Identifying who is logged in to the system

Posted on 2011-09-27
Last Modified: 2012-05-12
How would a bank or system know that John Doe is logging in?
How is that verified? If John Doe says he is from XYZ company and a manager, and he creates a login ID and password, how would the system confirm that? I'm pretty sure the bank will not let John access the account right away the first time he logs in. I'm struggling to understand this security concept. Thanks.
Question by: zachvaldez

Expert Comment

ID: 36711571
One way would be to require the person signing up to provide a company email address for verification.

Author Comment

ID: 36711871
How would I know that the person signing up and creating the ID and password is that person and not someone impersonating them?

Expert Comment

ID: 36711900
If they're providing a corporate email address, and have to click a link sent to that address before being allowed into the system, then you know they at least have a corporate email address. Beyond that, you really can't, unless you ask for some personal identification that you can then verify, like an SSN or something.
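The verification-link approach described in the comment above, as an added example that is not code from the original thread. It assumes a constructed allow-list of corporate domains, an in-memory dictionary standing in for the database, and a list standing in for the outgoing mail queue; only the SHA-256 of the emailed token is stored, so a database leak does not yield usable links. Note what a successful click proves: control of that mailbox at that moment, and nothing more about who the person is.

```python
import hashlib
import secrets
import time

# Constructed allow-list of corporate domains (assumption for this example).
CORPORATE_DOMAINS = {"xyz.example"}
TOKEN_TTL_SECONDS = 15 * 60

# Pending sign-ups keyed by SHA-256(token); a stand-in for a database table.
_pending = {}
# Stand-in for the SMTP client: (recipient, message body) tuples.
_outbox = []


def is_corporate(email):
    """True only for a well-formed address whose domain is on the allow-list."""
    if email.count("@") != 1:
        return False
    return email.rsplit("@", 1)[1].lower() in CORPORATE_DOMAINS


def start_signup(email, now=None):
    """Reject non-corporate addresses, then 'email' a single-use, expiring token.

    The raw token is returned here only so the example can simulate the click;
    a real system hands it to the mail queue and returns nothing to the caller.
    """
    if not is_corporate(email):
        raise PermissionError("not a corporate address")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    key = hashlib.sha256(token.encode()).hexdigest()
    _pending[key] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    _outbox.append((email, "https://app.example/verify?t=" + token))  # hypothetical URL
    return token


def verify(token, now=None):
    """Return the verified email, or None if the token is unknown, expired or reused."""
    now = time.time() if now is None else now
    rec = _pending.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True                          # single use: a replayed link fails
    return rec["email"]


if __name__ == "__main__":
    t = start_signup("john.doe@xyz.example", now=1000.0)
    print(verify(t, now=1100.0))   # john.doe@xyz.example
    print(verify(t, now=1200.0))   # None (already used)
```

Hashing the token before storage is the same idea as hashing passwords: the record in the database is useless on its own, and the presented value is recomputed and looked up at verification time.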

Author Comment

ID: 36711990
How do I authenticate that the user is who he says he is? That is the question I'm struggling with.

Expert Comment

ID: 36712026

The concept differs between services and applications. You should first understand the context in which the concept is used.

1. Open context: email services like Yahoo, Gmail, Hotmail.
The security concept here is simple, but not the way they use algorithms. Since they are public places, they do not need to validate who you are. You can create as many accounts as you like, but to them each account is a different individual, even though they know some people have more than five email accounts on Yahoo alone.

In this case, they are not responsible if anything happens to your account, and they have the right to kick you out. So if your account gets hacked, it is your problem; there is very little they will do for you. You should check the EULA before creating the account.

The same concept goes for PayPal: you can subscribe to as many accounts there as you like. But PayPal holds your credit card number as additional information. When you buy something over the net using PayPal, the third-party site requests the payment from PayPal. PayPal then asks you to log in and presents the payment information to you in the same browser session for validation; if it is valid, you must press the Pay button before the payment happens.

2. Banking
Banking has strict procedures. You have to present them some information about yourself (Social Security Number or passport) and maybe some biometric information like fingerprints or a signature. They then give you a card with a personal PIN. Using that card you then activate the Internet banking system. Depending on the system, you may need to supply a temporary Internet PIN which is different from the PIN of the card.

You then need to activate your Internet banking using this temporary Internet PIN together with the ATM card number, and create your user ID. The system then requests a new password to replace the temporary Internet PIN. To be more secure, the password is not stored directly in the database; instead it is hashed first.

When you log in to Internet banking, the bank's system checks the user ID and password you entered. The password you entered is hashed and compared with the hashed password stored in the database. If it is the same, they let you in. Depending on the system the bank uses, some use secure cookies to know who you are and to store some information, but most banks use a secure token (you can see a weird string in the browser address bar, better known as a query string or the GET method) or a server session. Most good banks use secure HTTP, commonly known as HTTPS, for transactions between the client and the banking servers.

3. In-house applications
Most in-house applications gather data from student records or HR records. The accounts are usually pre-built into the database. Users need to set a new password on first use. The data, however, can be stored as plain data or encrypted data depending on the system they build. The communication between servers can be HTTPS, but most of the time it is not.

When a user logs in to the in-house application through the Internet, the same thing happens. The user ID and password are validated against the information stored in the database. If the password stored in the database is encrypted, it needs to be decrypted first before it can be compared. The information is then stored in cookies, a URL token or a server session so that the system knows it is that user who logged into the system.

So, the big question is why they use cookies, tokens or sessions to know whether the user currently using the web page is the one who logged into the system. It is because HTTP/HTTPS is connectionless, which means that after you type the address or click on the link and the page has finished loading into your browser (no more spinning icon on the tab or moving progress bar), the connection between you and the server is finished. Without cookies, a URL token or a session, there is no way to know that you are the one who logged in before and was authenticated to access resources on that site.

Of course, talking is easy; implementing it in a real environment is much more difficult. You will come across many technologies for cryptography, secure communication, secure coding, and many more security concerns.

Feel free to ask more.

Accepted Solution

khairil earned 300 total points
ID: 36712087
To simplify what I said:
1. User enters credentials.
2. System validates credentials.
3. Upon successful authentication, the server saves the user object into a cookie, token or session.
4. System grabs the user info from the cookie, token or session when the user requests a web page.
5. System displays the web page if the session has not yet expired.

I also found this chart for you, but as I said before, different systems use different methods. You can be as creative as you like when designing authentication for users, of course within certain good security guidelines that you should follow.
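The five steps above as a runnable sketch. This is an added example, not code from the accepted answer: the user table and the clock are constructed stand-ins for a database and wall time, the PBKDF2 iteration count is an assumption to tune for your hardware, and the session id would travel in a cookie (with the Secure and HttpOnly flags) rather than being returned to the caller. It also makes the point raised later in the thread concrete: the session is bound to whoever presented valid credentials, not to a verified person.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 30 * 60      # seconds of inactivity before a session dies
PBKDF2_ROUNDS = 100_000    # assumption: raise this as far as your login latency budget allows


def make_password_record(password):
    """Enrolment: store a random salt and PBKDF2-HMAC-SHA256 of the password, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed user table (stand-in for the database).
USERS = {"johndoe": make_password_record("correct horse battery staple")}
# Server-side session store: session id -> {"user": ..., "last_seen": ...}
_sessions = {}


def check_credentials(user_id, password):
    """Steps 1-2: hash what was typed with the stored salt and compare in constant time."""
    rec = USERS.get(user_id)
    if rec is None:
        # Do the same amount of work for unknown users so response time does not reveal
        # which user IDs exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["hash"])


def login(user_id, password, now=None):
    """Step 3: on success mint an unguessable session id and remember who it belongs to."""
    if not check_credentials(user_id, password):
        return None
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user_id, "last_seen": now}
    return sid


def current_user(sid, now=None):
    """Steps 4-5: map a presented session id back to its user, or None if it is unknown
    or has been idle longer than SESSION_TTL (idle sessions are discarded)."""
    now = time.time() if now is None else now
    sess = _sessions.get(sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > SESSION_TTL:
        del _sessions[sid]
        return None
    sess["last_seen"] = now
    return sess["user"]


def logout(sid):
    """Invalidate server-side so a stolen cookie stops working immediately."""
    _sessions.pop(sid, None)


if __name__ == "__main__":
    sid = login("johndoe", "correct horse battery staple")
    print(current_user(sid))   # johndoe
    logout(sid)
    print(current_user(sid))   # None
```

The server-side store is what makes step 5 possible: expiry and logout are decided by the server, not by whatever the browser chooses to send back.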


Author Comment

ID: 36713922
On #2, 'System validates credentials': on the first login, not the second time, how does the system know that 'John Doe' is the person entering the ID/password?

Expert Comment

ID: 36714390
No, the system DOES NOT know; the system ASSUMES that the one who logged in is John Doe. And the system also ASSUMES that John Doe will not give his login information to anyone else (of course, some do).

If you get John Doe's login ID and password, you can log on AND the system will still ASSUME you are John Doe. Unless the system is using biometrics like a fingerprint or retina scan; then it is harder to crack.


Author Comment

ID: 36716290
What do you mean when you say the password is hashed?

Author Comment

ID: 36719100
Thanks for the enlightening responses. Now I understand the limitations. You were truly a great help.

Author Closing Comment

ID: 36719106
Should be a 10!

Expert Comment

ID: 36805077
A password being hashed means that the original password string is not stored in the database; instead, the hashed value of the password is stored.

Hashing is a one-way function (well, a mapping). It's irreversible: you apply the secure hash algorithm and you cannot get the original string back. There are a lot of hash algorithms.

As a sample:

The word "test" using the MD5 hash function will be "098f6bcd4621d373cade4e832627b4f6"

The other similar thing is encryption. Encryption is a proper (two-way) function. It's reversible: you can decrypt the mangled string to get the original string back if you have the key.
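The contrast drawn above, as an added example that is not part of the original answer. It reproduces the MD5 value quoted in the post, shows that the only operation available on a stored hash is to re-hash a guess and compare, and shows a keyed transform that can be undone. The XOR-with-HMAC keystream is a teaching toy chosen because it needs only the standard library; it has no integrity protection and is not a cipher to deploy (use a vetted AEAD such as AES-GCM in real code). A further caveat the post does not mention: a fast, unsalted hash like MD5 is fine for showing the one-way idea but poor for storing passwords, because equal passwords hash to equal values and guesses can be tried at enormous speed; use a salted, slow function (PBKDF2, bcrypt, scrypt or Argon2) for that job.

```python
import hashlib
import hmac
import os


def md5_hex(text):
    """Plain MD5 of a string, hex-encoded; matches the value quoted in the post."""
    return hashlib.md5(text.encode()).hexdigest()


def verify_by_rehash(candidate, stored_hex):
    """All a verifier can do with a stored hash: hash the guess and compare in constant time."""
    return hmac.compare_digest(md5_hex(candidate), stored_hex)


def _keystream(key, nonce, length):
    """Pseudo-random bytes derived from (key, nonce, counter) with HMAC-SHA256. Toy only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key, plaintext):
    """Reversible: ciphertext = nonce || (plaintext XOR keystream). No authentication tag."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def toy_decrypt(key, blob):
    """The same keystream, regenerated from the stored nonce, undoes the XOR."""
    nonce, ciphertext = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    print(md5_hex("test"))                       # 098f6bcd4621d373cade4e832627b4f6
    key = os.urandom(32)
    blob = toy_encrypt(key, b"account 12345678")
    print(toy_decrypt(key, blob))                # b'account 12345678'
```

The asymmetry is the whole point: with the hash in hand you can confirm a guess but never recover "test" from it, whereas the ciphertext plus the key gives the original bytes back, and the wrong key gives only noise.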
