Which of the following is an example of something you have authentication?

People often confuse two-factor authentication with dual authentication. Dual authentication is basically using any two forms of authentication in conjunction. For dual authentication, it doesn’t matter if these two forms of authentication are from the same factor or not. For example, requiring two passwords would be dual authentication, but it would not be considered two-factor authentication. In order for authentication to be truly two-factor, you must use authentication methods that are classified in two different factors.

Multifactor authentication is often used in situations where more stringent security is required. For example, you may require multifactor authentication when using a Virtual Private Network (VPN) to access your organization’s internal network. In cases like these, you want to take extra precautions to ensure the right person is accessing the network.

URL: https://www.sciencedirect.com/science/article/pii/B9780124071896000029

Introduction to General Security Concepts

Derrick Rountree, in Security for Microsoft Windows System Administrators, 2011

Multifactor Authentication

Multifactor authentication gets its name from the use of multiple authentication factors. So, what is a factor? You can think of a factor as a category of authentication. There are three authentication factors that can be used: something you know, something you have, and something you are. Something you know would be a password, a birthday, or some other personal information. Something you have would be a one-time use token, a smart card, or some other artifact that you might have in your physical possession. Something you are would be your biometric identity, like a fingerprint or a speech pattern. In order for something to be considered multifactor authentication, it must make use of at least two of the three factors mentioned.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495943000016

Biometric Authentication for SCADA Security

Jack Wiles, in Techno Security's Guide to Securing SCADA, 2008

Solutions Fast Track

Understand the Strengths and Weaknesses of Biometric Solutions

Know that biometrics is appropriate only in limited circumstances in SCADA security.

Analyze the number of authentication factors needed.

Make realistic choices concerning the physical traits measured for identity.

Choose Biometric Technology That Matches Your Security Priorities

Is speed of access or certainty of authentication more important?

What current, cost-effective product meets your company's needs?

Factor complexity and environmental concerns into your decision.

Learn About Your Biometric System's Vulnerabilities

Systems measuring physical characteristics external to the body may be fooled by presenting a false sample.

Biometric systems may be attacked through their software systems.

Data and software integrity is critical and must be monitored and confirmed on a regular basis in biometric scanning and comparison systems.

Prepare for Social and Legal Changes

Some people refuse to provide invasive biometric samples for any purpose, including security.

Current U.S. law contains loopholes relating to storage and use of physical data for security purposes.

Expect changes in law and regulation of biometrics that could affect the use of this technology in your SCADA security system.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492829000087

Authentication Systems

Christophe Kiennert, ... Pascal Thoniel, in Digital Identity Management, 2015

3.2.3.2 Hardware OTPs

OTPs are currently most widely used for two-factor authentication, i.e. in addition to another authentication factor. Protocols such as S/KEY, where a user may be identified by simply supplying a correct OTP, are no longer particularly popular.

Two-factor authentication using an OTP can take a number of forms, but the most widely (and almost exclusively) used versions involve a combination of “what the user knows” and “what the user has”. Generally, “what the user possesses” is a hardware element, such as an RSA SecurID token, and “what the user knows” is the OTP generated by the token, generally in addition to a token-specific Personal Identification Number (PIN) held by the user.

OTP calculation generally involves a time stamp, deduced from synchronization with the server. The user obtains an OTP that is only valid for a short period, between 30 sec and 1 min. All tokens must be initialized with a different seed in order to prevent multiple tokens producing the same OTP for the same time period.

The use of dedicated equipment with physical and logical countermeasures means that hardware OTPs offer an additional layer of protection during authentication. The limited validity period for an OTP also invalidates phishing or replay attacks. However, this also imposes constraints on the user, first in financial terms, due to the cost of hardware, and in practical terms, as authentication will not be possible if the user forgets or loses their token.
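The time-synchronized token scheme described above, as an added example rather than code from the chapter or from any vendor's product: an HMAC-based time OTP (the RFC 6238 construction, assumed here in place of any proprietary token algorithm) with a different seed per token, and a server-side verifier that tolerates one step of clock drift and refuses a code whose time step has already been accepted, so a code captured during its short validity window cannot be replayed. Token ids and seeds are constructed values.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # one OTP is valid for a single 30-second time step
DIGITS = 6

# Constructed per-token seeds (hypothetical): every token is initialised with a
# different secret so that two tokens never emit the same OTP for the same period.
TOKEN_SEEDS = {
    "token-0001": bytes(range(1, 21)),
    "token-0002": bytes(range(101, 121)),
}


def totp(seed: bytes, timestamp: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """OTP for the time step containing `timestamp`: HMAC-SHA1 over the step counter,
    dynamically truncated to `digits` decimal digits (RFC 4226/6238 construction)."""
    counter = timestamp // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side of the exchange. It recomputes the OTP for the current step and its
    neighbours (clock drift) and remembers the last step accepted per token, so an OTP
    observed during its validity window is rejected if presented a second time."""

    def __init__(self, seeds: dict, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.seeds = seeds
        self.step = step
        self.drift_steps = drift_steps
        self.last_accepted = {}   # token id -> highest step counter already spent

    def verify(self, token_id: str, code: str, now: int) -> bool:
        seed = self.seeds.get(token_id)
        if seed is None:
            return False
        current = now // self.step
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            expected = totp(seed, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                # A step at or below the last accepted one has already been used: replay.
                if counter <= self.last_accepted.get(token_id, -1):
                    return False
                self.last_accepted[token_id] = counter
                return True
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Walk one token through a fresh login, a replay of the same code, and an expired code."""
    verifier = OtpVerifier(TOKEN_SEEDS)
    code = totp(TOKEN_SEEDS["token-0001"], now)          # what the token displays
    return {
        "fresh_code_accepted": verifier.verify("token-0001", code, now + 5),
        "replay_rejected": verifier.verify("token-0001", code, now + 10),
        "expired_code_rejected": verifier.verify("token-0001", code, now + 3 * STEP_SECONDS),
    }


if __name__ == "__main__":
    print(demo(int(time.time())))
```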

URL: https://www.sciencedirect.com/science/article/pii/B9781785480041500031

Identification and Authentication

Jason Andress, in The Basics of Information Security (Second Edition), 2014

More advanced

The type of password cracking we are discussing here is called brute force cracking. This involves trying every possible combination of characters that the password could be composed of, in sequence, until we try them all. Given a powerful system on which to run the cracker and a poorly constructed password, this can be a very effective means of recovering passwords. We will discuss this at greater length in Chapter 12. This type of attack can be mitigated by limiting the number of attempts before the user is locked out. The problem with locking users out lies in the impact on productivity and the cost of the administrator's time to subsequently unlock accounts.

In addition to constructing strong passwords, we also need to be careful to practice good password hygiene. One problem with strong passwords is that they can be difficult to remember. This might encourage us to take steps to remember our passwords, such as writing them down and posting them in a handy place, perhaps under our keyboard or on our monitor. This, of course, completely defeats the purpose of having a password if someone comes snooping around our desk.

A number of applications exist, generally under the label of “password managers,” also known as “password safes/wallets” that will help us manage all the logins and passwords we have for different accounts, some as locally installed software and some as Web or mobile device applications. There are a number of arguments for and against such tools, but when they are used carefully, they can be of assistance in maintaining good password hygiene.

Another password security issue is manual synchronization of passwords—in short, using the same password everywhere. If we use the same password for our e-mail, for our log-in at work, for our online knitting discussion forum, and everywhere else, we are placing the security of all our accounts with each system owner where we use the same password. If any one of them is compromised and its password exposed, we have a serious problem. All an attacker needs to do is look up our account name, luv2knit, on the Internet to find some of the places where the same name is used and start trying our default password. By the time the attacker gets into our e-mail account, the game is over.

Biometrics

When we look at biometrics, we should consider what exactly it is when we use it as an authentication factor. As we discussed in the “Identification” section at the beginning of the chapter, there is a difference between authentication and verification. When we complete an authentication transaction with a biometric identifier, we are essentially asking the user to provide evidence that he or she is who he or she claims to be; this is, by definition, verification, and not authentication. Although some biometric identifiers may be more difficult to falsify than others, this is only due to limitations in today’s technology. At some point in the future, we will need to develop more robust biometric characteristics to measure or stop using biometrics as an authentication mechanism.

URL: https://www.sciencedirect.com/science/article/pii/B9780128007440000026

Identification and Authentication

Jason Andress, in The Basics of Information Security, 2011

Additional Resources

Biometrics-equipped devices and readers are becoming common enough that we have begun to see very inexpensive (less than $20) versions of them on the market. It pays to research such devices carefully before we depend on them for security, as some of the cheaper versions are very easily bypassed.

This being said, we can use biometric systems in two different manners. We can use them to verify the claim of identity that someone has put forth, as we discussed earlier, or we can reverse the process and use biometrics as a method of identification. This process is commonly used by law enforcement agencies to identify the owner of fingerprints that have been left on various objects, and can be a very time-consuming effort, considering the sheer size of the fingerprint libraries held by such organizations. We also see similar use in the comparison of DNA samples taken from suspects in crimes compared to physical evidence recovered from the crime scene.

To use a biometric system in either manner, we need to put the user through the enrollment process. Enrollment involves recording the chosen biometric characteristic from the user—for instance, making a copy of a fingerprint—and recording the characteristic in the system. Processing of the characteristic may also include noting certain parts of the image, depending on the characteristic in question, to use for later matching in the system.

Characteristics

Biometric factors are defined by seven characteristics: universality, uniqueness, permanence, collectability, performance, acceptability, and circumvention [4].

Universality stipulates that we should be able to find our chosen biometric characteristic in the majority of people we expect to enroll in the system. For instance, although we might be able to use a scar as an identifier, we cannot guarantee that everyone will have a scar. Even if we choose a very common characteristic, such as a fingerprint, we should take into account that some people may not have an index finger on their right hand and be prepared to compensate for this.

Uniqueness is a measure of how unique a particular characteristic is among individuals. For example, if we choose to use height or weight as a biometric identifier, we would stand a very good chance of finding several people in any given group who are of the same height or weight. We can select characteristics with a higher degree of uniqueness, such as DNA, or iris patterns, but there is always a possibility of duplication, whether intentional or otherwise.

Permanence tests show how well a particular characteristic resists change over time and with advancing age. If we choose a factor that can easily vary, such as height, weight, or hand geometry, we will eventually find ourselves in the position of not being able to authenticate a legitimate user. We can instead use factors such as fingerprints that, although they can be altered, are unlikely to be altered without deliberate action.

Collectability measures how easy it is to acquire a characteristic with which we can later authenticate a user. Most commonly used biometrics, such as fingerprints, are relatively easy to acquire, and this is one reason they are in common use. If we choose a characteristic that is more difficult to acquire, such as a footprint, the user will need to remove his shoe and sock in order to enroll (and to authenticate again later), which is considerably more troublesome than taking a fingerprint.

Performance is a set of metrics that judge how well a given system functions. Such factors include speed, accuracy, and error rate. We will discuss the performance of biometric systems at greater length later in this section.

Acceptability is a measure of how acceptable the particular characteristic is to the users of the system. In general, systems that are slow, difficult to use, or awkward to use are less likely to be acceptable to the user [5]. Systems that require users to remove their clothes, touch devices that have been repeatedly used by others, or provide tissue or bodily fluids will likely not enjoy a high degree of acceptability.

Circumvention describes the ease with which a system can be tricked by a falsified biometric identifier. The classic example of a circumvention attack against the fingerprint as a biometric identifier is found in the “gummy finger.” In this type of attack, a fingerprint is lifted from a surface, potentially in a covert fashion, and is used to create a mold with which the attacker can cast a positive image of the fingerprint in gelatin. Some biometric systems have features specifically designed to defeat such attacks by measuring skin temperature, pulse, pupillary response, and a number of other items.

Measuring Performance

We can look at many factors when measuring the performance of a biometric system, but a few primary metrics stand out as being particularly important for gauging how well the system is working. False acceptance rate (FAR) and false rejection rate (FRR) are two of these [6]. FAR occurs when we accept a user whom we should actually have rejected. This type of issue is also referred to as a false positive. FRR is the problem of rejecting a legitimate user when we should have accepted him. This type of issue is commonly known outside the world of biometrics as a false negative.

Either of these situations is undesirable in excess. What we try to achieve with such systems is a balance between the two error types, referred to as an equal error rate (EER) [6]. If we plot out both the FAR and FRR on a graph, as we have done in Figure 2.3, the EER is the point where the two lines intersect. EER is sometimes used as a measure of the accuracy of biometric systems.

Figure 2.3. Equal Error Rate
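The FAR/FRR trade-off and the equal error rate, worked as an added example rather than code from the book: the genuine and impostor match scores are constructed values for a hypothetical fingerprint matcher, and both rates are swept over a grid of decision thresholds to find the crossing point that Figure 2.3 plots.

```python
# Constructed similarity scores (0 = no match, 1 = perfect match) from a hypothetical
# fingerprint matcher; they are not measurements of any real system.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.79, 0.76, 0.72, 0.66, 0.61, 0.57, 0.50]   # user vs own template
IMPOSTOR_SCORES = [0.63, 0.59, 0.54, 0.49, 0.45, 0.41, 0.38, 0.33, 0.30, 0.21]  # user vs another's


def false_acceptance_rate(impostor: list, threshold: float) -> float:
    """FAR: share of impostor attempts the system would accept (false positives)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_rejection_rate(genuine: list, threshold: float) -> float:
    """FRR: share of legitimate attempts the system would reject (false negatives)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curves(genuine: list, impostor: list, steps: int = 100) -> list:
    """(threshold, FAR, FRR) for each threshold on a grid. Raising the threshold trades
    false acceptances for false rejections; these are the two curves of Figure 2.3."""
    return [
        (t / steps,
         false_acceptance_rate(impostor, t / steps),
         false_rejection_rate(genuine, t / steps))
        for t in range(steps + 1)
    ]


def equal_error_rate(genuine: list, impostor: list, steps: int = 100) -> tuple:
    """Threshold at which FAR and FRR come closest (the crossing point) and the EER there."""
    t, far, frr = min(error_curves(genuine, impostor, steps), key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2


def threshold_for_max_far(genuine: list, impostor: list, max_far: float, steps: int = 100) -> tuple:
    """Lowest threshold whose FAR stays within max_far, together with the FRR that choice
    costs: the 'certainty of authentication' end of the trade-off."""
    if max_far < 0:
        raise ValueError("max_far must be non-negative")
    for t, far, frr in error_curves(genuine, impostor, steps):
        if far <= max_far:
            return t, frr
    return 1.0, false_rejection_rate(genuine, 1.0)


if __name__ == "__main__":
    print("EER (threshold, rate):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("Zero-FAR operating point (threshold, FRR):",
          threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

With these scores the curves cross at a threshold of 0.58, where both rates are 0.2; demanding no false acceptances at all pushes the threshold to 0.64 and rejects 3 of the 10 genuine attempts.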

Issues

There are several issues common to biometric systems. As we mentioned when discussing circumvention, some biometric identifiers can be easily forged. Given a falsified identifier, we face a problem; we cannot revoke such a characteristic.

Although we can remove the particular identifier from the system and no longer allow it to be used to authenticate a user, in some cases this is not practical. If we look at fingerprints as an example, we find such a commonly used identifier that someone falsely using our fingerprints could cause us great problems. Although we may currently be able to move to stronger biometrics that, at present, are not easily copied, such as an iris pattern, such efforts will not remain beyond the grasp of attackers forever.

We also face possible issues of privacy in the use of biometrics, both as owners of such systems and as users of them. When we are enrolled in a biometric system, we are essentially giving away a copy of whatever identifier is chosen, whether it is a fingerprint, iris pattern, DNA sample, or otherwise. Once such an item has been entered into a computer system, we have little, if any, control over what is done with the material. We can hope that once we are no longer associated with the institution in question, such materials would be destroyed, but we really have no way of guaranteeing this has actually taken place. Particularly in the case of DNA sampling, the repercussions of surrendering genetic material could be an issue hanging over our heads for the rest of our lives.

URL: https://www.sciencedirect.com/science/article/pii/B9781597496537000025

Laying the Groundwork

Derrick Rountree, Ileana Castrillo, in The Basics of Cloud Computing, 2014

Multifactor authentication

One method for ensuring proper authentication security is the use of multifactor authentication. Multifactor authentication gets its name from the use of multiple authentication factors. You can think of a factor as a category of authentication. There are three authentication factors that can be used: something you know, something you have, and something you are. Something you know would be a password, a birthday, or some other personal information. Something you have would be a one-time use token, a smartcard, or some other artifact that you might have in your physical possession. Something you are would be your biometric identity, like a fingerprint or a speech pattern. In order for something to be considered multifactor authentication, it must make use of at least two of the three factors mentioned. For example, when a user attempts to authenticate, he or she may have to enter both their password and a one-time use token code.

Multifactor authentication is being offered by an increasing number of service providers, especially those that store sensitive data. Often this advanced functionality is not advertised prominently by cloud providers. So, if you feel that multifactor authentication is necessary in your deployment, you should ask the provider about it.

URL: https://www.sciencedirect.com/science/article/pii/B9780124059320000025

Interoperability

Ian H. Witten, ... David M. Nichols, in How to Build a Digital Library (Second Edition), 2010

7.5 Authentication and Security

As discussed in Section 2.2, it is sometimes necessary to restrict access to parts of a digital library. Threats to the integrity of a digital library arise from human hackers (or crackers) and from the destructive programs they create, such as viruses and worms. Library administrators will almost always need to restrict access to the administrative functions of the software (the only possible exceptions might be public-editing open-content systems like Wikipedia). In some cases they will also need to restrict access to the content. Some of these restrictions are inevitable once a collection is placed on a network. Collection maintenance relies on the security of the underlying library software and of the associated applications, such as Web servers.

The next general step is to ensure that the content that is placed on your network-facing server is content that you really want to share. Many users place private documents on Web servers where they think they are concealed, but simple searches for terms like confidential and not for distribution show that Web servers and Web-indexing robots often conspire to reveal such documents. Once you have organized your content, arranged for regular and reliable backups, and changed any default passwords in your software, you are ready to consider how to configure access to your particular services.

Computer users are accustomed to providing usernames and passwords to log in to systems or gain access to resources. The username and password pair authenticates a person to the system, which then grants some privileges to the person. The password is an authentication factor. Authentication factors can be classified into three groups:

something you know: a password or personal identification number (PIN);

something you have: a token, such as bank card;

something you are: biometrics, such as fingerprints and voice recognition.

Sometimes the factors are combined. Using a bank card in an ATM is two-factor authentication: the card and the PIN. The more authentication factors used, the harder it is to bypass the authentication. But greater security is accompanied by increasingly complex access. This complexity is often desirable: we want it to be difficult to launch a nuclear missile, so we accept that launch systems should have complex multi-factor authentication. For users of Web-based systems, the one-factor pair of username and password is the de facto norm, but the appropriate level of authentication depends on the nature of the content or service. For example, the administrative functions of a digital library could require that access be from a particular network (e.g., a university campus) as well as be password-protected.

For something you know authentication factors to be effective, the something has to remain private—if others know your password, they can pretend to be you. When private data is used to authenticate over a network, it must be transmitted using a protocol that hides that data. On the Web, URLs that begin with https:// initiate a connection using the Hypertext Transfer Protocol Secure (HTTPS). HTTPS takes normal HTTP data and encrypts it to prevent third parties from observing the requests and responses, using a cryptographic protocol such as Secure Sockets Layer (SSL) or its successor Transport Layer Security (TLS). Many Web browsers show a padlock icon when an HTTPS session is in progress, and most users are now generally aware that this indicates a secure connection.

Once the username and password have been securely transmitted to the digital library software, they need to be checked against a register, or directory, of valid usernames and passwords. A digital library system could manage this process itself or use an external module that provides a directory service. Many directory services support the widely used Lightweight Directory Access Protocol (LDAP) to manage user data; LDAP can be accessed by e-mail clients as well as other applications. Implementations of LDAP, including encryption, are available for many platforms and are often integrated into other applications, such as the Apache Web server.

The appropriate level of authentication for a digital library needs to balance the value of identifying users with the costs imposed by the authentication mechanisms. If restrictions are imposed on the content of passwords, they become burdensome for users to remember. If users are forced to choose a new password for every service they use, they are likely to simply re-use the same password. Some users react to password restrictions by writing them down on sticky notes attached to their displays, negating the security benefits. Because many services ask users to create usernames and passwords, an approach for reducing username/password overload has been devised, called single sign-on.

True single sign-on allows one set of authentication details to be used by many different services; users enter their credentials just once. Single sign-on is often adopted within organizations to reduce password overload and to lower barriers to access. There is no widely used single sign-on technology on the Internet. A related idea, sometimes also referred to as single sign-on, allows users to have one username/password pair for many different services. Although users still have to log in many times, they can do so with a single identity.

The OpenID standard is a mechanism for using one digital identity on the Web. A user first registers with an OpenID provider and generates an OpenID identifier (which can be a URL). A Web site that adopts this authentication process asks users for their identifier and redirects them to the provider to enter their password. The provider checks the password and sends a message back to the site to confirm the login. When many sites support OpenID, users can simply re-use their identifier without needing to remember many usernames and passwords. At the time of writing, OpenID claims tens of thousands of Web sites and hundreds of millions of users.

An alternative solution to password overload is the Shibboleth system, which is based on the Security Assertion Markup Language (SAML). SAML is a standard built on top of HTTP, XML Schema, and SOAP that uses XML to express statements about authentication and authorization. Shibboleth is broadly similar to OpenID but in practice it is usually institutionally oriented, because the server that authenticates your identity is managed by your organization. For example, a university might vouch for your online identity—a situation that is particularly useful for access to high-value resources where institutional weight enhances trust. Whereas your Shibboleth access may continue only so long as you remain with the same institution, OpenID is potentially a user-focused lifelong identity solution. However, given the speed with which the Web changes, reliable predictions are difficult to make.

Most digital library software comes with either a built-in authentication infrastructure or the ability to connect to existing external systems. Here are some practical suggestions for designing authentication for digital library collections:

Ensure that the system uses HTTPS connections on the Web to reassure users who are familiar with this idea.

Use organizational single sign-on systems wherever possible.

Consider cross-domain systems, such as Shibboleth or OpenID, to reduce barriers to access for external users.

Once everything has been set up, do not forget the ongoing maintenance element, which requires:

updating software with security patches and newer versions,

maintaining the user database as people leave and arrive,

checking that backups are really working, and

regularly checking your system's log files (and those of any associated Web servers) to monitor usage.

The security and integrity of a digital library system and its content are an ongoing concern, not just a one-off task. Backups are particularly important: The very term “library” encourages users to think that, as in a physical library, every precaution is taken not to lose material, and backups are insurance policies—people usually need backups only in a time of crisis, which is not a good moment to discover that something has gone wrong.

Which of the following is an example of an authentication protocol?

CHAP, the Challenge Handshake Authentication Protocol, authenticates a user or a network host to entities like Internet access providers. CHAP periodically verifies the identity of the client by using a three-way handshake; the verification is based on a shared secret.
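The three-way handshake above, as an added example and not code from any of the cited chapters: both sides of a CHAP exchange using the MD5 response algorithm of RFC 1994, a fresh random challenge and identifier per round, and a verifier that consumes each challenge once, so a response observed on the wire is useless in any later round. The peer name and shared secret are constructed values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || Secret || Challenge), the CHAP-with-MD5 algorithm of RFC 1994."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The access server: sends step 1 (Challenge) and decides step 3 (Success/Failure)."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # peer name -> shared secret, provisioned out of band
        self.pending = {}           # identifier -> outstanding challenge
        self.identifier = 0

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF   # new identifier for every challenge
        chal = os.urandom(16)                             # unpredictable and never reused
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)        # each challenge is answerable once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


class Peer:
    """The client: answers step 2 (Response) from the shared secret; the secret itself
    never crosses the link, only the hash over it and the challenge does."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(peer: Peer, auth: Authenticator) -> tuple:
    """One CHAP round. Returns (success, on_the_wire) where on_the_wire is the response
    message as an observer would see it, kept so the re-use check below can be shown."""
    ident, chal = auth.challenge()              # 1. Challenge
    name, resp = peer.respond(ident, chal)      # 2. Response
    return auth.verify(ident, name, resp), (ident, name, resp)   # 3. Success / Failure


def demo() -> dict:
    secret = b"constructed-shared-secret"      # hypothetical secret shared out of band
    auth = Authenticator({"alice": secret})
    alice = Peer("alice", secret)
    wrong_peer = Peer("alice", b"not-the-secret")   # claims the name, lacks the secret
    ok1, on_the_wire = run_handshake(alice, auth)
    ok2, _ = run_handshake(alice, auth)        # periodic re-verification: fresh challenge
    return {
        "legitimate_peer": ok1,
        "reverified_later": ok2,
        "wrong_secret": run_handshake(wrong_peer, auth)[0],
        "reused_response": auth.verify(*on_the_wire),
    }


if __name__ == "__main__":
    print(demo())
```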

What are the 5 factors of authentication?

The five main authentication factor categories are knowledge factors, possession factors, inherence factors, location factors, and behavior factors.

Which authentication factor is an example of somewhere you are?

Some experts argue that more than three factors of authentication exist and enumerate authentication factors such as the Location Factor (somewhere you are), the Time Factor (what time is it), and the Behavior Factor (something you do).

Which of the following is the most common form of authentication?

Passwords are the most common form of authentication.