Difference between revisions of "Authentication Factor"
From MgmtWiki
(→Something you Know) |
(→Something you Have) |
||
| (10 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Authentication Factors== | ==Authentication Factors== | ||
| − | [[Attribute]]s or [[Credential]] that are used in support of [[Authentication]] of a user's [[Identifier]]. | + | [[Attribute]]s or [[Credential]]s that are used in support of [[Authentication]] of a user's [[Identifier]]. |
==Context== | ==Context== | ||
| Line 8: | Line 8: | ||
* Authentication = the establishment of a link between some real-world entity (person or machine) and a digital identity. | * Authentication = the establishment of a link between some real-world entity (person or machine) and a digital identity. | ||
* Machine = any device that can attach to an Internet address. | * Machine = any device that can attach to an Internet address. | ||
| − | * Digital Identity = a [[User Object]] or a list of | + | * Digital Identity = a [[User Object]] or a list of attributes attributed to you in an on-line database. |
* Digital Identifier = a collection of symbols that is used to find your digital identify in a data base | * Digital Identifier = a collection of symbols that is used to find your digital identify in a data base | ||
| − | * Passwordless = any online identification that does not include | + | * Passwordless = any online identification that does not include something you know. (See [https://www.linkedin.com/news/story/the-key-to-a-password-free-future-5775946/ key to a password-free future]) |
==Problems== | ==Problems== | ||
| Line 16: | Line 16: | ||
# Authenticating yourself to a web site over the internet | # Authenticating yourself to a web site over the internet | ||
# Authentication yourself to a physical access device | # Authentication yourself to a physical access device | ||
| + | There are attempts continually being proposed that will prevent [[Authentication Factor]]s from become a loss of [[Privacy]]. This is never completely achieved, but the efforts can mitigate the loss. | ||
==Something you Know== | ==Something you Know== | ||
| − | * This is the oldest factor for creating a digital Identity | + | This section addresses one [[Authentication Factor]] |
| − | # | + | * This is the oldest factor for creating a digital Identity. There are two primary sources of things that you know. |
| − | # | + | # Some attribute that only you would know, like a mother's maiden name or your first pet. |
| − | + | # An unguessable string of symbols that is called a password or pass phrase. | |
| + | Interestingly a collection of unguessable passwords can be put into a password manager on a thumb drive to become something you have. | ||
===Attacks=== | ===Attacks=== | ||
* The most common attack against passwords is to steal a list of passwords (or question answers) from some site that stores them. | * The most common attack against passwords is to steal a list of passwords (or question answers) from some site that stores them. | ||
| − | * One easy attack is brute force guessing of the password, which works well if the | + | * One easy attack is brute force guessing of the password, which works well if the [[Attacker]] has unlisted guess. This can be mitigated if the system does not allow a large number of guesses. |
| − | * Note that when the password is | + | * Note that when the password is hashed and the hash stored rather than the password, only limited protraction is give since the access to the hash allows unlimited brute force guesses. |
* Also if the hash secret is shared as happens on Active Directory sites, the hash along high be sufficient to access another protection zone if the user reused the password. | * Also if the hash secret is shared as happens on Active Directory sites, the hash along high be sufficient to access another protection zone if the user reused the password. | ||
| + | * Another attacked can occur if the same hash secret is used on multiple domains as has happened when a protected domain is created for security purposes. When that is done the token created in the unsecured domain will match one create in the protected domain if the user chooses the same password. This attack has been exploited. | ||
==Something you Have== | ==Something you Have== | ||
| − | Note that this case includes something called cross-device authentication which is logically indistinguishable from this case. | + | This section addresses one [[Authentication Factor]] |
| + | Note that this case includes something called cross-device authentication which is logically indistinguishable from this case. | ||
* Usually a digital artifact that is able to create a one-time access code (aka a one-tine password) | * Usually a digital artifact that is able to create a one-time access code (aka a one-tine password) | ||
===Attacks=== | ===Attacks=== | ||
| − | * Attacker takes the device away from you | + | * [[Attacker]] takes the device away from you |
| − | * Attacker has a device that can spoof a [[Relying Party]] into thinking it is working on your behalf. | + | * [[Attacker]] has a device that can spoof a [[Relying Party]] into thinking it is working on your behalf. |
==Something you Are== | ==Something you Are== | ||
| + | This section addresses one [[Authentication Factor]] | ||
* aka Biometrics, see the wiki pages on [[Biometric Attribute]] and [[Biometric Identifier]] | * aka Biometrics, see the wiki pages on [[Biometric Attribute]] and [[Biometric Identifier]] | ||
Latest revision as of 10:47, 19 December 2023
Contents
Authentication Factors
Attributes or Credentials that are used in support of Authentication of a user's Identifier.
Context
Taxonomy
Applicable only in this wiki page:
- Authentication = the establishment of a link between some real-world entity (person or machine) and a digital identity.
- Machine = any device that can attach to an Internet address.
- Digital Identity = a User Object or a list of attributes attributed to you in an on-line database.
- Digital Identifier = a collection of symbols that is used to find your digital identify in a data base
- Passwordless = any online identification that does not include something you know. (See key to a password-free future)
Problems
- Authenticating yourself to a device in hand
- Authenticating yourself to a web site over the internet
- Authentication yourself to a physical access device
There are attempts continually being proposed that will prevent Authentication Factors from become a loss of Privacy. This is never completely achieved, but the efforts can mitigate the loss.
Something you Know
This section addresses one Authentication Factor
- This is the oldest factor for creating a digital Identity. There are two primary sources of things that you know.
- Some attribute that only you would know, like a mother's maiden name or your first pet.
- An unguessable string of symbols that is called a password or pass phrase.
Interestingly a collection of unguessable passwords can be put into a password manager on a thumb drive to become something you have.
Attacks
- The most common attack against passwords is to steal a list of passwords (or question answers) from some site that stores them.
- One easy attack is brute force guessing of the password, which works well if the Attacker has unlisted guess. This can be mitigated if the system does not allow a large number of guesses.
- Note that when the password is hashed and the hash stored rather than the password, only limited protraction is give since the access to the hash allows unlimited brute force guesses.
- Also if the hash secret is shared as happens on Active Directory sites, the hash along high be sufficient to access another protection zone if the user reused the password.
- Another attacked can occur if the same hash secret is used on multiple domains as has happened when a protected domain is created for security purposes. When that is done the token created in the unsecured domain will match one create in the protected domain if the user chooses the same password. This attack has been exploited.
Something you Have
This section addresses one Authentication Factor
Note that this case includes something called cross-device authentication which is logically indistinguishable from this case.
- Usually a digital artifact that is able to create a one-time access code (aka a one-tine password)
Attacks
- Attacker takes the device away from you
- Attacker has a device that can spoof a Relying Party into thinking it is working on your behalf.
Something you Are
This section addresses one Authentication Factor
- aka Biometrics, see the wiki pages on Biometric Attribute and Biometric Identifier
