This chapter examines the different approaches to authentication, as well as what is considered good practice. It also gives an overview of some of the available technologies for authenticating a user.

‘Something you know, something you have, or something you are’

As explained in more detail in Chapter 3, the four main components of access control used in most information systems are:

• 1 Identification(also called registration): ‘Who are you?’ – the user provides information to identify him/herself, e.g. e-mail address, user ID, name or username.

• 2 Authentication ‘ Are you who you say you are?’ – the user verifies his/her identity or which organization he/she comes from.

• 3 Authorization ‘ What are you allowed to do?’ – the process of determining what the identified and authenticated user is allowed to access and what operations he/she is allowed to carry out. In case of licensed information resources, this is based on user profiles and licensing permissions.

• 4 Accounting The process of collecting statistics and/or billing data. The same tools can also be used to investigate which user accounts may have been compromised due to unauthorized access.

In this chapter we focus on the authentication aspect of access control.

Authentication is a process of establishing the user's right to an identity, in other words, the right to have a name (Lynch, 1998). While identification is usually non-private information provided by the users to identify themselves and can be known by system administrators and other system users, authentication requires private information (Zviran and Elrich, 2006). Names used to authenticate a user do not need to correspond to real names used by the user in real life (Lynch, 1998). Authentication is the first step towards protection of electronic library resources and information systems, so it is important to get it right in order to avoid security issues later.

There are many ways of authenticating a user, most commonly by means of a username and password, but can include any other method of demonstrating identity, such as a smart card, retina scan, voice recognition or fingerprints.

Menkus suggested dividing authentication methods into three types (in Zviran and Elrich, 2006, 5):

• 1 Knowledge-based authentication ‘ Something you know’, e.g. password or PIN (personal identification number). It is based on private information supplied by the user.

• 2 Possession-based ‘ Something you have’, e.g. smart card tokens. It is based on private objects that the user possesses.