2.4 - Authentication and Authorization

Question 1

What is a directory service?

Answer 1

It keeps all of the organization’s usernames and passwords in a single database (ex. AD).

Question 2

Define federation and a federated network.

Answer 2

Federation : Providing network access to to others outside of the organization, not just employees - partners, suppliers, customers, etc.

Federated Network: Allows for authentication and authorization between two organizations (logging in with google credentials).

Question 3

What is attestation?

Answer 3

Proving that the hardware is really yours or that the hardware is something that can be trusted interacting with or within a network.

Remote attestation: The device provides an operational report to a verification server. It is encrypted and digitally signed with the TPM. An IMEI or other unique hardware component can be included in the report.

Question 4

How might one authenticate with SMS?

Answer 4

After you provided your login information, you receive an SMS to a predefined phone number.

Question 5

What are some of the security issues that exist with SMS authentication?

Answer 5

1) The phone number can be reassigned to a
different phone
2) SMS messages can be intercepted

Question 6

How might one authenticate with a push notification?

Answer 6

A similar process to SMS. The authentication factor is pushed to a specialized app. This is usually on a mobile device. More secure that SMS.

Question 7

What are some of the security issues that exist with push notification authentication?

Answer 7

1) Applications can be vulnerable
2) Some push apps send in the clear

Question 8

How might one authenticate with an authentication app?

Answer 8

A pseudo-random token generator on your phone.

Question 9

Define TOTP.

Answer 9

Time-based One-Time Password algorithm

A secret key and the time of day are used to generate a token for authentication. The secret key is configured ahead of time, and timestamps are synchronized via NTP.

Google, Facebook, Microsoft, etc.

Question 10

Define HOTP.

Answer 10

HMAC-based One-Time Password algorithm

Keyed- hash message authentication code (HMAC)

One- Time passwords are generated, once a session and each authentication attempt. The keys are based on a secret key and a counter. The hash is different every time.

Question 11

How might one use a phone call to authenticate?

Answer 11

A voice call provides the token.

Question 12

What are the security issues with using a phone call to authenticate?

Answer 12

1) Phone call can be intercepted or forwarded
2) Phone number can be added to another phone

Question 13

What are some examples of static codes for authentication?

Answer 13

Personal Identification Number (PIN)
Password
Passphrase

Question 14

How might one use a smart card to authenticate?

Answer 14

A smart card (something you have) can be used. It includes an integrated circuit, and it can be through contact or contactless. You must have the physical card.

Can be used in conjunction with other authentication methods.

Question 15

What are some examples of biometric factors?

Answer 15

Fingerprint scanner, Retinal scanner, iris scanner, voice recognition, facial recognition

Gait analysis: Identify a person based on how they walk

Veins

Question 16

What are the five types of authentication factors?

Answer 16

1) Knowledge Factor
- Something you know
2) Possession Factor
- Something you have
3) Inherence Factor
- Something you are
4) Location Factor
- Somewhere you are
5) Behavior Factor
- Something you exhibit

Question 17

Define the False Acceptance Rate (FAR) in terms of biometrics.

Answer 17

The likelihood that an unauthorized user will be accepted. You can increase sensitivity to counter this.

Question 18

Define False Rejection Rate (FRR) in terms of biometrics.

Answer 18

The likelihood that an authorized user will be rejected. Might be too sensitive.

Question 19

Define Crossover error rate (CER) in terms of biometrics.

Answer 19

The overall accuracy of a biometric system or the rate at which FAR and FRR are equal. The sensitivity should be adjusted to equalize both values.

Question 20

What is the AAA framework?

Answer 20

1) Identification
-This is who you claim to be
- Username
2) Authentication
3) Authorization
4) Accounting

Question 21

What are the features of cloud-based authentication security?

Answer 21

Third-party can manage platform
Centralized Platform
Automation options with API integration
May include additional options (for a cost)

Question 22

What are some of the features of an On-premises authentication system?

Answer 22

Internal monitoring and management
Internal expertise
External access must be granted and managed

Question 23

List three authentication factors.

Answer 23

1) Something you know
2) Something you have
3) Something you are

Question 24

List four authentication attributes.

Answer 24

1) Somewhere you are
2) Something you can do
3) Something you exhibit
4) Someone you know

Question 25

What are some examples of Something you know?

Answer 25

Password
PIN
Pattern

Question 26

What are some examples of Something you have?

Answer 26

Smart card
USB token
Hardware or software tokens (can be on a mobile
phone)
Your phone

Question 27

What are some examples of Something you are?

Answer 27

Biometric
- Usually stores a mathematical representation of
your biometric
- Difficult to change

Question 28

What are some examples of the attribute Somewhere you are?

Answer 28

Location
IP address can be used to gauge location
GPS
Mobile device location

Question 29

What are some examples of the attribute Something you can do?

Answer 29

Handwriting
Signature

Question 30

What are some examples of the attribute Something you exhibit?

Answer 30

Gait analysis
Typing analysis

Question 31

What are some examples of the attribute Someone you know?

Answer 31

Digital signature
Web of trust
Social Factor