Learn the basics of authentication before you invest in fancy biometric solutions or elaborate two-factor schemes

Many companies I work with are interested in beefing up end-user authentication. Usually, this means they're considering going beyond the standard Windows name-and-password logon to bring in smartcards, physical tokens, or biometric identifiers. And as you've probably seen in Windows 8 TV commercials by now, Windows 8 adds Picture Passwords to the mix.

But you can't improve authentication if you don't really understand how Windows logon and authentication work under the hood. I find that most people, even many security admins, have only a vague idea. The key to getting a clue is to realize the differences among the main components in the authentication cycle.

Authentication 101

Let's start from square one. Digital authentication happens when someone using a particular identity proves that identity to the system to which access is desired. The identity can be represented by a user name, a digital certificate, or another item that is unique within the authentication namespace. Unlike a password, an identity isn't meant to be secret.

The person possessing the identity must prove sole ownership of it by presenting information only he or she possesses, known as an authenticator. This can be a password, a private cryptographic key, a biometric trait, and so on. Submitting the correct authenticator and having it verified by the access control system is the actual process of authentication. Once a person's identity has been authenticated, the computer system or network trusts that identity, and it is the identity, not the authenticator, that is subsequently used for access control and auditing.

People sometimes mix up the identity with the authenticator.
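The cycle just described, as an added illustration in runnable form (this is example code written for this page, not code from the article or from Windows): the identity is public, the authenticator is checked exactly once, and everything after that, access control and audit alike, consults only the identity carried by the session. The verifier store, ACL, session store, audit log, user names and resource names are all constructed here; PBKDF2 stands in for whatever verifier a real system holds.

```python
"""Toy model of the logon cycle: a public identity, a secret authenticator
that is verified once, and a session that afterwards stands in for the
authenticated identity during access control and auditing.

Added illustration, not Windows code or the author's code. The verifier
store, ACL, session store and audit log are all constructed here.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000


def make_verifier(password: str) -> Tuple[bytes, bytes]:
    """Store a salted hash of the authenticator, never the authenticator itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Session:
    identity: str   # the identity the system now trusts; not a secret
    token: str      # derived credential handed back to the caller; this IS a secret


@dataclass
class AuthSystem:
    verifiers: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    acl: Dict[str, Set[str]] = field(default_factory=dict)       # resource -> allowed identities
    sessions: Dict[str, Session] = field(default_factory=dict)   # token -> session
    audit: List[tuple] = field(default_factory=list)

    def enroll(self, identity: str, password: str) -> None:
        self.verifiers[identity] = make_verifier(password)

    def authenticate(self, identity: str, password: str) -> Optional[Session]:
        """The only step that ever sees the authenticator."""
        stored = self.verifiers.get(identity)
        if stored is None:
            self.audit.append(("logon_failed", identity))
            return None
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):   # constant-time compare
            self.audit.append(("logon_failed", identity))
            return None
        session = Session(identity=identity, token=secrets.token_hex(16))
        self.sessions[session.token] = session
        self.audit.append(("logon_ok", identity))
        return session

    def access(self, token: str, resource: str) -> bool:
        """After logon only the identity behind the session matters; the
        password (or card, or fingerprint) is never consulted again."""
        session = self.sessions.get(token)
        if session is None:
            self.audit.append(("access_denied", "<no session>", resource))
            return False
        allowed = session.identity in self.acl.get(resource, set())
        self.audit.append(("access_ok" if allowed else "access_denied", session.identity, resource))
        return allowed


def demo() -> Dict[str, object]:
    """Constructed walk-through: one user, one wrong guess, one good logon."""
    system = AuthSystem()
    system.enroll("alice", "correct horse battery staple")
    system.acl["payroll"] = {"alice"}
    system.acl["hr"] = {"bob"}

    wrong = system.authenticate("alice", "guess")   # None: authenticator not proven
    session = system.authenticate("alice", "correct horse battery staple")
    own_access = session is not None and system.access(session.token, "payroll")
    denied = session is not None and system.access(session.token, "hr")

    # Whoever holds the token needs no authenticator at all. Copying it is
    # the stolen-hash / stolen-ticket problem in miniature.
    copied_token = session.token if session else ""
    replayed = system.access(copied_token, "payroll")
    return {"wrong_password": wrong, "own_access": own_access,
            "denied_elsewhere": denied, "replayed": replayed, "audit": system.audit}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the audit trail contains: identities and decisions, never the password. That is the sense in which the identity, not the authenticator, is what the system uses once logon has succeeded.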
A biometric fingerprint, for example, is an authenticator, not an identity. When someone logs on using a fingerprint and thereby proves ownership of the identity, the fingerprint won't be flying around the network to control access; that role is handled by an authentication protocol. In Microsoft Windows, once you successfully log on to the computer using a password, smartcard, or biometric device, Windows hands off to its authentication protocols (LAN Manager, NTLM, or Kerberos) to do the heavy lifting.

Adding advanced authentication

Only when you understand the basics of authentication do you realize what "advanced" logon methods, such as smartcards, biometrics, and other two-factor mechanisms, can and can't give you.

Basically, these advanced methods prevent a bad actor from easily logging on or authenticating as a specific identity: it's harder for the malicious person to be accepted as someone he or she is not. Advanced authentication mechanisms are great for meeting that challenge, simply because defeating a biometric or two-factor method takes more effort than stealing or cracking a password.

But advanced authentication won't prevent all hacking. For instance, I've encountered customers who mistakenly believe that smartcards will prevent hackers from penetrating their network. If an attacker can get onto a computer as local administrator (or root) by some other means, they can steal what is in effect the ultimate authenticator, the credential material the logon left behind, and begin to impersonate its true owner. On Windows, an elevated attacker can steal a smartcard user's password hash or Kerberos tickets and use NTLM or Kerberos to authenticate as that smartcard user to other computers.

The original Windows computer that was compromised was responsible for authenticating the smartcard user and requiring a valid smartcard logon.
But once a smartcard user has been authenticated, his or her identity has been accepted, and the traditional authentication protocols kick in. From then on the user's identity is represented by password hashes or Kerberos tickets. Smartcard users can have their identities "stolen" and used across the network even though the attacker has neither their smartcards nor their PINs. Neither smartcards nor other two-factor mechanisms nor biometrics can prevent stolen-credential attacks such as pass-the-hash.

I help clients install advanced authentication techniques all the time, but I make sure not to oversell the protection they provide. They beat passwords in most use cases, but they're no panacea and won't solve every hacker-related problem.

This story, "Advanced authentication can't cure all security ills," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.
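Since smartcards cannot stop a stolen hash or ticket from being replayed, the practical defence is to notice the replay. The following is an added example written for this page (not the author's code and not a Microsoft tool) of the kind of review a practitioner can run over logon events for accounts that must use a smartcard. The events are constructed in a simplified key=value form, not real Windows 4624 records, although the field names (TargetUserName, LogonType, AuthenticationPackageName, WorkstationName, IpAddress) follow those of event 4624; the set of smartcard-required accounts is assumed to come from the account's "smart card is required for interactive logon" flag in Active Directory. Two things are flagged per event: NTLM authentication, which can only have come from the account's NT hash, and a network logon (type 3) from a source address where the account never had an interactive (type 2) logon in the same data. Neither is proof on its own. The workstation where the smartcard logon happened legitimately ends up holding the account's NT hash so that NTLM still works from it, which is exactly why an NTLM logon from the user's own machine is expected; the combination with an unfamiliar source is what deserves a look.

```python
"""Heuristic review of logon events for smartcard-required accounts.

Added example; the events and account list below are constructed for this
page and the key=value layout is a stand-in for real Windows event data.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed to be exported from AD's userAccountControl SMARTCARD_REQUIRED flag.
SMARTCARD_REQUIRED: Set[str] = {"CORP\\alice", "CORP\\svc-backup"}

# Constructed sample: alice logs on interactively at her own workstation, then
# her account appears via NTLM from a host she never touched with her card.
EVENTS = """\
EventID=4624 TargetUserName=alice TargetDomainName=CORP LogonType=2 AuthenticationPackageName=Kerberos WorkstationName=WS-ALICE IpAddress=10.0.1.15
EventID=4624 TargetUserName=alice TargetDomainName=CORP LogonType=3 AuthenticationPackageName=Kerberos WorkstationName=WS-ALICE IpAddress=10.0.1.15
EventID=4624 TargetUserName=alice TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM WorkstationName=WS-ALICE IpAddress=10.0.1.15
EventID=4624 TargetUserName=alice TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM WorkstationName=WS-PRINT7 IpAddress=10.0.3.88
EventID=4624 TargetUserName=bob TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM WorkstationName=WS-PRINT7 IpAddress=10.0.3.88
EventID=4624 TargetUserName=svc-backup TargetDomainName=CORP LogonType=3 AuthenticationPackageName=Kerberos WorkstationName=- IpAddress=10.0.9.2
"""

Finding = Tuple[str, str, Tuple[str, ...]]   # (account, source IP, reasons)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value Key=Value ...' into a dict (constructed format)."""
    return dict(token.split("=", 1) for token in line.split())


def account_of(ev: Dict[str, str]) -> str:
    return f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"


def review_logons(events_text: str, smartcard_required: Set[str]) -> List[Finding]:
    events = [parse_event(line) for line in events_text.splitlines() if line.strip()]

    # Hosts where each account actually proved possession of its card
    # (interactive logon, type 2).
    card_hosts: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == "4624" and ev.get("LogonType") == "2":
            card_hosts[account_of(ev)].add(ev["IpAddress"])

    findings: List[Finding] = []
    for ev in events:
        acct = account_of(ev)
        if ev.get("EventID") != "4624" or acct not in smartcard_required:
            continue
        reasons = []
        if ev["AuthenticationPackageName"] == "NTLM":
            reasons.append("ntlm")            # NT hash in use; the card played no part
        if ev["LogonType"] == "3" and ev["IpAddress"] not in card_hosts[acct]:
            reasons.append("unknown-source")  # credential used from a host the card never touched
        if reasons:
            findings.append((acct, ev["IpAddress"], tuple(reasons)))
    return findings


def main() -> None:
    for acct, ip, reasons in review_logons(EVENTS, SMARTCARD_REQUIRED):
        severity = "HIGH" if len(reasons) == 2 else "info"
        print(f"{severity:4} {acct} from {ip}: {', '.join(reasons)}")


if __name__ == "__main__":
    main()
```

On the constructed data this reports alice's NTLM use from her own workstation as informational, alice's NTLM logon from 10.0.3.88 as the high-severity lead (hash used from a host her card never logged on to), and svc-backup's Kerberos network logon from 10.0.9.2 as a ticket presented from an unfamiliar source; bob is ignored because his account is not smartcard-required. Real deployments would build the card_hosts baseline from a longer history than the events under review.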