Authenticating users Flashcards

1
Q

Authentication

A

It is the process of determining whether someone (or something) is, in fact, who or what it declares itself to be.

2
Q

Authentication factor

A

A category of evidence that a person has to present to prove they are who they say they are.

3
Q

What are the 3 authentication factors?

A
  • Knowledge Factor – something you know, e.g., password
  • Possession Factor – something you have, e.g., smart card
  • Inherence Factor – something you are, e.g., fingerprint

4
Q

Authentication vs authorisation

A
  • Authentication is the process of validating the identity of a registered user before allowing access to protected resources.
  • Authorisation is the process of validating that the authenticated user has been granted permission to access the requested resources.

5
Q

User authentication process

A
  1. Create and render a user login form.
  2. Retrieve the login credentials (e.g., username & password) from the submitted user login form.
  3. Query the database for an existing user with the submitted username (assume usernames are unique).
  4. Ask the user to enter login credentials again or register for an account if:
    a. no existing user with the submitted username exists,
    OR
    b. a user with the submitted username does exist, but the submitted password does not match the existing password.
  5. When the login credentials match those of an existing user:
    a. Log the user into the application (we will look at this later).
    b. Redirect the user to the protected area (landing page).

6
Q

Authentication vulnerabilities

A

Authentication vulnerabilities occur when an attacker is able to pass authentication as someone else.

This can happen, for instance:
* When the attacker can guess the credentials, or brute force them.
* When the credentials are leaked, and the attacker gets access to them.
* We have seen how to hash and encrypt data.

7
Q

Brute force attack

A

* A Brute Force search (or exhaustive search) is a problem-solving technique that consists of trying all possible solutions to a problem until a correct solution (if it exists) is found.
* A Brute Force Attack primarily consists of an attacker configuring predetermined values (username/password combinations), making requests to a server using those values, and then analysing the response for success or failure.

8
Q

How to prevent brute force attacks

A
  • A strong password policy
  • Biometrics
  • Notification of unrecognised login (unrecognised device, location or IP address)
  • Comprehensive login process
  • Limiting login attempts

9
Q

Strong Secondary Authentication Factors

A
  • One-time password (OTP) – A unique password which can only be used once.
  • Time-based PIN – A sequence of digits which has to be entered within a short window, typically 30 to 60 seconds.
  • Digital (PKI) certificates – A digital certificate, issued by a trusted certificate authority, is installed on the device or in the user’s browser.

10
Q

CAPTCHA

A

* CAPTCHA stands for the Completely Automated Public Turing test to tell Computers and Humans Apart.
* It is an automated tool used to differentiate between real users and automated users, such as bots.
* CAPTCHAs provide challenges that are difficult for computers to perform but relatively easy for humans.
* Three main categories: text-based, image-based, and audio.

11
Q

reCAPTCHA

A
  • Free CAPTCHA software by Google.

12
Q

Drawbacks of CAPTCHA

A
  • Disruptive and frustrating for users.
  • May be difficult to understand or use for some audiences.
  • Some CAPTCHA types do not support all browsers.
  • Some CAPTCHA types are not accessible to users who view a website using screen readers or assistive devices.
  • There is a range of automated technologies, including APIs, browser plug-ins and extensions, that enable attackers to bypass or solve CAPTCHA challenges.

13
Q

Limiting authentication attempts

A

* One way to block brute force attacks is to lock out accounts after a defined number of incorrect authentication attempts.

* Note, however, that account lockout is not always the best solution, because someone could easily abuse the security measure and lock out hundreds of user accounts.

14
Q

Sessions

A
  • A session is an object that allows you to store information specific to a user (browser) from one request to the next.
  • A session persists state across requests.
  • A session may take the form of a client-side cookie or a server-side token.

15
Q

Authentication vs login

A

* Users are only being authenticated at this point.
* Our applications so far cannot distinguish between multiple users.
* We need to create an identifiable web session for each user so their requests can be distinguished from those of other users.

16
Q

Web sessions

A

A web session is a series of adjoining or connected actions by a user on an individual web application within a given time frame.

17
Q

What are the factors for password management?

A
  • Automatically create secure passwords.
  • Secure password recovery.
  • Change password.
  • Password expiration.
  • Re-authenticate in sensitive areas.

18
Q

Authorisation issues

A
  • Authorisation protocols are difficult to implement, and no matter how secure a system might be, there could still be a way to exploit it.

19
Q

Path traversal

A

• The Path Traversal attack technique allows an attacker to access files, directories, and commands that potentially reside outside the web document root directory.

20
Q

Automatically create secure passwords

A

* The browser offers an automatically generated password.
* Can be bypassed with the user’s own password choice.
* Generated passwords are hard to remember.
* Generated passwords are easily forgotten.
* The user ends up with multiple passwords.

21
Q

Secure password recovery

A

* Web applications typically include a ‘forgotten password’ link.
* Instructions are usually sent to the user’s email account.
* Users may not be allowed to reuse a previous password.
* The app needs to store previous passwords.
* The user ends up with multiple passwords.

22
Q

Change password

A

* Web applications typically allow users to change their existing password.
* Users may not be allowed to reuse a previous password.
* The app needs to store previous passwords.
* The user ends up with multiple passwords.

23
Q

Password Expiration

A

* Web applications dealing with sensitive data may force users to change their password at set intervals.
* Users may not be allowed to reuse a previous password.
* The app needs to store previous passwords.
* The user ends up with multiple passwords.
* Web applications dealing with sensitive data may force users to reauthenticate.

24
Q

Authorisation Basics

A

* Authorisation is a security mechanism to determine access levels or user privileges related to system resources.
* Authorisation includes the process of granting or denying access to a system resource based on users’ identities.

25
Q

2 step access control process

A
  1. Authentication – verifies the user identity.
  2. Authorisation – allows the user to access the various resources based on the user’s identity.

26
Q

2 phases of authentication processes

A
  1. Policy definition phase, where access is authorised.
  2. Policy enforcement phase, where access requests are permitted or not permitted.

27
Q

Policy enforcement phase

A

* Policy enforcement is usually done by a reference monitor.
* The reference monitor decides whether to grant or deny access.

28
Q

Why should a reference monitor be NEAT?

A

* Non-bypassable.
* Evaluable.
* Always-invoked.
* Tamperproof.
* Authorisation issues can arise if the monitor is not NEAT.
* If the monitor can be bypassed, then the authorisation process might be ignored.

29
Q

Web session steps

A
  1. Login.
  2. Session created; return session ID.
  3. User (browser) sends the session ID with all subsequent requests.
  4. Send request with session ID.
  5. Return response for the given session ID.