2.4 Authentication & Authorization Flashcards
Define Federation
Using a third-party to provide authentication and then trusting that authentication
Define Attestation
Verifying that the hardware being used to connect to your network is the hardware provided to the user
Define TOTP for authentication
Time-based One Time Password - a numeric token is generated every x seconds and must be provided when logging in
Examples: RSA key fob or Google Authenticator
Define HOTP for authentication
HMAC-based One Time Password - similar to TOTP, the number comes from a pre-generated list of numbers and each one is only used once
Define SMS authentication and vulnerability
A code sent via text message is provided at login; SMS messages are vulnerable to interception, or a device can easily impersonate another device to receive the code
Define static codes authentication
A static code, i.e. a password or PIN, is used to authenticate
Define authentication applications (2 examples)
Applications that assist with providing login codes, such as an application that tells you the next code when using HMAC-based One Time Passwords for login
OR an application that receives push notifications you must respond to in order to log in
Define Push-Notifications authentication and vulnerability
- An application is installed on a device that receives push notifications when logging in (e.g. our GSPN login at work)
- Can be a vulnerability if the notifications are not strongly encrypted, but generally more secure than SMS or phone call authentication
Define Phone call authentication and vulnerability
- When logging in, the user receives a phone call with an access code that must be provided
- Same weaknesses as SMS authentication since phone numbers can be easily spoofed
Define Smart Card authentication
A card using a chip, RFID, or NFC and containing a certificate used to log in. Usually used in conjunction with other authentication methods
How are biometrics used for authentication?
Various biometric features, such as face, gait, retina, and veins, are unique to each of us and can be analyzed to prove identity
Define False Acceptance Rate (FAR) relative to biometric authentication
allowing a person who should be denied
How can False Acceptance Rate (FAR) be reduced?
By increasing the sensitivity of the biometric reader
Define False Rejection Rate (FRR) relative to biometric authentication
denying a user who should be allowed
How can False Rejection Rate (FRR) be remedied?
By decreasing the sensitivity of the biometric reader
Define Crossover Error Rate (CER) relative to biometric authentication
the ideal spot where sensitivity and error rates meet to create the desired level of security
Define MFA
Multi-factor Authentication
Define 3 Factors of MFA
- Something you know
- Something you have
- Something you are
2 Examples of Something you Know
Password, PIN
3 Examples of Something you Have
- Smart card
- Token on a USB thumb drive
- Phone to receive a code via SMS or voice call
Example of Something you Are
Biometrics
Define 4 Attributes of MFA
- Somewhere you are
- Something you can do
- Something you exhibit
- Someone you know
Example of somewhere you are
Geographic location, such as country, state, city
Example of something you can do
Signature
Example of something you exhibit
The way you walk, aka gait
Example of someone you know
Digital signature or certificates
Define AAA
Authentication, Authorization, Accounting
Define Authentication
proving your identity
Define Authorization
whether or not you have access to something
Define Accounting
logging who has logged in and what has been accessed
2 Models (locations) to provide AAA
Cloud-based or on-premises