L5 - Authentication Techniques Flashcards

1
Q

Existing Authentication Techniques

A

What you know
- Username
- Password
- PINs

Weaknesses: can be shared, easy to guess, often forgotten

What you have
- Cards
- NRIC, Passport
- Keys

Weaknesses: can be shared, can be duplicated, can be lost or stolen

What you know and have
- ATM card + PIN

Weaknesses: both parts can be shared; the PIN is weak (short and guessable)

What you are
- Fingerprint
- Face
- Voiceprint
- Iris scan

Strengths: not possible to share, repudiation unlikely, forging difficult, cannot be lost or stolen
Caveat: a biometric trait can still be spoofed (a lifted fingerprint, a photo of the face) and, unlike a password, cannot be reissued once its template is compromised

2
Q

What a user has

A
  • NRIC, Passport
  • OTP (one-time password)
    Methods of generating:
    – Time-synchronised (the code is derived from a shared secret and the current time step)
    – Challenge-based (the code is derived from a shared secret and a challenge the server sends)
    Methods of distributing:
    – Over SMS on a mobile phone
    – On proprietary tokens
    Caveat: SMS is the weakest delivery channel (SIM swap, phishing of the code), so an SMS OTP is only as strong as control of the phone number; a token holds the secret on the device itself
3
Q

What a user is

A

Standard biometrics
* Fingerprint, Retina, Face

Behavioral biometrics
* Keystroke dynamics
* Voice recognition
* Computer footprinting (a person's typical pattern of computer use)
* Gait (pattern of movement)

Cognitive biometrics
* Memorable events
* Identify specific faces

4
Q

Attacks on Authentication System

A

Common attacks on a login form:
- Brute-force attempts using bots
- Multiple login attempts from a single IP (the usual indicator by which bot-driven guessing is detected)
- SQL injection through the username or password field
- XSS attacks

Recommended: return one generic message such as "Invalid login" for every failure, instead of "username does not exist" or "Wrong password". Distinct messages tell an attacker which usernames are valid (account enumeration), which turns a blind brute-force into a targeted one. The response time and status code should also be the same in both cases, since skipping the password check for an unknown user leaks the same information.
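The generic-message recommendation side by side with the leaky version, as an added example that is not code from the original card. The user table, the PBKDF2 work factor and the dummy record used for unknown usernames are assumptions of the example; the point is that the hardened handler returns the same message and does the same amount of work whether or not the username exists.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the demo


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_record(password: str):
    """Salted PBKDF2 record as it would sit in the users table."""
    salt = secrets.token_bytes(16)
    return salt, _hash_password(password, salt)


# Constructed user table for the example: username -> (salt, hash). Not real accounts.
USERS = {"alice": make_user_record("correct horse battery staple")}

# Dummy record used whenever the username is unknown, so the expensive hash still runs
# and the response time does not reveal which usernames exist.
_DUMMY_SALT, _DUMMY_HASH = make_user_record(secrets.token_hex(16))


def login_leaky(username: str, password: str):
    """Vulnerable form: the message (and the skipped hash when the user is unknown)
    lets an attacker enumerate valid usernames before guessing passwords."""
    if username not in USERS:
        return False, "username does not exist"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Wrong password"
    return True, "ok"


def login_generic(username: str, password: str):
    """Hardened form: one message for every failure and the same work for every username."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # compare_digest runs first so the hash is always computed; the membership test
    # keeps a lucky match against the dummy record from ever logging in.
    ok = hmac.compare_digest(_hash_password(password, salt), stored) and username in USERS
    return (True, "ok") if ok else (False, "Invalid login")
```

Password-reset and registration pages need the same treatment: "an email has been sent if the account exists" rather than "no such account", or the enumeration simply moves to another form.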

5
Q

Prevention

A

Limit the frequency of online login attempts against an account through measures such as:
* Enforcing multi-factor authentication, anti-bot checks (e.g. CAPTCHA), or other forms of verification
* Locking an account after a specified number of failed login attempts
* Prohibiting multiple concurrent sessions for a single user
* Location-based verification (extra checks when a login comes from an unusual location)

Caveat: lockout on its own lets an attacker lock legitimate users out on purpose, so count failures per source IP as well as per account and prefer increasing delays before a hard lock.

6
Q

Multi-factor authentication

A
  • Granting access to a website or application by presenting two or more pieces of evidence (or factors) to an authentication mechanism:
    – knowledge (something only the user knows)
    – possession (something only the user has)
    – inherence (something only the user is)
  • Implement multi-factor authentication to prevent automated (bot), credential stuffing, brute force, and stolen credential re-use attacks.
7
Q

Steps for 2FA

A
  1. System verifies the user ID and password
  2. System generates a 6-digit OTP and sends it to the user by SMS
    - Saves a copy of the OTP (preferably a hash of it) and its expiry date/time in the DB
  3. System prompts the user for the OTP
  4. System checks whether the OTP entered is valid
    - Valid only if it matches the one saved in the DB
    - And only if it is received before the expiry date/time
    - Invalidate the OTP after one successful use and cap the number of wrong guesses
  5. If the user requests the OTP again because of a timeout, repeat steps 2-4 (the new OTP replaces the old one)
  6. System creates the session and redirects to the home page
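The OTP part of the flow (steps 2, 4 and 5) as an added example, not code from the original card. An in-memory dict stands in for the DB table, a `send_sms` callback stands in for the SMS gateway, and the 300-second validity and 3-guess cap are assumed values; the generator is `secrets`, never the `random` module.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300     # assumed validity window of an SMS OTP
MAX_OTP_ATTEMPTS = 3      # assumed cap on wrong guesses per issued OTP

# Constructed stand-in for the DB table of pending OTPs: user -> record
OTP_DB = {}


def _otp_hash(user: str, otp: str) -> str:
    # Store a hash rather than the code so a leaked table does not hand out live OTPs.
    return hashlib.sha256(f"{user}:{otp}".encode()).hexdigest()


def issue_otp(user: str, now: float, send_sms) -> None:
    """Step 2 (and step 5 on resend): generate a 6-digit code with a CSPRNG, save its
    hash and expiry, and hand it to the SMS gateway. Reissuing replaces any pending code."""
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    OTP_DB[user] = {"hash": _otp_hash(user, otp), "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    send_sms(user, otp)


def verify_otp(user: str, submitted: str, now: float):
    """Step 4: the code is valid only if one is pending, it has not expired, the guess
    budget is not exhausted, and it matches. A code that verifies is deleted (single use)."""
    rec = OTP_DB.get(user)
    if rec is None:
        return False, "no OTP pending"
    if now > rec["expires"]:
        del OTP_DB[user]
        return False, "expired; request a new code"
    rec["attempts"] += 1
    if rec["attempts"] > MAX_OTP_ATTEMPTS:
        del OTP_DB[user]
        return False, "too many attempts; request a new code"
    if not hmac.compare_digest(rec["hash"], _otp_hash(user, submitted)):
        return False, "invalid code"
    del OTP_DB[user]
    return True, "ok"
```

The attempt cap matters more than the hash: a 6-digit space is only a million values, so an attacker who can submit guesses freely within the window will hit the code. Between steps 1 and 4 the user should hold only a half-authenticated state; the full session of step 6 is created after `verify_otp` returns ok.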
8
Q

Brute force attack

A

An attempt to crack a password by trial and error: candidate passwords are tried one after another in the hope of eventually guessing correctly, either online against the login form or offline against a stolen password hash.

9
Q

Captcha - bot prevention

A

Completely Automated Public Turing test to tell Computers and Humans Apart

10
Q

Types of Captcha

A
  • Text-Based Captcha
  • Invisible ReCaptcha
  • Mathematical Captcha
  • Image-Based Captcha
  • Interactive Captcha
11
Q

Account Lockout

A
  • Disable a user account that keeps receiving a high number of login failures
  • Allow the locked account to be recovered:
    • Automatically after a certain duration
    • Manually using a web form with a user challenge (an identity check before the unlock)
  • Fail-safe rule: if the lockout check or the credential check itself errors out, deny the login rather than allow it
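Account lockout with automatic and manual recovery, covering the lockout item of the Prevention card and this card, as an added example that is not code from the original. The threshold of 5 failures, the 15-minute lock and the in-memory state dict are assumptions of the example; `attempt_login` takes a credential-check callback so the policy can be exercised without a real user store.

```python
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed threshold: failures before the account locks
LOCKOUT_SECONDS = 15 * 60   # assumed duration of an automatic lock


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # unix time; 0 means not locked


class LockoutPolicy:
    """Per-account failure counter with automatic and manual recovery."""

    def __init__(self, max_failures: int = MAX_FAILURES, lockout_seconds: int = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._state = {}   # username -> AccountState (in-memory stand-in for the DB)

    def is_locked(self, username: str, now: float) -> bool:
        st = self._state.get(username)
        return st is not None and now < st.locked_until

    def record_failure(self, username: str, now: float) -> bool:
        """Count a failed attempt; returns True if this attempt triggered a lock."""
        st = self._state.setdefault(username, AccountState())
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds   # automatic recovery after this time
            st.failures = 0
            return True
        return False

    def record_success(self, username: str) -> None:
        self._state.pop(username, None)   # a good login clears the counter

    def manual_unlock(self, username: str) -> None:
        """Manual recovery, called only after the user passes an out-of-band challenge."""
        self._state.pop(username, None)


def attempt_login(policy: LockoutPolicy, username: str, check_credentials, now: float) -> str:
    """Returns "locked", "denied" or "ok". The lock is checked before the credentials so a
    locked account rejects even the correct password until it recovers."""
    if policy.is_locked(username, now):
        return "locked"
    try:
        ok = check_credentials(username) is True
    except Exception:
        ok = False   # fail-safe: an error in the check is a denied login, never an allowed one
    if ok:
        policy.record_success(username)
        return "ok"
    policy.record_failure(username, now)
    return "denied"
```

Keyed only by username, this counter is a denial-of-service lever against any account whose name is known; a production policy also keys on source IP and device, and reports "Invalid login" for a locked account exactly as it does for a wrong password, so the lock state is not itself an enumeration signal.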