Authentication Methods

Authentication, Authorization and Accounting (AAA)

• Identification

  • This process  allows us to provide our identity to the system.

  • Our identity may be in form of a username.

• Authentication

  • This process allows us to prove who we are to a system.

  • We may need to provide a password to prove our identity to a computer.

• Authorization

  • Authorization is used to apply policies and privileges to an authenticated users.

  • Determines what a user can and cannot do while logged-in.

  • Network resources are allowed only if the user has the necessary privileges.

• Accounting

  • Keep track or record of all actions performed by a user.

Multifactor Authentication

• Multifactor authentication (MFA) allows a user to enable additional security on their user account to prevent hackers from gaining access.

• MFA allows a user to setup more than one factor that is required to access a user account or system.

• Using a mobile App authenticator such as Google Authenticator can generate unique codes.

• Something you are

  • Biometric

  • Fingerprint

  • Facial recognition

  • Voice

  • Iris and Retina

• Something you have

  • Physical Token

  • Smart card

  • USB Token such as a YubiKey

  • Mobile phone - SMS is sent to your phone

• Something you know

  • Password

  • Passphrase

  • Personal Identification Number (PIN)

  • Pattern - Series of patterns to unlock a device.

• Somewhere you are

  • Uses your geo-location to authenticate to a system

  • Smartphones are able to use the GPS to provide geo-location

• Something you do

  • Your personal method of doing an action.

  • Handwriting

  • Typing

Authentication methods

Directory services

• On small networks, there are many individual systems which are interconnected but those systems and users are not centrally managed.

• On larger networks, a directory server allows system administrations to centrally manage the users, groups, computers, printers, services and even shared resources on the entire network.

• Using directory services, a database is create with accounts for both users and systems.

• System administrators can allow policies to users, groups and devices across an entire network.

• Directory services uses the X.500 standard for performing queries from a client to a directory server.

• Within a directory server, the objects are stored as Distinguished Name (DN).

Federation

• A federation allows you to grant access to resources to other users on another domain.

• Federations are used to allow access to users within another organization.

• This is a trust created between both organizations.

Single sign-on (SSO)

• Login once and access to everything

• The user will not need to reenter their username and password to access any other resources.

Attestation

• Attestation is used to verify a certain configuration should be in a certain state.

 Tokens

• Tokens are objects which are used to allow users to authenticate to a system.

• A token can store information about the user to help the system validate the identity of a user.

• Tokens can be physical such as Yubikey, disconnected such as using an Authenticator App on a mobile device, and contactless such as Near Field Communication (NFC).

Time-based onetime password (TOTP)

• This a type of randomly generated password created by a system for user which can only be used once.

• This password can only be used within a certain time period.

HMAC-based one-time password (HOTP)

• The system uses a secret key together with a random counter to create the HMAC value.

• The HMAC value is then used by the system to create the one time password which can be used only once.

Delivery methods of authentication codes

• Short message service (SMS)

• Static codes

• Authentication applications

• Push notifications

• Phone call

Biometrics

• Allows a user to use something they are to authenticate to a system.

• This type of authentication method is commonly used with Multi-Factor Authentication (MFA).

• Fingerprint

• Retina

• Iris

• Facial

• Voice

• Vein

• Gait analysis - Something you do

• Efficacy rates

• False acceptance rate (FAR) - An unauthorized user is granted access to a system.

• False rejection rate (FRR) - An authorized user has been rejected from the system.

• Crossover error rate (CER) - When the False Acceptance Rate (FAR) and the False Rejection Rate (FRR) cross. The CER should always be lower to ensure the system has very good accuracy on authenticating valid users on a system.

Authentication Protocol

• These are protocols which are used authenticate systems such as devices and users across a network.

Password Authentication Protocol (PAP)

• Sends the username in plaintext.

• Sends the password in plaintext.

Challenge Handshake Authentication Protocol (CHAP)

• This protocol uses a 3-way handshake.

• The user makes an authentication request to the server.

• The server sends a challenge back to the user.

• The user takes their password to encrypt the challenge.

• The challenge is then sent back to the server.

• The server will validate the response and determine whether the user is authorized.

• The user password never goes across the network.

• Commonly used in non-Microsoft environments.

•  MS-CHAP - Microsoft CHAP implementation

• MS-CHAPv2 - Provides mutual authentication between 2 systems.

Extensible Authentication Protocol (EAP)

• This is actual a framework which handles authentication between systems across a network.

• It is commonly implemented on IEEE 802.11 wireless networks.

• EAP-FAST - EAP Flexible Authentication via Secure Tunneling.

• EAP-TLS - EAP Transport Layer Security.

• EAP-TTLS - EAP Tunnel Transport Layer Security

• LEAP - Lightweight EAP

• PEAP - Protected EAP

IEEE 802.1X

• This is a standard which outlines how to implement network access control.

• Provides port-based authentication.

• Contains 3 components, supplicant (user system), authenticator (network device) and the authentication server.

• Can be implemented on both wired and wireless networks.

Remote Access Dial-In User Service (RADIUS)

• An open standard authentication protocol and mechanism.

• Uses UDP ports 1812 (authentication) and 1813 (accounting).

• Uses UDP ports 1645 and 1646 on older legacy systems.

• RADIUS only encrypts the password.

• RADIUS is used to centralized AAA services on a network.

• Components: Access client (user device), RADIUS client (network device) and the RADIUS server.

Terminal Access Control Access-Control System PLUS (TACACS+)

• This Cisco proprietary standard.

• TACACS separates Authentication and the Authorization roles.

• Uses TCP port 49.

• Provides encryption of TACACS messages.

• Supports multiprotocol.

Kerberos

• This an open source authentication protocol.

• Provides replay protection against replay attacks.

• Time-based authentication system.

• Kerberos has been implementing as part of Active Directory (AD) in a Microsoft Windows domain.

• Component: Authentication server, Key distribution center, Ticket-granting ticket and Ticket-granting service.

Kerberos Process

• A user sends an Authentication Request to the Kerberos Server.

• The Kerberos Server sends a Ticket-granting Ticket (TGT) to the user.

• The TGT is stored on the user device and has a timestamp associated with it.

• Anytime the user has to access a network-based resource, the user device will send the TGT back to server to verify the user can access the resource within the specific resource.

• The Kerberos Server will issue a Session Key to the user.

• The user will send the Session Key to the resource server.

• The Resource Server does not directly communicate with the Kerberos server.