8.2. 1. Authentication Methods

18.2 Authentication and Authorization

📁 [[Directory Services]]

- Centralized database for usernames, passwords, devices.

- Active Directory (AD) is the most common example.

- Protocols used: Kerberos, LDAP.

AD

Active Directory

AD is like the boss of a corporate office managing all employees (domain accounts).

Active Directory (AD) only manages domain accounts, not local accounts.

Active Directory is the manager of this "team." It’s a tool used by IT admins to organize and control who has access to what. For example:

- You can quickly create or remove user accounts.

- Decide what files or systems each user can access.

- Reset passwords for anyone on the "team."

![[Pasted image 20250302143549.png]]

Kerberos

• 🔐 Kerberos is a network authentication protocol.

• 🏢 Commonly used in Active Directory (AD) environments.

• 👤 Allows single sign-on (SSO)—users log in once to access multiple resources.

• 📜 Uses tickets issued by a trusted third-party server (called the Key Distribution Center – KDC).

• 🔄 Works on the basis of "mutual authentication" (both the user and the server verify each other).

• 📅 Relies on timestamps, so time synchronization is critical.

---

📝 Just Remember:

Kerberos = Ticket-based authentication for secure logins in enterprise networks (especially Active Directory).

LDAP

port 389

directory services

use LDAPS (636)

(Lightweight Directory Access Protocol)**

- Uses X.500 format:

- Example: CN=John, OU=Sales, DC=example, DC=com

- Common in enterprise networks.

#### ✅ What It Is:

- A protocol used to access and manage directory services.

- Think of it as a way to look up users, computers, printers, etc. in a directory like Active Directory (AD).

#### 🧩 What It Does:

- Helps applications and devices query and update info in a central directory database (like AD).

- Example: When you log in, LDAP is used to verify your username and password.

#### 🌐 How It's Used:

- Common in corporate networks.

- Works over:

- TCP/UDP port 389 (unencrypted)

- TCP port 636 for LDAPS (LDAP Secure — encrypted)

#### 🔐 Security+ Focus:

- Know that LDAP can be used for authentication.

- Know that LDAPS is the secure version, using TLS/SSL encryption.

---

### 📝 Just Remember:

> LDAP = Protocol used to query and authenticate against a directory service like Active Directory.

Federation

- Allows external users to log in using existing credentials (e.g., "Login with Google").

- Removes the need for a local account on your site.

- A trusted relationship between multiple domains or service providers.

- Allows users to authenticate once and access resources across multiple systems.

- Often uses Single Sign-On (SSO) as part of its framework.

![[Pasted image 20250408114005.png]]

Attestation & Remote Attestation

- Proves a device is trusted.

- Uses TPM (Trusted Platform Module).

- Includes identifiers like IMEI.

- Remote attestation sends encrypted reports to a verification server.

SMS-based

- One-time code via text message.

- Less secure (can be intercepted or redirected).

Push Notification

- Sent to a mobile app.

- Safer than SMS, but app vulnerabilities can exist.

TOTP

(Time-based One-Time Password)**

- Changes every ~30 seconds.

- Based on time and secret key (e.g., Google Authenticator).

HMAC

Hash-based Message Authentication Code.

It's a specific type of message authentication code (MAC) that uses a cryptographic hash function in combination with a secret cryptographic key.

HOTP

([[HMAC]]-based One-Time Password)**

- List of codes used once.

- Does not expire based on time, but on usage.

Phone Call Authentication

- Code is read out over a call.

- Same risks as SMS.

Static Codes

- PINs, passwords, passphrases (memorized info).

Smart Cards

- “Something you have” factor.

- May include a digital certificate.

- Used with other factors (e.g., PIN or biometric).