
Type 2 Authentication Transcription

Welcome to our Authentication Factors, Something a User Has module. In this module we will discuss one type of authentication factor, something a user has, such as a physical device that they carry with them. There are a few different types of devices that can work with something-a-user-has authentication.

The first is a token PIN device, and there are two types of these devices. One is synchronous, and the other is asynchronous. The synchronous token devices are based on the time-based one-time password protocol, or TOTP. The user could also use a digital certificate, a smart card, or a memory card.

The primary advantage of something-the-user-has authentication is that when a user loses one of these devices, it can very easily be revoked and a new credential created. This is not the case with a user's fingerprint or other biometric data, where if there's an intrusion and that data is captured, there's no way to issue a user a new fingerprint.

One-time passwords are generated for a single use, and cannot be reused. There are many ways to create one-time passwords, but one of the most common ways is for the user to have a token device which is able to create these passwords. One type of token device is a synchronous token device.

These devices use the time-based one-time password algorithm, or TOTP, to create a one-time password using a secret key and the time that the user uses the token. This creates a PIN that is only good for one use, and it's often used as a second authentication factor.

Two-factor authentication increases security because, even if someone is able to obtain a user's password, they will not be able to log in to the system unless they also have the user's token device. These one-time passwords have historically been created on a token device, like a key fob, that the user possesses.

Usually these are handheld devices with an LCD screen, and they provide a pin number that the user can enter. These devices are synchronized by time. So the server the user is logging into knows the values that will be on the user's token at any given moment. There are also software applications now for mobile devices that allow users to generate one-time passwords on their phone or tablet, rather than carrying around the device with them.
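The time synchronization described above, as an added example that is not part of the original module: a token computing a TOTP code per RFC 6238, and a server that accepts a small clock drift but refuses a code that was already used. The secret is the published RFC 6238 test key; the class name `TotpVerifier` and the one-step drift window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # length of the displayed code


def totp(secret: bytes, unix_time: int) -> str:
    """Code shown by the token at unix_time (HMAC-SHA1, RFC 6238)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server side (hypothetical helper): tolerates drift, refuses reuse."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window      # time steps of drift accepted either way
        self.last_counter = -1    # newest time step already accepted

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step was already used: one-time means one time
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


SECRET = b"12345678901234567890"  # RFC 6238 test key, never a real secret


def demo() -> dict:
    code = totp(SECRET, 59)  # token's clock reads 59 s
    server = TotpVerifier(SECRET)
    return {
        "code": code,
        "drifted_clock": server.verify(code, 65),   # server is 6 s ahead
        "replay": server.verify(code, 66),          # same code again
        "expired": TotpVerifier(SECRET).verify(code, 200),
    }
```
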

There are also asynchronous token devices. These devices are not based on time, but are rather based on a challenge-response scheme. Here the user still carries a token device. However, when they attempt to log on to the system, the system will provide them with a challenge value. The user then takes that challenge value and enters it, along with their PIN, into their token device. The token device then provides the user with another value, which they enter into the system. That value is then sent to the authentication server, which verifies that the value entered is the expected value, proving that the user is holding the token. The user is then authenticated and allowed to access the workstation.
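The challenge-response exchange described above, with both sides shown, as an added example that is not part of the original module. The response format (HMAC-SHA256 over the challenge, truncated to eight digits), the PIN acting as a local unlock on the token, and all class and function names are assumptions; real token products define their own algorithms.

```python
import hashlib
import hmac
import secrets


def response_for(key: bytes, challenge: str) -> str:
    """Assumed response format: HMAC-SHA256 truncated to 8 decimal digits."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 8).zfill(8)


class TokenDevice:
    """The device the user carries: holds the key, unlocked by the PIN."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def respond(self, challenge: str, pin: str) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN: token stays locked")
        return response_for(self._key, challenge)


class AuthServer:
    """Issues a fresh challenge per logon and accepts one answer to it."""

    def __init__(self, keys: dict):
        self._keys = keys      # user -> key shared with that user's token
        self._pending = {}     # user -> outstanding challenge

    def issue_challenge(self, user: str) -> str:
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        challenge = self._pending.pop(user, None)  # single use, pass or fail
        if challenge is None or user not in self._keys:
            return False
        expected = response_for(self._keys[user], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> tuple:
    key = secrets.token_bytes(32)          # constructed key for the demo
    server = AuthServer({"alice": key})
    token = TokenDevice(key, "4921")
    answer = token.respond(server.issue_challenge("alice"), "4921")
    first = server.verify("alice", answer)     # holder of the token
    replay = server.verify("alice", answer)    # captured answer, reused
    server.issue_challenge("alice")
    stale = server.verify("alice", answer)     # old answer, new challenge
    return first, replay, stale
```
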

On the CISSP exam you may see questions that ask the difference between synchronous and asynchronous tokens. The one important thing to remember here is that synchronous tokens are based on time, and asynchronous tokens are based on a challenge-response scheme. One easy way to remember this is the phrase "let's synchronize our watches." So synchronous tokens are based on time.

Another technology that can be used for something-a-user-has authentication is a digital certificate. You can authenticate a user using a public key infrastructure digital certificate. This is commonly used with Kerberos, which is used in Microsoft Windows domain environments. We can also use this with remote users to allow them to connect by VPN, or to allow individuals to access our Wi-Fi network using either RADIUS or p.

It's very commonly used with web traffic to verify the identity of web servers that we communicate with, such as when performing online banking or online shopping. This is part of Transport Layer Security, or TLS, and it allows us to have mutual authentication, where the client is able to authenticate itself to the server, but the server also authenticates itself to the client.

This mutual authentication allows both parties to confirm that they are communicating with the intended recipient of their communications. We can also use digital signatures to sign software programs or drivers. It's also used with DNSSEC to ensure that we're receiving DNS lookup responses from our trusted server.

These digital signatures can be easily verified using the public key to ensure that the software, the driver, or the DNS entries have not been tampered with.

Another device that can be used is a memory card. Here, we have a card that holds the user's authentication information. The user can swipe their card or put it into a reader, and then they can enter a PIN or a user name to prove that they are the authorized holder of that device.

Memory cards only hold information. They are not able to process information. Here we also have the added cost of the reader, and of creating the devices and maintaining them. A common example of a memory card is your ATM card, which you can put into an ATM machine and then enter your PIN, and then you're able to withdraw some funds from your bank account.

Another type of authentication mechanism we can use is a smart card. The difference between a smart card and a memory card is that the smart card has a microprocessor, or chip embedded in the device to allow it to do some processing of data. These are tamper-proof devices that are typically designed for high levels of security.

They can be used with public key infrastructure for mutual authentication. These devices are actually able to destroy themselves if a number of incorrect logins occur.

This concludes our Authentication Factors, Something a User Has module. Thank you for watching.
