2.4 Authentication & authorization Flashcards

1
Q

Authentication methods: what are directory services?

A

It is a central database used by many operating systems to store usernames, passwords, computers, printers and devices that might be connected to the network.
This is a large distributed DB constantly updated over the network.

2
Q

Authentication methods: why are directory services useful in authentication?

A

All authentication requests are referenced in this directory. So once someone tries to log in, it checks the credentials against this DB.

3
Q

Authentication methods: what are the most common directory services in use?

A

Microsoft Active Directory, used with the Kerberos protocol or LDAP to access that DB.

4
Q

Authentication methods: what is federation?

A

When you allow someone to authenticate to your network using credentials that are stored with a 3rd party.
Ex: log in with a Google or Facebook account, etc.

5
Q

Authentication methods: how do you set up the federation authentication method?

A

You need to coordinate the authentication and authorization process between your organization and the 3rd party providing the credentials.

6
Q

Authentication methods: what is attestation?

A

It proves that the hardware you are using to connect to the network is trusted.

7
Q

Authentication methods: what is remote attestation?

A

It is the automated process for attestation:
- the device provides an operational report to a verification server
- the report is encrypted and digitally signed with the TPM
- an IMEI or other unique hardware component can be included in the report

8
Q

Authentication methods: how is SMS used when you want to authenticate?

A

A text message (login factor) can be sent to a predefined number to confirm the authentication.
Ex: you try to log in to an app and the app sends you a code to enter, allowing you to authenticate on the app.

9
Q

Authentication methods: what security issues exist with SMS authentication?

A
  • A phone number can be reassigned to a different phone
  • SMS messages can be intercepted
10
Q

Authentication methods: what is a push notification?

A

Similar process to an SMS notification: the authentication factor is pushed to a specialized app installed on another device (usually a phone).

11
Q

Authentication methods: what security issues exist with push notifications?

A
  • The application can be vulnerable
  • Some push apps do not use encryption and send data in the clear

However, it is still more secure than SMS.

12
Q

Authentication methods: what is a pseudo token generator?

A

A device (physical, or an app on the phone) that generates random numbers on a periodic basis, which you input while authenticating.
Ex: Sof had one when he worked at SG

13
Q

Authentication methods: what is a TOTP?

A

A technology used by pseudo token generators to generate the secret key on a timely basis.

14
Q

Authentication methods: what is a HOTP?

A

Similar to TOTP, except that you have a one-time secret key and never use it again (it doesn’t change every 30 min).

15
Q

Authentication methods: what are static codes?

A

An authentication factor that doesn’t change (ex: PIN, password, passphrase, smart card that you slide into your computer to gain access, like in SG).

16
Q

Biometrics: what does biometric authentication refer to?

A

Something you are:
- fingerprint (phone, laptop)
- retinal
- iris
- voice recognition
- facial recognition
- gait analysis (identifies a person based on how they walk)
- vein (vascular scanners that match the blood vessels visible from the surface of the skin)

17
Q

Biometrics: what is a false acceptance rate (FAR)?

A

This is how often the system will approve an unauthorized user by looking at the biometric values.

18
Q

Biometrics: how to prevent false acceptance rate (FAR)?

A

By increasing the biometric sensitivity level

19
Q

Biometrics: what is a false rejection rate (FRR)?

A

Likelihood that an authorized user will be rejected

20
Q

Biometrics: how to prevent false rejection rate (FRR)?

A

By decreasing the sensitivity of the biometric system

21
Q

Biometrics: what is a crossover error rate (CER)?

A

It defines the overall accuracy. This is the rate at which FAR and FRR are equal.
The biometric system should be adjusted to equalize both values.

22
Q

Multi-factor authentication: what is the AAA framework?

A

AAA stands for:
- Authentication: prove who you are with a password or other authentication factors (ex: biometry)
- Authorization: based on your identification and authentication, what access do you have
- Accounting: keeping track of resources used while authenticated (login time, data sent/received, logout time)

23
Q

Multi-factor authentication: what are the differences between cloud vs on-premises authentication?

A
  • Cloud: a centralized platform that might include an API integration so that applications can access it and provide the same authentication against the centralized DB
  • On-premises: internal monitoring and management; external access must be granted and managed
24
Q

Multi-factor authentication: what are the different factors when authenticating?

A

What you know is associated with an individual. 3 factors:
- Something you know: password, PIN, pattern
- Something you have: smart card, USB token, hardware/software tokens, phone
- Something you are: biometric authentication

25
Q

Multi-factor authentication: what are the different attributes you can add to factors when authenticating?

A
  • Somewhere you are: provide a factor based on your location (IP address, mobile location)
  • Something you can do: a personal way of doing things (signature, writing)
  • Something you exhibit: a unique trait, personal to you (gait analysis, typing analysis)
  • Someone you know: a social factor (web trust, digital signature)