Authentication Basics

Introduction to Authentication
• Authentication = mechanism for proving identity via credentials.
• Ubiquitous: used when logging in to Facebook, online banking, corporate networks, etc.
• Basic traditional form: username + password pair.
• Modern trend: stronger / more advanced methods (e.g., smart ID cards with embedded digital certificates).

Scope of What Must Be Authenticated
• Not limited to human users. Additional targets:
  • Services or processes executing on hosts.
  • Workstations and servers themselves.
  • Network devices (switches, routers, IoT equipment).
• Goal: ensure no rogue services, systems, or devices can participate in the infrastructure.
• Conceptual framework in IT management: "People, Processes, Technology".
  • People → authenticate users.
  • Processes → authenticate running services.
  • Technology → authenticate devices.

The Three Factors of Authentication (Focused on People)
• Factor 1 – "Something You Know"
• Factor 2 – "Something You Have"
• Factor 3 – "Something You Are"
• Any one factor alone = single-factor authentication; any combination of ≥2 = multi-factor authentication (MFA).

Factor 1 – Something You Know
• Secrets memorised or stored mentally. Common examples:
  • Passwords & passphrases (complex strings, phrases).
  • PINs used on smartphones/tablets.
  • Unlock patterns (Android-style grid patterns).
  • Security questions & answers (often used for account recovery or when logging in from unfamiliar locations).

Factor 2 – Something You Have
• Tangible or virtual objects in the user's possession. Illustrative items:
  • Smart cards (e.g., federal employee ID cards with encrypted digital certificates).
  • RSA tokens / hardware OTP (one-time-password) generators displaying rotating codes.
  • Authenticator apps on mobile devices (Google Authenticator, Microsoft Authenticator, etc.).
    • Show time-sensitive 6-digit codes that refresh roughly every 30 seconds; the example slide showed codes with a 14-second countdown remaining.
  • Hardware security keys (e.g., YubiKey) that plug into USB and store cryptographic credentials.

Factor 3 – Something You Are (Biometrics)
• Characteristics intrinsic to the individual. Two biometric categories:
• Physiological biometrics:
  • Face recognition / facial geometry.
  • Fingerprint scans.
  • Hand or palm geometry.
  • Iris or full-eye scans.
  • DNA analysis.
• Behavioral biometrics:
  • Keystroke dynamics (typing rhythm).
  • Signature dynamics.
  • Voice recognition.

Combining Factors – Multi-Factor Authentication (MFA)
• Two-Factor Authentication (2FA) = most common MFA form.
• Principle: require at least two distinct factors to raise the security posture; if one factor is compromised, the attacker still lacks the second.
• Three-Factor Authentication (3FA) = uses three factors in total (e.g., two known factors plus a biometric).

2FA Usage Scenarios Illustrated
• Online banking (e.g., Bank of America):
  • Factor 1: password (something you know).
  • Factor 2: one-time SMS code or email code sent to the registered phone/email (something you have).
• Campus gym access (graduate-school example):
  • Factor 1: biometric palm scan (something you are).
  • Factor 2: student ID card (something you have).
• Federal-government laptop log-in:
  • Factor 1: smart ID card inserted (something you have).
  • Factor 2: PIN/password (something you know).

Practical Implications & Security Posture
• MFA significantly reduces the risk of credential-stuffing, phishing, and brute-force attacks.
• Authenticating devices and processes prevents rogue or malicious systems from infiltrating the network.
• Aligns with the overarching IT governance triad (people, processes, technology).

Key Takeaways & Study Reminders
• Always remember the three-factor list and be able to give examples of each.
• Understand that authentication is broader than user log-in; it covers services, devices, and processes as well.
• 2FA ≠ 2 passwords; the factors must come from different categories.
• Time-based OTP codes typically expire every 30 seconds; memorise that standard window.
• Smart cards and hardware keys embed cryptographic certificates; they are not mere "memory sticks".
• Behavioral biometrics (voice, typing) are valid factors even if less common.
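The authenticator-app codes described above (6 digits, refreshed every 30 seconds) are time-based one-time passwords (TOTP, RFC 6238), which are HMAC-based one-time passwords (HOTP, RFC 4226) with the counter set to the current 30-second time step. The following is an added example, not code from the notes or from any authenticator product; it uses only the Python standard library and, as a constructed demo secret, the ASCII seed from the RFC test vectors. The countdown, the verification window for clock drift, and the replay check on the last-used step are the points a practitioner would want to see beyond the notes.

```python
"""TOTP (RFC 6238) built on HOTP (RFC 4226), with verification the way a server does it."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII seed the RFC 4226/6238 test vectors use.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # the 30-second window the notes say to memorise


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC(secret, 8-byte big-endian counter), then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                           # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # keep leading zeros


def time_step(at_time: float, step: int = STEP_SECONDS) -> int:
    """Number of whole `step`-second periods since the Unix epoch."""
    return int(at_time) // step


def totp(secret: bytes, at_time=None, step: int = STEP_SECONDS,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the current time step as the counter."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, time_step(at_time, step), digits, algo)


def seconds_remaining(at_time=None, step: int = STEP_SECONDS) -> int:
    """The countdown an authenticator app displays next to the code."""
    if at_time is None:
        at_time = time.time()
    return step - (int(at_time) % step)


def verify_totp(secret: bytes, submitted: str, at_time=None, window: int = 1,
                step: int = STEP_SECONDS, digits: int = 6, last_used_step=None):
    """Return the matching time step if `submitted` is valid, otherwise None.

    window=1 accepts the previous and next step as well, tolerating clock drift
    between the phone and the server.  Steps at or before `last_used_step` are
    refused so a code that was already accepted cannot be submitted again.
    """
    if at_time is None:
        at_time = time.time()
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    now = time_step(at_time, step)
    for candidate in range(now - window, now + window + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue
        # constant-time comparison so timing does not leak which digits matched
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Apps are provisioned with a base32 secret (otpauth:// URI); decode it, restoring padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    now = time.time()
    print("code now:", totp(DEMO_SECRET, now), "expires in", seconds_remaining(now), "s")
    print("RFC vector t=59 ->", totp(DEMO_SECRET, at_time=59))  # 287082
```

The server side should persist the step returned by `verify_totp` as `last_used_step` for that user; that, together with rate limiting, is what keeps a 6-digit code from being a weak second factor.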