Authentication, Authorisation and Access Control (AAA)
Context: Authentication is the process of identifying an entity, usually a user, to a system, providing confidence that the entity is genuine and is not attempting a “masquerade or unauthorised replay” of a previous connection. Key user inputs for authentication can include (1) something you know, such as a password or PIN that can be remembered, (2) something you have, in the form of a token that the user can carry such as an ATM card, smart card or mobile phone, or (3) something you are, e.g. a biometric such as a fingerprint identifying the user. Different authentication scenarios exist in various forms and to varying degrees between users and devices, particularly user-to-device authentication and device-to-device authentication.
As ICT advancement facilitates increased ease and convenience of accessing ever-increasing volumes of information, access control approaches aim to properly regulate the exchange of information and support privacy-preserving interactions among parties. However, defining such access control frameworks is still a significant research and technology challenge. While initially more oriented towards direct user authentication, it is increasingly recognised that not all access control decisions are necessarily identity-based. Hence, efforts are increasingly focused on credential-based and attribute-based specifications, supported by certification authorities and an understanding of the broader properties/characteristics that a party requiring access may have. For example, understanding a person’s role (e.g. doctor, IT administrator) or a person’s nationality or date of birth may be more relevant than the user’s identity when making the access control decision.
Attempts to support authentication should be judged on criteria such as (1) the ease of use of the solution, (2) its ability to provide strong security guarantees, and (3) its ability to preserve privacy.
Challenges: Key research challenges relate to the persistence of text-based passwords as the predominant form of user authentication, whereby users are forced to remember an increasing number of passwords across a range of accounts – suggesting a significant need for alternatives. Password managers have been developed, although adoption among mainstream users remains low and usability issues persist. Single sign-on services also exist, with the most popular ones driven by large IT vendors (e.g. Facebook and Google) – however, significant data privacy concerns make such formats unattractive. Two-factor authentication has been more successful in addressing traditional password-based shortcomings, in that the scheme requires an additional password delivered via a second, independent channel.
Challenges also exist around authenticating devices to users (e.g. ensuring integrity of a bank’s web server to a user prior to them entering sensitive credentials) as well as authenticating between devices in an automated manner without the overhead of human intervention.
Other initiatives include supporting increased expressiveness of access control criteria while maintaining practical usability (e.g. via XACML and ontology-based semantic web solutions), development of anonymous credentials that support users in only revealing what is necessary and in maintaining privacy (e.g. U-Prove, Idemix), increasing use of contextual information (e.g. fingerprinting techniques), improving integration with pervasive web technologies and standards, and supporting co-ordinated access management for distributed infrastructures that are typically co-managed with third parties (e.g. in the cloud computing services context).
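As an added illustration of the attribute-based decisions described above (a small policy decision point in the spirit of XACML, not code from the original page), the following Python evaluates a request on role, action, resource and date of birth rather than on identity, fails closed when an attribute is missing, and combines rules with deny-overrides. The clinical-records policy, the attribute names and the fixed clock are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

# A request is a bag of attributes about subject, resource and action; no identity needed.
Attributes = Dict[str, object]

@dataclass
class Rule:
    effect: str                               # "Permit" or "Deny"
    condition: Callable[[Attributes], bool]   # predicate over request attributes
    description: str = ""

def age_on(dob: date, today: date) -> int:
    """Whole years between date of birth and `today`."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def evaluate(rules: List[Rule], request: Attributes) -> str:
    """Deny-overrides: any applicable Deny wins; else Permit if one applies; else NotApplicable."""
    decision = "NotApplicable"
    for rule in rules:
        try:
            applicable = rule.condition(request)
        except KeyError:          # attribute absent: the rule does not apply (fail closed)
            applicable = False
        if not applicable:
            continue
        if rule.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision

TODAY = date(2024, 1, 1)   # fixed clock so results are reproducible (constructed)

# Constructed policy for a hypothetical clinical-records service.
RECORDS_POLICY = [
    Rule("Permit", lambda r: r["role"] == "doctor" and r["action"] == "read"
         and r["resource"] == "patient-record", "clinicians may read records"),
    Rule("Permit", lambda r: r["role"] == "it-admin" and r["action"] == "backup",
         "administrators may run backups but not read records"),
    # Deny unless adulthood is proven: a missing date of birth also triggers the Deny.
    Rule("Deny", lambda r: "dob" not in r or age_on(r["dob"], TODAY) < 18, "minors denied"),
]

def make_request(role: Optional[str] = None, action: Optional[str] = None,
                 resource: Optional[str] = None, dob: Optional[str] = None) -> Attributes:
    """Build a request; attributes left as None are omitted, as if the caller never supplied them."""
    attrs = {"role": role, "action": action, "resource": resource,
             "dob": date.fromisoformat(dob) if dob else None}
    return {k: v for k, v in attrs.items() if v is not None}

def decide(request: Attributes) -> bool:
    """Enforcement point: only an explicit Permit grants access; NotApplicable is treated as deny."""
    return evaluate(RECORDS_POLICY, request) == "Permit"
```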