unit 9.2

Authentication Methods

Identity Verification

  • Claiming Identity: A user first claims an identity, for example by presenting a username or a certificate, and must then prove that the claim is genuine.

  • Authentication Process: Authentication is the act of supplying proof that the claimed identity really belongs to the person or system presenting it.

Password Authentication

  • Common Use: Passwords remain the most widely adopted means of authentication.

  • Flaws: Passwords can be stolen (phishing, keyloggers, database breaches), guessed by brute-force or dictionary attacks, and are frequently reused across sites; once a password is known to be compromised it must be changed.

  • Multiple Factors: Because a password alone is a single point of failure, additional authentication factors are required so that a stolen password by itself does not compromise the account.

Passwordless Authentication

  • Increasing Trend: Reliance on devices you possess (security tokens) or biometric factors.

  • Security Keys: Hardware devices that implement protocols such as FIDO U2F and FIDO2; many can also generate one-time passwords.

  • Operation: The user plugs in (or taps) the security key and confirms with a PIN or a fingerprint; the key then authenticates to the service without any password being sent.

  • FIDO2 Standard: An open authentication standard made up of WebAuthn (the web API the browser exposes) and CTAP (the protocol between the browser and the authenticator). The authenticator holds a private key and the service stores only the matching public key, so nothing reusable crosses the network.

Multifactor Authentication (MFA)

Purpose of MFA

  • Added Security: Enhances security by preventing unauthorized access even if a password is compromised.

  • Default in Organizations: Increasingly common in security-conscious organizations.

Factors of Authentication

  • The Security+ outline defines four main types:

    • Something You Know: Passwords, PINs.

    • Something You Have: Security tokens, smartcards.

    • Something You Are: Biometric factors like fingerprints.

    • Somewhere You Are: Location-based factors such as GPS position or IP geolocation.

Error Types in Biometrics

  • Type I Errors (FRR): The false rejection rate, the fraction of attempts in which a legitimate user's biometric is wrongly rejected.

  • Type II Errors (FAR): The false acceptance rate, the fraction of attempts in which an unauthorized person's biometric is wrongly accepted. Type II errors are the more dangerous of the two, since they admit an attacker.

Evaluating Biometrics

  • ROC Analysis: A Receiver Operating Characteristic curve plots FAR against FRR as the matching threshold is varied; tightening the threshold lowers FAR but raises FRR. The point where the two rates are equal is the crossover error rate (CER), a common single-number comparison between systems.

  • Standards by FIDO Alliance: FIDO biometric component certification requires an FRR of no more than 3% and an FAR of no more than 0.01% (1 in 10,000).

  • Imposter Attack Presentation Match Rate (IAPMR): The fraction of presentation attacks (fake fingerprints, photos, replayed recordings) that the system wrongly matches to an enrolled user; it measures resistance to spoofing rather than ordinary accuracy.

Account Management

Account Provisioning and Deprovisioning

  • Lifecycle Phases:

    • Provisioning: Creating accounts and assigning resources and permissions.

    • Deprovisioning: Disabling or deleting accounts and revoking their permissions, credentials, and access when they are no longer needed, for example when an employee leaves.

  • Importance of Identity Proofing: Verification that the person claiming an account is legitimate, commonly done during onboarding.

Permission Management

  • Least Privilege Principle: Ensuring that users have the minimum permissions necessary for their role.

  • Permission Creep: The gradual accumulation of permissions as users change roles or take on projects without old rights being removed; periodic access reviews are the usual countermeasure.

Account Types

  • User Accounts: Standard access accounts with typical rights.

  • Privileged Accounts: Elevated rights for administrative tasks.

  • Service Accounts: Associated with applications, typically should not have interactive logins.

  • Ephemeral Accounts: Temporary accounts with strict lifespans.

Best Practices for Authentication

Password Management

  • NIST Recommendations: NIST SP 800-63B recommends allowing password managers (including pasting into login forms), storing passwords only as salted hashes produced by a slow or memory-hard function, and rate-limiting or locking out accounts after repeated failed attempts.

  • Password Configuration Settings: Require a minimum length (NIST specifies at least 8 characters, and systems should accept at least 64) rather than character-class complexity rules, screen new passwords against lists of breached and commonly used values, and do not force periodic expiration; require a change only when a password is known or suspected to be compromised.

Using Password Managers

  • Functionality: Help users manage secure passwords across multiple platforms (e.g., 1Password, Bitwarden).

  • Risks: Breaches can expose users to security risks; monitoring and updating best practices following breaches is critical.

Conclusion

  • Understanding authentication methods, multifactor authentication, password management, and account lifecycle is crucial for maintaining security and protecting sensitive information in digital environments.