Authenticator
Original title: Authenticator
Analysis results
- Category: Geopolitics
- Importance: 59
- Trend score: 23
- Summary: An authenticator is a mechanism or object that a subscriber possesses and controls. This includes passwords and cryptographic tokens.
- Keywords
Authenticator — Grokipedia (fact-checked by Grok 1 month ago)

An authenticator is a mechanism or object that a subscriber possesses and controls—such as a password, cryptographic token, or biometric identifier—to verify a claimant's identity during digital authentication, ensuring secure access to systems and resources. [1] In cybersecurity and information technology, authenticators form the core of authentication protocols, distinguishing between single-factor methods (relying on one element, like a password) and multi-factor authentication (MFA), which combines two or more distinct factors to mitigate risks such as phishing and credential theft. [2] These factors are broadly categorized as something you know (e.g., memorized secrets like passwords or PINs), something you have (e.g., one-time password generators or hardware security modules), and something you are (e.g., biometrics like fingerprints or facial recognition, typically used as a secondary factor). [1] The National Institute of Standards and Technology (NIST) in its SP 800-63-4 guidelines recognizes specific authenticator types, including passwords, look-up secrets (pre-shared values like security questions), out-of-band authenticators (using secondary channels like SMS), single- and multi-factor one-time password (OTP) devices, single- and multi-factor cryptographic authenticators (employing private keys), and syncable authenticators (software or hardware allowing key export for multi-device use). [1] Authenticators are evaluated based on assurance levels defined by NIST, ranging from AAL1 (basic single- or multi-factor authentication for low-risk scenarios, with reauthentication every 30 days) to AAL3 (high-confidence, phishing-resistant multi-factor cryptographic methods for sensitive environments, requiring reauthentication every 12 hours or after 15 minutes of inactivity). [2] These standards mandate features like FIPS 140-validated cryptography for federal systems, resistance to common threats (e.g., non-exportable keys at AAL3), and proper management practices, including issuance, renewal, revocation, and subscriber notification to prevent compromise. [1] By prioritizing phishing-resistant options like multi-factor cryptographic authenticators, modern implementations aim to address evolving cyber threats while balancing usability and privacy. [2]

Fundamentals

Definition and Purpose

An authenticator is a digital or physical object, secret, or biometric trait that serves as a mechanism to prove possession and control of one or more authentication factors, thereby confirming a user's identity in digital systems. [3] According to NIST guidelines, authenticators enable the verification of a subscriber's identity by demonstrating control over these factors during authentication protocols. [4] As of July 2025, NIST's SP 800-63-4 provides the current guidelines, incorporating advancements such as syncable authenticators for multi-device use. [1] The primary purpose of an authenticator is to provide reliable evidence that binds a digital identity to a specific individual, thereby mitigating risks such as impersonation and unauthorized access in applications like online banking, email services, and network systems. [4]

The concept of authenticators has evolved significantly since the introduction of simple passwords in the 1960s, when MIT researcher Fernando Corbató implemented the first password-based system for a time-sharing computer to manage user access among multiple individuals. [5] This marked the shift from physical to digital identity verification, addressing the need for controlled resource sharing in early computing environments. By the late 1980s, authentication systems had advanced toward more robust network protocols; a key milestone was the development of Kerberos at MIT's Project Athena during the 1980s (with a key paper published in 1988), which introduced ticket-based authentication using symmetric cryptography to secure client-server interactions without transmitting passwords over the network. [6] Over subsequent decades, the limitations of single passwords—such as vulnerability to guessing and reuse—drove the transition to multi-layered systems incorporating diverse authenticators for enhanced security.

The basic authentication process involving an authenticator typically unfolds in three core steps. First, the user (claimant) submits the authenticator, such as entering a secret or presenting a token, through a secure channel to the verifying system. [3] Second, the verifier authenticates the submission by comparing it against stored or generated references, such as a hashed secret or a time-based code, to confirm validity. [4] Third, upon successful verification, the system establishes a session, granting the user access while potentially enforcing ongoing protections like session timeouts. [4]

Authentication Factors

Authentication factors represent the foundational elements employed to confirm a user's identity during the authentication process, serving as the building blocks for both single-factor and multi-factor systems. These factors are classified based on the distinct attributes they leverage—either information known to the user, physical objects in their possession, or inherent personal characteristics—ensuring that authentication mechanisms can be tailored to varying security requirements. By combining or selecting from these categories, systems achieve appropriate levels of assurance, with single-factor authentication relying on one type and multi-factor authentication requiring at least two distinct types to mitigate risks like credential compromise. [7] [8]

The first category, known as the knowledge factor or "something you know," involves information that only the legitimate user should possess, such as passwords, personal identification numbers (PINs), or security questions. This factor relies on the user's memory and secrecy maintenance, making it susceptible to phishing or guessing attacks if not managed securely. It forms the basis for many traditional login systems but is rarely used in isolation for high-security contexts due to its vulnerabilities. [8] [1]

The possession factor, or "something you have," requires the user to present a physical or digital item under their control, such as hardware tokens, smart cards, or one-time password generators. These authenticators verify ownership through unique identifiers or cryptographic proofs, providing resistance against remote impersonation but a potential weakness if the item is lost or stolen. Possession-based factors are integral to elevating security in scenarios like remote access. [7] [1]

The inherence factor, referred to as "something you are," utilizes the user's intrinsic biological or behavioral traits for verification, including physiological biometrics like fingerprints, facial recognition, or iris scans, as well as behavioral biometrics such as gait analysis or keystroke dynamics. These methods offer convenience and difficulty of replication but raise privacy concerns and can be affected by environmental changes or spoofing attempts. Inherence factors are probabilistic in nature, contrasting with the deterministic outcomes of the other categories. [8] [1]

Emerging hybrid factors blend elements from multiple traditional categories to enhance adaptability and continuous verification; behavioral biometrics are a prominent example, analyzing dynamic patterns like typing rhythm or mouse movements and potentially incorporating contextual possession data for more robust authentication. These combinations, while often aligned with inherence, allow for seamless integration in multi-factor setups without requiring explicit user actions. [1] [9] This tripartite classification of factors underpins the design of authentication systems, enabling an upfront evaluation of security needs: single-factor approaches suffice for low-risk environments, while multi-factor configurations—mandating distinct factor types—provide layered defenses essential for protecting sensitive digital identities. [7] [4]

Classification

Knowledge-Based Authenticators

Knowledge-based authenticators, often categorized as "something you know," are security mechanisms that verify a user's identity through information only the legitimate user is expected to recall and keep secret. These authenticators emphasize the memorization of unique data, making them one of the oldest and most ubiquitous forms of authentication in digital systems. [1] The primary types of knowledge-based authenticators are memorized secrets, such as static passwords and personal identification numbers (PINs). Passwords are fixed strings chosen by the user, while passphrases consist of longer sequences of words or characters intended for easier memorization yet higher security. Security questions are not permitted as memorized secrets. [1] While symmetric keys may be derived from user-memorized passphrases using password-based key derivation functions (PBKDFs) like PBKDF2, which incorporate a salt and an iteration count to enhance security against brute-force attacks, the resulting cryptographic authenticators are classified as possession-based. [10]

Knowledge-based authenticators offer notable strengths, including low cost and ease of deployment, as they require no specialized hardware or infrastructure beyond standard input interfaces.
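The three-step flow described under Definition and Purpose (submit, compare against a hashed secret or a time-based code, open a session) and the salted, iterated PBKDF2 derivation mentioned just above, as an added example that is not part of the Grokipedia article: a small Python verifier with constructed secrets; the iteration count, session lifetime and TOTP seed are illustrative assumptions, not values from the page.

```python
# Added example (not from the Grokipedia article): a minimal verifier for the
# three-step flow described above. The claimant submits a memorized secret and
# a time-based code; the verifier checks them against a PBKDF2 hash (salt and
# iteration count) and a TOTP from a stored seed, then opens a session with an
# AAL-style reauthentication deadline. Secrets, seeds and parameters below are
# constructed for illustration.
import hashlib
import hmac
import secrets
import struct

PBKDF2_ITERATIONS = 600_000   # constructed choice; tune to your hardware budget
TOTP_STEP_SECONDS = 30
SESSION_LIFETIME = 12 * 3600  # AAL3-style: reauthenticate after 12 hours


def enroll_password(password):
    """Store only a random salt, the iteration count and the derived key."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": key}


def totp(seed, t, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", int(t // TOTP_STEP_SECONDS))
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(record, password, code, seed, now):
    """Step 2: compare the submission with stored/generated references.
    Step 3: open a session only if every factor checks out; None on failure."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    password_ok = hmac.compare_digest(candidate, record["hash"])  # constant-time
    # Accept the current step and one step either side to absorb clock skew.
    code_ok = any(hmac.compare_digest(totp(seed, now + d * TOTP_STEP_SECONDS).encode(),
                                      code.encode()) for d in (-1, 0, 1))
    if not (password_ok and code_ok):  # fail closed; do not reveal which factor failed
        return None
    return {"issued": now, "reauth_deadline": now + SESSION_LIFETIME}


def session_valid(session, now):
    """Ongoing protection: the session expires at the reauthentication deadline."""
    return now < session["reauth_deadline"]
```

Call enroll_password once at enrollment and verify(...) with the current time at each login; the TOTP routine reproduces the RFC 6238 reference vectors, so it can be checked against a standard authenticator app.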
The weaknesses of knowledge-based authenticators, however, are significant: they are highly susceptible to phishing attacks, where users disclose secrets to fraudulent sites; shoulder surfing, in which an observer visually captures the input; and password-cracking methods like dictionary attacks, which systematically test common words or patterns from predefined lists. [1] [11]

Best practices for implementing knowledge-based authenticators focus on enhancing secrecy and resistance to guessing. Verifiers typically enforce password complexity requirements, such as a minimum