Methods of Authentication
Site: Saylor Academy
Course: CS406: Information Security
Book: Methods of Authentication
Description
This article calls the authentication factors we are familiar with the ownership factor, knowledge factor, and inherence factor. These names relate to something you have, something you know, and something you are, respectively.
The ways in which someone may be authenticated fall into three categories, known as the factors of authentication:
- The ownership factor - Something the user has
- The knowledge factor - Something the user knows
- The inherence factor - Something the user is or does
Each authentication factor covers a range of elements used to authenticate or verify a person's identity prior to being granted access, approving a transaction request, signing a document or other product, granting authority to others, or establishing a chain of authority.
Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified.
Source: https://csf102.dfcsc.uri.edu/wiki/System_Fundamentals_For_Cyber_Security/Authentication/Methods_of_Authentication
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Ownership Factor
Security Token
A security token may be a physical device that an authorized user is given to ease authentication. It acts as an electronic key to access something. Examples include:
- USB Devices
- Key Fob
- Smart Card
- RFID Tokens
Software Token
In contrast to hardware tokens, where credentials are stored on a dedicated device, software tokens are stored on general-purpose devices such as mobile phones.
Knowledge Factor
Password
A password is the most common form of authentication in use on computer systems. It is simply a word or string of characters known by the user that is used for authentication. Some passwords are formed from multiple words and may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.
Most organizations specify a password policy that sets requirements for the composition and usage of passwords, typically dictating minimum length, required characters (e.g. upper and lower case, numbers, and special characters), and prohibited elements (e.g. own name, D.O.B., address, telephone number). Some governments have national authentication frameworks that define requirements for user authentication to government services, including requirements for passwords.
Password Cracking
Attempting to crack passwords by trying as many possibilities as time and resources permit is known as a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.
Password strength is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Passwords easily discovered are termed weak or vulnerable; passwords very difficult or impossible to discover are considered strong. There are several programs available for password attack (or even auditing and recovery by systems personnel), some of which use password design vulnerabilities to increase efficiency. These programs are sometimes used by system administrators to detect weak passwords proposed by users.
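The password policy elements listed under Password and the weak-password detection described above can be combined into one check run when a user proposes a password. The following is an added example, not part of the original article; the function name `check_password`, the 12-character minimum, the small common-password list and the sample user record are all assumptions made for illustration.

```python
import re

# Constructed sample data; a real deployment would load a large common-password list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "123456", "welcome"}
SAMPLE_USER = {"name": "Alice Example", "date of birth": "1990-04-17",
               "telephone number": "555-0100"}
# Character substitutions that cracking tools undo, so "p@ssw0rd" reads as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})
CLASSES = {"upper-case letter": r"[A-Z]", "lower-case letter": r"[a-z]",
           "number": r"[0-9]", "special character": r"[^A-Za-z0-9]"}


def check_password(candidate, personal, min_length=12):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < min_length:  # min_length=12 is an assumed policy value
        problems.append(f"shorter than {min_length} characters")
    for label, pattern in CLASSES.items():
        if not re.search(pattern, candidate):
            problems.append(f"missing {label}")

    # Prohibited elements: compare words case-insensitively and numbers by digits only,
    # so "1990-04-17" is also caught when typed as "19900417".
    lowered = candidate.lower()
    digits = re.sub(r"\D", "", candidate)
    for label, value in personal.items():
        words = re.findall(r"[a-z]{3,}", value.lower())
        value_digits = re.sub(r"\D", "", value)
        if any(w in lowered for w in words) or (len(value_digits) >= 4 and value_digits in digits):
            problems.append(f"contains {label}")

    # Dictionary check: drop trailing digits and symbols, then reverse substitutions.
    core = re.sub(r"[^a-z]+$", "", lowered).translate(LEET)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("based on a common password")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "alice1990", "Blue-Kettle-19900417", "Tr0ub4dor&3-Horse-Staple"):
        print(pw, "->", check_password(pw, SAMPLE_USER) or "ok")
```

The first sample satisfies every composition rule yet is still rejected, which is why a dictionary check belongs alongside length and character-class requirements.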
Inherence Factor
The inherence factor generally relates to the use of biometric data or some form of visual or audio recognition.
Examples include:
- Fingerprint scanners
- Retinal pattern
- DNA sequence
- Voice recognition
- Facial recognition