Lesson 4: Implement Identity and Access Management Flashcards
Define Confidentiality in authentication
If account credentials are leaked, threat actors can impersonate the account.
Define Integrity in authentication
The authentication mechanism is reliable and not easy for threat actors to bypass or trick with counterfeit credentials.
Define Availability in authentication
The time taken to authenticate does not impede workflows, and the mechanism is easy enough for users to operate.
Define an ‘authentication factor’
One of the different technologies used to implement authentication.
List main authentication factors
Knowledge (username/password/PIN), ownership/token, and biometric/inherence.
Define the term ‘password best practices’
Policies that govern the secure selection and maintenance of authentication factors, such as secrets (length, complexity, age, and reuse), smart cards, and biometric IDs.
Define the term ‘account policies’
Policies governing user security information, such as password expiration and uniqueness.
Define a ‘Password Length’ policy
Enforces a min/max length for passwords.
Define a ‘Password Complexity’ policy
Enforces password entropy, i.e., complex passwords that aren’t easy to crack.
What are examples of password complexity?
No use of a username within the password and a combination of at least eight uppercase/lowercase alphanumeric and non-alphanumeric characters.
Define a ‘Password Age’ policy
Forces the user to select a new password after a set number of days.
Define a ‘Password Reuse and History’ policy
Prevents the selection of a password that has been used already.
Define the purpose of the ‘history’ attribute of a ‘Password Reuse and History’ policy
How many previous passwords are blocked from use.
Define the purpose of the ‘minimum age’ attribute of a ‘Password Reuse and History’ policy
Prevents a user from quickly cycling through password changes to revert to a preferred phrase.
Define a ‘password manager’
Software that can suggest and store passwords to reduce risks from poor user choices and behavior.
What is the purpose of a password manager?
To mitigate risk of poor user credential management practices.
What are the main risks of using a password manager?
Selection of a weak master password, compromise of the vendor’s cloud storage or systems, impersonation attacks.
Define ‘multifactor authentication (MFA)’
Authentication scheme that requires the user to present at least two different factors as credentials.
Define an ‘ownership authentication factor’
Something unique you have; smart card, key fob, cryptographic token.
Define a ‘biometric/inherence authentication factor’
Something you are; Fingerprint, retinal scan, facial scan.
Define a ‘location-based authentication factor’
Somewhere you are; the system applies a location-based factor to an authentication decision based on location/IP address.
What does it take to configure biometric authentication?
- A sensor module to acquire biometric samples
- Extraction module that creates a ‘template’/mathematical representation of the sample
Define the process of biometric authentication
A user is rescanned and the scan is compared to their initial template.
List the 3 metrics that are used to evaluate biometric authentication performance
- False Rejection Rate (FRR)
- False Acceptance Rate (FAR)
- Crossover Error Rate (CER)
Define ‘False Rejection Rate (FRR)’
Measures the number of valid subjects who are denied access as a percentage.
Define ‘False Acceptance Rate (FAR)’
Measures the number of unauthorized users who are mistakenly allowed access as a percentage.
What is the outcome of a high False Rejection Rate (FRR)?
Causes inconvenience to authorized users.
What is the outcome of a high False Acceptance Rate (FAR)?
Can lead to security breaches.
Define ‘Crossover Error Rate (CER)’
The point at which FAR and FRR meet, with a lower value indicating better performance.
Define throughput in biometric authentication performance
Time required to create a template for each user and the time required to authenticate.
Define ‘Failure to Enroll Rate (FER)’
Incidents in which a template cannot be created and matched for a user during enrollment.
What are user concerns with biometric authentication?
Users can find it intrusive and threatening to privacy; The technology can be discriminatory or inaccessible to those with disabilities.
What is the most common form of biometric authentication?
Fingerprint recognition.
List the 3 types of tokens in ownership authentication
- Certificate-Based Authentication
- One-Time Password (OTP)
- Fast Identity Online (FIDO) Universal 2nd Factor (U2F)
Define ‘Certificate-Based Authentication’
The supplicant uses a private key to generate a unique signed token; the identity provider verifies the signature via the public key.
Define ‘One-Time Password (OTP)’
A token generated for each authentication decision using some sort of hash function on a shared secret value plus a synchronization seed, such as a timestamp; does not require PKI.
Define ‘Fast Identity Online (FIDO) Universal 2nd Factor (U2F)’
Uses asymmetric key pairs to register each account.
Define the authentication process of ‘Fast Identity Online (FIDO) Universal 2nd Factor (U2F)’
The private key is locked to the U2F device and signs the token; the public key is registered with the authentication server and verifies the token; it does not use PKI because there is no digital certificate.
Define ‘hard authentication token’
Authentication token generated by a cryptoprocessor on a dedicated hardware device.
What makes a hard authentication token secure?
Because the token is never transmitted directly, it implements an ownership factor within a multifactor authentication scheme.
List the 3 types of hard authentication tokens
- Smart cards
- One-time password (OTP)
- Security key
Define a ‘Smart card’
A security device similar to a credit card that can store authentication information.
What authentication information is stored on a smart card?
User’s digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card.
Define a ‘Security key’
Refers to a portable hardware security module (HSM) with a computer interface, such as USB or NFC; Most closely associated with U2F.
Define a ‘soft authentication token’
An OTP generated by the identity provider that is transmitted to the supplicant.
How can a soft authentication token be made more secure?
With the use of an authenticator app.