Digital Identity and Authentication
18 Questions
0 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to Lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What is Digital Identity according to NIST SP 800-63-3?

  • A unique representation of a subject engaged in an online transaction (correct)
  • A biometric authentication method
  • A digital certificate issued by a trusted authority
  • A unique username and password

What is the primary goal of digital user authentication?

  • To identify information system users
  • To authorize access to organizational information systems
  • To prevent unauthorized access to systems
  • To determine the validity of one or more authenticators (correct)

What is one of the Derived Security Requirements for digital user authentication?

  • Use single-factor authentication for all accounts
  • Use multifactor authentication for local and network access to privileged accounts (correct)
  • Disable identifiers after a short period of activity
  • Prohibit password changes for a specified number of generations

What should be done to passwords when new passwords are created?

<p>Enforce a minimum password complexity and change of characters (D)</p> Signup and view all the answers

What should be done to identifiers after a period of inactivity?

<p>Disable identifiers after a defined period of inactivity (B)</p> Signup and view all the answers

How should passwords be stored and transmitted?

<p>Store and transmit only cryptographically-protected passwords (D)</p> Signup and view all the answers

What is the primary purpose of multifactor authentication?

<p>To verify a user's identity using two or more pieces of evidence (D)</p> Signup and view all the answers

Which type of authentication factor is a fingerprint?

<p>Something the individual is (B)</p> Signup and view all the answers

What is the main difference between IAL2 and IAL3?

<p>The physical presence required for identity proofing (C)</p> Signup and view all the answers

What is the purpose of Authenticator Assurance Level (AAL)?

<p>To provide some assurance of authentication via user-supplied ID and password (A)</p> Signup and view all the answers

Which of the following is an example of something the individual does?

<p>Voice pattern (D)</p> Signup and view all the answers

What is the main purpose of NIST SP 800-63-3?

<p>To provide guidelines for identity assurance and authenticator assurance levels (C)</p> Signup and view all the answers

What is the purpose of the salt value in password hashing?

<p>To prevent duplicate passwords from being visible in the password file (C)</p> Signup and view all the answers

What is the main objective of password-based authentication?

<p>To authenticate the ID of the individual logging on to the system (B)</p> Signup and view all the answers

What is an offline dictionary attack?

<p>An attack that uses a list of words to guess the password (D)</p> Signup and view all the answers

What is the purpose of password hashing?

<p>To prevent cybercriminals from getting access to the passwords file (C)</p> Signup and view all the answers

What is the purpose of the ID in password-based authentication?

<p>All of the above (D)</p> Signup and view all the answers

What is the characteristic of the hash algorithm used in password hashing?

<p>It is designed to be slow to execute (B)</p> Signup and view all the answers

Study Notes

Digital Identity

  • A unique representation of a subject engaged in an online transaction.

Digital User Authentication

  • The process of determining the validity of one or more authenticators used to claim a digital identity.

Basic Security Requirements

  • Identify information system users, processes acting on behalf of users, or devices.
  • Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Derived Security Requirements

  • Use multifactor authentication for: • Local and network access to privileged accounts • Network access to non-privileged accounts
  • Employ replay-resistant authentication mechanisms for: • Network access to privileged accounts • Network access to non-privileged accounts
  • Prevent reuse of identifiers for a defined period.
  • Disable identifiers after a defined period of inactivity.
  • Enforce: • A minimum password complexity • Change of characters when new passwords are created
  • Prohibit password reuse for a specified number of generations.
  • Allow temporary password use for system logons with an immediate change to a permanent password.
  • Store and transmit only cryptographically-protected passwords.
  • Obscure feedback of authentication information.

Authentication Means

  • There are four general means of authenticating a user's identity: something the individual possesses, does, is, or knows.
  • Something the individual possesses: token, smartcard, electronic keycard, physical key.
  • Something the individual does: voice pattern, handwriting, typing rhythm.
  • Something the individual is: fingerprint, retina, face.
  • Something the individual knows: password, PIN, answers to prearranged questions.

Multifactor Authentication

  • Multifactor authentication (MFA) requires two or more pieces of evidence to verify identity.
  • MFA provides increased security and confidence in identity proofing and authentication processes.

Identity Assurance Levels (IALs)

  • IAL1: no need to link the applicant to a specific real-life identity.
  • IAL2: provides evidence for the claimed identity using remote or physically-present identity proofing.
  • IAL3: requires physical presence for identity proofing.

Authenticator Assurance Levels (AALs)

  • AAL1: provides some assurance of authentication via user-supplied ID and password.
  • AAL2: provides high confidence of authentication via proof of possession and control of two authentication factors.
  • AAL3: provides very high confidence of authentication via proof of possession and control of two authentication factors.

Password-Based Authentication

  • Password-based authentication contains a username/login (ID) and password.
  • The ID determines whether the user is authorized to gain access to a system.
  • The ID determines the privileges accorded to the user.
  • The ID is used in discretionary access control.

Password Security Threats

  • Forms of attack against password-based authentication include:
    • Offline dictionary attack
    • Specific account attack
    • Popular password attack
    • Password guessing against single user
    • Workstation hijacking
    • Exploiting user mistakes
    • Exploiting multiple password use
    • Electronic monitoring

Hashed Passwords and Salt Value

  • Password hashing turns the password into a fixed-length string using a hashing algorithm.
  • The salt value is a secret pseudorandom or random string combined with a password.
  • The salt serves three purposes:
    • prevents duplicate passwords from being visible in the password file
    • greatly increases the difficulty of offline dictionary attacks
    • makes it nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them.

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Quiz Team

Description

The quiz covers digital identity, its representation, and the process of digital user authentication, including basic security requirements for identifying and verifying users, processes, and devices.

More Like This

Use Quizgecko on...
Browser
Open
Browser
Browser