2 Authentication Basics

Chapter 1, “Logon Problems,” covered logon problems and, in particular, the problems with password authentication. Chapter 2 covers the basics of authentication in general. It is a fairly in-depth look at authentication from top to bottom and from beginning to end, from simple logons to complex mega-systems and everything in between. If you have ever wanted to know what authentication entails, this is the chapter to read.

You will hear about the CIA (Confidentiality, Integrity, and Availability) triad, which is used to summarize the major security control categories. Authentication certainly includes all those components, but it also includes more. Here are the components and considerations of any authentication system, all of which are covered in this book:

  • Confidentiality
  • Integrity
  • Availability
  • Identity management life cycle
  • Scope of control/security domain
  • Usability
  • User control
  • Privacy
  • Protocols/standards/APIs
  • Auditing/accounting/event logging

The primary purpose of authentication is to confirm a subject's ability to access protected resources (e.g., security domains, files, folders, sites, services). The process determines whether the subject is who they claim to be and whether they can prove it.
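
The two steps described above (a subject claims an identity, then proves it) are separate from the decision about which resources that identity may reach. The following Python example is added here to illustrate that separation; it is not code from the book or its author. It assumes a password-based proof stored as a salted PBKDF2 hash, an iteration count of 600,000 (an assumed cost setting), and constant-time comparison so that a failed proof does not leak information through timing. The identities, password, and resource names are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed cost setting; tune for your own hardware and threat model.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass
class Credential:
    """What the verifier stores: never the password itself, only a salted hash."""
    salt: bytes
    digest: bytes


def derive(password: str, salt: bytes) -> bytes:
    """Turn a password proof into a fixed-length digest under the stored salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class AuthSystem:
    # identity -> Credential (identification + proof material)
    credentials: dict = field(default_factory=dict)
    # resource -> set of identities allowed to access it (authorization)
    permissions: dict = field(default_factory=dict)

    def register(self, identity: str, password: str) -> None:
        """Enroll a subject with a fresh random salt so equal passwords hash differently."""
        salt = os.urandom(SALT_BYTES)
        self.credentials[identity] = Credential(salt=salt, digest=derive(password, salt))

    def grant(self, resource: str, identity: str) -> None:
        """Record that an already-known identity may access a resource."""
        self.permissions.setdefault(resource, set()).add(identity)

    def authenticate(self, claimed_identity: str, password: str) -> bool:
        """Step 1 and 2: does the subject claim a known identity, and can they prove it?"""
        cred = self.credentials.get(claimed_identity)
        if cred is None:
            # Do the same amount of work for unknown identities so response time
            # does not reveal which usernames exist.
            derive(password, b"\x00" * SALT_BYTES)
            return False
        candidate = derive(password, cred.salt)
        # Constant-time comparison: do not short-circuit on the first mismatching byte.
        return hmac.compare_digest(candidate, cred.digest)

    def access(self, claimed_identity: str, password: str, resource: str) -> str:
        """Authentication decides who you are; authorization decides what you may touch."""
        if not self.authenticate(claimed_identity, password):
            return "denied: authentication failed"
        if claimed_identity not in self.permissions.get(resource, set()):
            return "denied: not authorized"
        return "granted"


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    system = AuthSystem()
    system.register("alice", "correct horse battery staple")
    system.grant("payroll.xlsx", "alice")
    print(system.access("alice", "correct horse battery staple", "payroll.xlsx"))
    print(system.access("alice", "correct horse battery staple", "board-minutes.docx"))
    print(system.access("alice", "wrong password", "payroll.xlsx"))
```

Note that an authentication failure and an authorization failure are reported differently to the caller here only so the distinction is visible; a production system would log the detail and return a uniform error to the subject, which is one of the auditing/accounting concerns listed above.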

Not all things require authentication. For example, most of the web surfing we do requires no authentication. We don't want to have to authenticate to do an Internet search, download a public document, or read the news. But much ...
