Levels of multifactor authentication

pcbinary, June 27, 2021



Digital authentication

The term digital authentication, also known as electronic authentication or e-authentication, refers to a group of processes where the confidence for user identities is established and presented via electronic methods to an information system. The digital authentication process creates technical challenges because of the need to authenticate individuals or entities remotely over a network. The American National Institute of Standards and Technology (NIST) has created a generic model for digital authentication that describes the processes that are used to accomplish secure authentication:

1. Enrollment – an individual applies to a credential service provider (CSP) to initiate the enrollment process. After successfully proving the applicant's identity, the CSP allows the applicant to become a subscriber.
2. Authentication – after becoming a subscriber, the user receives an authenticator, e.g., a token, and credentials, such as a user name. He or she is then permitted to perform online transactions within an authenticated session with a relying party, where they must provide proof that he or she possesses one or more authenticators.
3. Life-cycle maintenance – the CSP is charged with the task of maintaining the user's credential over the course of its lifetime, while the subscriber is responsible for maintaining his or her authenticator(s).[2][13]

The authentication of information can pose special problems with electronic communication, such as vulnerability to man-in-the-middle attacks, whereby a third party taps into the communication stream and poses as each of the two other communicating parties in order to intercept information from each. Extra identity factors can be required to authenticate each party's identity.

Continuous authentication

Conventional computer systems authenticate users only at the initial log-in session, which can be the cause of a critical security flaw. To resolve this problem, systems need continuous user authentication methods that continuously monitor and authenticate users based on some biometric trait(s). A study used behavioural biometrics based on writing styles as a continuous authentication method.[9][10]

Recent research has shown the possibility of using smartphones' sensors and accessories to extract some behavioral attributes such as touch dynamics, keystroke dynamics and gait recognition.[11] These attributes are known as behavioral biometrics and could be used to verify or identify users implicitly and continuously on smartphones. The authentication systems that have been built based on these behavioral biometric traits are known as active or continuous authentication systems.[12][10]


Product authentication

Counterfeit products are often offered to consumers as being authentic. Counterfeit consumer goods such as electronics, music, apparel, and counterfeit medications have been sold as being legitimate. Efforts to control the supply chain and educate consumers help ensure that authentic products are sold and used. Even security printing on packages, labels, and nameplates, however, is subject to counterfeiting.[14]

Products or their packaging can include a variable QR Code. A QR Code alone is easy to verify but offers a weak level of authentication as it offers no protection against counterfeits, unless scan data is analysed at the system level to detect anomalies.[15] To increase the security level, the QR Code can be combined with a digital watermark or copy detection pattern that are robust to copy attempts, and can be authenticated with a smartphone.

A secure key storage device can be used for authentication in consumer electronics, network authentication, license management, supply chain management, etc. Generally the device to be authenticated needs some sort of wireless or wired digital connection to either a host system or a network. Nonetheless, the component being authenticated need not be electronic in nature, as an authentication chip can be mechanically attached and read through a connector to the host, e.g. an authenticated ink tank for use with a printer. For products and services that these secure coprocessors can be applied to, they can offer a solution that can be much more difficult to counterfeit than most other options while at the same time being more easily verified.[citation needed]

Access control

One familiar use of authentication and authorization is access control. A computer system that is supposed to be used only by those authorized must attempt to detect and exclude the unauthorized. Access to it is therefore usually controlled by insisting on an authentication procedure to establish with some degree of confidence the identity of the user, granting privileges established for that identity.

The problems with password-based security and counter-measures


One of the main troubles with passwords is that most users either don't understand how to make strong and memorable passwords or underestimate the need for security. Extra rules that increase complexity are seen to drive call volumes for password-related issues to help desks proportionately. This problem can result in IT and management letting password standards slip, and as a result passwords of shorter length and complexity tend to happen, such as simple seven-character words. These passwords can be cracked in a matter of a few short minutes, making them almost as ineffective as no password at all or a password that is discovered from a sticky note, either in use or carelessly discarded. While those avenues need to be guarded against, passwords also need to be less predictable to machines. A test of password entropy predicts how difficult a given password would be to crack through guessing, brute force cracking, dictionary attacks or other common methods.

While it is clear that passwords need more entropy to be less predictable, employees need to be trained to create passwords with entropy that they can actually remember. Throwing a number of rules at employees often makes for passwords no one remembers. Length is perhaps even more important in creating entropy; users should be encouraged to create long but memorable phrases. The addition of capitals, numerals and perhaps a few special characters greatly increases entropy due to the larger character set. Password meters have been shown to be effective at motivating users to create stronger passwords, especially those that show a live updated numerical rating.

Still, passwords may be cracked by brute force, dictionary and rainbow table attacks once an attacker captures the password database that resides on the protected computer.
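As an added example (not from the original article), the entropy reasoning above in code: the brute-force estimate log2(charset^length), a passphrase model so that dictionary words are not over-credited, and the resulting crack time at the 500,000,000 guesses per second the article quotes for lower-end gaming hardware. The character classes, the 7776-word list size and the sample passwords are assumptions constructed for the example.

```python
import math
import string

# Character classes the article names (space counted as a symbol so that
# phrases can be scored); the 7776-word list size is an assumption (Diceware).
CLASSES = (set(string.ascii_lowercase), set(string.ascii_uppercase),
           set(string.digits), set(string.punctuation + " "))
WORDLIST_SIZE = 7776
# Guess rate the article quotes for GPGPU cracking on lower-end gaming hardware.
GUESSES_PER_SECOND = 500_000_000


def charset_size(password):
    """Size of the smallest alphabet covering every character used."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_bits(password):
    """Classic estimate log2(charset ** length) for a random string. It is an
    upper bound: a dictionary word is far weaker than this number suggests."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def passphrase_bits(password):
    """Entropy if the input is a space-separated run of plain words, each drawn
    from a word list of WORDLIST_SIZE. None when that model does not apply."""
    words = password.split(" ")
    if len(words) < 2 or not all(w.isalpha() for w in words):
        return None
    return len(words) * math.log2(WORDLIST_SIZE)


def entropy_bits(password):
    """Take the weaker of the two models so phrases are not over-credited."""
    brute, phrase = brute_force_bits(password), passphrase_bits(password)
    return brute if phrase is None else min(brute, phrase)


def crack_seconds(password, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password after searching half the space."""
    return 2 ** entropy_bits(password) / 2 / rate


if __name__ == "__main__":
    # A short lowercase word, a short "complex" password and a four-word phrase.
    for pw in ("passwrd", "P@ss7!", "warm radiator cat naps"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, ~{crack_seconds(pw):,.0f} s")
```

The seven lowercase characters fall in seconds, the six-character mixed password in minutes, and the four-word phrase in weeks, which is the article's point that length buys more than symbol rules.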
Administrators also have to do their part to protect passwords from dictionary attacks, for example by adding random characters to each password before it is hashed, so that precomputed dictionary attacks become far less effective, a technique known as password salting.

With the speeds of CPUs today, brute force attacks pose a real threat to passwords. With developments like massively parallel general-purpose graphics processing (GPGPU) password cracking and rainbow tables, it's possible for hackers to produce more than 500,000,000 passwords per second, even on lower-end gaming hardware. Depending on the particular software, rainbow tables can be used to crack 14-character alphanumeric passwords in about 160 seconds. Rainbow tables achieve this by comparing the password database to a table of all possible encryption keys. This hugely memory-intensive task is only possible because of the increasing amount of memory in computers. The threats continually become more advanced: now purpose-built FPGA cards offer ten times the performance at a minuscule fraction of a graphics processing unit's (GPU) power draw. A password database doesn't stand a chance when it is a real target of interest against an attacker with extensive compute and technical resources.

Social engineering is a major threat to password-based authentication systems. To decrease its social engineering attack surface, an organization must train all users, from management to staff. Password strength means nothing if an attacker tricks a user into divulging it. Even IT staff, if not properly trained, can be exploited with invalid password-related requests. All employees must be aware of phishing tactics, where false emails and forged websites may be used to acquire sensitive information from an unwitting recipient. Other threats, such as Trojans, may also come in email messages. In short, passwords are one of the most easily stolen or broken types of authentication.

The bottom line?
Password-based security may be adequate to protect systems that don't require high levels of security, but even in those cases constraints should be enforced to make them reasonably stringent. And for any system that needs high security, stronger authentication methods should be used.
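The salting counter-measure this section describes, as an added example that is not from the original article: an unsalted fast hash beside a salted, iterated PBKDF2 store, with a check of how many accounts one shared lookup table recovers from each. The user records, the wordlist and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample password database (not real data); two users chose the
# same password, a common situation that unsalted storage exposes at a glance.
USERS = {"alice": "Summer2021", "bob": "Summer2021", "carol": "Tr0ub4dor&3"}
# Constructed attacker wordlist standing in for a precomputed (rainbow) table.
WORDLIST = ["password", "Summer2021", "letmein", "qwerty123"]
ITERATIONS = 600_000  # PBKDF2 work factor; raise it as guess rates grow

def unsalted_hash(password):
    """Weak scheme: one fast hash, no salt. Equal passwords give equal digests,
    so a single precomputed table covers every user (and every site) at once."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated scheme: a random per-user salt is stored beside the
    digest, and PBKDF2-HMAC-SHA256 makes each guess cost `iterations` hashes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def build_database(users, hasher):
    """Store one digest per user with the given scheme."""
    return {name: hasher(pw) for name, pw in users.items()}

def duplicate_digests(db):
    """Repeated stored values: each repeat is a free extra account for a cracker."""
    values = list(db.values())
    return len(values) - len(set(values))

def table_hits(db, wordlist, hasher):
    """Accounts recovered by one shared lookup table built from `wordlist`.
    Salting defeats this: the table would have to be rebuilt for every salt."""
    table = {hasher(pw): pw for pw in wordlist}
    return sorted(name for name, stored in db.items() if stored in table)
```

Against the unsalted store the shared table recovers both users who picked the common password; against the salted store it recovers none, and each remaining guess costs the full iteration count.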

Levels of multifactor authentication


A 2FA system strengthens security by requiring the user to provide dual means of identification from separate categories. Typically, one proof of identity is a physical token, such as an ID card, and the other is something memorized, such as a security code or password. The second factor helps to ensure that, even if an intruder steals a user password, they would also have to access the physical device to get into the user account.

3FA adds another factor for further difficulty in falsifying authentication. Typically a biometric trait measurement is added for the inherence factor. Such a system verifies that the person logging in knows the password, has their ID card and that their fingerprint matches the stored record.

4FA ups the authentication ante again, taking four unique factors of authentication. Breaking the security starts to seem like mission impossible: a spy using a portable compute device to hack a password, while plugging in a cloned USB token, and finally presenting the matching employee's eye for a retina scan.

A five-factor authentication system would use the three commonly used factors (knowledge, possession and inherence) plus location and time. In such a system, a user has to reproduce something he knows or remembers, provide proof that he has some item with him, provide a biometric sample for matching and have his location verified, all within allowed times, before he is granted access.

From that last scenario, it's easy to see how increasing the number of factors involved makes authentication more difficult to fake. That's why single-factor authentication (SFA) has largely been abandoned and replaced with risk-appropriate levels of multifactor authentication.

Glossary | NIST

This glossary contains brief descriptions of commonly used cybersecurity and related technology terms. Unless otherwise noted, definitions have been adapted from terms in the NIST Computer Security Resource Center Glossary.
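Returning to the multifactor levels above for one added example (not from the original page) before the glossary entries: a policy check that counts only distinct factor categories, so a password plus a security question does not make 2FA, and that adds the location and allowed-time checks of the five-factor scenario. Authenticator names, sites and clock readings are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Category of each authenticator type; the type names are constructed here.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "id_card": "possession", "usb_token": "possession", "otp_app": "possession",
    "fingerprint": "inherence", "retina": "inherence",
}

@dataclass(frozen=True)
class Policy:
    required_factors: int                   # 2 for 2FA, 3 for 3FA, and so on
    allowed_sites: frozenset = frozenset()  # empty: location factor not used
    window: tuple = None                    # (start, end) clock times; None: time factor not used

def distinct_factors(verified):
    """Count distinct categories among authenticators that passed their checks.
    A password plus a security question is still one knowledge factor."""
    return len({CATEGORY[name] for name in verified})

def decide(policy, verified, site=None, now=None):
    """Return (granted, reason). `verified` lists authenticator names whose own
    checks already succeeded; `site` and `now` feed the location and time factors."""
    categories = {CATEGORY[name] for name in verified}
    if policy.allowed_sites:
        if site not in policy.allowed_sites:
            return False, "location not allowed"
        categories.add("location")
    if policy.window is not None:
        start, end = policy.window
        if now is None or not start <= now.time() <= end:
            return False, "outside allowed time window"
        categories.add("time")
    if len(categories) < policy.required_factors:
        return False, f"{len(categories)} of {policy.required_factors} factor categories presented"
    return True, "granted"

# Constructed policies and clock readings: plain 2FA, and the article's
# five-factor scenario (knowledge, possession, inherence, location, time).
TWO_FACTOR = Policy(required_factors=2)
FIVE_FACTOR = Policy(required_factors=5, allowed_sites=frozenset({"HQ"}),
                     window=(time(8, 0), time(18, 0)))
WORK_HOURS = datetime(2021, 6, 27, 9, 30)
AFTER_HOURS = datetime(2021, 6, 27, 23, 0)

if __name__ == "__main__":
    print(decide(TWO_FACTOR, ["password", "security_question"]))
    print(decide(FIVE_FACTOR, ["password", "id_card", "fingerprint"], site="HQ", now=WORK_HOURS))
```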

Cybersecurity


An approach or series of steps to prevent or manage the risk of damage to, unauthorized use of, exploitation of, and—if needed—to restore electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity, and availability of these systems.

Encryption


The transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called "decryption," which is a transformation that restores encrypted data to its original state.

Information Security


The approach to protect and manage the risk to information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

NIST Cybersecurity Framework


A widely used, risk-based approach to managing cybersecurity composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Cybersecurity Framework includes references to standards, guidelines, and best practices. The Framework is voluntary for private sector use; federal agencies must use this risk management approach.

Physical Security/Safeguards


Physical measures, policies, and procedures to protect an entity's electronic information systems and related buildings and equipment from natural/environmental hazards and unauthorized intrusion.
