Knowledge-Based Authentication and Security Keys


Questions and Answers

Knowledge-based authentication (KBA) often requires users to answer at least one ______ question.

secret

Dynamic KBA does not require the person to have provided the questions and answers ______.

beforehand

A ______ is a physical device used to add extra protection to online accounts and systems.

security key

Tokens or key fobs often display a number that changes periodically, typically every ______ seconds.

60

HOTP stands for HMAC-based One-Time ______.

Password

A soft token is generally an app downloaded on a computer or mobile ______.

device

Common access cards (DoD) are examples of ______ used for secure identification.

CACs

Soft tokens generate a one-time passcode for two-factor or multi-factor ______.

authentication

Also known as False Acceptance Rate (FAR) – identifies the percentage of times the false acceptance occurred (false negative) – true ______ (good)

negative

True ______ – accurately determines a positive match

acceptance

True ______ – accurately determines a non-match

rejection

______ analysis is the systematic study of animal locomotion

Gait

Multifactor Authentication requires two (or more) types, including something you know AND something you ______

HAVE

Fingerprint, Vein Matching, and Retina Imaging are examples of different types of ______

biometrics

______ Dynamics refers to the study of typing patterns and their variations among users.

Keyboard

In geolocation, a GPS-tracked individual allows systems to be authenticated through geographic ______

location

A ______ account is any account not owned by your organization.

third party

PayPal acts as a ______ in a retail transaction.

third party

Shared and ______ accounts can be used by more than one person.

generic

Privileged access management (PAM) helps protect organizations from ______.

cyberthreats

By using two different accounts, administrators can configure strict ______ access.

Conditional

Organizations often have account management policies that include disabling accounts rather than ______.

deleting

Disabling is preferred over deleting ______ due to potential loss of associated security keys.

user accounts

PAM is also known as privileged identity management (PIM) or privileged access ______.

security

Attestation security permissions are also known as identity and access ______.

attestation

Federation defines policies, protocols, and practices to manage ______ across systems and organizations.

identities

A one-way trust means the child trusts the parent but the parent does not trust the ______.

child

Security Assertion Markup Language (SAML) is used to enable single sign-on (SSO) through an ______ provider.

identity

OAuth is an open-standard authorization protocol providing secure designated ______.

access

SAML is designed for authentication and authorization while OAuth was built solely for ______.

authorization

Transitive trust means that trust extends to other trusted ______.

domains

Identity governance is vital to an organization's information ______.

security

Discretionary Access Control relies on decisions made by the end user to set the proper ______.

permissions

In Mandatory Access Control, access is based on the security ______ of the subject and classification of the object.

clearance

MAC is primarily used in environments requiring higher levels of ______ and structure.

security

In MAC, a subject cannot pass access ______ to another subject.

permission

A key to Mandatory Access Control is that the subject’s label must ______ the object’s label to gain access.

dominate

ABAC stands for Attribute-Based ______ Control.

Access

All files on one system in MAC can share the same ______.

label

A trusted computer system ensures that labels cannot be arbitrarily ______.

changed


Study Notes

Knowledge-Based Authentication (KBA)

  • Authenticates users by asking them secret questions.
  • Often used as part of multi-factor authentication (MFA) or for password retrieval.
  • Dynamic KBA verifies identity without requiring users to pre-set questions and answers.

Something You Have

  • Smart card - Requires a Public Key Infrastructure (PKI) and an embedded certificate.
  • Tokens or Key Fobs - Display one-time passwords (OTPs) that change periodically.
    • HOTP - Uses HMAC (Hash-based Message Authentication Code) and a counter to create an OTP that remains valid until used.
    • TOTP - Similar to HOTP but uses a timestamp instead of a counter. OTPs expire after 30 seconds.
  • CACs and PIVs - Common Access Cards (DoD) and Personal Identity Verification (Federal Agencies).

Security Keys

  • Physical devices that add an extra layer of security to online accounts.
  • Often resemble thumb drives or tags.
  • May include features like near-field communication (NFC) or fingerprint scanners.
  • Used for 2FA or MFA to protect against account takeover.

Soft Tokens

  • Digital security devices that generate OTPs for 2FA or MFA.
  • Typically apps installed on computers or mobile devices.
  • Used to protect sensitive data and network information.

Types of Biometrics

  • Fingerprint
  • Vein Matching
  • Retina Imaging
  • Iris Scan
  • Facial Recognition
  • Voice Recognition
  • Gait Analysis

Something You Do

  • Signature Dynamics - Analyzed for user recognition
  • Voice-Scan
  • Keyboard Dynamics - Tracks typing patterns for authentication.

Somewhere a User is (Geolocation)

  • Authenticates users based on their GPS location.

Multifactor Authentication (MFA)

  • Requires two or more authentication factors.
  • Common combinations:
    • Something you know (password) AND something you have (security key).
    • Something you know (password) AND something you are (biometrics).

Privileged Access Management (PAM)

  • Protects organizations by monitoring, detecting, and preventing unauthorized access to critical resources.
  • Also known as Privileged Identity Management (PIM) or Privileged Access Security (PAS).

Disabling and Deleting User Accounts

  • Organizations often have policies for managing user accounts, including disabling or deleting accounts.
  • Disabling is preferred over deleting, because deleting also removes the account's associated encryption and security keys.

Attestation

  • Verifies and manages access to systems, applications, and resources.
  • Ensures only authorized individuals have access based on their roles and responsibilities.
  • A key component of identity governance, crucial for information security.

Comparing Authentication Services

  • Federation and Trusts (ADFS) - Defines policies for managing identities across systems and organizations. Allows access across domains.
    • Trust relationships can be:
      • One-way (child trusts parent)
      • Two-way (mutual trust)
      • Non-transitive (trust only between specific domains)
      • Transitive (trust extends to other trusted domains)

SAML (Security Assertion Markup Language)

  • An open standard for exchanging authentication and authorization data.
  • XML-based. Enables Single Sign-On (SSO).
  • Identity providers (IdP) authenticate users and pass tokens to service providers (SP) for authorization.

OAuth

  • An open standard authorization protocol. Allows applications secure access to resources.
  • Example: Allowing ESPN to access your Facebook profile without giving them your password.
  • Focuses on authorization, while SAML is designed for authentication and authorization.

Discretionary Access Control (DAC)

  • Access permissions are set by the data owner.
  • Subject's permissions can be inherited by programs they execute.

Mandatory Access Control (MAC)

  • Based on security clearance of the subject and classification of the object (resource).
  • Each user is assigned a clearance level, and each object carries a classification label.
  • Access decisions are made by the system, not the data owner.
  • Used in highly secure environments.
  • Typically used for classified data.

Attribute-Based Access Control (ABAC)

  • Assigns access and privileges based on attributes or characteristics.
  • Attributes include:
    • Object or Resource Attributes
    • Subject Attributes
    • Environment Attributes
  • Most flexible access control model.
