CompTIA Security+ SY0-601 Topic: 2.4 Authentication and Authorization Design Concepts
December 13, 2022
1. Authentication methods

In this video, we’re going to be talking about different authentication methods, and there are quite a few of them. I’ll provide some good explanations, and we’ll look at some physical ones as well as what this technology means for authenticating any device. So, before I begin, I’d like to go over the various methods for authenticating to a system. There are three factors of authentication that you should be familiar with for your exam. The three factors are something you know, something you have, and something you are. So something you know is generally like a password or a PIN. Something you have is going to be some kind of RSA token.

Or this is a hardware token that displays a number; a smart card or bank card would also be something you have. And then something about you is generally biometric. So maybe a thumbprint, a retina scanner, an iris scanner, or a hand geometry scanner are basically going to be something you are. So don’t forget: something you know is the first factor.

Type one authentication, something you know, is a password. Type two, something you have, is something you physically possess, like a smart card. And then type three, something you are, is generally biometric. So those are type one, type two, and type three: the three factors of authentication. When we say “multifactor authentication,” what we mean is combining more than one of those.

For example, using a password with an RSA token, using a password with a smart card, or using a password and putting in a thumbprint. That’s two factors. Some systems have all three, right? So then you put a password in, you push a smart card into the system, and you have to use a thumbprint. That’s three factors.

Now, generally all of this is referred to as “multi-factor authentication.” You have dual factor, which is any two. “Multi” means any two or all three of them. Okay? So just keep that in mind as I go through some of these authentication methods, because I will be referring to some of them as I go through these particular ones. So let’s take a look here. So, authentication methods. The first thing you want to know is how to authenticate using directory services. Directory services will be similar to using Microsoft Active Directory.

Microsoft Active Directory, AD. So Microsoft Active Directory is what we’ll be using for directory services. This is very popular in organizations today. So what do you have with Active Directory? You set up Active Directory domain controllers. The domain controllers will store the usernames and passwords for the users.

Now, it doesn’t actually store the passwords themselves; just know that it holds the keys needed to log in. This is something that we covered a little bit in A+ and Network+. You’ll learn more about Active Directory when you study for your MCSE.

We will be taking a look at Active Directory later on in the course when we look at different types of group policies. However, a directory service is essentially a directory in which you store all of the users in that specific domain. The other term we have is something called “federation.” So federation is when multiple companies work together to authenticate each other’s users. This creates a type of single sign-on environment. So here’s what I mean: imagine my company works with another company, which works with another company, and we create a trust relationship between all of us.

Now, when you log in to my company, you can also, with just that login, gain access to resources in the other businesses. This is federated services. For example, one of the most popular federated services out there is SAML. Now, we’re going to talk about SAML later on in this course, when we get to the third section. Essentially, it allows me to implement a single sign-on system in web applications, so that when you log into one web application, it grants you access to other web applications that have trust within the actual SAML environment. Okay, the next thing we have is attestation, which is essentially asking a third party to vouch for (attest to) that authenticator. The other thing I have here is going to be smart card authentication.

So right here, I have a smart card. This particular smart card is now used to gain access to our Virginia, Washington, DC location. With this smart card, you basically tap it, and it opens doors for me. This is a physical card. But you do have smart cards that we’re going to use to plug into laptops or desktops, to actually log into computer systems, not just to go into physical spaces. So smart cards are used for both logging into computers and physical spaces. This is something that’s really common in today’s world of logging in. Sometimes they’re not so big, and sometimes they’re really small. They can be smaller devices. They don’t have to be actual, physical cards like this one.

Okay, let’s take a look at some of the technological terms that we should be familiar with. So here we have what are known as time-based one-time passwords (TOTP) and HMAC-based one-time passwords (HOTP). One-time passwords are used on devices. So that means these devices are basically going to pop up a number, and this number is going to keep changing. Now, one of them is based on a clock. So the time-based one is based on a clock, and the HMAC-based one is based on a counter. So it’s an incremental counter that’s used. Now, basically, a device like this: I have an RSA token here. I also have another token.

I’ll show you. So what happens in this one is that it keeps popping up a number, right? So this is a token, a small little device. I have one here that you can see is a small device that I use to log in to my bank. And you see, it has a little number screen there. So, in the number screen, this number keeps changing over and over again. And I don’t know if you guys can see this. I still have to put it on, though. So every time I log in, there’s a little number there that’s popping up. Every time I try to log in where I use this token, it basically says, “Hey, what’s the number on the token?” for me to log in.

This one does have a secondary authenticator on it because, in this particular one, you have to use a PIN to even get the number. In this one, you don’t. Another way of doing this would be with “soft tokens.” So, in terms of soft tokens, you can have Google do this for you. So in order to log into Google systems, you can download this. You have to set this up in your Google account, and basically, what you’re going to do with this is install it. You have to go into your account. If you have a phone, it will tell you, like on my phone, that I have it. If you try to log in to my Gmail, you’re going to have to use the authenticator app that I have installed, and I have it here.

And basically, it’s going to give you a six- or seven-digit PIN that you have to enter. So this is good to use. It really helps with security. So listen, I can give all of you guys my Gmail password right now. It wouldn’t mean much because I have this enabled online, and when you try to log in, it’s going to ask for that particular PIN. So I think this is a great idea when it comes to security. Okay? They could also send you SMS messages as another option. You’re probably seeing that when trying to log into certain applications, they might send a PIN to your cell phone. That’s pretty popular. Or, in some cases, they will call you to identify you.

I forgot to turn it back. So, as I mentioned earlier, SMS would send a PIN to your cell phone. They would text a PIN to your cell phone, and you would have to put it into your login. That’s also pretty common. Also, I’ve noticed that on Amazon, I once failed to get in. They said, “Oh, we’re going to call you.” I didn’t have access to my email at that time. I didn’t have it installed on my phone. They said, “Okay,” they could call me, and they would give me a PIN over the phone. So that was pretty cool. Also, there are push notifications.

The authentication is pushed to you when you log in. It pushes the authentication to you to let you know that, hey, someone has been logging into your account. Now, the authentication application we just looked at, the Google Authenticator that you can use to do dual-factor authentication, is also a token key. These are different tokens. You saw the RSA token that we had here. So this would be an RSA token. This would be a hardware token. But don’t forget, you do have them in software like this here. The Google Authenticator app would be considered a software token. You can also see that even though they have this hardware token, this is the physical hardware, you can also download it. I don’t have this on my phone, but you can also get the RSA token in the Google Play Store as a piece of software now.

So you don’t need that physical token. In fact, most businesses don’t even use that physical token anymore. We all use the soft token. And finally, static codes. These are not recommended. When I set up Gmail to do two-factor authentication, Google allows me to store a string of codes that I can keep. If you ever lose it or are unable to use the dual-factor authentication, you enter the static code and you will be able to log in. It’s not the best idea, though, because it kind of defeats the purpose of two-factor authentication. Okay, in this video, we covered a lot. We discussed directory services, federation, and smart card authentication.

We talked about the technologies used: TOTP, a time-based one-time password, and HOTP, an HMAC-based one-time password. One of them uses a clock, right? It keeps time with a clock. The other one is just an incrementing counter. And the one that is based on time, by the way, is actually using the system time to do that, so if the clocks are off, it may not even work. We talked about how it may send messages via SMS or a phone call, and about push notifications and authentication applications like Google Authenticator. Static codes are generally not a good idea. And of course, for token keys, you can get hardware or software tokens.
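To make the clock-versus-counter distinction concrete, here is an added example (not code from the course) that builds HOTP and TOTP from Python’s standard library; TEST_SECRET is the published RFC 4226 test-vector key, and the skew window in verify_totp and the look-ahead window in verify_hotp are my assumptions about how a verifier tolerates clock drift and counter drift.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) built from the standard library.

Added example, not code from the course. TEST_SECRET is the RFC 4226
test-vector key, not a real one; generate a random secret in practice.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 test-vector secret (ASCII "12345678901234567890"); constructed input.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: the moving factor is an incrementing counter."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)     # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: the moving factor is the clock, in 30 s steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30,
                skew_steps: int = 1) -> bool:
    """Accept the code for the current step or its neighbours (assumed skew window).

    The course notes that if the clocks are off, TOTP may not work at all;
    a small skew window is the usual mitigation. Compare in constant time.
    """
    current = now // step
    for offset in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, current + offset), submitted):
            return True
    return False


def verify_hotp(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 5):
    """Counter-based verification: the server walks forward a bounded window.

    Returns the new server counter on success (so a code is never replayable),
    or None on failure. Pressing the token button without logging in moves the
    token ahead of the server, hence the assumed look-ahead window.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))   # RFC 4226 vector: 755224
    print("TOTP now      :", totp(TEST_SECRET, now))
    print("accepted?     :", verify_totp(TEST_SECRET, totp(TEST_SECRET, now), now))
```

The RFC values in the tests show that TOTP at time 59 is simply HOTP with counter 1, which is all the "clock" really is: a counter derived from the system time.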

2. Biometrics

In this video, I’m going to be talking about biometrics. Now, you’re probably all familiar with biometrics already, considering you’re probably using your phone. And you probably just use your thumbprint to log into your phone. Or maybe you have an iPhone, and you have facial recognition. In today’s world, biometrics is extremely common. But go back ten years, and it wasn’t common to use it to log in. Smartphones have just made it incredibly common. But nowadays you have biometrics, like my Lenovo laptop sitting right in front of me here, which has a thumbprint reader.

So they are becoming more common as we log into systems. So in this video, I’m going to explain to you how it works. A lot of people have no idea how it works. I’ll give you a story. The other day, my wife got a new phone, a new iPhone, and she set it up. And I told her, “You make sure you put in the facial recognition.” And she says, “Well, my iPhone is better than yours.” And I said, “How so?” And she said, “Well, mine does facial recognition. It doesn’t store my fingerprint like yours does.”

I said, “Well,” and I sat her down and gave her the lesson that I’m about to give you. People actually don’t realize one of the things with biometrics: people are scared that you can actually take the fingerprint out of the system. That’s not the way biometrics work. So before we get into the different forms of it, I’m assuming we all know what thumbprint and fingerprint biometrics are. So you know what? I’ll just show it to you before we get into it. So, fingerprint biometrics, and remember, biometrics is a type of authentication of who you are: not where you are, not something you do, not what you know, or what you have. It’s what you are, right? So, in terms of biometrics, this device is a fingerprint biometrics device, similar to this one. Here’s one on Amazon.

So this is a fingerprint biometric device, as we see here. Of course, you have these on your laptops; they basically use unique fingerprints. But in this video, what I want to do is show you guys how it works. The biometrics template is basically what I want to show you. So I found a great picture here that shows that. So we’re going to take a look at it. Where is it? There’s an easy one to follow. So I want you guys to look at this. By the way, if you want to find out what I was looking at, I just googled “biometric templates.” So the way biometrics work is that you put your thumbprint on the system, and then it scans it and creates a certain set of unique features.

It detects a certain set of unique features. And what it does is that it then creates a map of your particular fingerprint, and this is what it stores. So it stores this map as ones and zeros in the system. It does not actually save your fingerprint. There’s another picture of that. You can see that here is your fingerprint, but then it creates points, creates that map, and stores the map. So, in essence, biometrics does not save your fingerprint. It is, in theory, impossible to take the map and turn it back into a fingerprint. There’s just not enough data there. So I showed this to my wife, and she still said to me, “Well, it’s still better.” I said, “Okay, then we can go with that.” But let’s take a look at what we need to know. So remember, it’s based on a template, right?

Biometrics are based on templates. So when you put your thumbprint down, you have to be able to match that map, or match the points on the map. And when it redraws it and it’s close enough, it will log you in. Okay, so let’s go back here to our presentation. Where is my text now? Okay, so we talked about a fingerprint reader. So, the fingerprint reader: this is going to look at the fingerprints on your hands. Then you have two of these things: retina and iris scanners are used as eye readers. Retina scanners will look for blood vessels in the back of your eyes. I think I have one of these pictures that I pulled up here. Here you go. One of the retina scanners will look for the blood vessels in the back of your eyes. You can see one of these devices here. And the iris scanners will look for colour patterns in your eyes.

These are known to be highly accurate, although they’re not so acceptable. Not many people would like to have their eyes scanned. Although they’re very accurate, they may not be acceptable. Facial recognition is very familiar to iPhone users. I tried it on my Samsung phone. It doesn’t work very well. Most of the time, it just doesn’t seem to work. But facial recognition is another way, using the structure of your face. Now, voice recognition is based on voice patterns. This could be a little dangerous. Voice patterns could be replayed. So what that means is that they can actually record your voice and try to replay it. It may or may not work, but it is a way to defeat that. Vein patterns: the vein patterns are generally read on the palm. So these detect the vein patterns in your hands. And I have a picture of that here.

There’s a vein pattern. And this is from a Fujitsu palm-scan sensor. So this is a palm vein authenticator. This looks at the vein patterns in your palm. Another one that’s similar to this is hand geometry. That looks at the physical structure of your hand. The other thing here I have is gait analysis. This is the way you walk. And the last thing here we want to mention is something known as the efficiency rate. So the efficiency rates are false acceptance, false rejection, and the crossover error rate. This is also known as the “equal error rate.” All right? So that’s what I have here: an equal error rate. Let’s talk about this.

So when you configure a biometrics machine, you buy a biometrics machine and you configure it. There are settings for accuracy. You have to know how to slide that correctly. And I say slide it correctly because I set up a hand geometry machine at one of our locations, and there was a setting in it that allowed you to slide the accuracy to how accurate you wanted it. Now, here’s the thing: if you make it too accurate, it starts rejecting all the good people. If you don’t slide it correctly, you risk accepting the wrong person. So there are two terms there. So if you set the machine to be inaccurate at all, it may authenticate Mary as Jane. That’s a false acceptance. That’s not good. Now Mary’s logging in as Jane. When you set the machine too high, it begins to falsely reject: it may reject me, the real person, because the machine is set so high. That’s a false rejection. This has been observed in the biometrics of hand geometry. So, for example, I’ve seen this where the machine is set too high. And let’s say they create the template. Remember what the template is?

So to create the template, you set the machine very high, and then a person wearing rings on every finger slightly changes the physical dimensions of the hand. And then when you put the fingers on the machine, it doesn’t accept them, because it’s set too high. But if you lower it too much, then again, Mary can log in as Jane. So what you want is a machine, and this is going to be the biometric system, right?

This is the system in action. You want a system that has low false acceptance and low false rejection, right? So how would you do that? Well, you’ve got to get a machine that’s really accurate. Because if you think about it, when you adjust a machine to be more or less accurate, false acceptance has a direct impact on false rejection. Why? Because if you set it too high, you’re getting more of this (false rejection).

If you set it too low, you’re getting more of this (false acceptance). So what you want is a machine that has an equal number; where the percentages are equal, you have an equal number of false acceptances and false rejections. This is known as the crossover error rate.

The lower the crossover error rate, the more secure the machine, and the higher the cost of the machine, the more accurate the machine. Okay? So make sure to know these terms for your exam. These are specifically mentioned: fingerprint, retina, iris, facial, voice, vein, and gait analysis, which is relatively uncommon. And then, of course, the efficiency rates. All right, you want to make sure your machine is as efficient as possible.
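The accuracy slider, false acceptance, false rejection and the crossover point can be worked through numerically. This added example (not code from the course) models the matcher as returning a similarity score from 0 to 100 and treats the slider as the acceptance threshold; the GENUINE and IMPOSTOR scores are constructed sample data, and the score model is my assumption.

```python
"""False acceptance, false rejection and the crossover (equal) error rate.

Added example, not from the course. A biometric matcher is modelled as
returning a similarity score from 0 to 100; the operator's accuracy slider is
the acceptance threshold applied to that score. All scores are constructed.
"""

# Constructed sample scores (higher = closer to the stored template).
GENUINE = [62, 71, 75, 79, 83, 86, 88, 91, 94, 97]    # Mary presenting as Mary
IMPOSTOR = [38, 44, 51, 57, 60, 64, 68, 72, 77, 81]   # Mary presenting as Jane


def far(impostor_scores, threshold):
    """False acceptance rate: impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def error_curve(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for every candidate slider setting."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds=range(0, 101)):
    """Slider setting where FAR and FRR meet, and the error rate there (CER/EER).

    A lower CER means a better matcher; the setting itself is where a
    general-purpose deployment would leave the slider.
    """
    t, fa, fr = min(error_curve(genuine, impostor, thresholds),
                    key=lambda row: abs(row[1] - row[2]))
    return t, (fa + fr) / 2


def threshold_for_max_far(genuine, impostor, max_far, thresholds=range(0, 101)):
    """Lowest slider setting that keeps FAR at or below max_far (e.g. a secure door).

    Returns (threshold, FRR at that threshold) so the operator can see how many
    legitimate users (Mary with rings on every finger) will be turned away.
    """
    for t in thresholds:
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    return None


if __name__ == "__main__":
    # Raising the slider pushes FAR down and FRR up, which is the trade-off in the video.
    for t, fa, fr in error_curve(GENUINE, IMPOSTOR, range(50, 96, 5)):
        print(f"threshold {t:3d}: FAR {fa:.1f}  FRR {fr:.1f}")
    print("crossover (threshold, CER):", crossover_error_rate(GENUINE, IMPOSTOR))
    print("setting for FAR = 0 and its FRR:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
```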

3. MFA

In this video, we’re going to be talking about multifactor authentication. So let’s get started. Let’s get right into it. There are several factors that can be used to authenticate, as well as several ways to authenticate to a system. They are something you know, something you have, and something you are. So this is pretty simple, right? Something you know is generally a password, a PIN, or a passphrase of some kind. Now, if you guys remember, your password needs to be complex.

I don’t think I need to review that after you saw how easy it was to crack passwords at the beginning of this video series. So something you know is generally just a password or a PIN. The next thing is something you have. This is going to be some kind of token, maybe an RSA token. It could be a hard token. We looked at this in the previous video, where it could be a hard token or a soft token. It could be a soft token, such as an RSA soft token, or one of these devices that you have. It can also be a bank card or a smart card, which is something you have; we cover that in the previous video or maybe the one after this. I’m not sure where we’re going to place it. But the other thing is something you are, which is biometrics.

So biometrics would be like fingerprint or retina scanners, hand geometry scanners, or palm vein scanners for vein patterns. Now, these are basically the three factors. So when someone says “multifactor authentication,” what they’re talking about is any two or all three of these. So multifactor authentication, or MFA, may consist of a password and a PIN. I said that wrong; a password and a PIN would be the same factor. A password and a smart card. You could add a thumbprint to a password, or use a thumbprint with a smart card and a password. That’s all three. The more, the better. All right?

So I’m going to give you a practice question for your exam. A lot of times on the exam, what they do is they say, “So what’s more secure: a ten-digit password, a 15-digit password, a retina scanner, or a bank card and a four-digit PIN?” Did you get it? Did you get it? Because there are two factors, the answer is the bank card and the four-digit PIN. The retina scanner is one factor. The 10- and 15-digit passwords are single-factor. The more factors, the more secure. Remember that for your exam. And, of course, in real life. Now, the other thing I want to mention here is that we went through the factors: you know, you have, and you are. But let’s talk about attributes. There are some additional attributes that we can use. These attributes are generally combined with some of the other factors.

So there would be location-based authentication: somewhere you are. So if you’re in a particular physical location, they wouldn’t be able to log in, or they would. Something you can do, such as how quickly you can sign something. Something you exhibit would be a personality trait, and someone you know would be someone else vouching for who you are. Those are different attributes you can use. Now, I do want to mention that these attributes, although not as popular as the different factors, could be used with the factors to just give it more security. The other thing I want to mention is cloud versus on-premises requirements. Now, generally, on-premises authentication happens with just a password, right?

When you go into your corporate networks, you usually only need to enter a password and you’re good to go. A lot of the time, you log right in. Cloud security is different. I’ve seen this with the Amazon cloud, and I have to use multifactor authentication on both my Amazon and my Google accounts. So I have my Google account set up where I have to enter the PIN from the authenticator app and know the password. So remember that it could have different requirements. Most of the time, the cloud is going to require two-factor authentication. Why? Because, remember, things in the cloud are accessible everywhere on the planet, right? Things in the cloud are accessible everywhere.

So it would make more sense to have more security for cloud-based authentication. Generally, on premises, you can only access it right here, so maybe, just maybe, it needs just a little bit of security. Although it would be a good idea to have on-premises two-factor authentication too; that way, people can’t just steal other people’s IDs and passwords. Okay, in this video, we talked about a lot. We went through the different factors. Something you know is a password; something you have is a smart card; and something you are is biometrics. Then there are the attributes: somewhere you are; something you do, such as signatures; something you exhibit, such as personality; and, don’t forget, someone you know. Cloud-based authentication may be more secure and require a second factor, whereas on-premises authentication may not. All right, these are the different authentication concepts. Let’s keep going.

4. Authentication, authorization, and accounting

In this video, we’re going to be talking about authentication, authorization, and accounting. Now these are three terms that you have to be familiar with as a security professional, not to mention the ones you’re going to read about all throughout your security career. It doesn’t matter which book you pick up. Let’s take a look at the three terms, and then we’ll talk about them in depth. So the first term is authentication. Authentication is proving who you are to a particular system. The next one is authorization.

That is what you have access to on the system. Accounting is keeping track of what you’re accessing. The other one that’s missing is ID, or identification. Basically, these things go together. This is known as AAA. Some people even call it IAAA because it includes identification. So let’s remember identification, authentication, authorization, and accounting. So what are these terms? Well, first of all, when you come to a computer system or any system, you have to tell it, “Hey, I’m Andrew, I’m Bob, I’m Mary, or I’m Jay.” That’s identification. Identification identifies who you are to a computer system. We generally do this with a username.

The next part of this is that you have to authenticate yourself. You have to prove that you are Mary, or Jane, or Bob. Now, how do you do that? Most of us know this: by typing in a password, because a computer doesn’t know you’re Mary. Well, I know you’re Mary because I’ve seen you before, Mary. But a computer doesn’t know that.

So the computer will say, “Hey, Mary, can you prove yourself?” Authentication is the way we go about proving who we are to a computer. Now, there are many ways to prove it. In the other videos, we’ll talk about it, such as using a password, or maybe some kind of token, like a hardware token, or you can even use biometrics. Again, we’ll cover that later in this set of videos. Another thing we need to do comes when you log in. So, once you’ve proven your identity, Mary enters her password and logs in, or you log in. The next thing is, what do you have access to? Perhaps your authorization allows you to access this folder but not that folder. You can access this database, but not that database. You can check email on this server, but not that one.

Authorization deals with what you can access on the network. So you may not have authorization for everything, but if you’re an administrator, you may, or maybe you’re the CEO, the owner of the business, and you have access to everything in the network. However, a receptionist or an accounting clerk may not have access to everything; they would not have access to all of the data in the network.

Finally, accounting is essentially auditing the system and keeping track of what you do within it. What files and folders were you accessing, and how long were you logged in? We do this with log files, like the Windows Event Viewer security log. Okay, so as we get more into this, don’t get the terms confused. Identification is just telling them who you are. Authentication is how you prove who you are. Authorization is going to involve gaining access to specific files and folders: what are you authorized to access? Accounting will keep track of what you’re doing on the network and how long you’re there.
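The four terms line up with four functions in this added example (not code from the course): the username identifies, the password authenticates, a role-based ACL authorizes, and every step, including failures, lands in an audit log that also records session length. The users, passwords and ACL are constructed sample data, and the PBKDF2 password store is my choice for the illustration.

```python
"""Identification, authentication, authorization and accounting in one small flow.

Added example, not the course's code. Users, passwords and ACLs below are
constructed sample data; passwords are stored as PBKDF2 hashes, never plaintext.
"""
import hashlib
import hmac
import os
import time

AUDIT_LOG = []  # accounting: who did what, when, and whether it succeeded


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed directory: username (identification) -> credential record.
USERS = {
    "mary": make_user("correct horse battery staple", "accountant"),
    "bob": make_user("bob-admin-pw", "administrator"),
}

# Constructed authorization rules: role -> resources that role may access.
ACL = {
    "receptionist": {"shared_folder"},
    "accountant": {"shared_folder", "finance_db"},
    "administrator": {"shared_folder", "finance_db", "hr_db", "mail_server"},
}


def record(event: str, user: str, detail: str, ok: bool) -> None:
    """Accounting: append one audit entry (success and failure alike)."""
    AUDIT_LOG.append({"ts": time.time(), "event": event, "user": user,
                      "detail": detail, "ok": ok})


def authenticate(username: str, password: str):
    """Identification is the username; authentication is proving it with the password.

    Returns a session dict on success, None on failure. An unknown username is
    logged too: "who tried to log in" is useful audit data even when nobody got in.
    """
    rec = USERS.get(username)
    if rec is None:
        record("login", username, "unknown user", False)
        return None
    ok = hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])
    record("login", username, "password", ok)
    if not ok:
        return None
    return {"user": username, "role": rec["role"], "login_ts": time.time()}


def authorize(session: dict, resource: str) -> bool:
    """Authorization: the proven identity's role decides what it may touch."""
    allowed = resource in ACL.get(session["role"], set())
    record("access", session["user"], resource, allowed)
    return allowed


def logout(session: dict) -> float:
    """Close the session and account for how long the user was logged in."""
    duration = time.time() - session["login_ts"]
    record("logout", session["user"], f"session lasted {duration:.1f}s", True)
    return duration


if __name__ == "__main__":
    session = authenticate("mary", "correct horse battery staple")
    if session:
        authorize(session, "finance_db")   # accountant: allowed
        authorize(session, "hr_db")        # accountant: denied, but still logged
        logout(session)
    authenticate("mary", "wrong password")  # failed login is logged as well
    for entry in AUDIT_LOG:
        print(entry["event"], entry["user"], entry["detail"], "OK" if entry["ok"] else "DENIED")
```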
