Key-Based Authentication

Validating a user's identity with secret keys and cryptographic algorithms

What is Key-Based Authentication?

Key-based authentication is a more secure, cryptography-backed method of authorization that allows a user to gain access to target resources with the help of secret keys that are stored and guarded in a secure location by the end user. It comes in two main types: SSH key-based authentication and access key-based authentication.

SSH Key-Based Authentication

This method works with SSH key management accounts: user accounts responsible for remote system administration and secure file transfer on Unix-based devices, authenticated with the help of a text certificate, a password, or an RSA/DSA key file. The text form is a public certificate, and the key file is usually a pair of public and private keys, which provide cryptographic security to the SSH server.

SSH key-based authentication provides cryptographic security to the SSH server, where the algorithm works with a public key and private key pair. The user is granted access to data on the SSH server when the user's private key proves possession of the key matching the public key stored on the SSH server, which completes authentication.

  1. The public key is available to any user who needs it and is bound to a user's identity by a public key certificate. Public keys that the SSH server considers trustworthy are called authorized keys.
  2. The private key is specific to a user; it is secret and never shared with any other user. It is protected by a passphrase. Only a user holding the private key that corresponds to an authorized public key can be authorized to access data on the SSH server; such keys are called identity keys.
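An added example, not code from this page or from Sectona's product: a small audit of an `authorized_keys` file in the terms the section uses, parsing each entry's options, key type and key blob, measuring RSA/DSA key sizes and flagging entries a defender would review (DSA keys, short RSA keys, entries with no `from=`/`command=` restriction). The 3072-bit threshold, the sample entries and the all-zero placeholder key material are assumptions.

```python
import base64, re, struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
MIN_RSA_BITS = 3072  # assumed local policy threshold, not a value from the page

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b
def build_blob(key_type, fields):
    # base64 blob of length-prefixed strings (SSH wire format); used only to build sample entries
    raw = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()
def _strings(raw):
    off = 0
    while off < len(raw):
        (n,) = struct.unpack_from(">I", raw, off)
        yield raw[off + 4:off + 4 + n]
        off += 4 + n

def audit_line(line):
    # split on whitespace but keep quoted option values (command="...") whole
    tokens = re.findall(r'(?:[^\s"]|"[^"]*")+', line.strip())
    idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)
    key_type, options = tokens[idx], ",".join(tokens[:idx])
    fields = list(_strings(base64.b64decode(tokens[idx + 1])))
    if fields[0].decode() != key_type:
        raise ValueError("key type field does not match the key blob")
    bits, findings = None, []
    if key_type == "ssh-rsa":    # blob fields: type, e, n
        bits = int.from_bytes(fields[2], "big").bit_length()
        if bits < MIN_RSA_BITS:
            findings.append(f"rsa key only {bits} bits")
    elif key_type == "ssh-dss":  # blob fields: type, p, q, g, y
        bits = int.from_bytes(fields[1], "big").bit_length()
        findings.append("dsa key: deprecated and refused by default in modern OpenSSH")
    if not re.search(r"(^|,)(from|command)=", options):
        findings.append("no restricting options (from=, command=)")
    return {"key_type": key_type, "bits": bits, "options": options,
            "comment": " ".join(tokens[idx + 2:]), "findings": findings}

def audit_file(text):
    return [audit_line(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

# constructed sample authorized_keys content; all-zero key material, not real keys
SAMPLE = "\n".join([
    "ssh-ed25519 " + build_blob("ssh-ed25519", [bytes(32)]) + " alice@laptop",
    'command="/usr/local/bin/backup.sh",no-pty ssh-rsa '
    + build_blob("ssh-rsa", [b"\x01\x00\x01", b"\x80" + bytes(255)]) + " backup",
    "ssh-rsa " + build_blob("ssh-rsa", [b"\x01\x00\x01", b"\x80" + bytes(127)]) + " old",
    "ssh-dss " + build_blob("ssh-dss", [b"\x80" + bytes(127), b"\x01", b"\x02", b"\x03"]) + " legacy",
])
```

Running `audit_file(open("~/.ssh/authorized_keys").read())` on a real file gives one record per entry; the `findings` list is what an access review would act on.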

Why Use Key-Based Authentication?

Aside from offering significant security benefits, this authentication provides a few other advantages as well. These are:

  • Policy is set on a per-key or per-user basis.
  • Key access is centrally granted, managed, monitored, and revoked.
  • Granular security controls can be achieved with a few clicks.
  • Key-based authentication simplifies compliance as key usage is logged and auditable.

AWS Token-Based Authentication

Amazon Web Services accommodates two types of users: a root user and IAM users. The root user can log into the AWS Management Console with the email address and password associated with the AWS account and works on tasks specific to the root user. An IAM user can log into the console with their AWS account ID and password to work on everyday AWS tasks. AWS also allows another method of access, through access keys, which let a user make programmatic calls to AWS or use the AWS Tools for PowerShell or the AWS Command Line Interface.

The credentials are account specific and must be stored carefully. Once you log in and open the user's profile, there is an access keys tab, where each access key is a pair consisting of an access key ID and a secret access key. Access keys are limited to two per user, and the secret can be downloaded and stored only upon its creation. These access keys can then be used to gain programmatic access.

Should I Use Token-Based Authentication?

Token-based authentication works well, typically, when you:
  1. Often grant temporary access – Your user base fluctuates based on time, date, or a special event. Granting and revoking access repeatedly is tiresome, and tokens help in that regard.
  2. Require granular access – Granting different levels of access to different resources for different users. Passwords don't allow that level of detail.

Is Token-Based Authentication Secure?

Yes. Instead of a cookie, a token is sent on every request, which helps prevent CSRF attacks. Even if the token is stored within a cookie on the client side, the cookie is just a storage mechanism, not an authentication one. Since there is no session, there is no session-based information one can manipulate.

Moreover, the token expires after a set period of time, requiring the user to log in once again. There is also the concept of token revocation, which allows clients to indicate to the authentication server that a specific token is no longer needed and must be invalidated.

How does Sectona Fulfil this requirement?

The Sectona Privileged Access Management solution has a robust, automated built-in password management module that supports key-based authentication for both SSH key-based authentication and AWS token-based authentication, ensuring access to the target assets is secured and protected. The preview below provides an overview of the authentication types and the variables required to configure the account.