2.4 Authentication & authorization Flashcards
Authentication methods: what is a directory service?
A central database, used by many operating systems, that stores usernames, passwords, computers, printers and other devices that may connect to the network.
It is a large distributed database that is constantly updated over the network.
Authentication methods: why are directory services useful for authentication?
All authentication requests are checked against this directory: when someone tries to log in, their credentials are compared with what is stored in the directory database.
Authentication methods: what are the most common directory services in use?
Microsoft Active Directory, accessed with the Kerberos protocol (for authentication) or LDAP (for querying the directory database).
Authentication methods: what is federation?
Allowing someone to authenticate to your network using credentials that are stored with a third party.
Ex: "Log in with Google", "Log in with Facebook", etc.
Authentication methods: how do you set up federated authentication?
You need to coordinate the authentication and authorization process between your organization and the third party that holds the credentials, so that both sides trust each other's identity assertions.
Authentication methods: what is attestation?
Proving that the hardware you are using to connect to the network is trusted.
Authentication methods: what is remote attestation?
The automated form of attestation. The device:
- provides an operational report to a verification server
- encrypts and digitally signs the report using keys held in the device's TPM, so the verifier can check that the report came from that hardware and was not modified in transit
- can include an IMEI or another unique hardware identifier in the report
Authentication methods: how is SMS used to authenticate?
A text message containing a login code (an authentication factor) is sent to a predefined phone number to confirm the authentication.
Ex: you try to log in to an app, and the app sends you a code to enter; entering that code authenticates you to the app.
Authentication methods: what security issues exist with SMS authentication?
- A phone number can be reassigned to a different phone (SIM swapping or number porting), so the code is delivered to the attacker
- SMS messages can be intercepted
Authentication methods: what is a push notification?
A process similar to SMS: the authentication factor is pushed to a specialized app installed on another device (usually a phone).
Authentication methods: what security issues exist with push notifications?
- the authenticator application itself can be vulnerable
- some push apps do not use encryption and send the data in the clear
Push notifications are nevertheless still more secure than SMS.
Authentication methods: what is a pseudo-random token generator?
A device (a physical token or an app on a phone) that generates a pseudo-random code on a periodic basis, which you enter while authenticating.
Ex: Sof had one when he worked at SG.
Authentication methods: what is TOTP?
Time-based One-Time Password: the algorithm used by pseudo-random token generators to derive a code from a shared secret key and the current time. The code changes at every time step (typically every 30 seconds).
Authentication methods: what is HOTP?
HMAC-based One-Time Password: like TOTP, but the code is derived from the shared secret key and an incrementing counter instead of the time. Each code stays valid until it is used and is then never accepted again (it does not expire every 30 seconds).
Authentication methods: what is a static code?
An authentication factor that does not change (ex: PIN, password, passphrase, a smart card that you insert into your computer to gain access, like at SG).
Biometrics: what does biometric authentication refer to?
Something you are:
- fingerprint (phone, laptop)
- retinal scan
- iris scan
- voice recognition
- facial recognition
- gait analysis (identifying a person by how they walk)
- vein recognition (vascular scanners that match the pattern of blood vessels visible beneath the surface of the skin)
Biometrics: what is the false acceptance rate (FAR)?
How often the system approves an unauthorized user based on their biometric values (a false positive).
Biometrics: how do you reduce the false acceptance rate (FAR)?
By increasing the sensitivity of the biometric system, so a closer match is required. The trade-off: a stricter match also rejects more legitimate users, so FRR goes up.
Biometrics: what is the false rejection rate (FRR)?
The likelihood that an authorized user will be rejected (a false negative).
Biometrics: how do you reduce the false rejection rate (FRR)?
By decreasing the sensitivity of the biometric system, so a looser match is accepted. The trade-off: a looser match also lets more impostors through, so FAR goes up.
Biometrics: what is the crossover error rate (CER)?
It defines the overall accuracy of the system: the rate at which FAR and FRR are equal (also called the equal error rate).
The biometric system's sensitivity should be adjusted so that both values are equal; the lower the CER, the more accurate the system.
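The FAR/FRR/CER cards describe a trade-off that is easiest to see with numbers. The following is an added example, not part of the flashcards: it takes constructed match scores (not real biometric output) for legitimate users and for impostors, computes FAR and FRR at a given acceptance threshold, sweeps the threshold to show the two rates moving in opposite directions, and finds the crossover point. It assumes a matcher that returns a similarity score where higher means a closer match and a score at or above the threshold is accepted.

```python
"""FAR, FRR and crossover error rate from match scores (added example).

Assumed convention: higher score = closer match; score >= threshold is accepted.
Raising the threshold makes the system "more sensitive": FAR falls, FRR rises.
"""

# Constructed sample scores, not real biometric data.
GENUINE = [0.90, 0.85, 0.80, 0.75, 0.70, 0.60]   # legitimate users matched against their own template
IMPOSTOR = [0.10, 0.20, 0.30, 0.40, 0.55, 0.65]  # other people matched against that template


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) at one threshold.

    FAR: fraction of impostor attempts accepted (score >= threshold).
    FRR: fraction of genuine attempts rejected (score < threshold).
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def _candidate_thresholds(genuine, impostor):
    # Every observed score is a threshold at which FAR or FRR can change.
    return sorted(set(genuine) | set(impostor))


def sweep(genuine, impostor):
    """List of (threshold, FAR, FRR) across all candidate thresholds."""
    return [(t, *error_rates(genuine, impostor, t))
            for t in _candidate_thresholds(genuine, impostor)]


def crossover(genuine, impostor):
    """Threshold where FAR and FRR are closest, plus the two rates there.

    With real data the curves cross between samples; here we report the sampled
    threshold with the smallest |FAR - FRR|, which is the CER/EER operating point.
    """
    best = None
    for t, far, frr in sweep(genuine, impostor):
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, threshold, far, frr = best
    return threshold, far, frr


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR):
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
    t, far, frr = crossover(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t:.2f}: FAR={far:.3f}, FRR={frr:.3f}")
```

Reading the sweep top to bottom shows the cards' two "how to reduce" answers as one curve: at a low threshold FAR is high and FRR is zero, at a high threshold FAR is zero and FRR is high, and the CER is the single operating point in between. Two systems are compared by their CER, not by FAR or FRR alone, since either of those can be driven to zero by moving the threshold.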
Multi-factor authentication: what is the AAA framework?
AAA stands for:
- Authentication: proving who you are with a password or other authentication factors (ex: biometrics)
- Authorization: based on your identification and authentication, what access you have
- Accounting: keeping track of the resources used while authenticated (login time, data sent/received, logout time)
Multi-factor authentication: what are the differences between cloud and on-premises authentication?
- Cloud: a centralized platform, often with an API so that applications can integrate with it and authenticate users against the same centralized database
- On-premises: monitoring and management are internal; external access must be explicitly granted and managed
Multi-factor authentication: what are the different authentication factors?
Factors are associated with an individual. There are 3 factors:
- Something you know: password, PIN, pattern
- Something you have: smart card, USB token, hardware/software tokens, phone
- Something you are: biometric authentication
Multi-factor authentication: what attributes can you add to the factors when authenticating?
- Somewhere you are: a factor based on your location (IP address, mobile device location)
- Something you can do: a personal way of doing things (signature, handwriting)
- Something you exhibit: a unique trait, personal to you (gait analysis, typing analysis)
- Someone you know: a social factor (web of trust, digital signature)