Authentication system. What is an authentication error? Technical means of authentication

Often, when connecting a computer, laptop or tablet to the Internet via Wi-Fi, the system displays an authentication error message. Let's look at what it is and for what reasons it occurs, and also give recommendations for eliminating them.

Authentication error: concept

The authentication procedure always involves verifying the authenticity of the user. Authentication involves entering a specific password. If the password is entered incorrectly, an authentication error is generated.

Authentication Error: Causes and Solutions

Having understood what an authentication error is, you should dwell on the reasons for its occurrence. As mentioned above, the error usually occurs due to an incorrectly entered password when connecting wireless network. You will need to make sure that you specified it correctly - the desired layout and language was used. If after this you still cannot authenticate, this means that there has been a failure in the network settings and you need to delete it. You need to do the following:

1. Go to the menu of your router and select the “Settings” section.
2. In the list that opens, click on the “Wireless networks” item, opposite it click on the “Delete network” button.
3. Click on the “Refresh list of networks” item, after which the network you are using will be available again.
4. Restart your router.
5. Open the authentication window and enter correct password.
6. After these steps, your computer will need to connect to Wi-Fi.

If during authentication the password is saved, but a message about WPA\WPA2 protection appears under the name of the network you are trying to connect to, then you need to change the settings of the router. This is done as follows:

1. Go to the router menu and select “Network mode”.
2. In the tab that opens, change the “Only” mode to “Auto” and save changes made.
3. Disable wireless connection on the device and reboot the router.
4. Check that the password entered for connection is correct Wi-Fi networks and her regime.

If after this an authentication error still appears, then you need to change the operating modes of the router. Proceed as follows:

1. Go to the “Settings” tab in the main menu of the router.
2. From the list that opens, select the “Wireless Network” section.
3. In the window that loads, set the following command opposite the Mode option: 11bgn mixed.
4. Save the changes by clicking on the appropriate button.
5. Reboot your router and try to authenticate.

If the system gives an error again, then again go to the “Wireless connect” section and enter this command in it: 11bg mixed. When repeated error You will need to enter 11g only next to the Mode option. Be sure to save your changes and restart your router before authenticating again.

To avoid problems with authentication, use a password consisting of only numbers. Be sure to write it down. In this case, you will not need to go through the password recovery procedure or reset it later.

Pay attention to the security settings of the router. They often cause problems with authentication. It would be better if they looked like this:

• Version: WPA-PSK
• PSK Password - eight numbers/symbols
• WPA/WPA2 - Personal (Recommended)

Although many people do not know what authentication is, every user global network encounters the procedure for completing it every day. Some begin their working day with this operation, others - turning on the computer, others - checking mail and visiting Internet pages, and others - in the process of connecting to the network.

What it is

Authentication is the basis for the security of any system on program level. Access to information is protected by an ID and password. The first role can be login, username, email or generated code.

Thus, a user who registers on a server or in any other system receives a unique id. Only he has it (this is a digital value that can be a regular serial number). Identification is the user's submission of data, and authentication is the server's acceptance of that information. These two procedures and the conditions for their implementation are related to each other.

Instead of the term authentication, simpler expressions are often used, which can be called synonyms:

• authentication;
• authorization.

Video: Biometric Authentication

Kinds

As a rule, authentication methods are divided according to the means used during the process and their number.

Types of authentication are divided into several groups based on the following criteria:

• informational component (when you know something that no one else knows, for example, a password);
• an object or means (in the case of using a card, key-stamp, token, special USB flash drive);
• biometrics (access by retina, fingerprint, blood type);
• user information (access to certain information depending on location, language, information from the browser cache).

Password protection

The most famous and common method is password protection. When going through the authorization process and entering a password, the system compares it with a specific identifier that is stored in the database.

There are two types of passwords:

• permanent;
• dynamic.

A permanent password is issued by the server during registration (in case of connection to access general information) or set by the user himself (in the case of storing personal information).

The dynamic password is issued by the server. And depending on the settings, it ceases to exist after some time or immediately after logging out of the system.

Dynamic password protection is more secure. But hackers manage to bypass it too, using the main vulnerability - the human factor, because in order to authorize the user there is a need to transfer him a new password.

Unique items

The most widely used method to protect banking systems and premises limited access carried out using plastic cards with an electronic chip containing unique information.

This option is also often used for controlled physical access to individual server machines or important client personal computers ( usb flash drive with a key program and a unique user identifier).

This security method is ideal for protecting against remote hacking. But it has its drawbacks. After all, every item can be lost or stolen by intruders.

Biometrics

The most expensive, but the most reliable way authentication is a biometric. To authorize the system, a scanning method is used, where the received image is compared with a saved copy in the database.

Modern methods make it possible to compare different areas or points each time, as well as identify the user by facial features and facial expressions.

This system is the most reliable in terms of security. However, it also has disadvantages. For it to function properly, there must be either backup codes“supervisor”, or a person responsible for protection has been appointed. This is done in case something happens to the user, but this fact greatly violates the ideality of the system.

User data

User data can be completely different and unique, for example:

• year of birth;
• Mother's Maiden Name;
• the name of your favorite animal;
• mobile number;
• location.

This information can be used in several cases and for different purposes:

1. to sort the information that is displayed to the user (for example, advertising for enterprises in Moscow will not be displayed for residents of Kyrgyzstan);
2. to pass an enhanced type of security called two-way authentication. This type is used in extremely secure systems and looks like a dialogue between the user and the server. Once you have completed the preliminary level and entered the correct password, you may be asked to select one of your birth dates.

Authentication technology and algorithm

Having analyzed the types of authentication, you can understand that none of them is ideal, and each has its own errors. Therefore, two-level authentication is most often used.

This means that in order to get full access information, you must first pass a basic verification: for example, enter your login and password in the system. Following this, you need to confirm your identity with a more stringent identification (subject, questions, biometrics, signature).

Mail server authentication technology

The easiest way to look at the work step by step and understand what it is two-factor authentication– analyze the process of receiving mail:

1. the second factor is the IP address. If you are logging in from a new IP for the first time, you may be asked to confirm your identity using the number mobile phone (sms message) is the second level of protection;
2. on mail servers There is also end-to-end authentication. In this case, you do not need to enter a password every time as long as you use the same computer and IP address. Authorization data is not just saved in the browser, it is loaded into cookies, and every time you access the server, it lets you through on the fly.

Authentication algorithm using the example of authorization in a local network

To identify computers in work local network and differentiation of access to resources, there are domain networks. The authorization process can be carried out simultaneously at several levels and using different factors. In one local network you can see almost all types of authentication.

To access the network, you can use a computer name or an IP address associated with a domain. At the same time, you need to enter a username and password (these are two identification factors).

The next type of authentication here is the relationship of a user, a range of addresses, or a specific computer to a group with delimited access rights.

What’s interesting about using a domain network is the ability to administer and limit access to absolutely any information, both on a local and global network, through multi-factor authentication.

If errors occur, what should I do?

Most errors occur due to incorrectly entered data: login, password, server name or IP address.

When using a particular resource, you may see a message stating that authorization or authentication on the server is temporarily unavailable. If this is one of the services on the Internet, then you should just wait or try contacting technical support.

If one of the servers or network devices (routers) located at your home, work, or on the same local network fails, you can, depending on the situation:

• check the device yourself;
• contact your provider;
• call the system administrator.

Everyone uses authentication unbeknownst to them many times a day when logging into operating system, on a server, on a social network or receiving mail.

User authentication in the system is a simple and everyday task. Having understood a little about the process and algorithm of action yourself, you can more accurately indicate the problem when contacting support or the network administrator, indicating at what level the error occurs.

The basis of any protection systems information systems are identification and authentication, since all information security mechanisms are designed to work with named subjects and objects of the AS. Let us recall that both users and processes can act as AS subjects, and information and others can act as AS objects. informational resources systems.

Assigning a personal identifier to subjects and access objects and comparing it with a given list is called identification. Identification ensures the following functions:

Establishing the authenticity and determining the powers of the subject upon his admission to the system,

Controlling established powers during a work session;

Registration of actions, etc.

Authentication (authentication) is the verification of the access subject's ownership of the identifier presented by him and confirmation of its authenticity. In other words, authentication is about checking whether the connecting entity is who he claims to be.

The general procedure for identifying and authenticating a user when accessing the AS is presented in Fig. 2.10. If the authentication of the subject is established during the authentication process, then the information security system must determine his powers (set of rights). This is necessary for subsequent control and differentiation of access to resources.

Based on the controlled component of the system, authentication methods can be divided into authentication of communication partners and authentication of the data source. Authentication of communication partners is used when establishing (and periodically checking) a connection during a session. It serves to prevent threats such as masquerade and replay of the previous communication session. Data source authentication is confirmation of the authenticity of the source of a single piece of data.

In terms of direction, authentication can be one-way (the user proves his authenticity to the system, for example, when logging into the system) and two-way (mutual).

Rice. 2.10. Classic identification and authentication procedure

Typically, authentication methods are classified according to the means used. In this case, these methods are divided into four groups:

1. Based on knowledge by a person entitled to access system resources of some secret information - a password.

2. Based on the use of a unique item: token, electronic card, etc.

3. Based on the measurement of human biometric parameters - physiological or behavioral attributes of a living organism.

4. Based on information associated with the user, for example, his coordinates.

Let's look at these groups.

1. The most common simple and familiar authentication methods are based on passwords - secret identifiers of subjects. Here, when the subject enters his password, the authentication subsystem compares it with the password stored in encrypted form in the reference database. If the passwords match, the authentication subsystem allows access to AS resources.

Password methods should be classified according to the degree to which passwords can be changed:

Methods that use permanent (reusable) passwords

Methods using one-time (dynamically changing) passwords.

Most speakers use reusable passwords. In this case, the user's password does not change from session to session during the validity period set by the system administrator. This simplifies administration procedures, but increases the risk of password compromise. There are many known ways to break a password: from peeking over your shoulder to intercepting a communication session. The likelihood of an attacker opening a password increases if the password has a semantic meaning (year of birth, girl's name), is short in length, typed in one register, has no restrictions on the period of existence, etc. It is important whether the password is allowed to be entered only in interactive mode or the ability to access from the program.

In the latter case, it is possible to run a password guessing program - a “crusher”.

A more secure way is to use one-time or dynamically changing passwords.

The following methods are known password protection based on one-time passwords:

Methods for modifying the simple password scheme;

Request-response methods;

Functional methods.

In the first case, the user is given a list of passwords. During authentication, the system asks the user for a password, the number in the list of which is determined by a random law. Length and serial number The initial character of the password can also be set randomly.

When using the challenge-response method, the system asks the user some questions general, the correct answers to which are known only to a specific user.

Functional methods are based on the use of a special password conversion function. This makes it possible to change (according to some formula) user passwords over time. The specified function must satisfy the following requirements:

For a given password x is easy to calculate New Password ;

Knowing x and y, it is difficult or impossible to determine the function.

The most famous examples of functional methods are: the functional transformation method and the handshake method.

The idea of ​​the functional transformation method is to periodically change the function itself. The latter is achieved by the presence in the functional expression of dynamically changing parameters, for example, a function of a certain date and time. The user is informed of the initial password, the actual function and the frequency of changing the password. It is easy to see that the user’s passwords for given time periods will be the following: x, f(x), f(f(x)), ..., f(x)n-1.

The handshake method is as follows. The password conversion function is known only to the user and the security system. When entering the AS, the authentication subsystem generates random sequence x, which is passed to the user. The user calculates the result of the function y=f(x) and returns it to the system. The system compares its own calculated result with that received from the user. If the specified results match, the user's authenticity is considered proven.

The advantage of the method is that the transmission of any information that could be used by an attacker is minimized.

In some cases, the user may need to verify the authenticity of another remote user or some AS that he is about to access. The most suitable method here is the “handshake” method, since none of the participants in the information exchange will receive any confidential information.

Note that authentication methods based on one-time passwords also do not provide absolute protection. For example, if an attacker has the ability to connect to the network and intercept transmitted packets, then he can send the latter as his own.

2. Recently they have become widespread combined methods identification that requires, in addition to knowing the password, the presence of a card (token) - a special device that confirms the authenticity of the subject.

Cards are divided into two types:

Passive (memory cards);

Active (smart cards).

The most common are passive cards with a magnetic stripe, which are read by a special device that has a keyboard and a processor. When using the specified card, the user enters his identification number. If it matches the electronic version encoded in the card, the user gains access to the system. This allows you to reliably identify the person who gained access to the system and prevent unauthorized use of the card by an attacker (for example, if it is lost). This method is often called two-factor authentication.

Sometimes (usually for physical access control) cards are used on their own, without requiring a personal identification number.

The advantage of using cards is that the processing of authentication information is performed by the reader, without being transferred to the computer memory. This eliminates the possibility of electronic interception via communication channels.

The disadvantages of passive cards are the following: they are significantly more expensive than passwords, require special reading devices, and their use requires special procedures for secure accounting and distribution. They also need to be protected from intruders, and, of course, not left in reading devices. There are known cases of counterfeiting of passive cards.

In addition to memory, smart cards have their own microprocessor. This allows you to implement various options password protection methods: reusable passwords, dynamically changing passwords, regular challenge-response methods. All cards provide two-component authentication.

To these advantages of smart cards we should add their versatility. They can be used not only for security purposes, but also, for example, for financial transactions. A concomitant disadvantage of cards is their high cost.

A promising direction in the development of cards is to equip them with the PCMCIA (PC Card) portable system expansion standard. Such cards are portable PC Card devices that are inserted into a PC Card slot and do not require special readers. Currently they are quite expensive.

3. Authentication methods based on measuring human biometric parameters (see Table 2.6) provide almost 100% identification, solving the problems of loss of passwords and personal identifiers. However, such methods cannot be used to identify processes or data (data objects), since they are just beginning to develop (there are problems with standardization and distribution) and still require complex and expensive equipment. This determines their use so far only at particularly important facilities and systems.

Examples of the implementation of these methods are user identification systems based on the pattern of the iris, palm prints, ear shapes, infrared patterns of capillary vessels, handwriting, smell, voice timbre, and even DNA.

Table 2.6

Examples of biometric methods

Physiological methods	Behavioral methods
Fingerprinting Iris scanning Retinal scan Hand geometry Facial feature recognition	Keyboard handwriting analysis

A new direction is the use of biometric characteristics in smart payment cards, pass tokens and cellular communication elements. For example, when paying in a store, the cardholder puts his finger on the scanner to confirm that the card is really his.

Let's name the most used biometric attributes and the corresponding systems.

· Fingerprints. Such scanners have small size, universal, relatively inexpensive. The biological repeatability of a fingerprint is 10-5%. Currently being promoted by law enforcement agencies due to large allocations to electronic fingerprint archives.

· Hand geometry. Appropriate devices are used when finger scanners are difficult to use due to dirt or injury. The biological repeatability of hand geometry is about 2%.

· Iris. These devices have the highest accuracy. The theoretical probability of two irises matching is 1 in 1078.

· Thermal facial image. The systems make it possible to identify a person at a distance of up to tens of meters. In combination with database searching, such systems are used to identify authorized employees and screen out unauthorized personnel. However, face scanners have a relatively high error rate when lighting changes.

· Voice. Voice verification is convenient for use in telecommunications applications. Required for this 16-bit sound card and a condenser microphone cost less than $25. The probability of error is 2 – 5%. This technology suitable for voice verification over telephone communication channels, it is more reliable compared to frequency dialing personal number. Nowadays, directions are being developed for identifying a person and his state by voice - excited, sick, telling the truth, not in himself, etc.

· Keyboard input. Here, when entering, for example, a password, the speed and intervals between keystrokes are monitored.

· Signature. Digitizers are used to control handwritten signatures.

4. The newest direction in authentication is to prove the authenticity of a remote user by his location. This protective mechanism is based on the use of a space navigation system such as GPS (Global Positioning System). A user with GPS equipment repeatedly sends the coordinates of specified satellites located in the line of sight. The authentication subsystem, knowing the satellite orbits, can determine the user’s location with an accuracy of up to a meter. The high reliability of authentication is determined by the fact that satellite orbits are subject to fluctuations, which are quite difficult to predict. In addition, the coordinates are constantly changing, which negates the possibility of their interception.

GPS equipment is simple and reliable to use and relatively inexpensive. This allows it to be used in cases where an authorized remote user must be in the desired location.

Summarizing the capabilities of authentication tools, it can be classified by level information security into three categories:

1. Static authentication;

2. Strong authentication;

3. Constant authentication.

The first category provides protection only against unauthorized access in systems where an attacker cannot read authentication information during a work session. An example of a static authentication tool is traditional permanent passwords. Their effectiveness mainly depends on the difficulty of guessing passwords and, in fact, on how well they are protected.

To compromise static authentication, an attacker can spy on, guess, guess, or intercept authentication data, etc.

Strong authentication uses dynamic authentication data that changes with each session. Implementations of strong authentication are systems that use one-time passwords And electronic signatures. Strong authentication provides protection against attacks where an attacker can intercept authentication information and try to use it in future sessions.

However, strong authentication does not provide protection against active attacks, during which a masquerading attacker can quickly (during an authentication session) intercept, modify and insert information into the stream of transmitted data.

Persistent authentication ensures that each block of data transmitted is identified, preventing unauthorized modification or insertion. An example of the implementation of this category of authentication is the use of algorithms for generating electronic signatures for each bit of transmitted information.

Network Authentication is something that is dealt with daily a large number of Internet users. Some people don't know what it means this term, and many do not even suspect its existence. Almost all users world wide web start their working day by going through the authentication process. It is needed when visiting mail, social networks, forums and other things.

Users encounter authentication every day without even realizing it.

Authentication is a procedure by which user data is verified, for example, when visiting a particular global network resource. It checks the data stored on the web portal with those specified by the user. Once authentication is completed, you will have access to certain information (for example, your mailbox). This is the basis of any system that is implemented at the software level. Often the specified term utilizes more simple values, such as:

• authorization;
• authentication.

To authenticate, you must enter the login and password for your account. Depending on the resource, they may have significant differences from each other. If you use identical data on different sites, you expose yourself to the risk of having your data stolen. personal information by intruders. In some cases, this information may be provided automatically for each user. To enter the necessary data, as a rule, a special form is used on a global network resource or in specific application. After introduction necessary information, they will be sent to the server for comparison with those in the database. If they match, then you will gain access to the closed part of the site. If you enter incorrect data, the web resource will report an error. Check that they are correct and enter again.

Which network identification to choose

Many people think about what network identification choose, because there are several types. First you need to decide on any of them. Based on the information received, everyone decides for themselves which option to choose. One of the newest network authentication standards is IEEE 802.1x. It has received wide support from almost all hardware developers and developers software. This standard supports 2 authentication methods: open and using a password (key). With the open method, one station can connect to another without requiring authorization. If you are not happy with this, then you need to recycle the key method. In the case of the latter option, the password is encrypted using one of the following methods:

• WPA-personal;
• WPA2-personal.

The most suitable option can be installed on any router.

Let's go to the router settings

Even an untrained user can do everything without any problems required configurations. To start setting up the device, you need to connect it to personal computer using a cable. If this action is completed, then open any web browser and in address bar Type http://192.168.0.1, then press Enter. Specified address Suitable for almost any device, but more precise information can be found in the instructions. By the way, this action is precisely authentication, after which you gain access to the private information of your router. You will see a prompt to enter the interface, which will help you make the necessary settings. If no one has changed the login and password, then by default almost all models from various builders use the word admin in both fields. The router you purchased has an open wireless network, so anyone can connect to it. If this does not suit you, it must be protected.

Protecting your wireless network

IN various models Menu and submenu names may differ. First you need to go to the router menu and select the Wi-Fi wireless network setting. Specify the network name. Everyone will see him wireless devices that need to be connected to the device. Next, we need to select one of the encryption methods, the list of which is given above. We recommend using WPA2-PSK. This mode is one of the most reliable and universal. In the appropriate field you need to enter the key you created. It will be used for

To authenticate, the user is prompted to enter a combination of certain data, for example, the login and password of the device being used. account. Necessary information is entered by the visitor into a special HTML form. After clicking the input confirmation button, the authentication program sends the specified data to the server for comparison with the records available in the database. If the combination stored on the site matches the entered information, the user is redirected to a closed part of the site. If the entered data does not match, the visitor is prompted to log in again.

The authentication procedure is carried out to provide the user with certain rights that unauthorized guests do not have. After successful implementation login user can access personal account, in which you will be able to change your account data and make additional settings and operations. For example, after authentication on social networks, the user receives the right to correspond and publish on his own behalf.

Authentication Methods

To gain access to the closed part of the Internet service, various authentication methods can be used, which are selected in accordance with security requirements.

Some resources offer authorization using an automatically generated one-time password, which is sent to the user when prompted. A numeric or text combination for logging in is sent via SMS or e-mail. Sometimes one-time passwords are generated special devices eToken.

Systems that require an increased level of security often use biometric authentication using an iris scan or palm print. In some cases, technology is used to automatically examine the user's handwriting or voice. There are also developments that allow authorization using human DNA.

The Internet authentication process is used on resources such as web forums, blogs, social media. Authorization using in various ways carried out in payment systems, online banking, online stores and on some corporate resources. Depending on the level of security of the site and the importance of the information stored on it, various methods gaining access.