Authentication Primer

Alexander Zammit

Alexander Zammit has been developing server applications for over 15 years. Most of his works involve Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

  • Published: Aug 30, 2007
  • Category: Security

The value of our virtual identity grows with every service we subscribe to. Acting as a bridge between the real and virtual world, Authentication is there to verify the credentials linking us to our virtual identity.

Originally this article was meant to be the introductory section of an article discussing plain text authentication as applied to SMTP. However, I later concluded that expanding it a little and presenting it as a separate short article could be of more benefit to those looking for an introduction to this topic. So in this little primer we highlight the following key concepts:

  1. The important role authentication plays in security.

  2. The different levels of security provided by different authentication methods.

  3. The need for authentication to provide a level of security that reflects the value and sensitivity of the resources ultimately being authorized.

Authentication is a fundamental security element employed to verify the identity of a user or process. Authentication can take many forms, ranging from the username/password login to smart cards, palm readers, etc. All of these are intended to verify that a user or process is who it claims to be.

Establishing the identity allows us to move a step further and determine who is allowed to do what, i.e. Authorization. These two security elements go hand in hand, so much so that many confuse them for the same thing. The critical role of Authentication becomes immediately clear as soon as we define the type of resources the identity is authorized to access.

As more services are made available online, our virtual identities grow in value. A compromised network identity can cost someone their job. Online profiles, email accounts and other identities may carry a huge weight in personal and business relationships. I guess there is no need for me to mention e-government services, bank accounts and the other services mushrooming around us.

Appreciating the value of the resources being accessed is the best way to appreciate the importance of Authentication. Clearly the value of resources varies widely. A corporate mailbox is likely to contain more confidential information than a free web mailbox. These differences are reflected in the type of authentication employed.

Highly valuable resources may require multi-factor authentication, where different authentication methods are combined. A common example is the use of a smartcard together with a username/password login. Less valuable resources may use a single authentication method.

Apart from classifying the various authentication methods broadly, one certainly has to dig deeper into the underlying technology and differentiate further. Authentication often relies on a multi-step process and on other technologies such as encryption, public/private keys and signatures. Bringing these elements together allows for a better appreciation of the suitability of different authentication methods for different applications.

A login process transmitting credentials (username/password) in clear text is clearly less secure than one encrypting the information. Additionally, some encryption algorithms are harder to break than others. Furthermore, we could compare both to the case of public/private keys, where the password is never transmitted over the wire at all. The goal here is to appreciate the bigger picture; delving into cryptography details is beyond the scope of this primer.
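To make that last distinction concrete, here is an added example (not from the original article, and not a scheme the article names) contrasting a clear-text login message with a constructed HMAC-SHA256 challenge/response exchange in which the password itself never crosses the wire; the class, function names and message formats are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


def plaintext_login(username: str, password: str) -> str:
    """The message a clear-text login puts on the wire: the secret itself."""
    return f"LOGIN {username} {password}"


class ChallengeResponseServer:
    """Constructed HMAC-SHA256 challenge/response verifier (illustrative only).

    The server keeps the shared secret locally and never receives it over
    the wire; it only sees an HMAC bound to a fresh, single-use nonce.
    """

    def __init__(self, users: dict[str, str]) -> None:
        self._users = users                   # username -> shared secret (server-side)
        self._pending: dict[str, str] = {}    # username -> outstanding nonce

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)         # fresh random nonce per login attempt
        self._pending[username] = nonce
        return nonce

    def verify(self, username: str, response: str) -> bool:
        nonce = self._pending.pop(username, None)   # single use: a replay finds no nonce
        secret = self._users.get(username)
        if nonce is None or secret is None:
            return False
        expected = client_response(secret, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_response(password: str, nonce: str) -> str:
    """Client proves knowledge of the password without sending it."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def run_exchange(server: ChallengeResponseServer, username: str, password: str):
    """Perform one login and return (accepted, the messages that crossed the wire)."""
    nonce = server.challenge(username)
    response = client_response(password, nonce)
    wire = [f"CHALLENGE {nonce}", f"RESPONSE {username} {response}"]
    return server.verify(username, response), wire
```

Comparing `plaintext_login(...)` with the `wire` list returned by `run_exchange(...)` shows what an eavesdropper would capture in each case, and a captured response is useless against the next challenge because the nonce has changed.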

Final Tips

Experts evangelize that security is only as strong as its weakest link. Authentication is one important component in the security stack, and using a weak authentication method in a stack that authorizes access to sensitive data is not uncommon. In an upcoming article we continue this discussion by taking an in-depth look at plain text authentication, one of the weakest authentication methods.
