• Unit 5: Identification and Authentication

    As users or systems attempt to access secured data, their identities must be verified. The fundamentals of system access consist of both identification and authentication. A user identifies with a username and an authentication method to prove their identity. Authentication methods can be simple or more complex, depending on the desired level of security. Today, banks are requiring two-factor authentication, or two ways to authenticate a member's identity. With so many passwords to remember, users want the technology to log in with one password and to authenticate across all systems, or the capability of a single sign-on. This unit will discuss identification, types of authentication, human authentication factors, authentication forms, authentication protocols, methods for single sign-on (SSO), and public-key infrastructure (PKI).

    Completing this unit should take you approximately 7 hours.

    • Upon successful completion of this unit, you will be able to:

      • explain identification and authentication, and the methods used for each, such as passwords, tokens, and biometrics;
      • discuss human authentication factors: something you know, something you have, something you are;
      • differentiate between single-factor, two-factor, multi-factor, and mutual authentication;
      • explain the purpose, advantages, and disadvantages of single sign-on (SSO);
      • explain Kerberos-based authentication and its dependency on the key distribution center (KDC);
      • discuss the use and functionality of Lightweight Directory Access Protocol (LDAP);
      • compare and contrast the characteristics, advantages, and limitations of authentication protocols like Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS), and Diameter; and
      • explain public-key infrastructure (PKI) and the use of digital certificates.

    • 5.1: Identification

      Although they work together, there are differences between identification, authentication, and authorization. When logging into an application a username is commonly used for identification. Authentication means to prove the user’s identity, most commonly via a password. Once a user is authenticated, authorization or access to the system is provided. This section describes these three terms and how together they provide for confidentiality in systems.
      • Identification, Authentication, and Authorization Page
        To maintain access control, there must be a way to provide or deny access to users. In this section, you will learn what it means to identify, authenticate, and authorize a user. For example, when you log into a system you identify yourself, then you authenticate or prove who you are by providing a password. If the username and password match, the system will authorize your access provided you were previously approved for access to the system. Read the section on identification, authentication, and authorization to learn the terms and to be able to differentiate between them. You will also learn identification component requirements, authentication factors, and authentication methods such as biometrics, passwords, cryptographic keys, passphrases, memory cards, and smart cards.
      • Authentication and Authorization Basics Page
        View this video about identification, authentication, and authorization in computer systems. As you watch, list the common identification methods and common authentication factors. What can be used to prove something you know, something you are, something you have, something you do, and somewhere you are? What are four methods of authentication? What is an implicit deny?

    • 5.2: Authentication Types

      Now that you understand the principal of authentication, you will learn about some types of authentication to include passwords, tokens, and biometrics. As discussed in the previous section, authentication means to prove a user’s identity. Applications often require passwords to prove identity, but users do not always keep their passwords secure, and even if they do passwords can be cracked. Tokens may come with an increase in cost as they have to be issued, but you are probably familiar with tokens that are typically used as chips in bank cards. Biometrics are even more secure, but are also more expensive to use and sometimes present privacy or ethical issues. Biometrics are something you are and can include various metrics such as fingerprints or iris scans. Your organization may need secure ways to provide authentication, and your understanding of these methods will provide you with the knowledge to recommend a particular method of authentication based on the level of security needed and the desired cost.
      • Password Security Page
        Passwords must be kept confidential and follow certain guidelines or they will be easily hacked. Online tools are readily available to crack passwords but following a few rules can make them more secure. Read the sidebar on password security for some effective policies on how to create secure passwords. Be able to name and explain three methods that can be used to make or keep passwords secure.
      • Tokens and Biometrics Page
        Another way to authenticate users is to use tokens or biometrics. Tokens are something you have, but biometrics are something you are, such as your physical characteristics. A one-time password is an example of a token, as is a bank card with a chip. Fingerprints or iris scans are examples of biometrics. As you watch, pay attention to the description of tokens and biometrics, and the common tokens and biometrics used today. What are some common drawbacks with tokens and biometrics? How do tokens authenticate? Biometrics do not authenticate by comparing photographs of the fingerprints or iris, so how do they authenticate? Which biometric authentication is most secure? Which one is most expensive and which one is the least secure?
      • Biometrics Book
        Some consider biometrics as intrusive and as a violation of privacy. While you read, pay attention to how biometric systems authenticate and to the three main threats against biometric systems. What are these three threats and what are the cryptographic and non-cryptographic countermeasures?
      • Security and Accuracy of Biometrics Page

        If you are interested in more information about biometrics, watch this video. The panel discuss various methods of voice, facial, and DNA-recognition technology as well as issues of security, privacy, and the accuracy of biometrics.

    • 5.3: Human Authentication Factors

      You now understand the methods of authentication using passwords, tokens, and biometrics. In the previous section you learned that biometric authentication factors are something you are, but human authentication factors can also be something you know or something you have. A pin number or a password can be something you know, while something you have could be a token. When discussing authentication in this section you will learn about the terms something you are, something you know, and something you have in more detail. You should be able to categorize authentication factors by authentication type.

      • Human Factors Used in Authentication Book

        You learned about using passwords, tokens, and biometrics to authenticate a user. Authentication factors are discussed in terms of something you know, something you have, and something you are. This article explains these three factors.

      • Authentication Factor Descriptions Page
        This video discusses authentication factors in greater detail. How would you categorize authentication factors as something you know, something you have, or something you are? This video uses the language what you know, what you possess, and what you are to describe these concepts. Another authentication factor is where you are. Pay attention to this factor, and think about how it can be used alongside the other three.
      • Methods of Authentication Book
        This article calls the authentication factors we are familiar with the ownership factor, knowledge factor, and inherence factor. These names relate to something you have, something you know, and something you are, respectively.

    • 5.4: Authentication Forms

      The methods of authentication you have learned used one authentication factor. Authentication can be provided by more than one factor, and today many online applications are requiring multifactor authentication. For instance, most financial institutions are requiring two-factor authentication. When logging into a bank account with a username and password, the application may also require the user to provide a one-time pin that is received via email, text, or phone call. Multifactor authentication increases security that provides for system confidentiality. These methods of authentication are multifactor, two-factor, and mutual authentication and will be described in this section.

      • Authentication Forms Page

        Watch this video to learn about authentication forms. There is a difference between authentication and authorization. This video discusses those three factors in terms of what you know, what you are, and what you have. The factors can be used alone or can be combined into multifactor authentication. What is the purpose of multifactor authentication? What is single sign-on?

      • Multifactor Authentication Book
        Authentication can be accomplished with one factor, two factors, or multiple factors. Which one is the weakest level of authentication and which is the most secure and why? When would a more secure system be required? Be able to explain these multifactor authentication methods: password protection, token presence, voice biometrics, facial recognition, ocular-based methodology, hand geometry, vein recognition, fingerprint scanner, thermal image recognition, and geographical location. What are some challenges of multiple factor authentication when using biometrics? There is a lot of interesting information covered in this article that you do not need to memorize, but that you should be aware of.
      • Authentication Page
        Confidentiality, integrity, and availability are supported by authentication and authorization. This video also introduces a new term, accountability. Once you are given authorization, you are accountable for what occurs with your account. This is a good reason not to share authentication credentials. The video addresses four types of user authentication: password, certificate-based, biometrics, and e-tokens. Be able to describe the process for each type of authentication and the drawbacks of each one. You will recognize some information from the unit on cryptography.
      • Mutual Authentication Page
        Watch this short video on mutual authentication, and think about how it relates to the authentication methods we reviewed previously.

    • 5.5: Authentication Protocols: RADIUS, TACACS+, PAP, CHAP, MS-CHAP, and EAP

      Authentication types that humans can provide has been discussed, and now we go a step further to describe what a system does with the authentication data received. Authentication protocols receive the authentication data and transfers this data between systems or entities. If a user enters a username and password, the authentication protocol transfers the username and password to the system where user is requesting access. There are different types of authentication protocols and each one has a different method of, and different level of security. This section describes some older and some more advanced types of authentication protocols to include remote authentication dial-in user service (RADIUS), terminal access controller access control system (TACACS+), Diameter, password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), Microsoft CHAP (MS-CHAP), and extensible authentication protocol (EAP).
      • Authentication Protocols Page
        Four commonly used authentication protocols are Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS), and Diameter. This article explains these methods, their weaknesses, and their compatibilities.
      • Authentication Services Page
        When discussing authentication, it is important to know the function and purpose of authentication services. AAA stands for authentication, authorization, and accounting. The AAA protocols discussed in this video are Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS+). What are each of these services used for? What is encrypted when using each service? How are they similar, and how are they different?
      • Terminal Access Controller Access Control System (TACAS) Page
        You learned about single-factor and two-factor authentication in the previous unit. When you watch this video, make note of which type of authentication TACACS utilizes as opposed to TACACS+. Which one has the stronger authentication factor?
      • Diameter Book
        Read this article about the history of Diameter and why it was developed. What preceded Diameter as an authentication protocol? While you do not need to understand how Diameter authenticates, you should have a general idea of its authentication process.
      • PAP, CHAP, MS-CHAP, and EAP Page
        Four methods of authentication and authorization are discussed in this video. The four methods are password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), Microsoft CHAP (MS-CHAP), and extensible authentication protocol (EAP). While watching this video pay attention to the method of authentication used by each protocol. Which method is the least secure and why? Which method is proprietary?

    • 5.6: Single Sign-On (SSO)

      As humans log into many systems with varying password requirements, trying to remember multiple passwords can be difficult and leads to password vulnerability. Out of necessity, users will writing passwords down because they cannot remember all of their username and password combinations. This is a common issue for organizations and the security professional may be asked to provide a solution to this problem. Single sign-on (SSO) helps to alleviate the problem of memorizing multiple passwords. SSO is when a user logs into a system with one set of credentials and then is allowed access to multiple applications on that system. This section explains some SSO methods as well as the benefits and the weaknesses that are presented when using these methods.
      • Kerberos Page
        This section will introduce you to single sign-on (SSO), and its advantages, disadvantages, and limitations. Then, we will look at the Kerberos authentication protocol. Take note of the Kerberos components such as key distribution center (KDC), ticket granting service (TGS), ticket granting ticket (TGT), and authentication server (AS).
      • Singe Sign-On (SSO) Page

        Watch this video to understand the concept of single sign-on (SSO). Why would a user want to use or not want to use a SSO? What is the name of a modern SSO and is it used for authorization, authentication, or both?

      • Kerberos Facts Page

        This short video will describe the origin of Kerberos, what it protects, and the type of cryptography that is used with Kerberos. Can you describe end-to-end security?

      • Kerberos History Book

        Kerberos can only be used within a trusted environment, and passwords are never sent over the network. Review the terms principal, realm, and ticket. What is the authentication flow for Kerberos? What are its limitations?

      • Kerberos Weaknesses Page

        You should be aware of some of the vulnerabilities of Kerberos. After watching this video name two Kerberos vulnerabilities and describe under what conditions an attacker can exploit these vulnerabilities.

      • Kerberos and Lightweight Directory Access Protocol (LDAP) Page

        Watch this video on Kerberos and lightweight directory access protocol (LDAP). Pay attention to the terms key distribution center (KDC), authentication server (AS), ticket-granting service (TGS), ticket granting ticket (TGT), and token. How do Kerberos and LDAP work? What ports are used by each protocol?

      • Lightweight Directory Access Protocol (LDAP) Book

        To understand Lightweight Directory Access Protocol (LDAP) you must first understand directory services. This article defines directory services and how LDAP structures the entries in a directory service. Pay attention to the basic LDAP components such as attributes, entries, and data information trees (DITs). How does LDAP organize data, and what is LDAP inheritance? Note that there are some variations in LDAP protocols.

      • Directory Services Overview Page
        Beyond directory services, what are some other uses for LDAP? What type of structure does LDAP use for data? You do not need to memorize the abbreviations used in LDAP, but you should be aware of them. This video reviews active directories, which use both LDAP and Kerberos for authentication.

    • 5.7: Public-Key Infrastructure (PKI)

      The last topic in this unit is public key infrastructure (PKI). This type of authentication is a cryptographic technique that uses public keys, digital certificates, and asymmetric encryption. Although the cost to implement PKI may be higher than other authentication methods, the system provides for secure data transmission as well as non-repudiation. In this section, you will learn the PKI process and about the role of the certificate authority (CA) and the registration authority (RA). This section will also describe how public and private keys are used together as well as digital certificates. As a security administrator, it is important to understand the benefits of using PKI and digital certificates, and how PKI could be more costly yet beneficial to an organization.
      • Public-key Infrastructure (PKI) Page
        Asymmetric encryption requires two keys instead of one as in symmetric encryption. In public key infrastructure (PKI), asymmetric encryption is used. Watch this video to learn about PKI and how the public and private keys are used to encrypt and decrypt information. Also, learn about the two types of certificate authorities (CAs). What are the advantages and disadvantages of the private CA? To understand PKI you should also understand the levels of certificate authorities, the concept of the digital certificate, and the components of the digital certificate.
      • More on Public-key Infrastructure (PKI) Page
        After watching this video as a continuation of public key infrastructure (PKI), you should be able to answer the following questions: What are the responsibilities of the certificate authority (CA)? What is the online certificate status protocol (OCSP)? What are the responsibilities of the registration authority (RA)? What is the purpose of a trust model?
      • Certificate and Registration Authorities Page
        One method of certification is using a certificate authority (CA) or registration authority (RA). Read the section on certificate authorities to understand the difference between a CA and an RA. How does the CA, or RA, publish a user's public key?
      • Certificate Authorities Page
        This video will explain and model how the use of a certificate authority (CA) can prevent a man-in-the-middle attack. Be able to explain how the use of a CA can prevent this attack.
      • Digital Certificate Defined Page
        To understand the concept of a digital certificate read this short article. Who typically grants a digital certificate and what is included with the certificate?
      • Digital Certificate Page
        To understand more about the digital certificate process, watch this video. What is the purpose of a digital certificate? Which key is used to create the digital certificate?

    • Unit 5 Assessment

      • Unit 5 Assessment Quiz
        Receive a grade

        Take this assessment to see how well you understood this unit.

        • This assessment does not count towards your grade. It is just for practice!
        • You will see the correct answers when you submit your answers. Use this to help you study for the final exam!
        • You can take this assessment as many times as you want, whenever you want.