Page 86 - Cloud Migration Version 2012 english

'Secure authentication' uses not only a password but also multiple additional factors [39] to perform this check. The simplest example of two‐factor authentication is the SMS‐TAN used in online banking.
Useful factors include:
- One‐time password, token or PIN
- Biometric information such as fingerprints, iris or retina templates or vein patterns
- Private keys (certificate)
The principle is the same in each case: Besides entry of a username and 
password  – generally chosen by the user after initial registration – an 
additional factor (see above) is required as well. 
The difference between the above factors lies in the comparison procedure. 
Biometric multi‐factor authentication requires the initial creation of a 
template which is stored along with the user. 
Token systems are usually based on a changing number combination whose cyclical change is synchronised between the user's token generator and the authentication component on the server.
Providers of enterprise Cloud services today naturally cannot equip every user with a small key ring showing an iterating number combination; hence the use of systems that either let users download a software component upon initial registration to generate the number combination on their local computer, or text message a token to the user's mobile device when they are ready to log in (the latter naturally requires the relevant structures for centralised identity management; see above).
Federation, centralised authentication and single sign‐on 
Let us begin this final chapter on Identity and Access Management (IAM) by dispelling a common misconception: Single sign‐on means that the user logs in once per session and gains access to all systems that the user requires for that session. Single sign‐on implies that the user is not prompted to log in again by any subsequent system during that same session.
The following are not single sign‐on:
- The separate entry of authentication data per Cloud service within the same session (this would also be the case if a centralised authentication centre was used, and that centre was prompted by every single Cloud service to perform authentication again each time)
[39] Two‐factor authentication or multi‐factor authentication, depending on the use case