Guideline on User Authentication Techniques for Computer Network Access Control

This Guideline provides information and guidance to Federal agencies on techniques and practices which can be used to control access to computer resources via remote terminals and networks. A variety of methods are described for verifying the identity of persons using remote terminals, as a safeguard against unauthorized usage. This Guideline discusses the three basic ways which may serve as a basis for verifying a person's identity: something the person KNOWS, such as a password; something the person HAS, such as a key or access card; or something ABOUT the person, such as fingerprints, signature, voice, or other personal attribute. The ability to automatically verify a person's identity via a unique personal attribute offers the prospect of greater security, and equipment for accomplishing this is beginning to emerge. There are several promising laboratory developments, although such equipment has not yet been interfaced to computer terminals to any great extent. In view of the present dependence on authentication techniques other than personal attributes, this Guideline provides advice on the effective use of passwords. This Guideline also discusses a variety of cards and badges with various forms of machine-readable coding that may be used for access control. In order to protect information used for identity verification, encryption is recommended.