Chapter 2 Understanding Identity and Access Management Flashcards
Allowing entities to prove their identity by using credentials known to another entity is
Authentication
Authentication occurs when an entity provides proof of an identity (such as a password). A second entity, the authenticator, verifies that proof.
Authorization provides access to resources based on a proven identity.
Accounting methods track user activity and record the activity in logs.
Five factors of authentication are: Something you know, Something you have, Something you are, Somewhere you are, Something you do.
Passwords should be strong and changed often. Complex passwords include multiple character types. Strong passwords are complex and at least 14 characters long.
Administrators should verify a user’s identity before resetting the user’s password. When resetting passwords manually, administrators should configure them as temporary passwords that expire after the first use, requiring users to create a new password the first time they log on. Self-service password systems automate password recovery.
Password policies provide a technical means to ensure users employ secure password practices.
Password length specifies the minimum number of characters in the password.
Password complexity ensures passwords are complex and include at least three of the four character types, such as special characters.
Password history remembers past passwords and prevents users from reusing passwords.
Minimum password age is used with password history to prevent users from changing their password repeatedly to get back to the original password.
Maximum password age or password expiration forces users to change their password periodically. When administrators reset user passwords, the password should expire upon first use.
Password policies should apply to any entity using a password. This includes user accounts and accounts used by services and applications. Applications with internally created passwords should still adhere to the organization’s password policy.
Account lockout policies lock out an account after a user enters an incorrect password too many times.
Smart cards are credit card-sized cards that have embedded certificates used for authentication. They require a PKI to issue certificates.
Common Access Cards (CACs) and Personal Identity Verification (PIV) cards can be used as photo IDs and as smart cards (both identification and authentication).
Tokens (or key fobs) display numbers in an LCD. These numbers provide rolling, one-time use passwords and are synchronized with a server. USB tokens include an embedded chip and a USB connection. Generically, these are called hardware tokens.
HOTP and TOTP are open source standards used to create one-time-use passwords. HOTP creates a one-time-use password that does not expire until it is used and TOTP creates a one-time password that expires after 30 seconds.
Biometric methods are the most difficult to falsify. Physical methods include voice and facial recognition, fingerprints, retina scans, iris scans, and palm scans. Biometric methods can also be used for identification.
The false acceptance rate (FAR), or false match rate, identifies the percentage of times false acceptance occurs. The false rejection rate (FRR), or false nonmatch rate, identifies the percentage of times false rejections occur. The crossover error rate (CER) indicates the quality of the biometric system. Lower CERs are better.
Single-factor authentication includes one or more authentication methods in the same factor, such as a PIN and a password. Dual-factor (or two-factor) authentication uses two factors of authentication, such as a USB token and a PIN. Multifactor authentication uses two or more factors. Multifactor authentication is stronger than any form of single-factor authentication.
Authentication methods using two or more methods in the same factor are single-factor authentication. For example, a password and a PIN are both in the something you know factor, so they only provide single-factor authentication.
Kerberos is a network authentication protocol using tickets issued by a KDC or TGT server. If a ticket-granting ticket expires, the user might not be able to access resources. Microsoft Active Directory domains and Unix realms use Kerberos for authentication.
LDAP specifies formats and methods to query directories. It provides a single point of management for objects, such as users and computers, in an Active Directory domain or Unix realm. The following is an example of an LDAP string: LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com
LDAP Secure (LDAPS) encrypts transmissions with SSL or TLS.
Single sign-on (SSO) allows users to authenticate with a single user account and access multiple resources on a network without authenticating again.
SSO can be used to provide central authentication with a federated database and use this authentication in an environment with different operating systems (nonhomogeneous environment).