• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 341

Identifying who is logged in to the system

How would a bank or system know that John Doe is logged in?
How is that verified? If John Doe says he is from xyz company and a manager, and he creates a login id and pw, how would the system confirm that? I'm pretty sure the bank will not let John access the account right away the first time he logs in. I'm struggling to understand this security concept. Thanks.
0
Asked: zachvaldez
1 Solution
 
RainverseCommented:
One way would be to require the person signing up to provide a company email address for verification.
0
 
zachvaldezAuthor Commented:
How would I know that the person signing up and creating the ID and pw is that person and not impersonating him?
0
 
RainverseCommented:
If they're providing a corporate email address, and have to click a link sent to that address before being allowed into the system, then you know they at least have a corporate email address. Beyond that, you really can't, unless you ask for some personal identification that you can then verify, like an SSN or something.
0
 
zachvaldezAuthor Commented:
How do I authenticate that the user is who he says he is? That is my struggling question.
0
 
khairilCommented:
Hi,

The concept is different between services or applications. You should understand the context in which the concept is used first.

1. Open context, email services like Yahoo, Gmail, Hotmail.
The security concept here is simple, but not the way they use the algorithm. Since they are public places they do not need to validate who you are. You can create as many accounts as you like, but for them each account is a different individual, even though they know some people have more than five email accounts on Yahoo alone.

In this case, they will not be responsible if anything happens to your account and they have the right to kick you out. So if your account gets hacked then it is your problem; there is very little they will do for you. You should check the EULA before creating the account.

The same concept goes for PayPal: you can subscribe to as many accounts there as you like. But PayPal holds your credit card number as additional information. When you buy things over the net using PayPal, the third-party site will request the payment from PayPal. PayPal then asks you to log in and presents the payment information to you in the same browser session for validation; if it is valid then you must press the pay button before the payment happens.

2. Banking
Banks have strict procedures. You have to present them some information about yourself (Social Security Number or passport) and maybe some biometric information like fingerprints or a signature. They then give you a card with a personal PIN number. Using that card you then activate the Internet Banking system. Depending on the system, you may need to supply a temporary Internet PIN number which is different from the PIN of the card.

You then need to activate your Internet Banking using this temporary Internet PIN number together with the ATM card number, and create your User ID. The system then requests a new password to replace the temporary Internet PIN number. To be secure, the password is not stored directly in the database; instead it is hashed first.

When you log in to the internet banking, the internet banking system will check the User ID and password you entered. The password you entered gets hashed and compared with the hashed password stored in the database. If it is the same then they will allow you in. Depending on the system the bank uses, some will use secure cookies to know who you are and to store some information, but most banks use a secure token (you can see a weird string in the browser address bar, also known as a query string or GET method) or a server session. Most good banks will use secure HTTP, commonly known as HTTPS, for transactions between the client and the banking servers.

3. In-House Application
Most in-house applications will gather data from the student record or HR record. Their accounts are usually prebuilt into the database. Users will need to set a new password on first use. The data however can be stored as plain data or encrypted data depending on the system they build. The communication with the server can be HTTPS but most of the time it is not.

When a user logs in to the in-house application through the internet, the same thing happens. The User ID and password will be validated against the information stored in the database. If the password stored in the database is encrypted then it needs to be decrypted first before it can be compared. The information is then stored in cookies, a URL token or a server session so the system knows it is the user who logged into the system.

So, the big question is why they are using cookies, tokens or sessions to know whether the user currently using the webpage is the one who logged into the system. It is because HTTP/HTTPS is connectionless, which means that after you type the address or click on the link and the page finishes loading into your browser (no more spinning icon on the tab or moving progress bar), the connection between you and the server is finished. Without cookies, a URL token or a session there is no way to know you are the one who logged in before and was authenticated to access resources on that site.

Of course, talking is easy; implementing it in a real environment is much more difficult. You will come across many technologies of cryptography, secure communication, secure coding, and many more security concerns.

Feel free to ask more.
0
 
khairilCommented:
To simplify what I said:
1. User enters credential.
2. System validates credential.
3. Upon successful authentication, server saves user object into cookies, token or session.
4. System grabs user info from cookies, token or session when user requests a web page.
5. System displays webpage if session not yet expired.

I also found this chart for you, but as I said before, different systems use different methods. You can be as creative as you like when designing authentication for users, of course with certain good security guidelines that you should follow.

Login-Flowchart.pdf
0
 
zachvaldezAuthor Commented:
On #2, 'System validates credential', on login the first time, not the second time... how does the system know that 'john doe' is the person entering the id/password?
0
 
khairilCommented:
No, the system DOES NOT know; the system ASSUMES that the one who logged in is john doe. And the system also ASSUMES that john doe will not give his login information to anyone else (of course someone did).

If you have john doe's Login ID and password, you can log on AND the system will still ASSUME you are john doe. Unless the system is using biometrics like a fingerprint or retina scan; then it is harder to crack.

0
 
zachvaldezAuthor Commented:
What do you mean when a pw is hashed?
0
 
zachvaldezAuthor Commented:
Thanks for the enlightening responses. Now I understand the limitations. You were truly a great help.
0
 
zachvaldezAuthor Commented:
Should be a 10!
0
 
khairilCommented:
A password being hashed means that the original password string is not stored in the database; instead the hashed value of the password is.

Hashing is a one-way function (well, a mapping). It's irreversible: you apply the secure hash algorithm and you cannot get the original string back. There are a lot of hash algorithms.

As a sample:

The word "test" using the MD5 hash function will be "098f6bcd4621d373cade4e832627b4f6"

The other similar thing is encryption. Encryption is a proper (two-way) function. It's reversible: you can decrypt the mangled string to get the original string back if you have the key.
0
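As an added example (not code from this thread or from any of the posters), here is the flow khairil describes in Python: registration stores only a salted hash of the password, login hashes what was typed and compares it to the stored hash, and a random session token is issued so later requests can be mapped back to a user. It also reproduces the plain MD5 of "test" from the answer above, but stores passwords with salted PBKDF2 instead, so two users with the same password get different stored values. The function names and the in-memory USERS and SESSIONS stores are my own assumptions standing in for a real database.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-ins for a real database and session store.
USERS = {}     # user id -> (salt, password hash)
SESSIONS = {}  # session token -> user id


def md5_hex(word: str) -> str:
    """Plain MD5 as in the answer above: one-way, but unsalted and fast."""
    return hashlib.md5(word.encode()).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) for storage.

    The salt makes identical passwords hash differently; the iteration
    count makes guessing against a leaked table expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(user_id: str, password: str) -> None:
    """Step 0: keep only salt + hash, never the password itself."""
    salt = os.urandom(16)
    USERS[user_id] = (salt, hash_password(password, salt))


def login(user_id: str, password: str):
    """Steps 1-3: validate the credential, then issue a session token."""
    record = USERS.get(user_id)
    if record is None:
        return None
    salt, stored = record
    # Hash what was typed with the stored salt and compare in constant time.
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    token = secrets.token_urlsafe(32)   # unguessable; sent back in a cookie
    SESSIONS[token] = user_id
    return token


def whoami(token: str):
    """Step 4: a later request carries only the token; the server maps it back.

    As khairil says, the server only ASSUMES the holder of a valid token
    (or of the right password) is that user; it cannot tell otherwise.
    """
    return SESSIONS.get(token)
```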