2.4 Summarize authentication and authorization design concepts. Flashcards

1
Q

Summarize DIRECTORY SERVICES

A

Directory services (LDAP-based directories such as Microsoft Active Directory, for example) are centralized, hierarchical databases of users, groups, computers and their attributes. Authentication systems check submitted credentials against the directory, and authorization decisions read group memberships and attributes from it, so the directory is the network's source of truth for identity; the directory itself is not what is being authenticated.

2
Q

Summarize a FEDERATION

A

A federated system links separate organizations' identity providers through a trust relationship (typically using SAML or OpenID Connect) rather than one shared credentials database. A user authenticates once with the identity provider of Company A, which issues a signed assertion or token; Company B and Company C accept that assertion because they trust Company A's provider, so the user never gives them a password. What the user may then access is governed by each company's own authorization rules.

3
Q

Summarize an ATTESTATION

A

Attestation is signed evidence produced by the hardware or firmware that holds an authentication credential (a FIDO2 security key or a TPM, for example) which lets the verifier confirm the make, model and state of that device and that it follows the expected standards and protocols, instead of trusting the client's own claim about itself. As you might expect, enabling attestation takes more work and upkeep: the verifier has to maintain the trusted root certificates and device metadata it will accept and decide what to do with devices it does not recognize.

4
Q

Summarize TIME-BASED ONE-TIME PASSWORD(TOTP)

A

A time-based one-time password (TOTP, RFC 6238) derives each code from a shared secret and the current time divided into fixed steps (usually 30 seconds), so a code is valid only for its own time step. Servers normally accept a small window of adjacent steps to tolerate clock skew, so being a second or two off does not fail authentication, but a code expires within about a minute. This has advantages: a captured code can only be replayed inside that short window, and because each code is an HMAC over the time step keyed with a secret only the token and the server hold, an attacker who knows the time still cannot predict it.

5
Q

Summarize HMAC-BASED ONE-TIME PASSWORD

A

The Hash-based Message Authentication Code (HMAC) provides message authentication and data integrity. An HMAC-based one-time password (HOTP, RFC 4226) is an HMAC computed over a counter, keyed with a secret shared between the token and the authentication server, and truncated to a short decimal code. Both sides hold the counter and advance it on each use, so the server does not send the code to the user: the token computes it locally, and the server recomputes the expected code from its own copy of the secret and counter (looking a few counter values ahead in case the user generated codes without submitting them) and compares. TOTP is HOTP with the counter replaced by the current time step.
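The two cards above describe one construction, so here is a runnable version of both, added for this page as an example rather than code from the flashcards' source. The seed `RFC_SECRET` is the ASCII test secret from the RFC 4226 and RFC 6238 appendices, used only so the outputs can be checked against the published vectors; `verify_totp` with its `window` and `last_used_step` parameters is this example's own server-side design for tolerating clock skew while rejecting a replayed code.

```python
import hashlib
import hmac
import struct

# Seed from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# Constructed demo value only; a real seed is random and provisioned per token.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    moving_factor = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(secret, moving_factor, digestmod).digest()
    offset = mac[-1] & 0x0F                                 # low nibble of the last byte
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(window % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: TOTP is HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, last_used_step=None):
    """Server-side check (this example's own design, not part of the RFCs).

    Accepts the code for the current time step or up to `window` steps on either
    side to tolerate clock skew, but refuses any step at or before the last step
    already redeemed, so a captured code cannot be replayed inside the window.
    Returns (accepted, step_to_record).
    """
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue                                        # already consumed: replay
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, last_used_step


if __name__ == "__main__":
    for counter in range(3):
        print(f"HOTP counter={counter}: {hotp(RFC_SECRET, counter)}")
    print("TOTP at t=59s (8 digits):", totp(RFC_SECRET, 59, digits=8))
    # Code generated in step 1 (t=59) presented 16 seconds later, in step 2.
    ok, used = verify_totp(RFC_SECRET, totp(RFC_SECRET, 59), unix_time=75)
    print("fresh code accepted:", ok)
    ok, _ = verify_totp(RFC_SECRET, totp(RFC_SECRET, 59), unix_time=75, last_used_step=used)
    print("same code replayed:", ok)
```

Running it reproduces the RFC vectors (HOTP counters 0, 1, 2 give 755224, 287082, 359152; TOTP at 59 seconds gives 94287082 with 8 digits). The verification shows why the server must record the last redeemed step: the skew window that accepts a code a few seconds late would otherwise also accept an attacker presenting the same code again.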

6
Q

Summarize SHORT MESSAGE SERVICE (SMS)

A

Many systems deliver an OTP out of band, for example by short message service (SMS) to a registered phone number, or as a push notification to a computer or phone. SMS is convenient but a weak possession factor: codes can be intercepted through SIM swapping, SS7 attacks or malware on the handset, which is why NIST SP 800-63B classes the public switched telephone network as a restricted authenticator channel.

7
Q

Summarize a TOKEN KEY

A

A token (a hardware key fob or a software authenticator) generates one-time passwords from a seed, known generically as the token key, that is shared only between the token and the authentication server when the token is provisioned. Because the server holds its own copy of the seed it can recompute the expected code, so both sides can verify a code without the seed ever being transmitted at login time, and possession of the token serves as the something-you-have factor.

8
Q

Summarize STATIC CODES

A

Static codes are fixed secrets that do not change from one login to the next: the personal identification number (PIN) you use to log into a Microsoft account, to finish authenticating at an automated teller machine (ATM), or to unlock a smartphone, and the printed backup or recovery codes some services issue for when a second factor is unavailable. Because they are reused, they need lockout or rate limiting to resist guessing.

9
Q

Summarize AUTHENTICATION APPLICATIONS

A

An authenticator application (Google Authenticator or Microsoft Authenticator, for example) stores the TOTP or HOTP seed enrolled with each Web site and generates codes on the device, so it can serve as the second factor for many sites at once without any network path an attacker could intercept.

10
Q

Summarize PUSH NOTIFICATIONS

A

Push notifications send an approval prompt, or a one-time password, to a registered device through its authenticator app so the user can complete authentication. Plain approve/deny prompts are vulnerable to push fatigue, where an attacker who already has the password keeps sending prompts until the user taps approve; number matching, which makes the user enter a number shown on the login screen, is the stronger form.

11
Q

Summarize authentication with a PHONE CALL

A

Other systems make an automated voice phone call to the registered number and read out a code or ask the user to press a key. Because it runs over the same telephone network as SMS, it shares the same weaknesses (SIM swapping and call forwarding).

12
Q

Summarize SMART CARD AUTHENTICATION

A

Adding a chip to a standard credit card-sized plastic card creates a smart card, which can store personal information and perform cryptographic operations. For authentication the card typically holds a certificate and a private key that never leaves the chip: the user presents the card (something you have) and a PIN (something you know), and the card signs a challenge from the system. Smart cards can store any binary data, not just certificates.

13
Q

Summarize BIOMETRICS

A

Biometrics use a person’s physical characteristics (something you are—the inherence factor) to provide strong user identification and verification.

14
Q

Summarize FINGERPRINT authentication

A

Every person has unique fingerprints, making those swirls and lines well suited to biometric authentication. Two caveats apply: cheaper sensors can be fooled by a lifted print or a mold, and a fingerprint that is compromised cannot be changed the way a password can.

15
Q

Summarize RETINA authentication

A

Retinal scanners image the pattern of blood vessels at the back of the eye, which is unique to each person (the iris, the visible colored ring, is a separate biometric). Retinal scanners for access control date back to the early 1990s, but their cost and intrusiveness relegated them to extremely secure environments.

16
Q

Summarize IRIS authentication

A

Improvements in camera resolution, computing power, and hardware pricing brought iris scanners to the forefront. Because the iris can be imaged from a short distance with a near-infrared camera, iris scanners are far less intrusive and far more common than retinal scanners, while providing almost the same degree of accuracy.

17
Q

Summarize FACIAL authentication

A

Facial recognition has become a popular and powerful authentication method for several applications. Most facial recognition tools need extra hardware, especially infrared or depth cameras, so the system can tell a live face from a photograph or video (liveness detection).

18
Q

Summarize VOICE authentication

A

Voice recognition for speech to text holds a strong niche for dictation, and most mobile devices and personal assistant hardware use it in tools such as Google Assistant, Amazon Alexa, and Apple Siri. But voice recognition as an authentication factor has not gained much acceptance because of its low accuracy compared to other biometrics and its exposure to recorded or synthesized speech.

19
Q

Summarize VEIN authentication

A

Vein matching uses the pattern of a person's blood vessels to identify that person. Vendors claim the pattern in the palm of the hand, for example, carries roughly 100 times more distinguishing data than a fingerprint; the scan is contactless and is not affected by cuts or wear on the surface of the skin.

20
Q

Summarize GAIT ANALYSIS authentication

A

Gait analysis measures the unique way a person walks or runs, either with machine vision tools (external cameras) or with the sensors built into a smartphone. The latter shows a lot of promise, because the accelerometer every current smartphone carries can be used to authenticate the user continuously rather than only at login.

21
Q

Summarize EFFICACY RATES

A

The efficacy of a biometric system depends on several factors: its error rates (false acceptance and false rejection, and the crossover point between them), the security of the stored templates, privacy, user acceptance, and usability.

22
Q

Summarize FALSE ACCEPTANCE

A

The false acceptance rate, or FAR (also known as a type II error), is the rate at which a biometric system erroneously identifies and authenticates unauthorized individuals as valid users.

23
Q

Summarize FALSE REJECTION

A

The false rejection rate, or FRR (also known as a type I error), is the rate at which a biometric system erroneously rejects authorized users who should in fact be identified and authenticated as valid users.

24
Q

Summarize CROSSOVER ERROR RATE

A

A biometric system compares a live sample to the enrolled template and accepts a match above some threshold. Tightening the threshold to reduce false acceptances raises false rejections, and loosening it does the reverse, so a trade-off is involved. The crossover error rate (CER), also called the equal error rate, is the threshold setting at which the false acceptance rate and the false rejection rate are equal; it is the standard single figure for comparing the accuracy of different biometric systems, with a lower CER being better.
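To make the trade-off concrete, here is a small threshold sweep over constructed matching scores, added as an example for this page (it is not from the flashcards' source). The score lists are made up for illustration, with genuine users clustered high and impostors low but overlapping; `rates_at` computes FAR and FRR at a threshold and `crossover` finds the threshold where they meet.

```python
# Constructed matching scores (0 = no match, 1 = perfect match), not real sensor data.
# A higher score means the live sample looks more like the enrolled template.
GENUINE_SCORES = [0.9, 0.85, 0.8, 0.75, 0.7, 0.65, 0.6, 0.55, 0.5, 0.45]   # true users
IMPOSTOR_SCORES = [0.1, 0.2, 0.3, 0.4, 0.5, 0.55, 0.6, 0.65, 0.7, 0.3]     # other people


def rates_at(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) when the system accepts any score >= threshold.

    FAR (type II error): share of impostor samples accepted.
    FRR (type I error):  share of genuine samples rejected.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every observed score as a candidate threshold and return
    (threshold, FAR, FRR) where FAR and FRR are closest: the crossover error rate."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = rates_at(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


if __name__ == "__main__":
    # Raising the threshold lowers FAR and raises FRR: the trade-off on the card.
    for t in (0.5, 0.55, 0.6, 0.65):
        far, frr = rates_at(t)
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    t, far, frr = crossover()
    print(f"CER at threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
```

With this data the sweep moves from FAR 0.5 / FRR 0.1 at a threshold of 0.5 to FAR 0.2 / FRR 0.4 at 0.65, and the two rates meet at 0.6 (CER 0.3). A real deployment would pick a threshold on one side of the CER depending on whether false acceptances (a door into a data center) or false rejections (a phone unlock) are the more costly error.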

25
Q

Summarize MULTIFACTOR AUTHENTICATION(MFA) FACTORS AND ATTRIBUTES

A

Multifactor authentication (MFA) requires two or more different factors or attributes (something you know plus something you have, for example). You'll also see the term two-factor authentication for systems that use exactly two. Two credentials of the same type, such as a password and a PIN, are still single-factor. Combining different factors provides more security because an attacker has to defeat each one separately.

26
Q

Summarize SOMETHING YOU KNOW

A

The knowledge factor relates to something you know, typically used when you identify yourself to a system with a user name and password combination. You know your user name and password, and use your memory to present them to the system.

27
Q

Summarize SOMETHING YOU HAVE

A

The possession factor relates to something you have. You physically possess an object to use as an authenticator. Scanning a gym membership card to gain access, for example, uses something you have.

28
Q

Summarize SOMETHING YOU ARE

A

The inherence factor relates to something you are, relying on a person’s unique physical characteristics that can be used as a form of identification, such as fingerprints, retinal eye patterns, iris patterns, handprints, and voiceprints.

29
Q

Summarize SOMEWHERE YOU ARE

A

The location attribute relates to your location when you authenticate. This attribute could use either physical or logical locations and requires you to be in a certain location when you authenticate to the system.

30
Q

Summarize SOMETHING YOU CAN DO

A

Something you do, meaning that when you present your credentials to the system, you must perform an action. The best example of this type of authentication attribute is when you use a finger or hand gesture on a smartphone or tablet to log in.

31
Q

Summarize SOMETHING YOU EXHIBIT

A

Something you exhibit can refer to something neurological that can be measured or scanned; it could be a personality trait or a mannerism. Speech analysis systems could very easily identify Barack Obama from the cadence of the way he talks, for example, with his distinctive pauses.

32
Q

Summarize SOMEONE YOU KNOW

A

The someone you know attribute reflects a trust relationship. John Bob—known and trusted by the system—vouches for Rebecca Sue.

33
Q

Summarize AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING(AAA)

A

Identification, authentication, authorization, and accounting work together to manage assets securely. Identification is the claim of an identity (a user name); authentication proves that claim. Think of a protected resource as a locked box: authentication is the lock, and a user must present the right key (credentials) to get through it.
Authorization determines what the user may do with the contents of the box once past the lock, based on the identity that was authenticated.
Accounting keeps a historical record (logs) of what users do with shared resources, which supports auditing and incident investigation.

34
Q

Summarize CLOUD VS. ON-PREMISES REQUIREMENTS

A

In a nutshell, cloud deployments put fewer demands on local hardware but more on network bandwidth, and security follows the shared responsibility model: the provider secures the underlying infrastructure while the customer remains responsible for identities, access policies, data, and configuration. On-premises networks require more local hardware and much more in-house expertise from technicians and administrators, and the organization carries responsibility for every layer itself. The core difference is who is responsible for which parts of security.