Summarize authentication and authorization design concepts Flashcards
Authentication methods
Directory services, Federation, Attestation, Technologies, Smart card authentication
Directory services
What are directory services in cybersecurity?
Directory services are software systems that store, organize and provide access to directory information in order to unify network resources. Directory services map the network names of network resources to network addresses and define a naming structure for networks.
Federation
A collection of realms (domains) that have established trust among themselves. The level of trust may vary, but typically includes authentication and may include authorization.
Attestation
Attestation is a mechanism for software to prove its identity. The goal of attestation is to prove to a remote party that your operating system and application software are intact and trustworthy.
Technologies
Time-based one-time password (TOTP), HMAC-based one-time password (HOTP), Short message service (SMS), Token key, Static codes, Authentication applications, Push notifications, Phone call
Time-based one-time password (TOTP)
It's a temporary password.
HMAC-based one-time password (HOTP)
Put in layman’s terms, HMAC-based One-time Password algorithm (HOTP) is an event-based OTP where the moving factor in each code is based on a counter. Each time the HOTP is requested and validated, the moving factor is incremented based on a counter.
An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.
Short message service (SMS)
Texting the temporary password.
Token key
A physical or virtual item that contains authentication and/or authorization data, commonly used in multifactor authentication.
Static codes
There are also simpler token keys and smart cards that simply transmit a static token programmed into the device. For example, many building entry systems work on the basis of static codes. These mechanisms are highly vulnerable to cloning and replay attacks.
Authentication applications
Authentication applications are downloaded to your device and generate secure, six-digit codes you use to sign in to your accounts. … Download and install an authentication app to your device. Some popular options include: Android options: Google Authenticator, Authy, LastPass, 1Password.
Push notifications
Push Notification Authentication enables user authentication by sending a push notification directly to a secure application on the user’s device, alerting them that an authentication attempt is taking place. Users can view authentication details and approve or deny access, typically via a simple press of a button.
Phone call
The code is delivered as an automated voice call to the registered phone number.
Smart card authentication
Smart card authentication means programming cryptographic information onto a card equipped with a secure processing chip. The chip stores the user’s digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card.
Biometrics
Fingerprint, Retina, Iris, Facial, Voice, Vein, Gait analysis, Efficacy rates, False acceptance, False rejection, Crossover error rate
Fingerprint
Retina
An infrared light is shone into the eye to identify the pattern of blood vessels. The arrangement of these blood vessels is highly complex and typically does not change from birth to death, except in the event of certain diseases or injuries.
Iris
Matches patterns on the surface of the eye using near-infrared imaging, so it is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance) and a lot quicker.
Facial
Voice
Vein
Gait analysis
Efficacy rates
Calculated efficiency
False acceptance
Biometric assessment metric that measures the number of unauthorized users who are mistakenly allowed access.
False rejection
Biometric assessment metric that measures the number of valid subjects who are denied access.
Crossover error rate
Biometric evaluation factor expressing the point at which the false acceptance rate (FAR) and false rejection rate (FRR) meet, with a low value indicating better performance.
Multifactor authentication (MFA) factors and attributes
Factors
Attributes
Factors
Something you know
Something you have
Something you are
Attributes
Somewhere you are
Something you can do
Something you exhibit
Someone you know
Authentication, authorization, and accounting (AAA)
It is a framework used to control and track access within a computer network.
Cloud vs. on-premises requirements