First day at work. Have to remember that password.
All of us, at some stage, have had to rock up to our first day of work, been shown our desk and directed to the coffee machine, and had IT kindly provide us with our credentials for accessing the PC. Normally these will be in the form of a username and password. The username is usually our name or company email address (common for Office 365), and we then log on to the desktop and access our welcome email and the programs that we need to do our work. The purpose of doing this is to verify the identity of the person who is accessing the system and the company's internal information. The flip side is that it presents a hurdle for those who do not have authorisation to access the system, the assumption being that if you do not know the secret key then access will be denied.
Password verification, what happens behind the scenes.
Organisations normally keep their core programs and data on a central server, held either locally or remotely (in the cloud). When you sign in to the system, your details are transmitted to the server and compared with the user library; if the details (username and password) correspond, access is granted. Occasionally the server may request a new password from the user, which then updates the library. The reason for this is that it makes the user responsible, as they are the only one who knows the password. This kind of verification relies on details that only the employee would know.
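As an added illustration (not code from this article or from any particular product), the sketch below shows one way a server could carry out the comparison and the forced password change described above. It assumes the user library stores a salted PBKDF2 hash rather than the password itself; the class, method names and sample credentials are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so the library never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class UserLibrary:
    """Hypothetical user library: username -> (salt, hash, must_change)."""

    def __init__(self):
        self._records = {}
        # Dummy record so an unknown username costs the same work as a known one.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_key = _derive(secrets.token_hex(16), self._dummy_salt)

    def set_password(self, username, password, must_change=False):
        salt = secrets.token_bytes(16)  # fresh salt on every change
        self._records[username] = (salt, _derive(password, salt), must_change)

    def verify(self, username, password):
        """Return 'denied', 'granted' or 'change_required'."""
        known = username in self._records
        salt, key, must_change = self._records.get(
            username, (self._dummy_salt, self._dummy_key, False))
        # Constant-time comparison avoids leaking how many bytes matched.
        matches = hmac.compare_digest(_derive(password, salt), key)
        if not (known and matches):
            return "denied"
        return "change_required" if must_change else "granted"

    def change_password(self, username, old, new):
        # The old password must verify and the new one must differ from it.
        if self.verify(username, old) == "denied" or old == new:
            return False
        self.set_password(username, new)
        return True


if __name__ == "__main__":
    library = UserLibrary()
    # Constructed sample: IT issues a temporary first-day password.
    library.set_password("new.starter@example.com", "Temp-Pass-01", must_change=True)
    print(library.verify("new.starter@example.com", "Temp-Pass-01"))
    library.change_password("new.starter@example.com", "Temp-Pass-01", "only I know this")
    print(library.verify("new.starter@example.com", "only I know this"))
```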
How do certificates work then?
The other method is to use a certificate, which requires transferring digital bits of information across a network. The example given is a wearable smart card that can open the front turnstiles, operate the lift and unlock the computer console. This is the private key of the client user confirming the public key of the server (see related article). When the user logs into the server, the public certificate or key sends a digital piece of information that verifies their identity. That is then confirmed against the certificate, which establishes a level of trust, and the resources are then made available. This determines authenticity, as the user has something that only they have in their possession.
If the user is asked for a password on top of that, this adds a second level: something only they would know. This is a form of two-factor authentication. All transmissions between the workstation and the server are encrypted (usually by Secure Sockets Layer, SSL) to ensure that these details are not intercepted or tampered with in any way.
The type of organisation and the sensitivity of the information it holds determine the effort required and the suitability of these methods of authentication, or whether a mix of the two would be appropriate.
If you need any assistance with data protection see our Services page.