Local user access to computer system resources has the following characteristics:
- the entire authentication and access control mechanism is located within the same security perimeter;
- the user interface is adjacent to the security perimeter;
- the reliability of the authentication system is compromised once the security perimeter is breached.
Examples of computer systems with local authentication: portable personal computers and stand-alone workstations (the drawback for an organization is that each computer has to be administered individually).
If the security perimeter is trusted, easy-to-remember reusable passwords or RS codes can be used (the only possible attack is interactive password guessing). Biometric authentication can be used for user convenience. Since it is difficult in practice to guarantee that the perimeter cannot be reached, the following protective measures can be applied in addition:
- Locking the workstation (PC) while the user is absent (vulnerable to attacks that replace the operating system or open the system unit).
- Auditing access to PC resources (so that an intruder leaves traces).
- Access control to PC resources (vulnerable to planted software implants (backdoors), replacement of the operating system, and opening of the system unit).
- Placing the most confidential data on a server of the local network (additional authentication will be required).
- Encrypting confidential information on the PC (this requires knowledge of an additional secret, the encryption key, which is safer than access control implemented in software, because such software is vulnerable to modification).
When a user accesses the resources of a computer system remotely, the following authentication schemes can be used.
Direct remote authentication
With direct authentication there is either a single service point (server), or each service point authenticates its users independently (keeps its own account database).
With direct authentication, changes to the account database take effect immediately (the drawback is lower reliability because of the high degree of centralization). Threats that arise from this: attacks on the remote client workstations and on the communication lines (which rule out biometrics and reusable passwords).
The direct authentication exchange is protected by cryptographic protocols based on one-time passwords (S/Key) or on a "handshake" (Challenge Handshake Authentication Protocol, CHAP).
The direct authentication scheme becomes inconvenient when the above conditions are not met (a user has to register several times when additional servers are installed, and a network with a single server is difficult to scale).
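As an added illustration of the one-time-password approach that S/Key takes (example code written for this page, not part of the original text), here is a simplified hash-chain login in Python with both the client and the server side. It assumes SHA-256 in place of S/Key's MD4-based folding and a constructed seed, and shows why an OTP captured on the communication line cannot be replayed.

```python
import hashlib

def _h(data: bytes) -> bytes:
    # One chain step. Real S/Key uses MD4 folded to 64 bits; SHA-256 is an assumption here.
    return hashlib.sha256(data).digest()

def chain(seed: bytes, n: int) -> bytes:
    """Apply the one-way function n times: h^n(seed)."""
    x = seed
    for _ in range(n):
        x = _h(x)
    return x

class OtpServer:
    """Service side: stores only the counter and the last verified value h^count(seed)."""
    def __init__(self, count: int, last: bytes):
        self.count = count
        self.last = last

    def verify(self, otp: bytes) -> bool:
        # The client presents h^(count-1)(seed); hashing it once must give the stored value.
        # count == 0 means the chain is exhausted and the user must re-enroll.
        if self.count <= 0 or _h(otp) != self.last:
            return False
        self.count -= 1      # accept and advance: this OTP can never be accepted again
        self.last = otp
        return True

class OtpClient:
    """Client side: holds the secret seed (e.g. derived from a passphrase)."""
    def __init__(self, seed: bytes, n: int):
        self.seed, self.n = seed, n

    def enroll(self) -> OtpServer:
        # Registration over a trusted channel: the server receives n and h^n(seed), not the seed.
        return OtpServer(self.n, chain(self.seed, self.n))

    def next_otp(self, server_count: int) -> bytes:
        # The server announces its counter; the client answers with h^(count-1)(seed).
        return chain(self.seed, server_count - 1)

def demo() -> dict:
    client = OtpClient(seed=b"constructed-demo-seed", n=5)  # constructed seed, short chain
    server = client.enroll()
    first = client.next_otp(server.count)
    accepted = server.verify(first)
    replayed = server.verify(first)  # an eavesdropper replays the captured OTP
    second = server.verify(client.next_otp(server.count))
    return {"first": accepted, "replay": replayed, "second": second, "remaining": server.count}
```

The server never holds the seed, so a compromised account database yields only values from which earlier chain elements cannot be derived.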
Indirect remote authentication
Because the service server relies on a separate authentication server, an additional threat appears: forgery of the responses of the authentication server or of the service server.
To increase fault tolerance, automatic replication of the account database between several authentication servers is supported, which also distributes the load between them (problems can arise when the computer systems of different organizations are combined and it becomes necessary to trust user authorization performed by an authentication server that belongs to another organization).
Off-line (autonomous) authentication with remote access
Autonomous authentication combines the advantages of the local, direct, and indirect authentication schemes:
- authentication takes place on the local computer without establishing a real-time network connection;
- the authentication and access control mechanisms are combined in one computer;
- the privileges of registered users can be managed centrally.