OS Notes
Authentication in Operating Systems — methods of user identity verification including passwords, biometrics, multi-factor authentication, Kerberos protocol, and challenge-response mechanisms.
Introduction
Authentication is the process of verifying that a user (or process) is who they claim to be. It answers the fundamental question: "Are you really who you say you are?" Before the operating system grants access to any resource — files, memory, network connections, or hardware devices — it must first establish the identity of the requester. Authentication is the first line of defense in any security system.
Think of authentication like showing your ID at a building entrance. The guard (OS) does not care what you plan to do inside (that is authorization) — they only verify your identity first.
Authentication Factors
Authentication methods are categorized into three factors:
Something You Know
The most common factor — secret knowledge that only the legitimate user possesses.
Passwords: The traditional mechanism. The user provides a secret string that matches the stored value.
How passwords are stored:
| WRONG | Store plaintext passwords in a file |
| CORRECT | Store salted hash |
| salt | random value unique to each user (prevents rainbow tables) |
| hash | one-way function (SHA-256, bcrypt, argon2) |
When a user logs in, the OS hashes the provided password with the stored salt and compares it to the stored hash. Even if the password file is stolen, attackers cannot reverse the hashes.
Password vulnerabilities:
- Users choose weak passwords (dictionary attacks succeed)
- Password reuse across services (one breach compromises all)
- Keyloggers capture passwords as typed
- Shoulder surfing in public places
- Phishing tricks users into entering passwords on fake sites
Something You Have
A physical object that the legitimate user possesses:
- Smart cards: Contain a cryptographic chip; must be physically present
- Hardware tokens (YubiKey): Generate or store cryptographic credentials
- Mobile phone: Receives SMS codes or runs authenticator apps (TOTP)
- ID badges: Proximity cards for physical access
Advantage: Cannot be guessed or shared remotely. Disadvantage: Can be lost or stolen; requires hardware investment.
Something You Are
Biometric characteristics unique to the individual:
- Fingerprint: Most common biometric (phone unlock, laptop login)
- Face recognition: Camera-based (Windows Hello, iPhone Face ID)
- Iris/retina scan: Extremely accurate, used in high-security environments
- Voice recognition: Speaker verification based on vocal characteristics
- Behavioral biometrics: Typing rhythm, mouse movement patterns
Advantages: Cannot be forgotten or lost; difficult to forge. Disadvantages: Cannot be changed if compromised; false positives/negatives; privacy concerns.
Multi-Factor Authentication (MFA)
Combining two or more factors dramatically improves security. Even if an attacker steals your password (knowledge factor), they still need your phone (possession factor) to complete authentication.
Common MFA combinations:
- Password + SMS code (widely used but SMS can be intercepted)
- Password + Authenticator app (TOTP — Time-based One-Time Password)
- Password + Hardware key (YubiKey — strongest for phishing resistance)
- Biometric + PIN (phone unlock with fingerprint and backup PIN)
Authentication Protocols
Kerberos
The standard authentication protocol in enterprise networks (Windows Active Directory uses it). Kerberos uses tickets to prove identity without sending passwords over the network.
How Kerberos works:
| 1. Client | KDC (Key Distribution Center): |
| 2. KDC | Client: |
| 3. Client | KDC: |
| 4. KDC | Client: |
| 5. Client | FileServer: |
Key advantages: Password transmitted only once (to get TGT), tickets have expiration times, mutual authentication possible (server proves identity to client too).
Challenge-Response Authentication
Proves knowledge of a secret without transmitting it:
Advantage: The secret is never transmitted — even if an attacker captures the exchange, they cannot extract the password.
Authentication in Unix/Linux
Linux authentication uses the PAM (Pluggable Authentication Modules) framework:
# Password file structure (/etc/passwd)
username:x:UID:GID:comment:home_directory:shell
# Shadow file (/etc/shadow) — only root can read
username:$6$salt$hashed_password:last_change:min:max:warn:inactive:expireThe $6$ prefix indicates SHA-512 hashing. PAM allows plugging in different authentication backends: local passwords, LDAP, Kerberos, biometrics, or custom modules.
Common Attacks on Authentication
| Attack | How It Works | Defense |
|---|---|---|
| Brute force | Try all possible passwords | Account lockout, rate limiting |
| Dictionary attack | Try common passwords/words | Password complexity requirements |
| Rainbow tables | Precomputed hash lookups | Use salted hashes |
| Phishing | Fake login page captures credentials | MFA, security awareness |
| Credential stuffing | Use leaked passwords from other sites | Unique passwords, breach detection |
| Pass-the-hash | Use stolen hash directly | Kerberos with encryption |
| Man-in-the-middle | Intercept authentication exchange | TLS, mutual authentication |
Key Takeaways
- Authentication verifies identity; it must happen before authorization
- Three factors: knowledge (passwords), possession (tokens), inherence (biometrics)
- Multi-factor authentication combines factors for much stronger security
- Passwords must be stored as salted hashes, never in plaintext
- Kerberos avoids sending passwords over the network using ticket-based authentication
- Modern systems increasingly combine biometrics (convenience) with hardware tokens (security)
- No single authentication method is perfect — defense in depth is essential
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Authentication - User Verification.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Operating Systems topic.
Search Terms
operating-systems, operating systems, operating, systems, security, and, protection, authentication
Related Operating Systems Topics