Database Authentication Methods
Your data is valuable. Therefore, protecting access to your data is critical. Data access in database can be restricted through authentication protocols. There are 5 main authentication types: password; certificate-based, token-based; biometric and multi-factor. These authentication types fall into three categories, or types. Type 1 is “Something You Know”. Type 2 is “Something You Have”. Type “3” is “Something You Are”.
Password Based Authentication
You are probably most familiar with password-based authentication. Password based authentication is an example of “Something You Know”. Just like you use a password to access your email, most database systems let you setup user accounts and passwords.
If you elect to use passwords to protect your database you should ensure that user passwords are not easy to guess. Passwords should never contain personal information like birthdates or family member names. They should be 8 characters or longer, using a mix of upper and lower case, numbers and special characters. To make them easy to remember your users can modify easy-to-remember phrases, with mixed case and special characters inserted.
Certificate Based Authentication
Certificate based authentication uses a digital certificate to uniquely identify a device or user. This certificate must be present on your computer, phone or tablet before you can gain access to your database. Certificate Based Authentication is an example of “Something You Have”. Unlike SSL or X.509 certificates, where your computer is trying to verify the identify of the server, in certificate-based authentication, the server is trying to verify you, based on the certificate your system presents. This means certificates can be used to authenticate the server and the client. Please note that once you have a certificate installed on your system, the whole process usually happens automatically in the background. You probably won’t even be aware that a certificate is being exchanged.
There are also other types of certificate exchange. “Mutual TLS” allows 2-way authentication, where the user can verify the authenticity of the server, and the server can verify the authenticity of the client. This process happens through the exchange and verification of certificates on both ends. In the context of a database “Mutual TLS” would be handy of the user wanted to make sure that the service they were submitted information to was legitimate, and the service wanted to make sure that the user was authorized to submit the information.
Other example of certificates includes “PIV”. PIV stands for personal identity verification. PIV is simply a mechanism that binds your personal information (like name and organization), to a private key certificate. This certificate can be stored on ID badges, ID cards and other physical devices, and can be automatically scanned when you require access to a service. When the certificate is scanned, a database lookup is performed, and corresponding personal information is returned. There are specialized versions of a PIV like a “CAC”, which is for the department of defense. The federal government also has its version of a PIV, that is now recognized as a valid form of ID similar to a passport, drivers license or military ID.
Token Based Authentication
Token based authentication provides a user with an access code, which can be used to access your database. The access codes are typically time limited and can be provided by apps (like Google Authenticator and Microsoft Authenticator). They can also be provided by physical hardware. Hardware tokens are usually small devices about the size of a credit card or USB flash drive, with a display showing a number, usually 6 digits long. This number usually changes a few times a minute. To access a database using token-based authentication you need the number generated by the device. This is an example of “Something You Have”.
Hard and Soft tokens offer many advantages:
- Token are stateless as they are self contained.
- Flexible generation as tokens can be generated from any location, providing you have the right software or hardware.
- Full control over access, as you can choose who has access to the token. Only people who have the token will be able to access your system.
Biometric authentication is an example of “Something You Are”. It uses biometric data that is unique to you. Types of biometric authentication include fingerprint scans, iris retina scans, or voice prints. Before you can access your database, you’ll need to prove you are who you say you are by providing the requested biometric information. Biometric authentication often requires 3rd party hardware like “Fujitsu palmsecure”.
Biometric authentication can even use ongoing behavior like “keystroke biometrics”, which measures your typing style. Unlike most authentication mechanisms that only verify your identity at the start of a section, keystroke biometrics can continually verify you are you say you are, by comparing your present behavior to your past behavior.
Multi-Factor authentication is exactly as the same implies – it’s a combination of 2 or more authentication techniques. Perhaps the most popular combination is a combination of passwords and tokens. This is an example of two factor authentication, a subset of multi-factor authentication.
There are many companies that offer multi-factor authentication services like “YubiKey”. YubiKey has a piece of hardware that plugs into your mobile device or computer, which can take fingerprint scans. Using this setup, before you can use access your system, you will need to scan your fingerprint on the device, and you will need to enter your username / password.
Difference Between Authentication and Authorization
Authentication and authorization are sometimes used interchangeable, but the terms refer to different security mechanisms. Authentication, the focus of this article, verifies that the user is who they say they are. On the other hand, authorization gives users access to specific functionality or resources. Therefore, a user be authenticated but not authorized.
One example of when this might happen is if a user only has permission to view information in your database, not update it. In this scenario the user would be fully authenticated by the database system, but would only be authorized to view data.
Authorization is typically restricted to user roles. For example, SQL offers roles that let you manage server permissions. What you are allowed to do with the database is governed by your role.
Tracker Ten Authentication
Our windows desktop Tracker Ten database system uses optional password protection. Passwords can be set for read and write access, or read access only. Passwords are linked to files, so each file can have its own password.