Authentication Tokens


An ownership factor means that the user possesses some type of device that only they can operate.

  • This is referred to as an authenticator
    • able to generate or receive a token that identifies and authenticates the user

Three Main Types of Token Generation

  • Certificate-Based Authentication
    • is when the supplicant controls a private key that can generate a unique signed token
    • identity provider can verify the signature via the public key
    • main drawback
      • administrative burden of implementing PKI to issue digital certificates
  • One-Time Password (OTP)
    • is when a token is generated using some sort of hash function on a shared secret value plus a synchronization seed, such as a timestamp (TOTP) or HMAC (HOTP)
    • token can only be used once
    • new token is generated for each authentication decision
    • still uses a key pair and hashing for security,
      • but it does not require PKI
  • Fast Identity Online (FIDO) Universal 2nd Factor (U2F)
    • uses a public/private key pair to register each account
      • avoids the need to communicate a shared secret
        • which is a weakness of HOTP and TOTP
    • private key is locked to the U2F device and signs the token
    • public key is registered with the authentication server and verifies the token
    • as no digital certificates are involved, the solution does not rely on PKI
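As an added example (not from the original notes or from the FIDO specifications), here is the U2F registration and authentication exchange reduced to its essentials in Go using only the standard library's ECDSA. The device generates a P-256 key pair at registration and hands over only the public key; at login the server sends a random challenge, the device signs it together with the application identifier and a signature counter, and the server verifies with the stored public key. No secret is shared and no certificate is issued. The signed layout below (SHA-256 of the app ID, then the counter, then the SHA-256 of the challenge) is a simplification of the real U2F authentication message, which also carries a user-presence byte; the app ID and the counter-based clone detection rule are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Authenticator is the U2F device side. The private key never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter, increments on every signing operation
}

// RelyingParty is the server side. It stores only the public key and the
// highest counter value it has seen for this registration.
type RelyingParty struct {
	AppID      string
	pub        *ecdsa.PublicKey
	lastCount  uint32
	registered bool
}

// NewAuthenticator creates a device with a fresh P-256 key pair.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register records the device's public key; nothing secret is transmitted.
func (rp *RelyingParty) Register(a *Authenticator) {
	rp.pub = &a.priv.PublicKey
	rp.registered = true
}

// NewChallenge returns 32 random bytes the device must sign for this login.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	return ch, nil
}

// signedDigest builds the simplified U2F authentication message
// SHA-256(appID) || counter (big-endian) || SHA-256(challenge) and hashes it.
func signedDigest(appID string, counter uint32, challenge []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	chHash := sha256.Sum256(challenge)
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], counter)
	data := append(appHash[:], cnt[:]...)
	data = append(data, chHash[:]...)
	digest := sha256.Sum256(data)
	return digest[:]
}

// Sign produces the authentication token. Binding the app ID into the
// signed data means a response for one site is useless at another.
func (a *Authenticator) Sign(appID string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(appID, a.counter, challenge))
	return a.counter, sig, err
}

// Verify checks the signature against the registered public key and refuses
// a counter that has not advanced, which catches replays and cloned devices.
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) bool {
	if !rp.registered || counter <= rp.lastCount {
		return false
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(rp.AppID, counter, challenge), sig) {
		return false
	}
	rp.lastCount = counter
	return true
}

func main() {
	dev, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{AppID: "https://example.test"} // assumed app identifier
	rp.Register(dev)

	ch, _ := rp.NewChallenge()
	cnt, sig, _ := dev.Sign(rp.AppID, ch)
	fmt.Println("valid response accepted:", rp.Verify(ch, cnt, sig))
	fmt.Println("same response replayed :", rp.Verify(ch, cnt, sig))
}
```

The server holds nothing that would let an attacker forge a token, which is the contrast with HOTP/TOTP: compromise of the relying party's database yields public keys only.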

Hard and Soft Authentication Tokens