Chapter 16: Identity and Access Fundamentals Flashcards
identification claim
username, account number, email address
authentication information
password
authorization
determines if a subject is given rights to carry out requested actions
three main types of factors for authentication
something a person knows (password), something a person has (token), something a person is (fingerprint)
two additional factors
somewhere a person is (geolocation), something a person does (keystroke behavior)
salts
random, per-user values combined with the plaintext password before hashing; because each salt is unique, identical passwords produce different stored hashes and precomputed hash tables cannot be reused across accounts
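The salting card above, worked through in code. This is an added example, not material from the flashcard deck: it derives a PBKDF2 digest over a fresh 16-byte salt, verifies a login attempt in constant time, and shows that two accounts with the same password end up with different stored digests. The hash, iteration count and salt length are parameter choices made for the example.

```python
import hashlib
import hmac
import secrets

# Parameters chosen for this example (assumptions, not values from the flashcards).
HASH_NAME = "sha256"
ITERATIONS = 600_000      # PBKDF2 work factor; raise as hardware gets faster
SALT_BYTES = 16           # 128-bit random salt per stored password


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied."""
    if not salt:
        salt = secrets.token_bytes(SALT_BYTES)   # unique per user, stored in the clear next to the digest
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def same_password_different_hashes(password: str) -> bool:
    """Two accounts with the same password get different digests because their salts differ."""
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return salt_a != salt_b and digest_a != digest_b


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("salt   :", salt.hex())
    print("digest :", digest.hex())
    print("correct password verifies:", verify_password("correct horse battery staple", salt, digest))
    print("wrong password verifies  :", verify_password("Tr0ub4dor&3", salt, digest))
    print("identical passwords, distinct digests:", same_password_different_hashes("hunter2"))
```

The salt is not a secret; it is stored beside the digest. What it buys is that an attacker who steals the database has to attack each account separately instead of once for every account sharing a password.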
cognitive passwords
fact or opinion based questions, typically based on life experiences, used to verify an individual’s identity
Type I biometric authentication error
a legitimate individual is denied access
Type II error
an impostor is granted access
CER
crossover error rate
crossover error rate of a biometric authentication system
the point at which the false rejection rate (Type I errors) is equal to the false acceptance rate (Type II errors)
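The CER card above, and the FRR/FAR cards later in the deck, worked through on constructed data. This is an added example, not part of the flashcards: the genuine and impostor match scores are made up for illustration, and the threshold sweep shows how raising the acceptance threshold trades Type II errors (FAR) for Type I errors (FRR) until the two rates meet at the crossover.

```python
from typing import Sequence, Tuple

# Constructed match scores (0-100) for this example; not data from the flashcards.
# A higher score means the scanner judged the live sample closer to the enrolled template.
GENUINE_SCORES = [92, 88, 85, 80, 76, 70, 66, 60, 58, 48]    # legitimate, enrolled users
IMPOSTOR_SCORES = [10, 18, 25, 30, 38, 42, 50, 57, 59, 66]   # people claiming someone else's identity


def false_rejection_rate(genuine: Sequence[int], threshold: int) -> float:
    """FRR / Type I: share of legitimate samples scoring below the acceptance threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor: Sequence[int], threshold: int) -> float:
    """FAR / Type II: share of impostor samples scoring at or above the acceptance threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine: Sequence[int], impostor: Sequence[int],
                         thresholds: Sequence[int] = range(0, 101)) -> Tuple[int, float]:
    """Sweep the threshold; return (threshold, rate) where FRR and FAR are closest to equal.
    Raising the threshold lowers FAR and raises FRR, so the two curves meet somewhere in the sweep."""
    best_gap, best_t, best_rate = None, None, None
    for t in thresholds:
        frr = false_rejection_rate(genuine, t)
        far = false_acceptance_rate(impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_rate = gap, t, (frr + far) / 2
    return best_t, best_rate


if __name__ == "__main__":
    for t in (40, 50, 59, 70, 80):
        print(f"threshold {t:3d}: FRR={false_rejection_rate(GENUINE_SCORES, t):.1f} "
              f"FAR={false_acceptance_rate(IMPOSTOR_SCORES, t):.1f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER = {cer:.1f} at threshold {t}")   # a lower CER means a more accurate system
```

A deployment rarely runs at the crossover point itself: a door to a data centre is tuned toward a lower FAR (more false rejections tolerated), while a phone unlock is tuned toward a lower FRR. The CER is the single number used to compare systems, not the setting they ship with.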
ownership-based authentication
something a person owns, such as a token device
token device
password generator
password generator
token device; handheld device with a display synchronized with an authentication server and displays to the user a one-time password
OTP
one-time password
synchronous token device
requires the device and authentication service to advance to the next OTP in sync with each other
asynchronous token device
requires a challenge/response scheme to authenticate the user
memory card
holds information but cannot process information
smart card
holds information and has the hardware and software to process that information
password manager
password vault; solution to remembering a myriad of complex passwords
JIT
just-in-time access
just-in-time access
provisioning method which elevates users to the necessary privileged access to perform a specific task
ASOR
authoritative system of record
authoritative system of record
hierarchical, tree-like structure that tracks subjects and their authorization chains
most commonly implemented directory services
Microsoft Windows Active Directory (AD)
directory services
map resource names to their network addresses
LDAP
Lightweight Directory Access Protocol
SSO
single sign-on
federated identity
portable identity and its associated entitlements which allow a user to be authenticated across multiple IT systems and enterprises
IDaaS
Identity as a Service
Identity as a Service
a type of Software as a Service (SaaS) offering which provides SSO, federated identity management (FIM), and password management services
three identity management services approaches
on-premise, cloud-based, and hybrid
biometrics
most expensive; provides the strongest protection
passwords
least protection; cheapest
challenge/response protocol with token device
authentication service generates a random challenge and sends it to the user; the smart token computes a response from the challenge and its secret, which the service verifies
mutual authentication
user authenticates to system and system authenticates to user
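The asynchronous-token, challenge/response and mutual-authentication cards above, carried through as one exchange. This is an added example, not code from the flashcards: the `AuthServer` and `Token` classes, the HMAC-SHA256 construction and the `"token|"`/`"server|"` domain-separation prefixes are choices made for the illustration. The server issues a fresh nonce, the token answers with an HMAC over it, and on success the server returns its own HMAC over the same nonce so the user's token can verify the server in turn. The demo also shows the two failures a practitioner checks for: a token with the wrong key, and a replayed response.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


class AuthServer:
    """Authentication service side of the exchange."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = {}      # user -> challenge awaiting its response

    def issue_challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)          # fresh and unpredictable, so responses cannot be replayed
        self._pending[user] = nonce
        return nonce

    def check_response(self, user: str, response: bytes) -> Optional[bytes]:
        """Verify the token's response; on success return the server's own proof for mutual auth."""
        nonce = self._pending.pop(user, None)     # single use: a second submission finds no challenge
        if nonce is None:
            return None
        expected = hmac.new(self._key, b"token|" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        # Mutual authentication: the server proves it also holds the key, bound to the same nonce.
        return hmac.new(self._key, b"server|" + nonce, hashlib.sha256).digest()


class Token:
    """Asynchronous (challenge/response) token held by the user."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, b"token|" + challenge, hashlib.sha256).digest()

    def verify_server(self, challenge: bytes, proof: bytes) -> bool:
        expected = hmac.new(self._key, b"server|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def run_exchange(server: AuthServer, token: Token, user: str) -> Tuple[bool, bool]:
    """Full exchange. Returns (user_authenticated, server_authenticated)."""
    challenge = server.issue_challenge(user)          # 1. service -> user: random challenge
    response = token.respond(challenge)               # 2. token: response from challenge + secret
    proof = server.check_response(user, response)     # 3. service verifies; returns its proof or None
    user_ok = proof is not None
    server_ok = user_ok and token.verify_server(challenge, proof)   # 4. token verifies the service
    return user_ok, server_ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)                     # shared secret provisioned into both sides
    server = AuthServer(key)
    print("genuine token :", run_exchange(server, Token(key), "alice"))
    print("wrong key     :", run_exchange(server, Token(secrets.token_bytes(32)), "alice"))
    # Replay: reuse a captured response after its challenge has been consumed.
    challenge = server.issue_challenge("bob")
    captured = Token(key).respond(challenge)
    print("first use     :", server.check_response("bob", captured) is not None)
    print("replayed      :", server.check_response("bob", captured) is not None)
```

Two details carry the security here. The nonce is random and consumed on first use, which is what makes a captured response worthless. And the server's proof uses a different prefix than the token's, so an attacker cannot reflect the token's own response back to it as a "server" proof.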
access control technology that can be used for either identification (one-to-many search of enrolled templates) or authentication (one-to-one verification of a claimed identity)
biometrics
directories used in identity management are
hierarchical and follow the X.500 standard
Lightweight Directory Access Protocol
allows subjects and applications to interact with the directory; apps make LDAP request to the directory for information about a user, and users make LDAP requests for information about specific resources
password synchronization
allows user to maintain one password across multiple systems
biometric input for identity verification
1) the application identifies data points in the scanned sample as match points; 2) an algorithm processes the match points and translates them into a numeric value; 3) that value is compared with the value stored in the database at enrollment, and authentication is approved or denied based on the result
FRR
false rejection rate; rate at which an authorized individual is rejected (Type I error)
FAR
false acceptance rate; rate at which an impostor is accepted (Type II error)
Type I error
FRR