Identification and Authentication Overview

Questions and Answers

Which type of authentication involves something you know?

Type 2 Authentication

Type 3 Authentication

Multi-factor Authentication

Type 1 Authentication (correct)

Passwords are considered the strongest form of authentication.

False

What is an example of Type 3 Authentication?

Biometrics (e.g., fingerprint, iris scan)

Secret questions as knowledge factors are often _____ examples because they can be easily researched.

poor

Match the following types of authentication with their definitions:

Type 1 = Knowledge factors like passwords Type 2 = Possession factors like smart cards Type 3 = Biometric factors like fingerprints

What is a common characteristic of weak passwords?

They are easy to guess personal information

Key stretching adds time to password verification to prevent brute-force attacks.

True

Name one strategy to enhance password security.

Use a combination of upper/lowercase letters, numbers, and symbols.

What is a key limitation of brute force attacks when it comes to one-time pads?

They generate too many false positives.

Clipping levels are used to prevent users from guessing passwords by restricting logins.

False

What is the minimum password length recommended by the U.S. Department of Defense?

14 characters

A single-use password is also known as a _____ in online banking.

TAN

Match the following password management terms with their definitions:

Password history = Remembers the last 24 passwords used Maximum password age = Password must be changed every 90 days Minimum password age = Must wait 2 days before changing password again Complexity requirements = Passwords must include various character types

Which of the following is NOT a possession factor in Type 2 authentication?

Password

Single-use passwords are considered very convenient by most users.

False

How long is an account typically locked after too many failed login attempts?

One hour

Which of the following is NOT a method of biometric authentication?

Social Security number

Behavioral characteristics used in biometrics are permanent and never change.

False

Name one potential health issue that can be revealed through biometric authentication.

Vascular diseases

Biometric data collection can be more invasive, particularly when it involves __________.

Iris scans

Which of the following is a characteristic of contactless cards?

They can be read by proximity.

Match the following biometric methods with their characteristics:

Fingerprint = Unique to each individual Facial recognition = Can be easily photographed Iris recognition = More invasive but secure Voice pattern = Can be recorded and replicated

What is a major issue with biometric authentication?

It can't be replaced if lost.

HOTP stands for HMAC-based One-Time Password.

True

What does FRR stand for in biometric authentication?

False Rejection Rate

The U.S. Office of Personnel Management suffered a data breach involving biometric data.

True

Biometric identifiers are categorized as physiological and __________ characteristics.

behavioral

Biometric authentication can be compromised by __________ of the individual's features.

photographs

Match the following types of cards with their characteristics:

Smart Cards = Contain an integrated circuit chip Magnetic Stripe Cards = Swiped through a reader Tokens = Can be hardware or software based Biometric Authentication = Uses unique human physical traits

The Crossover Error Rate (CER) represents which of the following?

The intersection point of FRR and FAR

Contact cards can only be credit cards.

False

What are examples of something you are in authentication methods?

Fingerprint, iris scan, facial geometry

What is the main principle of the Least Privilege access control concept?

Users should have the minimum necessary access.

Mandatory Access Control (MAC) assigns access based on user identity alone.

False

What does RBAC stand for in access control?

Role-Based Access Control

Access control that uses labels to assign permissions based on clearance is known as _____ .

Mandatory Access Control (MAC)

Which method of access control is often used when confidentiality is most important?

Mandatory Access Control (MAC)

Define the term 'Need to Know' in access control.

A principle that states if a user does not need access to information, they should not have it.

Match the access control method with its primary focus:

DAC = Availability MAC = Confidentiality RBAC = Integrity ABAC = Conditions and Attributes

Attribute-Based Access Control (ABAC) is a policy-neutral access control mechanism.

True

Study Notes

Identification and Authentication

• Identification establishes the user’s identity through factors like name, username, or ID number.
• Authentication confirms identity with multi-factor methods for better security.

Authentication Types

• Type 1 (Knowledge Factors): Use something known (e.g., passwords, PINs).

  • Most common form; weakest due to vulnerability to compromise.
  • Ensure passwords are complex (14+ characters, include numbers and symbols).
  • Password policies include expiration dates and limits on reuse to enhance security.
  • Secret questions are often poorly chosen and can be easily researched.

• Type 2 (Possession Factors): Use something possessed (e.g., ID cards, tokens).

  • Forms of possession include credit cards and smart cards.
  • Single-use passwords enhance security but may be inconvenient for users.
  • Magnetic stripe cards are easy to duplicate; smart cards use integrated circuits.
  • Tokens can be hardware or software-based, with HOTP and TOTP protocols.

• Type 3 (Biometric Factors): Use unique biological traits (e.g., fingerprints, facial recognition).

  • More secure but can have false acceptance/rejection issues.
  • Biometric systems must balance false rejection rate (FRR) and false acceptance rate (FAR) to achieve a crossover error rate (CER).
  • Physiological characteristics are stable, while behavioral characteristics may change.

Issues with Biometric Authentication

• Biometric data can expose sensitive information about health and identity, raising privacy concerns.
• Attacks can involve duplicating biometric traits from images or recordings.
• Lost passwords or ID cards can be replaced; compromised biometrics cannot.

Authorization

• Authorization determines what information users can access.
• Implement access control models based on security goals, including Least Privilege and Need to Know principles.

Access Control Models

• Discretionary Access Control (DAC):

  • Object owners assign permissions at their discretion; common in file systems.
  • Utilizes Discretionary ACLs (DACLs) based on user identification.

• Mandatory Access Control (MAC):

  • Access is based on labels and classifications; prioritizes confidentiality.
  • Requires user's clearance level to surpass the object's security label.

• Role-Based Access Control (RBAC):

  • Access is based on user roles, simplifying management of permissions within large organizations.
  • Enforces separation of duties to prevent privilege creep.

• Attribute-Based Access Control (ABAC):

  • Combines user, object, and environmental attributes to determine access.
  • Offers flexibility in access management based on dynamic conditions.

Description

This quiz covers the fundamental concepts of Identification and Authentication, including the different types and levels of authentication, as well as the importance of multi-factor authentication. Explore how personal information and various authentication methods contribute to secure online identity management.