Lesson 7 Implementing Authentication Controls


Vocabulary-style flashcards covering IAM concepts, authentication methods, protocols, biometrics, and related technologies from Lesson 7.

53 Terms

1. Identity and Access Management (IAM)

A set of processes and technical controls that identify subjects (users, devices, processes) and govern how they may interact with resources, typically described by four main processes: identification, authentication, authorization, and accounting.

2. Identification

Creating an account or ID that uniquely represents the user, device, or process on the network.

3. Authentication

Proving that a subject is who or what it claims to be by presenting credentials that are checked against stored credentials.

4. Authorization

Determining what rights a subject should have on each resource and enforcing those rights.

5. Accounting

Tracking authorized usage of a resource and alerting when unauthorized use is detected.

6. AAA

Authentication, Authorization, and Accounting—the three core IAM functions.

7. Something You Know

A knowledge factor used for authentication, such as a password, PIN, or passphrase.

8. Something You Have

An ownership (possession) factor used for authentication, such as a smart card, USB token, or fob.

9. Something You Are/Do

A biometric or behavioral factor used for authentication (e.g., fingerprint, gait, voice).

10. Something You Exhibit

A behavior-based authentication factor derived from how a person uses a device or system.

11. Someone You Know

A web-of-trust authentication model (e.g., PGP) in which trust is vouched for by others.

12. Location-based authentication

Using geographic location or IP/zone information as part of the authentication/authorization context.

13. Authentication Attributes

Contextual properties or non-unique factors that cannot be used alone for authentication but inform authentication decisions.

14. Multifactor Authentication (MFA)

Authentication that combines more than one type of factor (e.g., knowledge + possession or biometrics).

15. Two-Factor Authentication (2FA)

MFA using two distinct factors, such as a password plus a smart card or OTP.

16. Three-factor authentication

Authentication that uses three distinct factors (e.g., knowledge, possession, and biometrics).

17. Kerberos

A network authentication protocol for SSO that uses a Key Distribution Center (KDC) with AS and TGS components to issue tickets.

18. Key Distribution Center (KDC)

The service in Kerberos that issues authentication tickets; it comprises the AS and TGS services.

19. Authentication Service (AS)

Kerberos component that authenticates user logons and issues the initial Ticket Granting Ticket (TGT).

20. Ticket Granting Service (TGS)

Kerberos component that issues service tickets after validating the TGT.

21. Ticket Granting Ticket (TGT)

A time-stamped ticket proving authentication; used to obtain service tickets for resources.

22. Service Ticket

A ticket that grants access to a specific application server, issued by the TGS.

23. Single Sign-On (SSO)

Authentication system in which a user authenticates once to access multiple compatible applications without re-entering credentials.

24. Windows Kerberos SSO

Kerberos-based SSO implemented in Windows environments, typically with Active Directory domain controllers acting as the KDC.

25. PAP

Password Authentication Protocol; an unsophisticated, clear-text protocol used in PPP; insecure unless protected by encryption.

26. CHAP

Challenge Handshake Authentication Protocol; uses a three-way handshake with a hashed response to a server challenge; more secure than PAP.

27. MS-CHAP

Microsoft's CHAP variant; uses NTLM hashes and should be protected by a tunnel because of known weaknesses.

28. RADIUS

Remote Authentication Dial-In User Service; UDP-based protocol with a shared secret; supports PAP/CHAP/EAP and is used for network access control.

29. TACACS+

Cisco's protocol for network device administration; TCP-based and encrypts all data (except the header); separates authentication, authorization, and accounting.

30. Extensible Authentication Protocol (EAP)

A framework for deploying multiple authentication methods, often used with 802.1X and certificates.

31. 802.1X

Port-based Network Access Control that uses EAP methods to authenticate devices before granting network access; components include the Supplicant, NAS, and AAA server.

32. EAPoL

EAP over LAN; encapsulates EAP messages for transmission over the LAN between the supplicant and the NAS.

33. Smart Card Authentication

Cryptographic credentials stored on a smart card (unlocked with a PIN) used to support PKI and Kerberos logon.

34. Key Management Device (HSM)

Hardware device that provides centralized PKI management, tamper-evident security, and cryptographic key protection.

35. Trusted Platform Module (TPM)

A secure cryptoprocessor in a device used to protect keys and enable features such as virtual smart cards.

36. Public Key Infrastructure (PKI)

A framework of policies and technologies for creating, distributing, and managing digital certificates and public-private key pairs.

37. Smart Card Authentication (PKI-based)

Use of cryptographic keys and certificates on a smart card to authenticate users, typically with PKI and a PIN.

38. FIDO U2F / U2F WebAuthn

Open hardware-based authentication tokens that store private keys and enable passwordless authentication or MFA with a PIN or biometrics.

39. Open Authentication (OATH)

Industry body and framework for open OTP-based authentication, including the HOTP and TOTP algorithms.

40. HOTP

HMAC-based One-Time Password; uses a shared secret and a counter to generate a one-time code.

41. TOTP

Time-based One-Time Password; uses a shared secret and synchronized time to generate short-lived codes.

42. Google Authenticator

Popular mobile app implementing HOTP/TOTP for token-based authentication.

43. One-Time Password (OTP)

A password that is valid for a single use or a short time window, enhancing security.

44. 2-Step Verification (2SV) / 2FA limitations

Code-based verification (SMS, call, push, email) used as a second factor; shorter codes reduce risk but can be intercepted.

45. Password Management

Solutions (password managers, vaults, USB keys) that store and manage credentials securely, often with master passwords and optional hardware tokens.

46. Password Vault

Software-based password manager (often cloud-enabled) that securely stores credentials; examples include built-in OS vaults.

47. Biometric Performance Metrics

Key metrics for biometrics: False Rejection Rate (FRR), False Acceptance Rate (FAR), Crossover Error Rate (CER), and throughput.

48. Enrollment

Process of capturing a biometric sample and creating a template stored in the authentication server.

49. Biometric Modalities

Physical (fingerprint, iris, facial) and behavioral (voice, gait, typing) patterns used for authentication.

50. FRR

False Rejection Rate—the rate at which legitimate users are not recognized.

51. FAR

False Acceptance Rate—the rate at which an impostor is accepted.

52. CER

Crossover Error Rate—the point where FRR and FAR meet; a lower CER indicates better accuracy.

53. FER

Failure to Enroll Rate—the rate at which templates cannot be created during enrollment.