Chapter 2 - Access Management Flashcards
What is:
- ) Identity
- ) Authentication
- ) Authorization
- ) Who you claim to be: Username
- ) Verification of Identity: Password
- ) Granted Accesses or Permissions
3 Types of Authentication
- ) Type 1 - Something you know. Pins, passwords, personal info
- ) Type 2 - Something you have. Smart card, token.
- ) Type 3 - Something you are. Biometrics.
Password Types
- ) Static
- ) Dynamic or OTP
- ) Cognitive - Type 1 - e.g. favorite color
- ) Passphrase - similar to Static, just more complex
Password Policies
- ) History
- ) Max Age
- ) Min Age
- ) Min Length
- ) Complexity
- ) Reversible Encryption - not recommended
Tool to Assist with Password Management
KeePassXC
Strong Password - Complexity
- ) 12-15 chars
- ) Upper and lowercase
- ) Numbers and symbols
NIST Password Recommendations - 800-63B
- ) Encourage Passphrases
- ) 8 char Min
- ) No clear text - salt and hash passwords for storage
- ) Up to 64 Char
- ) Password Blacklist
- ) Salted Hash takes care of complexity
- ) Passwords should NOT expire unless evidence of compromise.
What does Salting do?
Adds random bits to a value (password) before hashing and produces a hexadecimal representation. SHA-3 (256) will create a 256-bit hash, displayed as hex.
What is a smart card?
What is it an example of?
Card with an embedded certificate that identifies the individual. Usually used with a PIN or password. This is an example of 2FA.
What is a Hardware token?
Device that displays a number which changes every X seconds. Considered a dynamic or one time password. Used with Username and Password for 2FA.
What are the two types of Hardware tokens?
- ) Synchronous dynamic password - changes every X seconds. Must be synced with the server.
- ) Asynchronous dynamic password - Enter pin into device and get OTP.
Examples of Software Tokens and One Time Passwords (OTP).
- ) HOTP - HMAC (Hash-based Message Authentication Code) - Incrementing counter plus secret key, hashed with HMAC and truncated to a short code. Is async.
- ) OPIE - OTP In Everything - Used in networks. Password + other data hashed to create the OTP. Is async.
- ) TOTP - Time based. Is sync.
What is a proximity card?
A card that has electronically embedded data that will be transmitted to a reader when the card passes through a magnetic field which excites the inductor in the card.
Examples of Biometrics
- ) Finger and Thumb prints - can be tricked with images and gummy bears
- ) Palm - reads vein pattern using infrared scanner. Hand hovers over scanner.
- ) Retina - reads blood vessel pattern with infrared scanner. Physical contact required. Can reveal medical conditions, which is personal/private information.
- ) Iris - cameras are used to match Iris patterns. Can be tricked with images. Can fail due to lighting.
Biometric Error Types
- ) False Rejection Rate (FRR)
- ) False Acceptance Rate (FAR)
- ) Crossover Error Rate (CER) - Point where FRR and FAR are equal. Low CER indicates a better performing system.
Example of 2 Step Verification
Corporate Google Accounts often use username and password followed by a 6-digit code sent to a user's cell phone via SMS, voice call or the Google mobile app.
What is SSO?
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications.