Understanding Authentication Methods


Questions and Answers

Which of the following actions best describes the process of authentication?

  • Granting permissions to access specific resources.
  • Transforming data into an unreadable format.
  • Ensuring data remains consistent during transfer.
  • Verifying a user's identity to allow system access. (correct)

What is the primary goal of authentication in a system?

  • To allow faster creation of user accounts.
  • To confirm that a user is who they claim to be. (correct)
  • To automatically monitor all user activity.
  • To encrypt sensitive data stored within the system.

In single-factor authentication, which type of factor might be utilized?

  • A unique biometric characteristic of the user.
  • The user's current geographical position.
  • A piece of information known by the user. (correct)
  • A physical object possessed by the user.

Which combination accurately represents two-factor authentication?

Using a password in conjunction with a security token. (A)

Which of these is NOT considered a standard authentication factor?

Your body temperature. (D)

Which option exemplifies a knowledge-based authentication factor?

Entering a PIN. (A)

Which authentication method uses an object held by the user?

Using a security token. (B)

Which of the following is categorized as an 'inherence' factor in authentication?

An iris scan. (B)

What does the acronym 'MFA' stand for in the context of cybersecurity?

Mandatory File Access. (D)

Why is two-factor authentication considered more secure than single-factor authentication?

It uses multiple, different authentication factors. (B)

In a typical authentication flow, what information does the client usually provide first?

A security token. (D)

What does the server utilize to validate a user's credentials during authentication?

A database. (C)

After successfully authenticating a user, what does the server commonly generate to maintain the session?

Access and refresh tokens. (C)

In remote authentication, what primary security purpose does a 'nonce' serve?

To prevent replay attacks. (B)

For what specific purpose is a challenge-response protocol used?

Verifying remote user identities. (D)

Which authentication method relies on only one piece of identifying information?

Single-factor authentication. (C)

What does two-factor authentication combine?

A password and a biometric or security token. (A)

What constitutes three-factor authentication?

Using three different and independent factors. (C)

What additional capability is integrated into a smartcard beyond basic data storage?

Onboard memory and a processor. (D)

Which authentication factor is most susceptible to phishing attacks?

Knowledge-based factors. (C)

What is the main characteristic of an offline dictionary attack?

It compares password hashes against a list of common passwords. (D)

What makes a 'specific account attack' unique?

It broadly targets many accounts at once. (D)

What is a key characteristic of a popular password attack?

It attempts to brute-force a single account. (A)

What type of vulnerability is exploited when an attacker guesses a password based on personal information?

Token hijacking. (B)

What is 'workstation hijacking'?

Gaining unauthorized control over an unattended computer. (A)

What is the potential risk if a user writes down a system-assigned password?

The workstation becomes more vulnerable. (C)

Which countermeasure is most effective at mitigating offline dictionary attacks?

Protecting the password file. (B)

What is the primary function of an account lockout policy?

To prevent repeated login attempts. (C)

What is the main reason for enforcing strong password policies?

To make passwords more difficult for attackers to guess. (C)

What is the main purpose of using a salt value when hashing passwords?

To add random data to the password before hashing. (B)

Flashcards

What is Authentication?

Verifying a user's identity.

Primary purpose of authentication?

To confirm the user is legitimate.

Single-factor authentication factor?

Something you know, like a password.

What is two-factor authentication?

Combines two different types of authentication factors.

Not an authentication factor?

Temperature is not an authentication factor.

Example of knowledge-based factor?

A PIN is something you know.

Possession-based factor?

A token is a physical object that you have.

Inherence-based factor?

An iris scan uses a biometric trait.

What does MFA stand for?

Multi-Factor Authentication

Why is two-factor authentication more secure?

It adds an extra security layer by combining different factors.

What does the client submit first?

Login credentials (username and password).

What verifies credentials?

A database

What does the server generate after a match?

Access and refresh tokens

Purpose of a nonce?

Defend against replay attacks

Challenge-response protocol is used for?

Remote user authentication

Which method uses a single credential?

Single-factor authentication

What does two-factor authentication combine?

A password and a biometric or token

What is three-factor authentication?

Using three different factors

Additional function of a smartcard?

Memory and a processor.

Most vulnerable factor to phishing?

Knowledge-based

What is an offline dictionary attack?

Comparing password hashes to common ones.

Attack targeting a specific account repeatedly?

A specific account attack

What is a popular password attack?

Using common passwords on many accounts

Vulnerability guessing based on personal details?

Password guessing

What is workstation hijacking?

Taking over an unattended computer

Study Notes

Authentication

  • Authentication verifies a user’s identity.
  • The primary purpose of authentication is to confirm a user is legitimate.
  • Single-factor authentication uses a knowledge factor, like a password.
  • Two-factor authentication combines two different types of factors.

Authentication Factors

  • Knowledge-based factors involve something you know.
  • Possession-based factors involve something you have.
  • Inherence-based factors involve something you are.
  • Temperature is not an authentication factor.
  • A PIN is an example of a knowledge-based factor.
  • A security token is an example of a possession-based factor and is a physical object.
  • An iris scan is an example of an inherence-based factor and uses a biometric trait.

Multi-Factor Authentication (MFA)

  • MFA stands for Multi-Factor Authentication.
  • MFA uses two or more different factors.
  • Two-factor authentication is more secure than single-factor authentication because it adds an extra security layer.
  • The client submits login credentials first in the authentication flow.
  • The server verifies credentials by checking a database.
  • After a successful match, the server generates access and refresh tokens for session continuation.
  • Two-factor authentication combines factors from different categories.
  • Three-factor authentication uses three different factors and therefore requires three distinct proofs.

Authentication Methods

  • Single-factor authentication uses a single credential and one barrier.
  • Remote user authentication verifies users over a network, typically with a challenge-response protocol.

Security Vulnerabilities and Attacks

  • Passwords are common targets for phishing attacks.
  • An offline dictionary attack compares password hashes to common ones and uses known hash values to guess passwords.
  • A specific account attack targets a specific account repeatedly and focuses on one account.
  • A popular password attack tests well-known, common passwords across many accounts.
  • Password guessing involves guessing based on personal details.
  • Attackers use personal information to guess passwords in password guessing.
  • Temperature is not used as a factor.
  • Workstation hijacking exploits an unattended workstation and involves taking over an unattended computer.
  • Writing down a system-assigned password increases vulnerability.
  • The vulnerability that arises from using default passwords makes it easier for attackers because defaults are well known.
  • Reusing a password across devices increases vulnerability and it raises the risk if one is compromised.
  • Storing passwords in plain text leads to data breaches because it is easily compromised.
  • If a password file is compromised, attackers can run cracking programs leading to brute-force attempts.

Countermeasures and Policies

  • Protecting the password file reduces the risk of offline dictionary attacks.
  • Account lockout limits repeated login attempts and blocks further attempts.
  • Enforcing strong password policies increases security by making passwords hard to guess.
  • Unique password policies prevent password reuse across devices and reduce risk.
  • Intrusion detection systems (IDS) monitor for suspicious activity and detect unauthorized access attempts.
  • Guidelines for strong password creation help users choose strong passwords.
  • Using salt in hashing helps defend against dictionary attacks because salt complicates pre-computation.

Hashing and Encryption

  • A salt value in password hashing adds random data to the password before hashing, so identical passwords produce different hash outputs.
  • The UNIX crypt(3) function, used for password hashing, is based on DES.
  • The UNIX password hashing scheme performs 25 iterations.
  • Hashed password storage is vulnerable to guessing attacks allowing attackers to run cracking programs.
  • Using a hashed password scheme slows down attackers and uses salt and a slow hash function.
  • Hashed passwords secure stored data.
  • Cryptographic hashing provides one-way encryption in authentication, producing irreversible hashes.
  • Encrypted communication links secure data in transit, including password file transmission.
  • The term "hashed password" means that a password has been processed by a hash algorithm.
  • Multiple iterations of encryption slow down attackers and improve password security in UNIX systems.
  • A nonce creates a unique session and defends against replay attacks in remote authentication.

Tokens

  • A security token is a tangible, physical device used for authentication.
  • Tokens allow session continuation.
  • Access tokens allow continued access and maintain the session.
  • A refresh token extends the session securely and renews session access.
  • A memory card token type contains electronic memory inside.
  • A smartcard token type includes a built-in processor and processes data internally.
  • Tokens generated by the server manage the session and control session continuity.
  • A stolen security token may allow access if unaccompanied by another factor.

Biometrics

  • Biometric authentication uses unique physical traits and relies on physical characteristics.
  • Fingerprint and facial recognition are two common biometric examples and are physical traits.
  • Iris scan is biometric and an inherence-based factor.
  • A common risk of biometric authentication is privacy issues as it may raise privacy concerns.
  • Biometric systems may be affected by environmental factors.
  • A biometric system registers biometric traits during the enrollment process and compares presented biometric data with stored templates during verification.
  • The biometric system matches the biometric template.
  • A biometric method, like fingerprint scanning, requires a sensor to capture data.
  • Identification biometric system relies solely on biometrics and does not need extra credentials.
  • Biometric templates serve as the stored references against which presented data is compared during authentication.

ATM Security

  • A dedicated data connection in ATM systems secures the connection and isolates sensitive data.
  • Connecting ATM systems over internet-linked networks increases ATM vulnerability because Internet connectivity raises risks.
  • When ATM data crosses an unsecured network, data can be captured by attackers, leading to data interception.
  • A vulnerability affecting ATM transactions is that data is exposed to interception, leading to confidentiality and integrity risks.

Replay Attacks

  • A nonce creates a unique session.
  • A replay attack reuses valid messages maliciously and entails reusing captured authentication messages.

Authentication Systems

  • The advantage of multi-factor authentication is that it requires multiple proofs.
  • The key weakness of single-factor authentication is that only one barrier exists so it relies on a single proof.
  • An authentication system grants access when a password is verified and it allows entry upon verification.
  • The ultimate goal of user authentication is to confirm identity and it aims to verify who you are.
