Authentication

Question 1

Authentication

Answer 1

The process of verification that an individual or entity is who they/it claims to be.

Question 2

Authentication Factors

Answer 2

1. Knowledge.
2. Ownership.
3. Inherence.

Question 3

Knowledge Authentication Factors

Answer 3

Something the user Knows:

Password, PIN, Security Question.

Question 4

Ownership Authentication Factors

Answer 4

Something the user has:

Wrist band, Credit Card, ID, Security Token.

Question 5

Inherence Authentication Factors

Answer 5

Something that the user is:

Fingerprint, retinal pattern, facial recognition.

Question 6

Entropy

Answer 6

Is a measure of how unpredictable a password is based on the selection process. Entropy is not a measure of the password itself, but what it could have been. The higher the Entropy the stronger the password.

Question 7

Password Rules

Answer 7

1. Password must have 3 of the following 4 complexity rules: at least 1 upper case character, at least 1 lower case character, at least 1 digit, at least 1 special character.
2. At least 10 characters.
3. Set maximum length, current recommendation is 128 characters.
4. Not more than 2 identical sequential characters.

Question 8

Authentication Process

Answer 8

1. Credentials only transported by POST using TLS (HTTPS).
2. Error messages should be generic and not identify the source of the failure.
3. Prevent Brute Force Attacks.

Question 9

JWT (JSON Web Tokens)

Answer 9

On login, the server generates a Secure Token with a JSON payload and a signature.

Question 10

Claim

Answer 10

The payload containing information about the user, when it expires, and what the user is allowed to do (Authorizations).

Question 11

Parts of a JWT Token

Answer 11

1. Header.
2. Payload.
3. Signature.

Question 12

Header JWT Token

Answer 12

Contains the Algorithm used to generate the Token and the type of Token generated

Question 13

Payload JWT Token

Answer 13

Contains the user’s “claim”. Who they are and what they can do.

1. sub (Subject) - whom the token is for (often the username).
2. auth (Authorities/Roles) - What the user is authorized to do in the application.
3. exp (Expires) - Timestamp of when the token expires.

Question 14

Signature JWT Token

Answer 14

Contains information the API server can use to verify that the JWT token is valid.

Question 15

Authorization

Answer 15

Is the process of giving users to access specific resources or functionality in an application. Authorities or Access Controls determine what privileges a user has within an application.

Question 16

Role-Based Authorization

Answer 16

1. Accessed decision based on the individual’s responsibilities within an organization ( Role ).
2. Easy to understand and administer (Manager vs Employee, Doctor vs Lab Tech vs Patient).

Question 17

Permission-Based Authorization

Answer 17

1. Accessed decision based on the identity of the individual.
2. Applies when permissions need to be user-specific ( user can see only their 401K or a paycheck, Only Aniyah can DROP the Customer Table).

Question 18

Difference between Authorization and Authentication

Answer 18

Is the process of giving users to access specific resources or functionality in an application and The process of verification that an individual or entity is who they/it claims to be.