08-16-2005, 07:55 AM
Barry Margolin
Re: Sign On Authentication

In article <43016b0d@news.uni-ulm.de>, Volker Birk <bumens@dingens.org>
wrote:

> In comp.security.misc Barry Margolin <barmar@alum.mit.edu> wrote:
> > > Is there a way to automatically authenticate a user, not the user's
> > > computer, when he logs in to a website? The reason for this is to validate
> > > that a multiple choice test that is taken was performed by Bob X and not by
> > > Charles Y in a distance learning application.

> > Isn't this normally done with a username and password prompt? It can be
> > improved with token-based authentication like SecurID or Defender.

>
> No, it isn't.
>
> Every user who has the security token can log in.
>
> Passwords (and any other security token) only work if the user
> who owns the password has no interest in sharing it.


OK, if you don't trust the users, then I don't think there's any way to
accomplish your goal with the stated restrictions. Complete
identification and authentication requires three factors:

1) Who you are
2) What you have
3) What you know

A token implements #2, a password implements #3, but both of these can
be shared. To implement #1, you need to use biometrics, which requires
special hardware. But you specifically said that you can't require
hardware like a fingerprint reader.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
