Closed-loop authentication

Closed-loop authentication, as applied to computer network communication, refers to a mechanism whereby one party verifies the purported identity of another party by requiring them to supply a copy of a token transmitted to the canonical or trusted point of contact for that identity. It is also sometimes used to refer to a system of mutual authentication whereby two parties authenticate one another by signing and passing back and forth a cryptographically signed nonce, each party demonstrating to the other that they control the secret key used to certify their identity.

E-mail Authentication

Closed-loop email authentication is useful for simple situations where one party wants to demonstrate control of an email address to another, as a weak form of identity verification. It is not a strong form of authentication in the face of host- or network-based attacks (where an imposter, Chuck, is able to intercept Bob's email, intercepting the nonce and thus masquerading as Bob).

Closed-loop email authentication is also used by parties with a shared secret relationship (for example, a website and someone with a password to an account on that website), where one party has lost or forgotten the secret and needs to be reminded. The party still holding the secret sends it to the other party at a trusted point of contact. The most common instance of this usage is the "lost password" feature of many websites, where an untrusted party may request that a copy of an account's password be sent by email, but only to the email address already associated with that account. A problem associated with this variation is the tendency of a naïve or inexperienced user to click on a URL if an email encourages them to do so. Most website authentication systems mitigate this by permitting unauthenticated password reminders or resets only by email to the account holder, but never allowing a user who does not possess a password to log in or specify a new one.
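The closed loop described above can be sketched as follows. This is an added example, not code from the article or from any particular website: the `ClosedLoop` class, the 15-minute lifetime, the in-memory outbox standing in for a mail sender, and the sample accounts and addresses are all assumptions, and it mails a one-time token rather than the password itself.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # seconds a token stays valid (assumed value)

class ClosedLoop:
    """Send a one-time token to the registered address; check the copy returned."""
    def __init__(self, registered, clock=time.time):
        self.registered = registered   # account -> e-mail address already on file
        self.pending = {}              # account -> (sha256 of token, expiry time)
        self.outbox = []               # stands in for a mail sender: (address, token)
        self.clock = clock

    def request(self, account, claimed_address=None):
        # The requester is untrusted: an address they supply is ignored and the
        # token goes only to the address already associated with the account.
        address = self.registered.get(account)
        if address is None:
            return                     # unknown accounts get the same silent outcome
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[account] = (digest, self.clock() + TOKEN_TTL)
        self.outbox.append((address, token))

    def confirm(self, account, token):
        # pop() makes every issued token single-use, even after a wrong guess.
        digest, expires = self.pending.pop(account, (b"", 0.0))
        supplied = hashlib.sha256(token.encode()).digest()
        return self.clock() < expires and hmac.compare_digest(digest, supplied)

def demo():
    now = [1_000.0]                    # constructed clock so expiry is repeatable
    loop = ClosedLoop({"bob": "bob@example.org"}, clock=lambda: now[0])
    loop.request("bob", claimed_address="chuck@example.net")
    address, token = loop.outbox[-1]
    results = {"sent_to": address,
               "first_use": loop.confirm("bob", token),
               "replay": loop.confirm("bob", token)}
    loop.request("bob")
    _, stale = loop.outbox[-1]
    now[0] += TOKEN_TTL + 1            # let the second token expire
    results["expired"] = loop.confirm("bob", stale)
    loop.request("bob")
    results["guess"] = loop.confirm("bob", "not-the-token")
    return results

if __name__ == "__main__":
    print(demo())
```

A successful `confirm` shows only that the caller can read mail delivered to the registered address, which is why the scheme counts as a weak form of identity verification.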

In some instances in web authentication, closed-loop authentication is employed before any access is granted to an identified user that would not be granted to an anonymous user. This may be because the nature of the relationship between the user and the website is one that holds some long-term value for one or both parties (enough to justify the increased effort and decreased reliability of the registration process). It is also used in some cases by websites attempting to impede programmatic registration as a prelude to spamming or other abusive activities.

Closed-loop authentication (like other types) is an attempt to establish identity. It is not, however, incompatible with anonymity, if combined with a pseudonymity system in which the authenticated party has adequate confidence.

See also

See Category:Computer security for a list of all computing and information-security related articles.
  • Information Security
  • Authentication
  • Cryptography

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 