Questions and Answers
What is Digital Identity according to NIST SP 800-63-3?
What is the primary goal of digital user authentication?
What is one of the Derived Security Requirements for digital user authentication?
What should be done to passwords when new passwords are created?
Signup and view all the answers
What should be done to identifiers after a period of inactivity?
Signup and view all the answers
How should passwords be stored and transmitted?
Signup and view all the answers
What is the primary purpose of multifactor authentication?
Signup and view all the answers
Which type of authentication factor is a fingerprint?
Signup and view all the answers
What is the main difference between IAL2 and IAL3?
Signup and view all the answers
What is the purpose of Authenticator Assurance Level (AAL)?
Signup and view all the answers
Which of the following is an example of something the individual does?
Signup and view all the answers
What is the main purpose of NIST SP 800-63-3?
Signup and view all the answers
What is the purpose of the salt value in password hashing?
Signup and view all the answers
What is the main objective of password-based authentication?
Signup and view all the answers
What is an offline dictionary attack?
Signup and view all the answers
What is the purpose of password hashing?
Signup and view all the answers
What is the purpose of the ID in password-based authentication?
Signup and view all the answers
What is the characteristic of the hash algorithm used in password hashing?
Signup and view all the answers
Study Notes
Digital Identity
- A unique representation of a subject engaged in an online transaction.
Digital User Authentication
- The process of determining the validity of one or more authenticators used to claim a digital identity.
Basic Security Requirements
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Derived Security Requirements
- Use multifactor authentication for: • Local and network access to privileged accounts • Network access to non-privileged accounts
- Employ replay-resistant authentication mechanisms for: • Network access to privileged accounts • Network access to non-privileged accounts
- Prevent reuse of identifiers for a defined period.
- Disable identifiers after a defined period of inactivity.
- Enforce: • A minimum password complexity • Change of characters when new passwords are created
- Prohibit password reuse for a specified number of generations.
- Allow temporary password use for system logons with an immediate change to a permanent password.
- Store and transmit only cryptographically-protected passwords.
- Obscure feedback of authentication information.
Authentication Means
- There are four general means of authenticating a user's identity: something the individual possesses, does, is, or knows.
- Something the individual possesses: token, smartcard, electronic keycard, physical key.
- Something the individual does: voice pattern, handwriting, typing rhythm.
- Something the individual is: fingerprint, retina, face.
- Something the individual knows: password, PIN, answers to prearranged questions.
Multifactor Authentication
- Multifactor authentication (MFA) requires two or more pieces of evidence to verify identity.
- MFA provides increased security and confidence in identity proofing and authentication processes.
Identity Assurance Levels (IALs)
- IAL1: no need to link the applicant to a specific real-life identity.
- IAL2: provides evidence for the claimed identity using remote or physically-present identity proofing.
- IAL3: requires physical presence for identity proofing.
Authenticator Assurance Levels (AALs)
- AAL1: provides some assurance of authentication via user-supplied ID and password.
- AAL2: provides high confidence of authentication via proof of possession and control of two authentication factors.
- AAL3: provides very high confidence of authentication via proof of possession and control of two authentication factors.
Password-Based Authentication
- Password-based authentication contains a username/login (ID) and password.
- The ID determines whether the user is authorized to gain access to a system.
- The ID determines the privileges accorded to the user.
- The ID is used in discretionary access control.
Password Security Threats
- Forms of attack against password-based authentication include:
- Offline dictionary attack
- Specific account attack
- Popular password attack
- Password guessing against single user
- Workstation hijacking
- Exploiting user mistakes
- Exploiting multiple password use
- Electronic monitoring
Hashed Passwords and Salt Value
- Password hashing turns the password into a fixed-length string using a hashing algorithm.
- The salt value is a secret pseudorandom or random string combined with a password.
- The salt serves three purposes:
- prevents duplicate passwords from being visible in the password file
- greatly increases the difficulty of offline dictionary attacks
- makes it nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them.
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Description
The quiz covers digital identity, its representation, and the process of digital user authentication, including basic security requirements for identifying and verifying users, processes, and devices.
