Authentication Methods
  • An account defines a subject on the computer or network system
  • authentication verifies that
    • only the account holder is able to use the account
    • the system may be used only by account holders
  • Authentication is performed when the account holder submits credentials to the system to request access
    • the submitted credentials are compared to the credentials stored on the system
    • if they match, the account is authenticated

Info

  • Account creation should be managed by onboarding policies
    • define procedures for checking identity, issuing credentials securely, and allocating appropriate permissions
  • an offboarding process should be applied to
    • adjust permissions
    • or ensure that the account is disabled or deleted

Authentication Factors

An authentication factor is the type of data used to create a credential.

  • categories:
    • knowledge factor
      • something you know
      • aka Type I
      • e.g., password
    • ownership factor
      • something you have
      • aka Type II
      • e.g., smart card
    • human or biometric factor
      • something you are
      • aka Type III
      • e.g., fingerprint
    • behavioral factor
      • something you do
      • e.g., making a signature
    • location factor
      • somewhere you are
      • e.g., being able to log into an account from a specific location
        • called geofencing
    • time factor
      • somewhen you are
      • e.g., only permitted to start a work session during work hours
        • using an access token before it expires

Multifactor Authentication (MFA)

Multifactor Authentication (MFA) uses at least 2 different factors of authentication, drawn from something you know, something you are, and something you have.

  • an authentication mechanism is considered strong if
    • it uses more than one authentication type
  • single-factor authentication systems can be easily compromised
  • behavioral, location, and time factors are not specific or reliable enough to be used as single factors
    • can supplement other factors to strengthen authentication
  • two-factor authentication combines something like a smart card or biometric mechanism with a knowledge factor
  • three-factor authentication combines three of the possible technologies
    • e.g., smart card with integrated fingerprint reader
      • must possess the card, match the fingerprint, and input PIN

2-Step Verification

2-step verification generates a software token on a server and sends it to a resource assumed to be safely controlled by the user.

  • aka out-of-band mechanism
    • use of a communication channel that is different from the one currently being used
  • the token can be transmitted to the device in a number of ways:
    • short message service (SMS)
      • code is sent as a text to the registered phone number
    • phone call
      • code is delivered as an automated voice call to the registered phone number
    • push notification
      • code is sent to a registered authenticator app on the PC or smartphone
    • email
      • code is sent to a registered email account
  • this is sometimes described as two-factor authentication
    • but anyone intercepting the code can enter it as something-you-know without possessing the device
    • so it isn’t true 2FA
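The server side of the 2-step verification flow above, as an added example that is not part of the original notes: it issues a 6-digit code for out-of-band delivery, stores only a keyed hash bound to the requesting login session, and accepts the code only once, only before it expires (the time factor), and only for a limited number of attempts. The `TwoStepVerifier` class, the `SERVER_KEY` value and the session ids are constructed for illustration.

```python
import hashlib, hmac, secrets, time

# Constructed demo key; a real server would load this from its secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
CODE_TTL_SECONDS = 300   # code must be used before it expires (time factor)
MAX_ATTEMPTS = 3         # a 6-digit code is guessable online, so cap the tries

class TwoStepVerifier:
    """Issue and verify short-lived, single-use codes sent out of band."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # session_id -> [code_mac, issued_at, attempts]

    def issue(self, session_id):
        code = f"{secrets.randbelow(10**6):06d}"   # caller sends this via SMS/voice/push/email
        self._pending[session_id] = [self._mac(session_id, code), self._clock(), 0]
        return code

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False                            # nothing issued for this session
        code_mac, issued_at, attempts = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]           # expired or exhausted: force a new code
            return False
        entry[2] += 1
        if hmac.compare_digest(code_mac, self._mac(session_id, submitted)):
            del self._pending[session_id]           # single use: consumed on success
            return True
        return False

    @staticmethod
    def _mac(session_id, code):
        return hmac.new(SERVER_KEY, f"{session_id}:{code}".encode(), hashlib.sha256).digest()

def demo():
    now = [1_000_000.0]                              # controllable clock for the walkthrough
    v = TwoStepVerifier(clock=lambda: now[0])
    code = v.issue("sess-A")
    other_session = v.verify("sess-B", code)         # code is bound to sess-A only
    accepted = v.verify("sess-A", code)
    replay = v.verify("sess-A", code)                # already consumed
    code2 = v.issue("sess-A")
    now[0] += CODE_TTL_SECONDS + 1
    expired = v.verify("sess-A", code2)
    return {"other_session": other_session, "accepted": accepted,
            "replay": replay, "expired": expired}
```

Binding the code to the session and making it single-use limits replay, but as the notes say it does not stop someone who intercepts the code and types it in during the same session.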

In-band authentication describes the use of authentication factors that are submitted through the same system that is requesting the authentication.

  • e.g., providing username and password credentials on a standalone server