8. The Means of Cybersecurity: Access Control 187

increases the odds of the other. How to balance the two is determined by the relative priority of security and availability, another security trade-off like the ones we saw in Chapter 5.

Authentication is composed of two phases: the enrollment phase and the recognition phase. During the enrollment phase, the user's access credentials are registered and stored in an authentication database. The user either creates a username or is assigned one. The system makes sure that the username is unique among all the registered users on the system. Email addresses are sometimes used as usernames because they tie the account to an external mailbox whose control can be verified. Usernames may or may not be associated with a person's legal name. During the enrollment phase the user also provides, or is given, an authentication token. An authentication token is an artifact (a password, for example) that the user can later present to prove they are the holder of the account. The username and token are stored together in the authentication database. Users need to go through the enrollment phase only once: accounts are registered the first time a person uses a computer or visits a website. Figure 8.1 shows a minimal account registration page.

Figure 8.1 An account registration page—the enrollment phase for password-based authentication.

After enrollment, users go through the recognition phase each time they need to access their account. During the recognition phase, the user's identity is validated. Unlike the enrollment phase, the recognition phase is repeated frequently. This phase starts with the identification step: users are asked to identify themselves by inputting their username. Usernames are not necessarily secret, and nothing prevents a user from inputting another person's username. Once the username is entered, the computer asks for proof, in effect saying, "How do I know you are who you claim to be?" This is the authentication question.
At this point the user provides their authentication token. The system compares it against the value stored in the authentication database for that username; if it matches, the user is authenticated, and if it does not, access is refused. For password-based authentication the database should hold not the password itself but a salted one-way hash of it, so the comparison is between the hash of the submitted password and the stored hash; a breach of the database then does not directly hand an attacker every user's token.
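The two phases described above, worked through as an added example of password-based enrollment and recognition in Python. This is not code from the book; the in-memory AUTH_DB dictionary, the PBKDF2 work factor, and the sample usernames and passwords are assumptions of the example.

```python
import hashlib
import hmac
import os

# Stand-in for the authentication database: username -> (salt, derived token).
# An in-memory dict is an assumption of this example; a real deployment persists it.
AUTH_DB = {}

# Work factor for PBKDF2-HMAC-SHA256; chosen for the example, tune for your hardware.
PBKDF2_ITERATIONS = 600_000

# Fixed salt used only to equalize timing for unknown usernames (never stored).
_DUMMY_SALT = b"\x00" * 16


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation of the password; this is what gets stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(username: str, password: str) -> bool:
    """Enrollment phase: register a unique username with a salted hash of its token.

    Returns False if the username is empty or already registered, so the
    uniqueness check happens before anything is written.
    """
    if not username or username in AUTH_DB:
        return False
    salt = os.urandom(16)                # per-user random salt
    AUTH_DB[username] = (salt, _derive(password, salt))
    return True


def authenticate(username: str, password: str) -> bool:
    """Recognition phase: identification (username lookup) then authentication.

    The caller learns only success or failure; the same False is returned for an
    unknown username and for a wrong password so the response does not reveal
    which usernames exist.
    """
    record = AUTH_DB.get(username)
    if record is None:
        _derive(password, _DUMMY_SALT)   # burn the same time as a real check
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(_derive(password, salt), stored)


if __name__ == "__main__":
    # Constructed walk-through of both phases with made-up credentials.
    assert enroll("alice", "correct horse battery staple")
    assert not enroll("alice", "anything")          # username already taken
    print("alice/right password:", authenticate("alice", "correct horse battery staple"))
    print("alice/wrong password:", authenticate("alice", "Tr0ub4dor&3"))
    print("unknown user:        ", authenticate("mallory", "correct horse battery staple"))
```

The example returns the same result for a wrong password and for an unknown username, and spends the same derivation time in both cases: usernames are not secret, but confirming which ones exist still helps an attacker choose targets.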