Solved

Identifying who is logged in to the system

Posted on 2011-09-27
Last Modified: 2012-05-12
How would a bank or system know that John Doe is logging in?
How is that verified? If John Doe says he is from xyz company and a manager, and he creates a login ID and password, how would the system confirm that? I'm pretty sure the bank will not let John access the account right away the first time he logs in. I'm struggling to understand this security concept. Thanks.
Question by:zachvaldez
12 Comments

Expert Comment

by:Rainverse
ID: 36711571
One way would be to require the person signing up to provide a company email address for verification.

Author Comment

by:zachvaldez
ID: 36711871
How would I know that the person signing up and creating the ID and password is that person and not someone impersonating him?

Expert Comment

by:Rainverse
ID: 36711900
If they're providing a corporate email address, and have to click a link sent to that address before being allowed into the system, then you know they at least have a corporate email address. Beyond that, you really can't, unless you ask for some personal identification that you can then verify, like an SSN or something.
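The "click a link sent to that address" check described above, as an added example that is not part of the original thread. The server signs the pair (e-mail address, expiry time) with a secret key and mails the result as a URL token; whoever presents a token with a valid signature has shown control of that mailbox. The domain allowlist `xyz.example`, the `SERVER_KEY` constant and the one-hour validity are assumptions for the example.

```python
"""Signed, time-limited e-mail verification token (added example)."""
import base64
import hashlib
import hmac

ALLOWED_DOMAINS = {"xyz.example"}   # assumed corporate-domain allowlist
# Assumed for the example only: generate with secrets.token_bytes(32) and keep secret.
SERVER_KEY = b"replace-with-32-random-bytes-kept-secret"
LINK_TTL_SECONDS = 3600             # assumed one-hour validity of the link
_MAC_LEN = 32                       # SHA-256 output length in bytes


def _mac(payload):
    """HMAC-SHA256 over the payload with the server's secret key."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_verification_token(email, now):
    """Only addresses in an allowed domain get a link.
    Returns a URL-safe token encoding 'email|expiry' plus its MAC, or None."""
    local, at, domain = email.rpartition("@")
    if not at or not local or domain.lower() not in ALLOWED_DOMAINS:
        return None
    payload = f"{email.lower()}|{int(now) + LINK_TTL_SECONDS}".encode("utf-8")
    return base64.urlsafe_b64encode(payload + _mac(payload)).decode("ascii")


def verify_token(token, now):
    """Recompute the MAC over the payload, compare it in constant time, then
    check the expiry. Returns the verified e-mail address, or None on any failure."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):      # binascii.Error is a ValueError
        return None
    if len(raw) <= _MAC_LEN:                      # no room for payload + MAC
        return None
    payload, mac = raw[:-_MAC_LEN], raw[-_MAC_LEN:]
    if not hmac.compare_digest(_mac(payload), mac):
        return None                               # forged or tampered token
    email, sep, expiry = payload.decode("utf-8").rpartition("|")
    if not sep or not expiry.isdigit() or now > int(expiry):
        return None                               # malformed or expired
    return email
```

Because the token is stateless it is not single-use; if a link must work only once, record consumed tokens (or a per-user nonce) server-side. And as the comment says, passing this check proves control of a mailbox in the domain, not that the person is the manager they claim to be.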

Author Comment

by:zachvaldez
ID: 36711990
How do I authenticate that the user is who he says he is? That is the question I am struggling with.

Expert Comment

by:khairil
ID: 36712026
Hi,

The concept differs between services and applications. You should understand the context in which the concept is used first.

1. Open context: email services like Yahoo, Gmail, Hotmail.
The security concept here is simple, but not the algorithms they use. Since they are public places they do not need to validate who you are. You can create as many accounts as you like, and for them each account is a different individual, even though they know some people have more than five email accounts on Yahoo alone.

In this case, they will not be responsible if anything happens to your account and they have the right to kick you out. So if your account gets hacked, it is your problem; there is very little they will do for you. You should check the EULA before creating the account.

The same concept applies to PayPal: you can subscribe as many accounts there as you like. But PayPal holds your credit card number as additional information. When you buy something over the net using PayPal, the third-party site requests the payment from PayPal. PayPal then asks you to log in and presents the payment information to you in the same browser session for validation; if it is valid you must press the Pay button before the payment happens.

2. Banking
Banking has strict procedures. You have to present them some information about yourself (Social Security Number or passport) and maybe some biometric information like fingerprints or a signature. They then give you a card with a personal PIN. Using that card you then activate the Internet banking system. Depending on the system, you may need to supply a temporary Internet PIN, which is different from the PIN of the card.

You then activate your Internet banking using this temporary Internet PIN together with the ATM card number, and create your user ID. The system then requests a new password to replace the temporary Internet PIN. To be secure, the password is not stored directly in the database; instead it is hashed first.

When you log in to Internet banking, the system checks the user ID and password you entered. The password you entered is hashed and compared with the hashed password stored in the database. If they match, you are allowed in. Depending on the system the bank uses, some use secure cookies to know who you are and to store some information, but most banks use a secure token (you can see a weird string in the browser address bar, better known as a query string or the GET method) or a server session. Most good banks use secure HTTP, commonly known as HTTPS, for transactions between the client and the banking servers.

3. In-house applications
Most in-house applications gather their data from student records or HR records. The accounts are usually pre-built into the database, and users have to set a new password on first use. The data, however, can be stored as plain data or encrypted data depending on the system they build. The communication with the server can be over HTTPS, but most of the time it is not.

When a user logs in to the in-house application through the Internet, the same thing happens. The user ID and password are validated against the information stored in the database. If the password stored in the database is encrypted, it has to be decrypted first before it can be compared. The information is then stored in cookies, a URL token or a server session so that the system knows it is the user who logged into the system.

So, the big question is why they use cookies, tokens or sessions to know whether the person currently using the web page is the one who logged into the system. It is because HTTP/HTTPS is connectionless, which means that after you type the address or click on the link and the page has finished loading in your browser (no more spinning icon on the tab or moving progress bar), the connection between you and the server is finished. Without cookies, a URL token or a session there is no way to know that you are the one who logged in before and was authenticated to access resources on that site.

Of course, talking is easy; implementing it in a real environment is much more difficult. You will come across many technologies of cryptography, secure communication, secure coding, and many more security concerns.

Feel free to ask more.

Accepted Solution

by:khairil (earned 300 total points)
ID: 36712087
To simplify what I said:
1. User enters credentials.
2. System validates the credentials.
3. Upon successful authentication, the server saves the user object into a cookie, token or session.
4. System grabs the user info from the cookie, token or session when the user requests a web page.
5. System displays the web page if the session has not yet expired.

I also found this chart for you, but as I said before, different systems use different methods. You can be as creative as you like when designing authentication for users, of course within certain good security guidelines that you should follow.
Attachment: Login-Flowchart.pdf
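The five steps above, and the hashing and session handling described in the longer comment before them, as an added example that is not part of the original thread: a user registers a password (only salt and hash are stored), the credential is validated at login, a random server-side session token is issued, each later request maps the token back to the user, and an expired or unknown session is rejected. The in-memory dicts, the PBKDF2 iteration count and the 15-minute session lifetime are assumptions for the example.

```python
"""Register -> validate credential -> server session -> lookup -> expiry (added example)."""
import hashlib
import hmac
import secrets
import time

USERS = {}     # user_id -> {"salt": bytes, "hash": bytes}   (constructed in-memory store)
SESSIONS = {}  # session token -> {"user_id": str, "expires": float}

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to your hardware
SESSION_TTL_SECONDS = 900     # assumed 15-minute session lifetime
_DUMMY_SALT = bytes(16)       # makes an unknown user cost the same time as a wrong password


def _at(now):
    """Let callers (and tests) pin the clock; default to wall time."""
    return time.time() if now is None else now


def hash_password(password, salt):
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256). The stored bytes
    cannot be turned back into the password, so a database leak does not
    directly leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(user_id, password):
    """First use: the user sets a password; only salt and hash are stored."""
    salt = secrets.token_bytes(16)
    USERS[user_id] = {"salt": salt, "hash": hash_password(password, salt)}


def login(user_id, password, now=None):
    """Steps 1-3: validate the credential and, on success, create a server-side
    session. Returns the opaque session token, or None on failure."""
    record = USERS.get(user_id)
    if record is None:
        hash_password(password, _DUMMY_SALT)   # keep the failure path's timing similar
        return None
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    token = secrets.token_urlsafe(32)          # 256 random bits: unguessable
    SESSIONS[token] = {"user_id": user_id, "expires": _at(now) + SESSION_TTL_SECONDS}
    return token


def current_user(token, now=None):
    """Steps 4-5: map the token presented with a request back to a user.
    Unknown sessions yield None; expired ones are purged and yield None."""
    session = SESSIONS.get(token)
    if session is None:
        return None
    if _at(now) >= session["expires"]:
        del SESSIONS[token]
        return None
    return session["user_id"]


def logout(token):
    """Server-side invalidation; clearing the browser cookie alone is not enough."""
    SESSIONS.pop(token, None)
```

Note what the token proves: only that whoever holds it passed step 2 earlier. The cookie must travel over HTTPS only (Secure, HttpOnly flags) or anyone who captures it is "John Doe" until it expires.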

Author Comment

by:zachvaldez
ID: 36713922
On #2, 'System validates credential': on the first login, not the second, how does the system know that 'John Doe' is the person entering the ID/password?

Expert Comment

by:khairil
ID: 36714390
No, the system DOES NOT know; the system ASSUMES that the one who logged in is John Doe. And the system also ASSUMES that John Doe will not give his login information to anyone else (of course, some people do).

If you get John Doe's login ID and password, you can log on AND the system will still ASSUME you are John Doe. Unless the system uses biometrics like a fingerprint or retina scan; then it is harder to crack.


Author Comment

by:zachvaldez
ID: 36716290
What do you mean when a password is hashed?

Author Comment

by:zachvaldez
ID: 36719100
Thanks for the enlightening responses. Now I understand the limitations. You were truly a great help.

Author Closing Comment

by:zachvaldez
ID: 36719106
Should be a 10!

Expert Comment

by:khairil
ID: 36805077
A password being hashed means that the original password string is not stored in the database; instead, the hashed value of the password is.

Hashing is a one-way function (well, a mapping). It is irreversible: you apply the secure hash algorithm and you cannot get the original string back. There are a lot of hash algorithms.

As a sample:

The word "test" hashed with the MD5 hash function is "098f6bcd4621d373cade4e832627b4f6".

The other similar thing is encryption. Encryption is a proper (two-way) function. It is reversible: you can decrypt the mangled string to get the original string back if you have the key.
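The hash-versus-encryption distinction above, as an added example that is not part of the original thread. It reproduces the MD5 value quoted for "test", then shows the caveat a practitioner would add: one-way does not mean unguessable, since an attacker can hash a list of common words and compare, which is why password storage uses a per-user salt and a slow, iterated hash rather than bare MD5. The reversible half uses XOR with a random key as long as the message (a one-time pad) purely to illustrate "two-way with a key"; the word list is constructed for the example.

```python
"""Hashing is one-way; encryption is two-way given the key (added example)."""
import hashlib
import secrets


def md5_hex(word):
    """MD5 of the text as hex, matching the value quoted in the comment above."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def dictionary_attack(target_hex, wordlist):
    """A hash cannot be inverted, but every guess can be hashed and compared.
    A fast, unsalted hash such as MD5 makes this cheap, so it is a poor choice
    for storing passwords."""
    for word in wordlist:
        if md5_hex(word) == target_hex:
            return word
    return None


def salted_password_hash_hex(password, salt, iterations=600_000):
    """Per-user random salt plus a slow, iterated hash (PBKDF2-HMAC-SHA256).
    The same password gives a different stored value for every user, so one
    precomputed table of hashes no longer works, and each guess is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def xor_with_key(data, key):
    """Keyed, reversible transform: XOR with a random key exactly as long as the
    data (a one-time pad). Applying it again with the same key restores the data;
    without the key the ciphertext says nothing about the plaintext."""
    if len(key) != len(data):
        raise ValueError("key must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def round_trip(plaintext):
    """Encrypt with a fresh random key, then decrypt. Returns (ciphertext, recovered)."""
    key = secrets.token_bytes(len(plaintext))
    ciphertext = xor_with_key(plaintext, key)
    return ciphertext, xor_with_key(ciphertext, key)
```

The contrast in practice: a leaked table of salted PBKDF2 hashes still costs an attacker one slow computation per guess per user, while a leaked table of encrypted passwords is fully recoverable by anyone who also obtains the key.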