Cybersecurity Fundamentals Chapter 3

Questions and Answers

What is the primary purpose of allowing temporary password use for system logons?

To improve system security permanently

To enhance user experience

To facilitate immediate change to a permanent password (correct)

To simplify the authentication process

Which of the following is classified as a dynamic biometric authentication method?

Face recognition

Voice pattern (correct)

Retina scan

Fingerprint

What does multifactor authentication (MFA) require from a user?

Only possession of a token

One piece of evidence for verification

A password shared with the system admin

Two or more pieces of evidence for verification (correct)

Which level of Identity Assurance Level (IAL) requires physical presence for identity proofing?

IAL3

What type of passwords should be stored and transmitted according to best practices?

Cryptographically-protected passwords

Which of the following is NOT a mean of authenticating a user's identity?

Something the individual imagines

At which Authenticator Assurance Level (AAL) is some assurance of authentication provided via user-supplied ID and password?

AAL1

Which of the following best describes static biometrics?

Physical features verified at one time

What is digital identity defined as?

A unique representation of a subject engaged in an online transaction.

Which of the following is a basic security requirement for user authentication?

Authenticate the identities of users, processes, or devices.

What is multifactor authentication primarily used for?

To enhance access control for privileged accounts.

Which security measure is intended to prevent the reuse of identifiers?

Defining a period during which identifiers cannot be reused.

What does enforced password complexity imply?

Passwords should include a minimum length and varied characters.

What is the purpose of replay-resistant authentication mechanisms?

To deter unauthorized users from accessing systems multiple times.

What is a consequence of having a defined period of inactivity for identifiers?

Identifiers are disabled to enhance security.

Which of the following statements about password reuse is true?

Prohibiting password reuse for a specified number of generations enhances security.

What ensures that the contactless RF chip in the eID card cannot be accessed without authorization?

Password Authenticated Connection Establishment (PACE)

Which method is commonly used to generate a time-based one-time password (TOTP)?

HMAC with a hash function

What is the risk associated with a one-time password (OTP) device?

The secret key is vulnerable to interception

In which scenario is the machine-readable zone (MRZ) primarily used?

To establish offline access with a card access number

What should systems using time-based OTP accommodate for successful authentication?

Clock drift between token and system

Which component of an OTP device is crucial for securely generating the password?

Tamper-resistant module

What is the purpose of the personal identification number (PIN) in the context of eID cards?

To provide confidential access to the RF chip

What distinguishes single-factor authentication from other methods?

It typically involves only one form of verification

What function does the eID PIN serve in online applications?

It functions as a signature key for electronic signatures.

Which of the following data can be accessed or read by eID functions?

Date and place of birth

What is the purpose of the electronic signature creation in eID?

To certify user transactions and identity.

What information would be typically included in an eID revocation query?

Validity of an ID or certification status

Which of the following is NOT a function of eID?

Social media management

What is one of the uses of the signature key in electronic signatures?

To verify authenticity of documents.

In the context of eID, what does 'PAC E Password' refer to?

A password required to access the electronic signature creation function.

Which of the following options relates to community ID verification in eID functions?

It checks the ID for expiration date.

What is a potential disadvantage of using mobile authentication apps?

Phone might be lost or stolen

Which attack method specifically targets a mobile user's access to their authentication?

SIM swap attack

What unique characteristic is NOT used in biometric authentication?

Password strength

What type of protocol is generally used to enhance security during remote user authentication?

Challenge-response protocol

Which of the following is a challenge faced specifically by remote user authentication?

Increased complexity and security threats

What is a common defense against password guessing attacks?

Use of larger entropy and limited attempts

What type of attack attempts to disable a user authentication service through an overload?

Denial of Service

Which biometric matching method is considered technically complex and expensive?

Biometric authentication

What is a risk associated with attackers using fake mobile towers?

Intercepting SMS messages

In the context of client attacks, what is a common method attackers use to achieve unauthorized access?

Spoofing user credentials

Study Notes

Digital User Authentication Principles

• Digital identity is a unique representation of a subject in online transactions (NIST SP 800-63-3).
• Digital user authentication determines the validity of authenticators claiming a digital identity.
• Basic security requirements include identifying users, authenticating identities, and employing multifactor authentication (MFA).

Password-Based Authentication

• Requires users to authenticate with something they know, such as a password or PIN.
• Security measures include enforcing complexity, preventing reuse, and disabling inactive accounts.

Token-Based Authentication

• Users authenticate with something they possess, like a smartcard or electronic keycard.
• One-time passwords (OTP) generated by devices increase security for transactions.
• Alternatives like time-based OTP (TOTP) rely on algorithms and a secure clock, but vulnerable to clock drift issues.

Biometric Authentication

• Utilizes unique physical characteristics (e.g., fingerprints, facial recognition) for user authentication.
• Technically complex and expensive compared to traditional methods, yet provides heightened security.

Multifactor Authentication (MFA)

• MFA involves using two or more factors for identity verification, such as passwords combined with tokens or biometrics.
• Enhances security compared to single-factor authentication methods.

Assurance Levels for User Authentication

• Identity Assurance Levels (IAL) define certainty in identity proofing:
  • IAL1: No link to real identity required.
  • IAL2: Evidence of identity through remote or in-person proofing.
  • IAL3: Physical presence is needed for proofing.
• Authenticator Assurance Levels (AAL) gauge authentication strength:
  • AAL1: User ID and password provide some assurance.
  • Higher levels require stronger proof mechanisms.

Security Issues for User Authentication

• User authentication is subject to attacks like eavesdropping, replay attacks, and client/host attacks.
• Common attacks include password guessing, token theft, and biometric spoofing.
• Defense strategies involve multifactor authentication, large entropy for identifiers, and rigorous password protection measures.

Remote User Authentication Challenges

• Increased complexity and vulnerability over networks due to threats like capturing passwords and replaying authentication sequences.
• Challenge-response protocols can mitigate some security risks associated with remote authentication.

Case Study: ATM Security Problems

• Small to mid-sized debit card issuers often rely on processors for core data processing and electronic funds transfer, leading to potential vulnerabilities in ATM security.

Description

This quiz covers essential concepts of user authentication, including password-based, token-based, and biometric methods. You will explore digital identity principles and prevalent security issues related to user authentication. Test your knowledge on the guidelines and best practices for ensuring secure user access.