2.4 Authentication and Authorization Design Concepts

Question 1

What is the best way to mitigate risks when using directory services in an application?

Answer 1

Use a single database

Each user should only have 1 set of credentials

Question 2

Allows network access to other third-parties such as vendors, suppliers, etc. Third parties must establish a trust relationship with your network.

Answer 2

Federation

Question 3

Verification that hardware on your network actually belongs to you. Can be set up to send operational reports to your server and can be encrypted using the TPM.

Answer 3

attestation

Question 4

Why are SMS authentication methods vulnerable to login attacks?

Answer 4

Phone numbers can be spoofed

SMS messages can be redirected

Question 5

Involves receiving an authentication notification on your phone. More secure than SMS.

Question 6

Psuedo-random token generator on your phone to provide MFA.

Answer 6

Authentication app

Question 7

A secret key generator for authentication that uses a secret key plus the time of day. Timestamp is synced with an NTP server and increments every 30 seconds. Utilized by Google, Facebook, Microsoft, etc.

Answer 7

Time-based One-time Password algorithm (TOTP)

Question 8

Authentication method that uses an encrypted key and a sequenced counter to generate a hashed one-time password.

Answer 8

HMAC (Keyed-Hash message authentication code)

Question 9

Authentication factors that don’t change such as a PIN number.

Answer 9

Static code

Question 10

Name the 7 most common biometric authentication factors used.

Answer 10

Fingerprint

Retinal

Iris

Voice

Facial

Gait

Vein Patterns

Question 11

What is the crossover error rate (CER) of a biometric authentication method in regards to the sensitivity of the scan?

Answer 11

Where the false acceptance rate (FAR) and the False rejection rate (FRR) meet

Strikes balance between sensitivity and errors

Question 12

What are the 3 A’s of the AAA framework?

Answer 12

Authentication - proof you are who you say you are

Authorization - your allowed access

Accounting - resource tracking

Question 13

What are the 3 MFA factors?

Answer 13

Something you know

Something you have

Something you are

Question 14

What are the 4 MFA Attributes?

Answer 14

Somewhere you are

Something you can do

Something you exhibit

Someone you know

Question 15

Example:

Password

PIN

Pattern

Answer 15

something you know

Question 16

Example:

smart card

usb token

your phone (sms codes)

Answer 16

something you have

Question 17

Example:

biometric authentication

mathematical storage of biometric data

Answer 17

Something you are

Question 18

Example:

IP address

GPS services

Answer 18

Somewhere you are

Question 19

Example:

handwriting analysis

unique characteristic

Answer 19

something you can do