Cybersecurity - User Authentication Flashcards

1
Q

User Authentication

A

User authentication is the process of proving your identity before accessing a system. It makes sure that only the right person gets access.
📌 Example: When logging into Facebook, you enter your email and password to prove it’s really you.

2
Q

User Access Control

A

Access control decides who can access what based on their identity and permissions.
📌 Example: At work, only IT staff can access server settings, while regular employees can’t.

3
Q

Authentication Factors

A

There are three main ways to prove identity:
1️⃣ Something you know – Passwords, PINs, security questions.
2️⃣ Something you have – Smart card, security token, OTP (One-Time Password).
3️⃣ Something you are – Fingerprints, facial recognition, iris scan.
📌 Example: Bank apps use two-factor authentication (2FA), asking for a password + OTP.

4
Q

Multi-Factor Authentication (MFA)

A

MFA uses two or more authentication factors for extra security.
📌 Example: Logging into Google with a password + phone verification code.

5
Q

Biometrics

A

Biometrics uses unique physical traits to identify a person. Examples:

Fingerprint scanner on your phone.
Face ID to unlock iPhones.
📌 Example: Airports use facial recognition for passport checks.

6
Q

Tokens

A

A token is a physical or digital item that proves your identity.

Physical token: A smart card or USB key.
Digital token: A one-time password (OTP) generated by an app.
📌 Example: YubiKey is a USB security token used for high-security logins.

6
Q

Cognometrics

A

Cognometrics is authentication using how you think or remember things.
📌 Example: Answering security questions like “What is your pet’s name?” when resetting a password.

7
Q

Single Sign-On (SSO)

A

SSO allows you to log in once and access multiple services.
📌 Example: Using your Google account to log into YouTube, Gmail, and Drive.

8
Q

Brute-Force Attack

A

A brute-force attack tries every possible password until it finds the right one.
📌 Example: A hacker automatically tests millions of passwords to break into an account.

9
Q

Wordlist Attack

A

A hacker uses a list of common passwords instead of testing all possible combinations.
📌 Example: Trying “password123” or “qwerty” because many people use them.

10
Q

Password Stuffing

A

A hacker takes leaked passwords from one website and tries them on others.
📌 Example: If your LinkedIn password was hacked, a hacker might try it on Facebook.

11
Q

Throttled vs. Unthrottled Guessing

A

Throttled Guessing – Slow attacks because login attempts are rate-limited.
Unthrottled Guessing – Fast attacks, usually done offline with a stolen password file.
📌 Example: A login form might block users after 5 wrong attempts to prevent brute-force attacks.

12
Q

Secure Password Storage

A

Passwords should be stored safely using hashing, salting, and peppering.
📌 Example: Websites use bcrypt hashing to protect passwords so hackers can’t read them.

13
Q

Password Complexity Rules

A

Complexity rules require users to create strong passwords (mixing letters, numbers, symbols).
📌 Example: Websites force passwords like “P@ssw0rd!” instead of “123456”.

13
Q

Password Expiry

A

Password expiry forces users to change their passwords regularly, so that an attacker who has obtained a password cannot keep using it indefinitely.
📌 Example: Some companies require password changes every 3 months.

14
Q

Intrusion Detection Systems (IDS)

A

An IDS monitors network activity and alerts admins when something suspicious happens.
📌 Example: If someone logs in from Russia, but they usually log in from Denmark, the system raises an alert.

15
Q

Social Engineering

A

Hacking people instead of systems by tricking them into revealing passwords.
📌 Example: A hacker pretends to be IT support and asks an employee for their login details.

16
Q

Phishing

A

Fake emails, messages, or websites trick users into entering passwords.
📌 Example: A fake “PayPal” email asks you to click a link and log in, but it’s a scam.

17
Q

Shoulder Surfing

A

Watching someone enter their password by looking over their shoulder.
📌 Example: A hacker at a café watches you type your laptop password.

18
Q

Smudge Attack

A

Using fingerprint marks on a touchscreen to guess a password pattern.
📌 Example: A hacker checks your phone screen to see the lock pattern you use.

18
Q

Network Sniffing

A

Capturing data being sent over the network to steal unencrypted passwords.
📌 Example: Public WiFi without encryption lets hackers steal login details.

19
Q

TLS & HTTPS

A

TLS (Transport Layer Security) encrypts website traffic to prevent network sniffing.
📌 Example: Google Chrome warns you if a website is not secure (HTTP instead of HTTPS).

20
Q

Certificate Pinning

A

Certificate pinning prevents attackers from impersonating a website by checking that the certificate presented matches the site’s known, expected certificate.
📌 Example: Banking apps use certificate pinning to stop fake login pages.

21
Q

Alternative Authentication (Side-Channel Attacks)

A

Hacking an account using password recovery methods instead of the actual password.
📌 Example: Resetting someone’s email password by answering their security question.

22
Q

FIDO2 & WebAuthn (Passwordless Login)

A

FIDO2 lets users log in without passwords, using cryptographic keys stored in security devices.
📌 Example: YubiKey or Face ID lets users log in without typing a password.

23
Q

Graphical Passwords

A

Instead of text, users select images or patterns for authentication.
📌 Example: Unlocking a phone using a swipe pattern instead of typing a PIN.

24
Q

Access Control

A

Rules that define who can access files, networks, or systems.
📌 Example: Only managers can edit payroll data, while employees can only view it.

25
Q

Discretionary Access Control (DAC)

A

Users can choose who gets access to files they own.
📌 Example: You share a Google Drive document with a friend.

26
Q

Mandatory Access Control (MAC)

A

Access is strictly defined by security policies, often used in government/military.
📌 Example: Top-secret documents can only be viewed by users with high clearance.

27
Q

Role-Based Access Control (RBAC)

A

Permissions are based on job roles.
📌 Example: HR staff can access employee records, but IT staff cannot.

28
Q

Attribute-Based Access Control (ABAC)

A

Access is based on multiple conditions like time, location, or device.
📌 Example: Employees can only access company systems when inside the office.