Chapter 2: Understanding Identity and Access Management Flashcards
Authentication
allows entities to prove their identity by using credentials known to another entity.
Identification
occurs when a user claims or professes an identity, such as with a username, an email address, a PIV card, or by using biometrics.
Authentication
occurs when an entity provides proof of an identity (such as a password). A second identity is the authenticator and it verifies the authentication.
Authorization
provides access to resources based on a proven identity.
Accounting
methods track user activity and record the activity in logs.
Five factors of authentication are:
Something you know, such as a username and password
Something you have, such as a smart card, CAC, PIV, or token
Something you are, using biometrics, such as fingerprints or retina scans
Somewhere you are, using geolocation, a computer name, or a MAC address
Something you do, such as gestures on a touch screen
The something you know factor typically refers to
a shared secret, such as a password or a PIN. This is the least secure form of authentication.
Passwords should be
strong and changed often. Complex passwords include multiple character types. Strong passwords are complex and at least 14 characters long.
Administrators should verify
a user’s identity before resetting the user’s password. When resetting passwords manually, administrators should configure them as temporary passwords that expire after the first use, requiring users to create a new password the first time they log on. Self-service password systems automate password recovery.
Password policies provide
a technical means to ensure users employ secure password practices.
Password length specifies
the minimum number of characters in the password.
Password complexity
ensures passwords are complex and include at least three of the four character types, such as special characters.
Password history
remembers past passwords and prevents users from reusing passwords.
Minimum password age is used with password history to prevent
users from changing their password repeatedly to get back to the original password.
Maximum password age or password expiration forces users to
change their password periodically. When administrators reset user passwords, the password should expire upon first use.
Password policies should apply to
any entity using a password. This includes user accounts and accounts used by services and applications. Applications with internally created passwords should still adhere to the organization’s password policy.
Account lockout policies
lock out an account after a user enters an incorrect password too many times.
Smart cards are
credit card-sized cards that have embedded certificates used for authentication. They require a PKI to issue certificates.
Common Access Cards (CACs) and Personal Identity Verification (PIV) cards can be used as
photo IDs and as smart cards (both identification and authentication).
Tokens (or key fobs)
display numbers in an LCD. These numbers provide rolling, one-time use passwords and are synchronized with a server. USB tokens include an embedded chip and a USB connection. Generically, these are called hardware tokens.
HOTP and TOTP are
open source standards used to create one-time-use passwords.
HOTP creates a one-time-use password
that does not expire.
TOTP creates a one-time password
that expires after 30 seconds.