Cybersecurity - User Authentication Flashcards
User Authentication
User authentication is the process of proving your identity before accessing a system. It makes sure that only the right person gets access.
📌 Example: When logging into Facebook, you enter your email and password to prove it’s really you.
User Access Control
Access control decides who can access what based on their identity and permissions.
📌 Example: At work, only IT staff can access server settings, while regular employees can’t.
Authentication Factors
There are three main ways to prove identity:
1️⃣ Something you know – Passwords, PINs, security questions.
2️⃣ Something you have – Smart card, security token, OTP (One-Time Password).
3️⃣ Something you are – Fingerprints, facial recognition, iris scan.
📌 Example: Bank apps use two-factor authentication (2FA), asking for a password + OTP.
Multi-Factor Authentication (MFA)
MFA uses two or more authentication factors for extra security.
📌 Example: Logging into Google with a password + phone verification code.
Biometrics
Biometrics uses unique physical traits to identify a person. Examples:
Fingerprint scanner on your phone.
Face ID to unlock iPhones.
📌 Example: Airports use facial recognition for passport checks.
Tokens
A token is a physical or digital item that proves your identity.
Physical token: A smart card or USB key.
Digital token: A one-time password (OTP) generated by an app.
📌 Example: A YubiKey is a hardware security key (USB or NFC) used for phishing-resistant logins.
Cognometrics
Cognometrics is authentication using how you think or remember things.
📌 Example: Answering security questions like “What is your pet’s name?” when resetting a password.
Single Sign-On (SSO)
SSO allows you to log in once and access multiple services.
📌 Example: Using your Google account to log into YouTube, Gmail, and Drive.
Brute-Force Attack
A brute-force attack tries every possible password until it finds the right one.
📌 Example: A hacker automatically tests millions of passwords to break into an account.
Wordlist Attack
Also called a dictionary attack: instead of testing every possible combination, the attacker tries a list of common or previously leaked passwords.
📌 Example: Trying “password123” or “qwerty” first, because many people use them.
Password Stuffing
Usually called credential stuffing: an attacker takes username/password pairs leaked from one website and tries them on others, relying on password reuse.
📌 Example: If your LinkedIn password was leaked, an attacker might try the same email and password on Facebook.
Throttled vs. Unthrottled Guessing
Throttled Guessing – Online attacks against a live login form are slow because attempts are rate-limited or the account is locked after a few failures.
Unthrottled Guessing – Offline attacks against a stolen password-hash database are limited only by the attacker’s hardware, so guessing runs at full speed.
📌 Example: A login form might lock the account for a while after 5 wrong attempts to slow down brute-force attacks.
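To make the throttled/unthrottled contrast concrete, here is an added example (not code from the original flashcards) in Python: a login endpoint that locks an account after 5 wrong attempts, a wordlist attack run against it, and the same wordlist run against a stolen hash record where nothing slows the attacker down. The user store, the 15-minute lockout, the low PBKDF2 iteration count and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # lock after 5 wrong attempts, as in the example above
LOCKOUT_SECONDS = 900       # assumed policy: 15-minute lockout
PBKDF2_ITERATIONS = 20_000  # kept low so the demo runs fast; production uses far more


def make_record(password: str) -> tuple:
    """Create a (salt, hash) record for the constructed in-memory user store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# A dummy record is hashed for unknown usernames so a failed login takes the same
# time whether or not the account exists (no username enumeration via timing).
_DUMMY = make_record("dummy-password")


def check_password(users: dict, username: str, password: str) -> bool:
    salt, expected = users.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return username in users and hmac.compare_digest(candidate, expected)


class ThrottledLogin:
    """Online login endpoint with a per-account failure counter and temporary lockout."""

    def __init__(self, users: dict):
        self.users = users
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> unix time at which the lock expires

    def attempt(self, username: str, password: str, now=None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for tests."""
        now = time.time() if now is None else now
        if now < self.locked_until.get(username, 0.0):
            return "locked"  # still locked: the password is not even checked
        self.locked_until.pop(username, None)  # lock expired (or never set)
        if check_password(self.users, username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.failures[username] = 0
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def online_wordlist_attack(service: ThrottledLogin, username: str, wordlist: list, now: float) -> list:
    """Throttled guessing: one login request per word, all fired at the same instant."""
    return [service.attempt(username, word, now=now) for word in wordlist]


def offline_wordlist_attack(record: tuple, wordlist: list):
    """Unthrottled guessing against a stolen (salt, hash) record: nothing limits the attacker."""
    salt, expected = record
    for word in wordlist:
        if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, PBKDF2_ITERATIONS) == expected:
            return word
    return None


# Constructed sample account and attacker wordlist (the real password is the last entry).
USERS = {"alice": make_record("correct horse battery")}
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "correct horse battery"]

if __name__ == "__main__":
    svc = ThrottledLogin(USERS)
    print("online :", online_wordlist_attack(svc, "alice", WORDLIST, now=time.time()))
    print("offline:", offline_wordlist_attack(USERS["alice"], WORDLIST))
```

Online, the correct password is never even checked because the account is locked by the time the attacker reaches it; offline, the same six guesses find it immediately, which is why the slowness of the hash function (next card) is what protects a stolen database.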
Secure Password Storage
Passwords should never be stored in plaintext. Store them with a slow password hash (bcrypt, scrypt or Argon2) and a unique random salt per password, optionally combined with a server-side secret pepper kept outside the database.
📌 Example: Websites use bcrypt hashing so that a stolen database does not reveal the actual passwords.
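The card names bcrypt; the added example below (not code from the original flashcards) uses scrypt instead, because it ships in Python's standard library, and shows all three ingredients: a slow memory-hard hash, a per-password random salt stored next to the hash, and a pepper mixed in with HMAC before hashing so that the database alone is useless to an offline cracker. The pepper value, the record format and the parameter choices are the example's own assumptions.

```python
import base64
import hashlib
import hmac
import os

# Pepper: a server-side secret kept outside the database (environment variable, KMS, HSM).
# This value is constructed for the example; a real one is 32 random bytes you never commit.
PEPPER = bytes.fromhex("6b7f4e9a2d8c1f05e3a49b7c0d2e6f8a1c3b5d7e9f0a2b4c6d8e0f1a3b5c7d9e")

# Current policy (assumed): scrypt with N=2^14, r=8, p=1 uses about 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the pepper to the password with HMAC-SHA256 before the slow hash."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$hash (all parameters stored)."""
    salt = os.urandom(16)  # unique per password: equal passwords get different hashes
    digest = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash with the parameters stored in the record; constant-time compare."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed record
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with weaker parameters than the current policy.
    Call after a successful login and re-hash the (now known) password if so."""
    try:
        algo, n, r, p, _salt, _digest = stored.split("$")
    except ValueError:
        return True
    return algo != "scrypt" or (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    record = hash_password("hunter2")  # constructed sample password
    print(record)
    print("correct password:", verify_password("hunter2", record))
    print("wrong password:  ", verify_password("hunter3", record))
```

Storing the parameters inside the record is what makes `needs_rehash` possible: when hardware gets faster you raise the policy constants and existing users are migrated transparently at their next login.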
Password Complexity Rules
Complexity rules require users to create passwords that mix letters, numbers and symbols. Length and not appearing in breached-password lists matter more; current guidance (NIST SP 800-63B) recommends screening new passwords against lists of known-compromised passwords instead of enforcing composition rules.
📌 Example: Websites force passwords like “P@ssw0rd!” instead of “123456”, even though “P@ssw0rd!” itself appears in common wordlists.
Password Expiry
Forcing users to change passwords regularly, so that a password an attacker already knows stops working. Current guidance (NIST SP 800-63B) discourages fixed expiry periods, because users respond with predictable variations of the old password, and instead recommends forcing a change when compromise is suspected.
📌 Example: Some companies require password changes every 3 months.
Intrusion Detection Systems (IDS)
An IDS monitors network activity and alerts admins when something suspicious happens.
📌 Example: If someone logs in from Russia, but they usually log in from Denmark, the system raises an alert.
Social Engineering
Hacking people instead of systems by tricking them into revealing passwords.
📌 Example: A hacker pretends to be IT support and asks an employee for their login details.
Phishing
Fake emails, messages, or websites trick users into entering passwords.
📌 Example: A fake “PayPal” email asks you to click a link and log in, but it’s a scam.
Shoulder Surfing
Watching someone enter their password by looking over their shoulder.
📌 Example: A hacker at a café watches you type your laptop password.
Smudge Attack
Inferring a PIN or unlock pattern from the oily smudges that fingers leave on a touchscreen.
📌 Example: An attacker tilts your phone against the light to see the lock pattern traced on the screen.
Network Sniffing
Capturing data being sent over the network to steal passwords that are transmitted without encryption.
📌 Example: On open public Wi-Fi anyone nearby can capture traffic, so a login form sent over plain HTTP exposes your password.
TLS & HTTPS
TLS (Transport Layer Security) encrypts traffic between your browser and the server; HTTPS is HTTP over TLS, so a sniffer sees only ciphertext.
📌 Example: Google Chrome warns you if a website is not secure (HTTP instead of HTTPS).
Certificate Pinning
The app accepts only a specific certificate or public key for its server, rather than any certificate the device’s trust store would accept, so an attacker holding a fraudulently issued certificate cannot intercept the connection.
📌 Example: Banking apps use certificate pinning so that traffic to the bank cannot be intercepted by a man-in-the-middle.
Alternative Authentication (Side-Channel Attacks)
Getting into an account through a weaker alternative path, such as password recovery, instead of the password itself.
📌 Example: Resetting someone’s email password by guessing the answer to their security question.