2.4 Authentication & Authorization Flashcards
Define Federation
Using a third party to provide authentication and then trusting that authentication
Define Attestation
Verifying that the hardware being used to connect to your network is the hardware provided to the user
Define TOTP for authentication
Time-based One-Time Password - a numeric token is generated every x seconds and must be provided when logging in
Examples: RSA key fob or Google Authenticator
Define HOTP for authentication
HMAC-based One-Time Password - similar to TOTP, but the number comes from a pre-generated list of numbers and each one is used only once
Define SMS authentication and vulnerability
A code is sent via text message and must be provided to log in. SMS messages are vulnerable to interception, and a device can easily impersonate another device to receive the code
Define static codes authentication
A static code, i.e. a password or PIN, is used to authenticate
Define authentication applications (2 examples)
Applications that assist with providing login codes, such as an application that displays the next code when using HMAC-based One-Time Passwords for login
OR an application that receives push notifications you must respond to in order to log in
Define Push-Notifications authentication and vulnerability
- An application is installed on a device that receives push notifications when logging in (i.e. our GSPN login at work)
- Can be a vulnerability if the notifications are not strongly encrypted, but generally more secure than SMS or phone-call authentication
Define Phone call authentication and vulnerability
- When logging in, the user receives a phone call with an access code that must be provided
- Same weaknesses as SMS authentication, since phone numbers can be easily spoofed
Define Smart Card authentication
A card using either a chip, RFID, or NFC, and containing a certificate used to log in. Usually used in conjunction with other authentication methods
How are biometrics used for authentication?
Various biometric features, such as face, gait, retina, or veins, are unique to each of us and can be analyzed to prove identity
Define False Acceptance Rate (FAR) relative to biometric authentication
Allowing a person who should be denied
How can False Acceptance Rate (FAR) be reduced?
By increasing the sensitivity of the biometric reader
Define False Rejection Rate (FRR) relative to biometric authentication
Denying a user who should be allowed
How can False Rejection Rate (FRR) be remedied?
By decreasing the sensitivity of the biometric reader