From Surf Wiki (app.surf) — the open knowledge base
Closed-loop authentication
Method for proving control of a contact point (e.g., an email address)
Method for proving control of a contact point (e.g., an email address)
Closed-loop authentication, as applied to computer network communication, refers to a mechanism whereby one party verifies the purported identity of another party by requiring them to supply a copy of a token transmitted to the canonical or trusted point of contact for that identity. It is also sometimes used to refer to a system of mutual authentication whereby two parties authenticate one another by signing and passing back and forth a cryptographically signed nonce, each party demonstrating to the other that they control the secret key used to certify their identity.
E-mail authentication
Main article: Opt-in email
Closed-loop email authentication is useful for simple situations where one party wants to demonstrate control of an email address to another, as a weak form of identity verification. It is not a strong form of authentication in the face of host- or network-based attacks (where an imposter, Chuck, is able to intercept Bob's email, intercepting the nonce and thus masquerading as Bob.)
A common use of closed-loop email authentication is account recovery in a shared secret relationship (for example, a website account protected by a password). Rather than emailing a copy of a password, modern sites send a time-limited, single-use reset link or token to the pre-registered address so the account holder can set a new password. Historically, some systems did email existing passwords or auto-generated new ones, but this is now discouraged because services should not store recoverable passwords.
A problem associated with this variation is the tendency of a naïve or inexperienced user to click on a URL if an email encourages them to do so. Most website authentication systems therefore permit unauthenticated password resets only via links sent to the account holder’s registered address; they do not email existing passwords or allow a user who does not possess a password to log in or specify a new one. Security guidance also cautions that email should not be treated as an out-of-band authenticator because it does not prove possession of a specific device.
In some instances in web authentication, closed-loop authentication is employed before any access is granted to an identified user that would not be granted to an anonymous user. This may be because the nature of the relationship between the user and the website is one that holds some long-term value for one or both parties (enough to justify the increased effort and decreased reliability of the registration process.) It is also used in some cases by websites attempting to impede programmatic registration as a prelude to spamming or other abusive activities.
Closed-loop authentication (like other types) is an attempt to establish identity. It is not, however, incompatible with anonymity, if combined with a pseudonymity system in which the authenticated party has adequate confidence.
References
:*
References
- "Forgot Password Cheat Sheet". OWASP Foundation.
- "Password Storage Cheat Sheet". OWASP Foundation.
- "Forgot Password Cheat Sheet". OWASP Foundation.
- (2023). "NIST SP 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management". NIST.
This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page.
Ask Mako anything about Closed-loop authentication — get instant answers, deeper analysis, and related topics.
Research with MakoFree with your Surf account
Create a free account to save articles, ask Mako questions, and organize your research.
Sign up freeThis content may have been generated or modified by AI. CloudSurf Software LLC is not responsible for the accuracy, completeness, or reliability of AI-generated content. Always verify important information from primary sources.
Report