains financial institution standards for security, accountability and consistency. The council creates uniform principles for supervising financial institutions through regulatory compliance. These principles are created for federal examination by the FRB, FDIC, NCUA, OCC, MAIC and CFPB.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, became effective as of November 12, 1999; it was enacted by the 106th United States Congress and signed into law by President Bill Clinton. It was an act that allowed financial companies such as commercial banks, investment banks, securities firms, and insurance companies to consolidate. An example of this type of consolidation is Citigroup, which was a merger of Citicorp, a commercial bank, and Travelers Group, an insurance company. The Gramm-Leach-Bliley Act requires financial institutions that offer consumers financial products or services to explain their information-sharing practices to consumers and to safeguard sensitive data. The GLB Act includes the Financial Privacy Rule, the Model Form Rule, the Safeguards Rule and provisions that prohibit pretexting.
Hacking
Hacking is using information or techniques to gain access to confidential systems or networks by bypassing security. Hackers are not always sophisticated computer users, however. Sometimes the hacking is done by a person privy to confidential information that can be used to defeat security. Traditional hacking is often done by someone with computer knowledge looking to fraudulently access a system for personal gain or pleasure, and it often leads to a data breach. Common hacking-related terms are malware, phishing and pharming.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act, known as HIPAA for short, is a set of government regulations for healthcare patient privacy. Created in 1996, the act requires that certain precautions be taken when storing, transferring or accessing confidential patient data. Electronic medical records (EMR) have caused the HIPAA Security Rule guidelines to expand in response to new technology and new forms of data breach.
Machine-to-machine (M2M)
Machine-to-machine, also known as M2M, refers to technologies that enable wireless or wired communication between mechanical or electronic devices. Machine-to-machine allows networked devices to exchange information and perform tasks without the need for human interaction, although humans may maintain, reconfigure, or access data from M2M technology. In machine-to-machine communication, devices (sensors or meters) are used to capture an event (data such as electricity usage) and relay it through a network to an application (software) which turns the event into meaningful information (for example, how to improve energy efficiency). M2M technology is used in many machines we interact with on a daily basis, including city infrastructure, remote patient monitoring and security systems. M2M communication can be used, for example, to efficiently monitor your house’s electricity meter, monitor a patient’s health remotely, or even help you create a shopping list based on what is in your refrigerator. The potential applications of M2M will increase as wireless sensors, networks and computers improve.
Malware
Malware is a term used to describe malicious software such as worms, viruses, backdoors, trojans and rootkits, which are created by an attacker either to collect data or to disrupt the flow of information, sometimes disabling a user’s computer altogether. Malware that steals data is a major issue when it comes to authentication and has been a large part of recent data breaches, since many authentication factors are transmitted to and from our computers.
Man-in-the-Middle Attacks (MITM)
Man-in-the-middle attacks are just what they sound like: an attacker places themselves between a sender and a receiver, intercepting information, changing it along the way, or using it to access confidential data. Man-in-the-middle attacks can take place without the user ever knowing. Malware can be used to gain access to the device, and the stolen information is eventually used to access more sensitive data such as bank records.
Mobile Authentication
Any authentication solution that delivers a factor of the identification process through a mobile device is using mobile authentication. This could be a one-time password transmitted through an SMS text message or even email. An application on a mobile device that generates an OTP offline is also considered mobile authentication.
One-Time Password (OTP)
A one-time password (OTP) is a password that is only valid for one session or transaction. Unlike traditional static passwords, one-time passwords are not vulnerable to replay attacks. This means that if a potential intruder manages to record an OTP that was already used to log into a service or to conduct a transaction, he or she will not be able to use it again, since the password is no longer valid. One-time passwords are generated randomly, which makes them hard to predict. There are different ways to make the user aware of an OTP. Some systems use electronic tokens that the user carries, which generate a one-time password and show it on a small display. Other systems rely on software that runs on a user’s mobile phone, and there are systems that generate one-time passwords on the server side and then send them to the user over an out-of-band channel such as SMS messaging.
Out-of-Band Authentication
Authentication that uses a separate network for transmission of identification factors is considered out-of-band. An example is two-factor authentication when a user logs into an online banking account. When an account holder logs into the bank’s website from their home computer with traditional login credentials, a one-time password may be delivered to their mobile phone through an SMS text message. This mobile OTP is an out-of-band authentication solution because it uses the cellular phone company’s network for transmission, as opposed to the network over which the connection was established.
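The One-Time Password and Out-of-Band Authentication entries describe the same server-side scheme: the server generates a random code, delivers it over a separate channel, and accepts it exactly once. The following Python is an added example (not DynaPass code, and not from the glossary) showing what the verifying side has to do for those properties to hold. The `OtpStore` class, its method names, and the constants `OTP_DIGITS`, `OTP_TTL_SECONDS` and `MAX_ATTEMPTS` are all assumptions made for the example; the delivery channel itself (SMS, authenticator app) is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

# Added example; not DynaPass code. Models the server side of an out-of-band OTP:
# generate a random code, hand it to a separate channel, accept it exactly once.
OTP_DIGITS = 6            # assumed code length
OTP_TTL_SECONDS = 120     # assumed validity window
MAX_ATTEMPTS = 3          # assumed wrong-guess budget per issued code


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode("ascii")).hexdigest()


class OtpStore:
    """Issues one-time passwords and verifies each at most once (hypothetical class)."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested offline
        self._pending = {}             # user -> {"hash", "expires_at", "attempts"}

    def issue(self, user: str) -> str:
        # secrets (not random) gives an unpredictable code, which is what makes it hard to guess
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Only the hash is kept server-side, so a leaked store does not expose live codes
        self._pending[user] = {
            "hash": _digest(code),
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The caller hands the code to the out-of-band channel (SMS, authenticator app);
        # it must never be echoed back into the web session that requested it.
        return code

    def verify(self, user: str, code: str) -> str:
        """Returns 'ok', 'expired', 'invalid' or 'no_code'.

        A code is consumed on success, on expiry, and after MAX_ATTEMPTS wrong
        guesses, so both replay of a used code and brute forcing of a live one fail.
        """
        entry = self._pending.get(user)
        if entry is None:
            return "no_code"                      # nothing outstanding, or already used
        if self._clock() > entry["expires_at"]:
            del self._pending[user]
            return "expired"
        # Constant-time comparison of digests avoids leaking how many characters matched
        if hmac.compare_digest(entry["hash"], _digest(code)):
            del self._pending[user]               # single use: the same code is never valid again
            return "ok"
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]               # too many guesses: force a fresh code
        return "invalid"


def demo():
    """Issues a code, accepts it once, then shows that a replay of the same code is rejected."""
    store = OtpStore()
    code = store.issue("alice")            # would be sent by SMS in a real deployment
    first = store.verify("alice", code)    # "ok"
    replay = store.verify("alice", code)   # "no_code": the recorded code is worthless now
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The three consumption points in `verify` are the substance of the entry: deleting on success is what makes the password one-time, deleting on expiry bounds how long an intercepted SMS is useful, and deleting after a few wrong guesses keeps a six-digit code from being searched while it is live. Keeping only a hash server-side is a design choice so that a read of the store by an attacker does not hand them codes that are still valid.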
Pass Code
A pass code is a numeric-only form of password. The most common pass code, used by almost everyone, is the PIN for an ATM; a personal identification number is purely numeric. Pass codes do not offer a high level of security because brute-force cracking of them is much easier.
Pharming
The term pharming refers to hijacking a website by redirecting DNS or changing the hosts file to direct traffic to a fraudulent site. It is used in online identity theft to steal information and has been used to target e-commerce and online banking websites. Pharming is a play on the word farming, just as phishing is a play on the word fishing.
Phishing Attacks
In internet security, phishing refers to a cyber attack in which criminals fraudulently identify themselves as a company you do business with through emails, on websites or even through hacked software. An attacker will illegally brand their website or correspondence, possibly with a large corporation’s branding, and solicit information that can be used during an authentication process. Phishing is a play on the word fishing because hackers are baiting the victim into divulging confidential information that could be used for data breaches. Because of phishing attacks, companies add a warning to information sent to customers and to login pages stating that no one from or associated with the business will ask for private data.
Smartphone
Mobile phones with more advanced computing platforms are known as smartphones. Smartphones typically run applications with more functionality than traditional mobile phones as well as offering higher resolutions, touch screens and web browsing capabilities. Some authentication methods utilize smartphone technology for transmission of a one-time password through mobile applications.
Strong Password
Not all passwords are created equal, and a weak password can be easy to hack or crack. A strong password can protect against hacker attacks and social engineering by consisting of more characters than usual and by using mixed case, symbols and numbers. Breaking up whole words and using both cases can make a password more secure. For example, the password “authentication” could be cracked fairly easily, whereas the password “Auth3nticati0n$” would be extremely difficult to hack, crack or figure out from personal information, making it a strong password.
Two Factor Authentication Token
In the two-factor authentication process, which uses “something you have,” the two-factor authentication token refers to a physical item such as a USB token or a smart card that the user possesses. A commonly used two-factor authentication token is a USB token that a user plugs into a computer’s USB port to authenticate themselves. Two-factor authentication tokens can be useful for organizations whose employees need to access company data stored in different forms, such as websites and company applications, where a token is easy and convenient to use instead of remembering multiple static passwords.
Two Factor Authentication – Dual Factor Authentication (2FA)
Two-factor authentication (TFA or 2FA) is also called strong authentication and is a security process that requires two independent mechanisms for authentication. Two-factor authentication implies the use of two out of the three factors to assert an entity’s identity to another entity. The three factors are: something you know, like a Personal Identification Number (PIN); something you have, like a mobile device for receiving a one-time password, or an ATM card; and something you are, like a face scan, iris scan or your fingerprint. Two-factor authentication is generally used in electronic computer authentication where stronger means of authentication are needed to protect sensitive data. For example, electronic protected health information (ePHI) on a computer accessed by many different individuals can be exposed, resulting in HIPAA fines and violations for the medical institution. Two-factor authentication can be used in these cases to decrease the probability of an unauthorized user accessing this information.
User Authentication
User authentication refers to identifying a user or entity and verifying that they are allowed access to a restricted resource. The most common way of identifying a user is through a username and static password. Sometimes the term refers to the CAPTCHA process of authenticating a user as human. In network security, user authentication refers to identifying a user along with the level of authorization their account may receive.
Web Access Management
Web access management refers to security controls used to identify a user for authorized remote access. The web access management process begins with authentication of the user based on a policy. At this point the system will usually log the user’s access for reporting and auditing, and optionally provide single sign-on access.