User Authentication: Verifies the identity of a person.
* Knowledge-based Authentication: Something only the user knows, like a password.
* Possession-based Authentication: Something only the user has, like a physical token.
* Inherence-based Authentication: Based on biometric characteristics like a fingerprint.
* Location-based Authentication: Relies on the user's location, which can be determined using GPS, IP address, etc.
* Behavior-based Authentication: Based on the user's behavior, such as typing rhythm, mouse movement patterns, etc.
Machine Authentication: Verifies the identity of a device or system.
* MAC address filtering: Allows only devices with specific MAC addresses.
* Digital certificates: Uses certificates as proof of identity.
* Network Access Control (NAC): Assesses device security posture before granting access.
* Machine Passwords: Machines can also have passwords set for access.
* MAC Address Authentication: Device is recognized by its unique MAC address.
* IP Address Authentication: Machine is recognized by its unique IP address.
* Hardware-based Authentication: Devices like a TPM provide hardware-based cryptographic keys.
* Device Fingerprinting: Machine has specific characteristics (like OS version, browser version, installed fonts, etc.).
* Biometric Device Authentication: Devices have biometric features (like fingerprint scanners).
* Mutual TLS Authentication: Both the client and the server authenticate each other using the Transport Layer Security (TLS) protocol.
Multi-Factor Authentication (MFA)
* Uses multiple factors to verify identity.
* Increases security by requiring multiple elements for authentication.
Password Policies
* Problems with Password-Based Authentication:
  * Weak passwords.
  * Stolen or revealed passwords.
* Organizational Approach:
  * Clear password policies.
  * Complexity requirements.
  * Minimum length requirements.
  * Mandatory resets.
  * Prohibited reuse.
  * Password audits.
  * Reminders.
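As an added example (not part of the original notes), the organizational rules above turned into a checker: minimum length, complexity classes, and prohibited reuse against a bounded history window. The policy values, the user name "alice" and the sample passwords are constructed for the example. SHA-256 is used for the history digests only to stay within the Go standard library; a real system would keep its history with a slow password hash such as bcrypt or Argon2.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"unicode"
)

// Policy captures the rules an organization sets: length, complexity and
// how many previous passwords may not be reused.
type Policy struct {
	MinLength   int
	MinClasses  int // of the four classes: lower, upper, digit, symbol
	HistorySize int // size of the reuse window; 0 disables the reuse check
}

// hashForHistory derives a per-user digest so old passwords are never kept
// in clear. (Constructed example: a production system would use bcrypt/Argon2.)
func hashForHistory(user, password string) [32]byte {
	return sha256.Sum256([]byte(user + "\x00" + password))
}

// classes counts how many character classes the candidate contains.
func classes(pw string) int {
	var lower, upper, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	n := 0
	for _, b := range []bool{lower, upper, digit, symbol} {
		if b {
			n++
		}
	}
	return n
}

// Validate returns every rule the candidate breaks, so the user sees all
// problems at once rather than one per attempt. history is oldest-first.
func (p Policy) Validate(user, candidate string, history [][32]byte) []error {
	var errs []error
	if len([]rune(candidate)) < p.MinLength {
		errs = append(errs, fmt.Errorf("shorter than %d characters", p.MinLength))
	}
	if classes(candidate) < p.MinClasses {
		errs = append(errs, fmt.Errorf("fewer than %d character classes", p.MinClasses))
	}
	// Only the most recent HistorySize entries are checked for reuse.
	limit := p.HistorySize
	if limit > len(history) {
		limit = len(history)
	}
	h := hashForHistory(user, candidate)
	for _, old := range history[len(history)-limit:] {
		if subtle.ConstantTimeCompare(h[:], old[:]) == 1 {
			errs = append(errs, errors.New("reuses a previous password"))
			break
		}
	}
	return errs
}

func main() {
	p := Policy{MinLength: 12, MinClasses: 3, HistorySize: 5}
	// Constructed history for user "alice".
	history := [][32]byte{
		hashForHistory("alice", "OldPassw0rd!x"),
		hashForHistory("alice", "Another1Pass!"),
	}
	for _, candidate := range []string{"short", "OldPassw0rd!x", "Correct-Horse-Battery-9"} {
		fmt.Printf("%q -> %v\n", candidate, p.Validate("alice", candidate, history))
	}
}
```

Returning all violations at once is a usability choice: it shortens the trial-and-error loop that pushes users toward predictable patterns.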
Biometric Authentication
* Uses unique biological characteristics to verify identity.
* Compares traits to stored data.
Encryption
* Definition: Encoding messages so they can be viewed only by authorized individuals.
* Keys:
  * Public Key: Available to everyone.
  * Private Key: Confidential to its owner.
* Process: Data encrypted with a public key can only be decrypted by the corresponding private key, and vice versa.
* Symmetrical Encryption: Uses the same key for both encryption and decryption of data.
* Asymmetrical Encryption (public key encryption): Uses a pair of keys: a public key for encryption and a private key for decryption.
Challenges in Updating Security Measures
* Change Resistance: Users resist complex or time-consuming changes.
* Training and Education: Lack of understanding without adequate training.
* Technology Compatibility: New practices must be compatible with existing systems.
Approaches:
* Focus on usability: Choose security controls and systems that balance ease of use with strength.
* Training Programs: Provide comprehensive training on new practices.
* Phased Implementation: Introduce the changes in stages, rather than all at once.
Passkeys
* Cryptographically generated keys stored on a device.
* Uses public key cryptography and digital signatures.
* A private key, paired with the digital-signature public key, is used for authentication.
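An added example, not part of the original notes, of the passkey idea as a challenge/response exchange with Ed25519 signatures: the device generates the key pair and keeps the private key, the server stores only the public key, issues a fresh random challenge per login, and verifies the signature. The relying-party ID "example.test", the user "alice" and the type and function names are this example's own constructions. It goes slightly beyond the notes in two defender-relevant details: the challenge is consumed on first use so a captured signature cannot be replayed, and the relying-party ID is part of the signed bytes so a signature produced for a different site fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator models the device side of a passkey. The private key is
// generated here and never leaves the struct; only the public key is shared.
type Authenticator struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pub: pub}, nil
}

// PublicKey is what the server stores at registration.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.pub }

// SignChallenge proves possession of the private key. The relying-party ID
// is part of the signed bytes, so a signature made for one site is useless
// at another.
func (a *Authenticator) SignChallenge(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedPayload(rpID, challenge))
}

// signedPayload is the byte string both sides agree to sign and verify.
func signedPayload(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// RelyingParty models the server: it keeps public keys only and hands out
// one-time challenges.
type RelyingParty struct {
	ID      string
	creds   map[string]ed25519.PublicKey // user -> registered public key
	pending map[string][]byte            // user -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.creds[user] = pub
}

// IssueChallenge returns a fresh random nonce for the user to sign.
func (rp *RelyingParty) IssueChallenge(user string) ([]byte, error) {
	if _, ok := rp.creds[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and consumes
// the challenge, so the same signature cannot be presented twice.
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	pub, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user")
	}
	challenge, ok := rp.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.pending, user)
	if !ed25519.Verify(pub, signedPayload(rp.ID, challenge), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("example.test") // constructed relying-party ID
	rp.Register("alice", auth.PublicKey())

	challenge, _ := rp.IssueChallenge("alice")
	sig := auth.SignChallenge(rp.ID, challenge)
	fmt.Println("login:", rp.Verify("alice", sig))  // <nil>
	fmt.Println("replay:", rp.Verify("alice", sig)) // no outstanding challenge
}
```

Because the server holds public keys only, a breach of its credential store does not yield anything that lets an attacker sign a challenge, which is the property that distinguishes passkeys from stored password hashes.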