Authenticating Users Flashcards
What is authentication and how is it different from authorisation?
Authentication is the process of determining whether someone (or something) is, in fact, who or what it declares itself to be.
Authorisation is the process of validating that the authenticated user has been granted permission to access the requested resource. The two are often implemented together but are distinct functions: a user can be successfully authenticated and still not be authorised to perform a given action.
How can you control a brute-force attack?
Common security mechanisms that help prevent brute-force attacks are:
- A strong password policy (so the search space is too large to enumerate)
- Biometrics (a factor that cannot be guessed by iterating candidate values)
- Notification of an unrecognised login
- A login process that adds friction for automated clients (for example a CAPTCHA or an increasing delay after failures)
- Limiting login attempts (rate limiting, or temporary account lockout after repeated failures)
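The last item above, limiting login attempts, is the one most often implemented in application code. The following is an added example, not part of the flashcards: a small per-account limiter that locks the account for a fixed period after too many failures. The user store, thresholds and the `attempt_login` helper are assumptions for illustration; a real store would hold salted password hashes rather than plaintext.

```python
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5           # failures allowed before the account is locked
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts


class LoginLimiter:
    """Tracks failed logins per username and locks the account after too many.

    Design assumed for this example: a failure counter that resets on success
    plus a lock-expiry timestamp. The clock is injectable so tests can advance time.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear state so the user gets a fresh attempt budget.
            del self._locked_until[username]
            self._failures[username] = 0
            return False
        return True

    def record_failure(self, username):
        self._failures[username] += 1
        if self._failures[username] >= MAX_ATTEMPTS:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


# Constructed demo credential store (hypothetical, not from the flashcards).
# Plaintext only to keep the example short; use a salted hash in real code.
USERS = {"alice": "correct horse battery staple"}


def attempt_login(limiter, username, password):
    """Return 'locked', 'ok' or 'fail'.

    The lock is checked before the password so a locked account cannot be
    guessed against at all. Unknown users take the same path as wrong
    passwords, which avoids revealing which usernames exist.
    """
    if limiter.is_locked(username):
        return "locked"
    stored = USERS.get(username, "")
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username)
    return "fail"


def guesses_before_lock(limiter, username, wordlist):
    """Count how many guesses from a wordlist are actually checked before the
    limiter shuts the attacker out; the remainder never reach the password check."""
    checked = 0
    for guess in wordlist:
        if attempt_login(limiter, username, guess) == "locked":
            break
        checked += 1
    return checked


if __name__ == "__main__":
    lim = LoginLimiter()
    wordlist = ["123456", "password", "qwerty", "letmein", "admin", "welcome", "monkey"]
    print("guesses checked before lockout:", guesses_before_lock(lim, "alice", wordlist))
```

Even with the correct password, a locked account returns `locked`, which is the property that makes the lockout effective against an attacker who would otherwise hit the right guess eventually. The trade-off is that an attacker can deliberately lock out a victim (denial of service), so many deployments combine a short per-account lock with per-IP rate limiting instead of a long hard lock.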
What is Multi-Factor Authentication and how is it useful?
MFA requires two or more proofs of identity, drawn from different categories, to authenticate a user: something you know (a password or PIN), something you have (a phone, hardware token or smart card) and something you are (a fingerprint or face). Many applications also require proof that the client is a human and not a bot or automated attack (a CAPTCHA), but that is not an authentication factor; it limits automation without proving anything about identity.
Having an additional authentication factor helps prevent someone from signing into a user's account even if they know the user's password. Other factors are needed because passwords, by themselves, are not a reliable proof of identity.
Why can passwords be compromised without MFA? [3]
Most people choose an easy-to-remember password, which is therefore easy to guess or crack; for example, one built from information an attacker can discover, such as a name, birthday or pet's name.
Most individuals reuse the same password across several applications, so a breach of one site exposes their accounts on the others (credential stuffing).
Cyber criminals use many different and increasingly sophisticated techniques to compromise login credentials, such as phishing, malware on the user's device and leaked credential databases.