'Secure authentication' uses not only a password but also multiple
additional factors [39] to perform this check. The simplest example of two‐
factor authentication is the SMS‐TAN used in online banking.
Useful factors include:
- one‐time password, token or PIN
- biometric information such as fingerprints, iris or retina templates or vein patterns
- private keys (certificates)
The principle is the same in each case: Besides entry of a username and
password – generally chosen by the user after initial registration – an
additional factor (see above) is required as well.
The difference between the above factors lies in the comparison procedure.
Biometric multi‐factor authentication requires the initial creation of a
template, which is stored with the user's record and compared against each
subsequent reading.
Token systems are usually based on an alternating combination of numbers
whose cyclical alteration is synchronised between the user's token
generator and the authentication components on the server.
Providers of enterprise Cloud services today naturally cannot equip every user
with a small hardware key ring displaying a changing number combination; hence
the use of systems that either let users download a software component upon
initial registration to generate the number combination on their local
computer, or send a token by text message to the user's mobile device when
they are ready to log in (the latter naturally requires the relevant
structures for centralised identity management; see above).
Federation, centralised authentication and single sign‐on
Let us begin this final chapter on Identity and Access Management (IAM) by
dispelling a common misconception: Single sign‐on means that the user logs
in once per session and gains access to all systems that the user requires for
that session. Single sign‐on implies that the user is not prompted to log in
again by any subsequent system during that same session.
The following are not single sign‐on:
- The separate entry of authentication data per Cloud service within
  the same session (this would also be the case if a centralised
  authentication centre was used, and that centre was prompted by
  every single Cloud service to perform authentication again each
  time)
[39] Two‐factor authentication or multi‐factor authentication, depending on the use case