Authenticating users Flashcards
Authentication
Process of determining whether someone or something is who or what it declares itself to be
Where are users' credentials stored for authentication?
Database of authorised, or registered, users
Authentication vs Authorisation
Authentication is the process of validating the identity of a registered user before allowing access, whereas
authorisation is the process of validating that the authenticated user has been granted permission to access the requested resources
When can authentication be broken
When an attacker is able to be authenticated as a legitimate user
This happens when the attacker can guess or brute-force credentials,
or when credentials are leaked and the attacker gains access with them
Brute force attack
Trying all possible solutions to a problem until a correct solution is found
Can be used to break authentication methods
Controlling brute force attacks
Strong password policy
Biometrics - fingerprint scanners
Notification of unrecognised login - users are notified and asked to confirm a login
Comprehensive login process - CAPTCHA (to verify the user is human) and two-factor authentication (more than just a password)
Limiting login attempts - lock the user out after a certain number of failed attempts
Multi-factor authentication (MFA)
Requires two or more proofs of identity to authenticate a user
One-time passwords or reCAPTCHA
Why use MFA?
Helps prevent someone from signing into a user’s account, even if they know the password.
Passwords can be insecure
Strong secondary authentication factors
OTP - one-time password
Time-based PIN
Digital certificates
What is an OTP
One-time password - unique and can only be used once
Usually a short string of numbers generated from a secret stored in a physical device such as a smartphone or USB token
Time-based PIN
A sequence of digits which has to be entered within a short window (30 to 60 seconds)
Can be generated by a software application or hardware device with a very precise clock
Digital certificates
Issued by a trusted certificate authority and installed on a device or in the user's browser
Only a browser with a valid certificate will be allowed to sign in
What do CAPTCHAs provide
Challenges that are difficult for computers to perform but relatively easy for humans
Types of CAPTCHA
Text based
Image based
Audio
Which is the most difficult type of CAPTCHA for bots but the easiest for humans to interpret
Image-based - as it requires image recognition and semantic classification
Advantages of CAPTCHA
Highly effective against all but the most sophisticated bad bots
Disadvantages of CAPTCHA
Disruptive and frustrating for users
May be difficult to understand or use for some users
Some CAPTCHA types don’t support all browsers
Some CAPTCHA types are not accessible to users who view a website using screen readers or assistive devices
A range of automated technologies, including APIs, browser plug-ins and extensions, enables attackers to bypass or solve CAPTCHA challenges
What is a way of stopping brute force attacks
Lock out the account after a defined number of incorrect authentication attempts
Why is locking out accounts not always the best solution
Because someone could easily abuse the security measure and lock out hundreds of user accounts
What are sessions
An object that allows you to store information specific to a user (browser) from one request to the next
What does a session persist across requests
A session persists state across requests
What form can a session take
A client-side cookie or server-side token
What are users who aren't logged in called?
Anonymous - no identity
What is a web session
A series of adjoining or connected actions by a user on an individual web application within a given time frame
What is any user interaction with a single web application recorded as?
A web session by the application server
What do web applications use to respond to the user’s interactions during a web session?
A session ID associated with the user