8.5 Authentication Facts
Requires two (or more) different authentication types to be deployed.
Two-factor Three-factor Multi-factor
To enter a secured building, you must insert your key card (Type 2) and undergo a retina scan (Type 3).
Two-factor Three-factor Multi-factor
Biometric systems take multiple scans of the biological attribute during enrollment. The scans are translated into a numeric constellation map of critical points (the template). That mathematical representation is bound to a digital certificate that links to the subject's user account in the user database, which is why most biometric systems of this kind require implementation of a PKI.
...
Enterprise environments frequently implement a type of Single Sign-on (SSO) authentication. SSO is a distributed access method that allows a subject to log in (sign on) once to a network and access all authorized resources on the network. The SSO system authenticates the subject against a master system and automatically logs the subject on to all servers the subject is authorized to access. Once authenticated, the subject can request access to additional resources without additional login credentials or passwords. An SSO system is commonly used in directory systems and some types of scripted access.
...
To access resources on a network, a user must prove who they are (authentication) and that they have permission to access the resources (authorization).
...
Usernames are not a form of Type 1 authentication. Usernames are often easy to discover or guess. Only the passwords or other information associated with the usernames can be used to validate identity.
...
Disabling all network and computer accounts for a terminated user is more effective, because SSO can add and delete accounts across the entire network from a centralized database and one user interface.
Advantages of SSO
It is a more efficient logon process. Users only need to type their user ID and password once. The user can create stronger passwords because there aren't so many to remember.
Advantages of SSO
The need for multiple passwords and password-change synchronization is avoided. The user gains access to all authorized resources with a single instance of authentication through a single set of user credentials.
Advantages of SSO
is the verification of the presented identification credentials. It is usually the second step in the access control process (after identification) and establishes the user's identity, ensuring that users are who they say they are.
Authentication
Uses credentials of only one type, but may require multiple methods within the same type
One-factor
Implementation across heterogeneous computer systems is difficult and can prevent full deployment. Ticket schemes do not scale very well. SSO presents a single point of failure: if the central authentication system is unavailable, no one can log on.
Disadvantages of SSO
Once a user's ID and password are compromised in the system, an intruder can access all of the resources authorized for the user without constraint. The system security policy must be followed to ensure access is granted and/or limited to appropriate users.
Disadvantages of SSO
is the initial step in which a user claims an identity by presenting an identifier; it occurs when a user types in a user ID to log on. Identification alone proves nothing; the claim is verified by authentication.
Identification
occurs during the identification phase as the user proves that they are who they say they are in order to obtain credentials. If a person has previously been identified, but cannot provide their assigned authentication credentials (such as a lost password), then identity proofing is called upon again.
Identity proofing
Requires that both parties authenticate with each other before beginning communications.
Mutual
To log in, your computer sends its digital certificate to prove its identity to a network server. The server then proves its identity to your computer before they will exchange messages.
Mutual
To log in, you supply a username and a password (the username is not used for authentication, so the only credential supplied for authentication is the password).
To log in, you supply a username, PIN, and a pass phrase (all credentials are of the same type).
One-factor
uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological attribute. This is the most expensive and least accepted, but is generally considered to be the most secure form of authentication.
Something you are authentication
Photo IDs are very useful when combined with other forms of authentication, but are high risk if they are the only form of required authentication. Photo IDs are easily manipulated or reproduced, require personnel for verification, and cannot be verified against a system.
Something you have authentication
Swipe cards (similar to credit cards) with authentication information stored on the magnetic stripe.
Something you have authentication
is authentication based on something a user has in their possession.
Something you have authentication
Passwords, codes, or IDs
PINs
Pass phrases (long, sentence-length passwords)
Cognitive information such as questions that only the user can answer, including:
  Your mother's maiden name
  The model or color of your first car
  The city where you were born
Composition passwords, which are created by the system and are usually two or more unrelated words divided by symbols on the keyboard
Something you know authentication
requires you to provide a password or some other data that you know. This is the weakest type of authentication.
Something you know authentication
Requires two or more methods, but they can be of the same type.
Strong
To log on to an online banking system, you enter your username, password, and then must answer a random personal question (such as your birthplace or mother's maiden name).
Strong
generates new passwords based on an event, such as pressing a key.
asynchronous dynamic password
Fingerprints (end point and bifurcation pattern)
Hand topology (side view) or geometry (top-down view)
Palm scans (pattern, including fingerprints)
Retina scans (blood vessel pattern)
Iris scans (pattern of the iris)
Facial scans (pattern)
Voice recognition
Handwriting dynamics
Keyboard or keystroke dynamics (behavioral biometric systems):
  Dwell time (how long a key is held down)
  Flight time (how the fingers move from key to key)
biometric systems
generates a random challenge string. The challenge text is entered into the token, along with the PIN. The token then uses both to generate a response used for authentication.
challenge-response password
is the point where the False Acceptance Rate equals the False Rejection Rate in a biometric system, that is, where the number of false positives matches the number of false negatives. It is the usual single number for comparing biometric systems: select the system with the lowest crossover error rate within your budget.
crossover error rate
occurs when a person who should be allowed access is denied access. The False Rejection Rate (FRR) is a measure of the probability that a false negative will occur.
false negative
occurs when a person who should be denied access is allowed access. The False Acceptance Rate (FAR) is a measure of the probability that a false positive will occur. False positives are more serious than false negatives and represent a security breach because unauthorized persons are allowed access.
false positive
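A worked illustration of FAR, FRR and the crossover error rate, added here as an example and not part of the original page. It sweeps an acceptance threshold over constructed matcher scores (assumed, not real biometric data), finds the threshold where the two rates cross, and then picks the threshold a security-first deployment would choose instead, since the page treats false positives as the more serious error. The function names and the 0-100 score scale are assumptions.

```python
from typing import Optional, Sequence, Tuple

# Constructed matcher output: similarity scores (0-100) for 12 attempts by the
# enrolled user ("genuine") and 12 attempts by other people ("impostor").
# Real systems produce thousands of scores per population; the shape is the same.
GENUINE_SCORES = [55, 62, 68, 71, 74, 77, 80, 83, 86, 89, 92, 95]
IMPOSTOR_SCORES = [20, 28, 35, 41, 47, 52, 58, 63, 69, 74, 79, 85]


def far_frr(genuine: Sequence[int], impostor: Sequence[int], threshold: int) -> Tuple[float, float]:
    """Rates at one acceptance threshold (a score >= threshold is accepted).
    FAR: fraction of impostor attempts accepted (false positives).
    FRR: fraction of genuine attempts rejected (false negatives)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: Sequence[int], impostor: Sequence[int],
                         thresholds=range(0, 101)) -> Tuple[int, float]:
    """Sweep thresholds and return (threshold, CER). With discrete data FAR and
    FRR may never be exactly equal, so the crossover is taken at the first
    threshold that minimises |FAR - FRR| and the CER as their mean there."""
    best = None
    for t in thresholds:
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, t, cer = best
    return t, cer


def threshold_for_max_far(genuine: Sequence[int], impostor: Sequence[int], max_far: float,
                          thresholds=range(0, 101)) -> Optional[int]:
    """Lowest threshold whose FAR is at or below max_far: the tuning a
    security-first deployment makes, accepting a higher FRR in exchange.
    Returns None if no threshold in the sweep meets the target."""
    for t in thresholds:
        far, _ = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t
    return None


if __name__ == "__main__":
    print("threshold  FAR    FRR")
    for t in range(50, 91, 5):
        far, frr = far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"{t:9d}  {far:.3f}  {frr:.3f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t}, CER = {cer:.3f}")
    t_secure = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.10)
    print(f"threshold for FAR <= 10%: {t_secure}, rates {far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t_secure)}")
```

Raising the threshold always lowers FAR and raises FRR, so two systems with the same CER can behave very differently once tuned; the CER compares systems, the chosen threshold sets the policy.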
identifies the number of subjects or authentication attempts that can be validated. An acceptable rate is 10 subjects per minute or above.
processing rate
Smart cards contain a memory chip with encrypted authentication information. Smart cards can:
  Require contact, such as swiping, or be contactless.
  Contain microprocessor chips with the ability to add, delete, and manipulate data on the card.
  Store digital signatures, cryptographic keys, and identification codes.
  Use a private key for authentication to log a user into a network. The private key is used to digitally sign messages.
  Be based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card ...
Something you have authentication
The password is saved on the token device. Swiping the token supplies the password for authentication.
static password
generates new passwords at specific intervals on the hardware token. Users must read the generated password and enter it along with the PIN to gain access.
synchronous dynamic password
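The three token schemes above (asynchronous dynamic password, challenge-response password, synchronous dynamic password) share one building block: an HMAC over a moving value, truncated to a short code. The example below, added here and not part of the original page, implements all three with the server side that checks them. The event-based and time-based tokens are shown as HOTP (RFC 4226) and TOTP (RFC 6238), the standard instances of those two ideas; the challenge-response construction is an illustrative HMAC scheme, not any vendor's product. The seed is the RFC test-vector seed and the PIN "1234" is constructed; a real token seed is random and never hard-coded.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo seed: the RFC 4226 / RFC 6238 test-vector secret (ASCII
# "12345678901234567890"), chosen so the codes can be checked against the
# published vectors. A real token seed is random and never hard-coded.
TOKEN_SEED = b"12345678901234567890"


def _dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at an offset given by the low
    nibble of the last MAC byte, clear the sign bit, reduce modulo 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Asynchronous (event-based) dynamic password: HOTP. The counter advances
    on an event such as pressing the token's button."""
    msg = struct.pack(">Q", counter)
    return _dynamic_truncate(hmac.new(seed, msg, hashlib.sha1).digest(), digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Synchronous (time-based) dynamic password: TOTP. A new value appears
    every `step` seconds; token and server clocks must agree to within the
    window the server accepts."""
    return hotp(seed, unix_time // step, digits)


def challenge_response(seed: bytes, challenge: bytes, pin: str, digits: int = 8) -> str:
    """Challenge-response token: the server's random challenge and the user's
    PIN are both entered into the token, which derives the response with HMAC.
    Illustrative construction (assumed), not a vendor scheme."""
    mac = hmac.new(seed, challenge + pin.encode(), hashlib.sha256).digest()
    return _dynamic_truncate(mac, digits)


class TokenServer:
    """Server side: holds the seed, the PIN, and the last accepted HOTP counter
    so that a replayed event-based code is refused."""

    def __init__(self, seed: bytes, pin: str, look_ahead: int = 5, time_skew_steps: int = 1):
        self.seed = seed
        self.pin = pin
        self.counter = 0                # next counter value the server expects
        self.look_ahead = look_ahead    # tolerate a few unused button presses
        self.time_skew_steps = time_skew_steps

    def verify_hotp(self, submitted: str) -> bool:
        # Search forward only: codes at or below the last accepted counter are replays.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), submitted):
                self.counter = c + 1
                return True
        return False

    def verify_totp(self, submitted: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        step = now // 30
        for s in range(step - self.time_skew_steps, step + self.time_skew_steps + 1):
            if s < 0:
                continue
            if hmac.compare_digest(hotp(self.seed, s), submitted):
                return True
        return False

    def verify_challenge(self, challenge: bytes, submitted: str) -> bool:
        expected = challenge_response(self.seed, challenge, self.pin)
        return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    server = TokenServer(TOKEN_SEED, pin="1234")
    print("HOTP for counters 0-2:", [hotp(TOKEN_SEED, c) for c in range(3)])
    code = totp(TOKEN_SEED, 59)
    print("TOTP at t=59:", code, "accepted:", server.verify_totp(code, now=59))
    chal = os.urandom(4).hex().upper().encode()   # server-generated random challenge
    resp = challenge_response(TOKEN_SEED, chal, "1234")
    print("challenge", chal.decode(), "response", resp, "accepted:", server.verify_challenge(chal, resp))
```

The server never stores the OTP itself, only the seed and a position (counter or clock); that is what makes a captured dynamic password useless after it has been accepted, and why the counter search only moves forward.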