Identification Methods

Identification is the process of specifically and distinctly recognizing an individual. Identification is a part of everyday life. You identify yourself at work, on the telephone, through e-mail; you identify yourself so much that you probably don’t even realize when you are doing it. Identification comes in many forms: you, photos of you, your fingerprints, your employee number, your bank account or credit card number, your frequent flyer number, your social security number, and of course, your username, all of which can represent you in the identification process.

Today, there are many forms of identification and many ways to identify yourself. Why you need to identify yourself and what or who you’re identifying to helps to determine what you use as the identification method. The methods for identification fall into two categories: user-supplied identity and technological identification.

User-Supplied Identification

Asking the user to supply their identity is the most prevalent method for identification today. In most computer applications, identification is based on the username. Your bank probably likes to identify you by your account number(s), and your favorite airline has transformed you into a series of alphanumeric characters. All of these names and numbers serve the single purpose of identifying who you are.

In all cases, the user is responsible for providing the correct identifying information. This is important because knowledge of a valid identity provides some security. For example, you can’t withdraw money from a bank account that doesn’t exist. You are unlikely to log on to the database if you cannot provide a valid database username. For hackers trying to penetrate a system, a good starting point is to obtain a list of valid users on the system.

Obfuscating the user’s name or choosing identifiers that don’t indicate the privileges of the person is valuable, too. The username “Administrator” connotes high privileges and thus a more valuable attack target for a hacker than does a more neutral name such as “User125.”

However, designing a security implementation exclusively based on the knowledge of the identifier—for example, a username or account number—is a risky proposition because it may be relatively easy to guess, predict, or obtain a valid identity from another source. This was discussed in Chapter 2 with regard to Default User Accounts.

The benefit to using user-provided identification is that the identifier (for example, username) is generally flexible. This allows administrators to create intuitive identifiers that are easy for the users to remember. For example, a username may be created based on the person’s first initial and last name (dknox for me). As discussed in the previous paragraph, the benefit is also the weakness. Identifiers that can be easily guessed or predicted may weaken the overall security. In the upcoming “Authentication” section, you’ll see how verifying the identity provides the ability to maintain the security while simultaneously allowing flexibility in the choice of identifiers.

Technological Identification

Technology also offers a choice of ways to identify ourselves including biometrics, computer identities, and digital identities.

Biometric

A quickly growing and exciting technology for supporting user identification is biometric technology. Biometrics refers to the biological characteristics of people that can be measured to distinguish the differences among them. You use biometrics constantly to identify people. Your brain uses facial recognition when you see familiar people and voice recognition when you answer a phone call from someone you know.

Many companies are currently working to mature various biometric technologies. Facial recognition, iris scanners, hand geometry, and fingerprint readers are among the most popular.

Biometrics are ideal in many ways. Users can’t forget them, and they can be nearly impossible to guess. Theft of the biometric part is unlikely, but there is a risk associated with having the digital biometric representation stolen. If this occurs, there’s a chance that someone could pretend to be someone else by copying and replaying the biometric signature or altering the metadata that indicates whose biometric it is.

Confusion about how biometrics are used is common because the same biometric can serve both the identification and the authentication processes. With biometric identification, the biometric information is considered unique and can be used to accurately identify the person presenting the biometric. This differs from user-provided identification because the user is not telling the system who they are; the system identifies them automatically. Note that this is identification only, not authentication; biometric authentication is the process of comparing the biometric signature with a reference to prove or disprove an identity (i.e., the identity is already known).
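The distinction drawn above, as an added example that is not from the book: identification is a one-to-many search in which the system decides who the sample belongs to, while authentication is a one-to-one comparison against the template of an identity the user has already claimed. The enrolled templates, the probe samples, and the distance threshold are constructed for this example; real systems extract feature vectors from fingerprints or irises rather than using four hand-picked numbers.

```python
# Added example (not the book's code): biometric identification (1:N) versus
# biometric authentication (1:1) over constructed feature vectors.
import math

# Constructed enrolment database: identity -> reference template (feature vector).
ENROLLED = {
    "dknox":   [0.10, 0.80, 0.30, 0.55],
    "user125": [0.90, 0.20, 0.60, 0.10],
    "jsmith":  [0.45, 0.45, 0.70, 0.85],
}

# Maximum Euclidean distance at which two samples are treated as the same person
# (a constructed value; real matchers tune this against false accept/reject rates).
MATCH_THRESHOLD = 0.15


def distance(a, b):
    """Euclidean distance between two feature vectors of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def identify(sample, db=ENROLLED, threshold=MATCH_THRESHOLD):
    """1:N identification: the user claims nothing; the system searches every template.

    Returns the closest enrolled identity, or None if no template is within the threshold.
    """
    best_id, best_dist = None, threshold
    for identity, template in db.items():
        d = distance(sample, template)
        if d < best_dist:
            best_id, best_dist = identity, d
    return best_id


def authenticate(claimed_identity, sample, db=ENROLLED, threshold=MATCH_THRESHOLD):
    """1:1 authentication: the identity is already known; verify the sample against it only."""
    template = db.get(claimed_identity)
    if template is None:            # unknown identity: nothing to compare against
        return False
    return distance(sample, template) < threshold


if __name__ == "__main__":
    probe = [0.12, 0.78, 0.31, 0.54]     # constructed sample close to dknox's template
    impostor = [0.5, 0.5, 0.5, 0.5]      # constructed sample close to nobody
    print(identify(probe))                # dknox
    print(identify(impostor))             # None
    print(authenticate("dknox", probe))   # True
    print(authenticate("jsmith", probe))  # False
```

Note that `authenticate` never searches the database; it only compares against the claimed identity, which is why a biometric can be the authentication factor even when the user typed a username. The replay risk the text mentions is visible here too: anyone holding a copy of an enrolled template can present it as the sample and match perfectly, so the stored templates need the same protection as passwords or keys.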

Computer Identities

In the computing environment, identity may be based on other nonstandard elements such as the computer’s name, physical network address (i.e., MAC address—the unique identifier on the network card for the computer), logical network address (IP address), or some other device that may be affixed to a computer.

IP addresses and IP domains are used within security architectures quite frequently. The address or domain is either allowed access or not. Firewalls and various secure routing technologies are heavily dependent on MAC addresses and IP addresses. Application servers and database security can also use IP addresses to help provide additional layers of security. You saw in Chapter 2 how the database listener can be configured to allow or disallow database connections based on the incoming IP address.
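The allow-or-deny decision on a client's IP address, as an added example that is not the book's code and not Oracle's implementation: it models the listener's valid node checking, where an invited list, when present, is the only thing consulted, and otherwise every address is accepted unless it is on the excluded list. The address lists and the connection attempts are constructed for this example; the precedence rule is my reading of how invited and excluded lists interact and is the point worth checking in your own configuration.

```python
# Added example (not the book's code): IP-based node checking in the style of a
# database listener's invited/excluded node lists. The evaluation logic is a
# simplified model written for this example, not the listener's own code.
import ipaddress


def _parse_nodes(nodes):
    """Turn address or network strings ('10.1.2.7', '10.1.2.0/24') into ip_network objects."""
    return [ipaddress.ip_network(n, strict=False) for n in nodes]


class NodeChecker:
    """Accept or reject a connection based on its source IP address.

    Precedence assumed here: if an invited list exists, only invited nodes may
    connect and the excluded list is ignored; otherwise every node is allowed
    unless it appears on the excluded list.
    """

    def __init__(self, invited=(), excluded=(), enabled=True):
        self.enabled = enabled
        self.invited = _parse_nodes(invited)
        self.excluded = _parse_nodes(excluded)

    def allows(self, client_ip):
        if not self.enabled:                      # checking switched off: everything passes
            return True
        addr = ipaddress.ip_address(client_ip)
        if self.invited:                          # invited list present: it is the whole policy
            return any(addr in net for net in self.invited)
        return not any(addr in net for net in self.excluded)


# Constructed connection attempts: (client IP, requested service).
ATTEMPTS = [
    ("10.1.2.7", "orcl"),
    ("10.1.5.20", "orcl"),
    ("192.0.2.44", "orcl"),
    ("10.1.2.99", "orcl"),
]


def screen(checker, attempts=ATTEMPTS):
    """Return (client_ip, 'ACCEPT' | 'REJECT') for each attempt."""
    return [(ip, "ACCEPT" if checker.allows(ip) else "REJECT") for ip, _ in attempts]


if __name__ == "__main__":
    # An invited subnet plus one excluded host inside it: the exclusion has no
    # effect because the invited list takes over the decision.
    both = NodeChecker(invited=["10.1.2.0/24", "10.1.5.20"], excluded=["10.1.2.99"])
    for ip, verdict in screen(both):
        print(f"{ip:<12} {verdict}")
    # Excluded list alone: only the listed host is turned away.
    only_excluded = NodeChecker(excluded=["10.1.2.99"])
    print(screen(only_excluded))
```

The first run prints ACCEPT for 10.1.2.99 even though it is on the excluded list, which is the kind of surprise that makes it worth testing both lists together before relying on them. Source-address checks are a useful extra layer, as the text says, but they identify a network location rather than a person and belong alongside, not instead of, user authentication.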

Digital Identities

Another prevalent form of identification is by way of digital representation or digital identities. An example seen today is the digital certificate used as part of Public Key Infrastructures (PKI). PKI provides many security capabilities, including identification, authentication, encryption, and nonrepudiation.

For identification, PKI uses digital certificates based on a standard format known as X.509. Entities, typically users or computer servers, are given unique digital certificates that represent their identity. The certificates include descriptive information about the entity such as their name, employee number, organization, and location. Think of a certificate as a digitized passport. The digital identities are well defined both structurally and semantically, and are consistent across all applications and platforms that support the certificate standards. This last point is critical to providing interoperability between applications and products provided by different vendors.

Digital certificates are popular not only because the certificates are standards based, but also because the certificates contain additional information that can be used in implementing effective security controls. For example, access to data can be based on both the user’s name and the user’s organizational affiliation and location.
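Using the descriptive attributes of a certificate's identity for an access decision, as an added example that is not the book's code: the subject name is handled as an RFC 4514 distinguished name string (the form most tools print it in), its CN, O and L attributes are extracted, and a data set is released only when the organization and location pair is on a policy list. The subject strings and the policy are constructed for this example; in a real deployment the subject comes from a certificate the TLS or PKI layer has already validated (chain, expiry, revocation), which this code does not attempt.

```python
# Added example (not the book's code): extract identity attributes from an X.509
# subject given as an RFC 4514 DN string and base an access decision on them.


def parse_dn(dn):
    """Parse 'CN=dknox,O=Example Corp,L=Reston' into {attribute: value}.

    Handles backslash-escaped characters inside values (e.g. 'O=Acme\\, Inc.').
    Hex escapes and multi-valued RDNs joined with '+' are not handled here.
    """
    attrs, buf, parts = {}, [], []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep the next char literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                        # unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    for rdn in parts:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


# Constructed policy: which (organization, location) pairs may read each data set.
POLICY = {
    "payroll": {("Example Corp", "Reston")},
    "catalog": {("Example Corp", "Reston"), ("Example Corp", "Denver"), ("Partner LLC", "Austin")},
}


def access_allowed(subject_dn, dataset, policy=POLICY):
    """Grant access when the certificate's O and L attributes match the policy for the data set."""
    attrs = parse_dn(subject_dn)
    if "CN" not in attrs:                    # no usable identity in the certificate
        return False
    return (attrs.get("O"), attrs.get("L")) in policy.get(dataset, set())


if __name__ == "__main__":
    for subject in ("CN=dknox,O=Example Corp,L=Reston",
                    "CN=jsmith,O=Example Corp,L=Denver",
                    "CN=pat,O=Partner LLC,L=Austin"):
        print(subject, "->", {ds: access_allowed(subject, ds) for ds in POLICY})
```

The escape handling matters more than it looks: a value such as `O=Acme\, Inc.` contains a comma, and a naive `split(",")` would turn it into two bogus attributes and could let a crafted name slip past a policy that keys on the organization. Attribute-based decisions like this are only as strong as the CA's vetting of the O and L values it certifies.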

For user identification, digital certificates are usually installed in the user’s Web browser. They can also be embedded into physical devices such as smart cards. To secure the digital identity, the user may be forced to supply a PIN or password to unlock the certificate.

Many single sign-on technologies, including the Oracle database and the Oracle Application Server Single Sign-On, support digital certificates as an identification and authentication (I&A) method for users.



Effective Oracle Database 10g Security by Design
ISBN: 0072231300
Year: 2003
Pages: 111
