Many companies I work with are interested in beefing up end-user authentication. Usually, this means they're considering going beyond the standard Windows name-and-password logon to bring in smartcards, physical tokens, or biometric identifiers. And as you've probably seen in Windows 8 TV commercials by now, Windows 8 adds Picture Passwords to the mix.
But you can't improve authentication if you don't really understand how Windows logon and authentication work under the hood. I find that most people -- even many security admins -- have only a vague idea. The key to getting a clue is to realize the differences among the main components in the authentication cycle.
Let's start from square one: Digital authentication happens when someone using a particular identity proves that identity to the system to which access is desired. The identity can be represented by a user name, a digital certificate, or another unique item within the authentication namespace. Unlike a password, an identity isn't meant to be secret.
The person possessing the identity must prove sole ownership of the identity by presenting information only he or she possesses, known as an authenticator. This can be a password, a private cryptographic key, a biometric trait, and so on. Successfully submitting the correct secret and having it verified by an access control system is the actual process of authentication. Once a person's identity has been authenticated, the computer system or network then trusts the identity, and the identity is subsequently used for access control and auditing.
People sometimes mix up the identity with the authenticator. For example, a biometric fingerprint is an authenticator, not an identity. Usually, when someone logs on using a fingerprint and proves ownership of the identity, the fingerprint won't be flying around the network to control access; that role is typically handled by an authentication protocol. In Microsoft Windows, if you successfully log on to the computer using a password, smartcard, or biometric device, Windows then relies on its authentication protocols (such as LAN Manager, NTLMx, or Kerberos) to do the heavy lifting.
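You can see this division of labor in your own Security log: a successful logon (event ID 4624) records the identity and the authentication package that did the heavy lifting, never the authenticator itself. The PowerShell below is an added example, not code from the article; it assumes it runs elevated on a Windows host where the Security log is readable, and `$MaxEvents` is a hypothetical tuning knob, not a Windows setting.

```powershell
# Added example: summarise which authentication protocol actually handled each
# recent logon, and which identities still depend on the legacy NTLM family.
# Assumption: elevated session; $MaxEvents is a hypothetical knob of this script.
$MaxEvents = 500

# Event ID 4624 = successful logon. The XPath filter avoids reading the whole log.
$events = Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624]]" `
    -MaxEvents $MaxEvents -ErrorAction Stop

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        # The identity is what the audit trail carries; the password, PIN or
        # fingerprint that proved it is never written here.
        Identity     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType    = $d.LogonType                 # 2 interactive, 3 network, 10 RDP ...
        AuthPackage  = $d.AuthenticationPackageName # Kerberos, NTLM, Negotiate
        LogonProcess = $d.LogonProcessName          # User32, Advapi, NtLmSsp ...
        Source       = $d.IpAddress
    }
}

# Which protocol is doing the heavy lifting, and for which logon types?
$rows | Group-Object AuthPackage, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Baseline before changing the front-end authenticator: who still gets
# authenticated over NTLM on the wire regardless of how they logged on?
$rows | Where-Object { $_.AuthPackage -eq 'NTLM' } |
    Select-Object Time, Identity, LogonType, LogonProcess, Source |
    Format-Table -AutoSize
```

Swapping a password for a smartcard changes the first table only indirectly: an interactive smartcard logon still shows up as Kerberos on the network, which is exactly the point the article makes.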