Authenticating users

Question 1

Authentication

Answer 1

Process of determining whether someone or something is who or what it declates itself to be

Question 2

Where are users credentials stored for authentication?

Answer 2

Database of authorised, or registered, users

Question 3

Authentication vs Authorisation

Answer 3

Authentication is the process of validating the identity of a registered user before allowing access whereas,
Authorisation is the process of validating that the authenticated user has been granted permission to access the requested resources

Question 4

When can authentication be broken

Answer 4

When an attacker is able to be authenticated as a legitimate user
Happens when the attacker can guess, or brute force credentials.
When credentials are leaked and the attacker gets access

Question 5

Brute force attack

Answer 5

Trying all possible solutions to a problem until a correct solution is found
Can be used to break authentication methods

Question 6

Controlling brute force attacks

Answer 6

Strong password policy
Biometrics - fingerprint scanners
Notification of unrecognised login - users are notified and asked to confirm a login
Comprehensive login process - CAPTCHA(providing user is human) and Two Factor Authentication(more than just a password)
Limiting login attempts - lock user after certain number of attempts

Question 7

Multi-factor authorisation

Answer 7

Requires two or more proofs of identity to authenticate a user
One time passwords or ReCAPTCHA

Question 8

Why use MFA?

Answer 8

Helps prevent someone from signing into a user’s account, even if they know the password.
Passwords can be insecure

Question 9

Strong secondary authentication factors

Answer 9

OTP - one-time password,
Time-based PIN
Digital certificates

Question 10

What is an OTP

Answer 10

One time password - Unique and can only be used once
Usually, a short string of numbers is generated based on a secret stored in a physical device such as a smartphone or USB token

Question 11

Time-based PIN

Answer 11

A sequence of digits which have to be entered within a short window(30 to 60 secs)
Can be generated by a software application or hardware device with a very precise lock

Question 12

Digital certificates

Answer 12

Issued by a trusted certificate authority, is installed on a device or in the users browser
Only browser with valid certificate will be allowed to sign in

Question 13

What do CAPTCHAs provide

Answer 13

Challenges that are difficult for computers to perform but relatively easy for humans

Question 14

Types of CAPTCHA

Answer 14

Text based
Image based
Audio

Question 15

Which is the most difficult type of CAPTCHA for bots but the easiest for humans to interpret

Answer 15

Image-based - as it requires image recognition and semantic classification

Question 16

Advantages of CAPTCHA

Answer 16

Highly effective against all but most sophisticated bad bots

Question 17

Disadvantages of CAPTCHA

Answer 17

Disruptive and frustrating for users
May be difficult to understand or use for some users
Some CAPTCHA types don’t support all browsers
Some CAPTCHA types are not accessible to users who view a website using screen readers or assistive devices
Range of automated technologies, including APIs, browser plug-ins and extensions that enable attackers to bypass or solve CAPTCHA challenges

Question 18

What is a way of stopping brute force attacks

Answer 18

Lockout account after a defined number of incorrect authentication

Question 19

Why is locking out accounts not always the best solution

Answer 19

Because someone could easily abuse the security measure and lock out hundreds of user accounts

Question 20

What are sessions

Answer 20

An object that allows you to store information specific to a user(browser) from one request to the next

Question 21

What does a session persist across requests

Answer 21

A session persists state across requests

Question 22

What form can a session take

Answer 22

A client side cookie or server side token

Question 23

What are users which arent logged in called?

Answer 23

Anonymous - no identity

Question 24

What is a web session

Answer 24

A series of adjoining or connected actions by a user on an individual web application within a given time frame

Question 25

What is any user interaction with a single web application recorded as?

Answer 25

A web session by the application server

Question 26

What do web applications use to respond to the user’s interactions during a web session?

Answer 26

A session ID associated with the user