Authentication Question

Which of the following is an example of two factor authentication?

A. Username and Password.
B. Username and Token
C. Username, password and biometric retina scan
D. ID badge and passcode

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

seuss_ssues

Seeing as how 2 factor authentication has to have two of the following (something you are, something you have, and something you know). It would have to be D. The Id badge would be something you have and the passcode would be something you know.

JDMurray

B, C, and D.

username = you know
token = you have (assuming a hardware token)

username/password = you know
biometric retina scan = you are

ID badge = you have
passcode = you know

determinedgerman

I agree with jdmurray

keatron

Ok,

Usernames and Identification mechanisms (such as ID badges) are NOT authenticators, they are identifiers. The answer is C. Password is the something you know. The retina scan (biometric) is the something you are.

A is incorrect simply because it is clearly single factor. It only has "something you know" which is a password. Again, don't mistakenly count identification mechanism as authenticators.

B is incorrect because again it is simply single factor authentication.

D is incorrect because it is single factor (just the passcode is used for authentication).

I think this is one of the things people are confused the most on. When a police officer asks for your ID/drivers license that is not an authentication process, it is strictly Identification. If you look like the guy who shot six people the night before, he will take you in and have your prints ran. At this point, authentication takes place. Remember, authentication is there to verify or authenticate that we are who we say we are, or in most cases, who our identification says we are.

JDMurray

keatron wrote:

Remember, authentication is there to verify or authenticate that we are who we say we are, or in most cases, who our identification says we are.

If "authentication" is verifying that we are who we say we are, how can a username/password be authentication? Simply knowing a username/password gives no assurance of the identity of the provider.

keatron

jdmurray wrote:

If "authentication" is verifying that we are who we say we are, how can a username/password be authentication? Simply knowing a username/password gives no assurance of the identity of the provider.

Again you seem to have missed the point that we are speaking in terms of authenticating to a "SYSTEM" when we refer to password or passcode authentication. As I have already pointed out, when you enter a username (identification) and password (authentication) you are authenticated and then usually "authorized" to do or not do certain things.

It's because you're still making the mistake of lumping username and password into one. The username is Identification, and the password is authentication. Yes, it is actually authenticating that you are who the username says you are. It is a "weak" form of authentication (because strong authentication would require two factors), but regardless, it is what it is. We could go on for many days and give our "opinions" as to what we think authentication really is, but unfortunately, the industry and the certification bodies such as ISC2 and SANS has already come up with pretty good definitions that most of us in infosec go along with. For that matter, passwords, biometrics and pretty much every other form of authentication can potentially be faked or compromised, but the likelihood of that happening and the difficulty involved in making that happen is why some forms of authentication is considered "stronger" than others. So YES, knowing a username and password does provide assurance, it provides assurance to the entity that is performing the job of authenticating you. In most cases, this would be some technological control mechanism. For example, Microsofts implementation of Kerberos in Windows 2000 received an Evaluation Assurance Level (EAL) 4. And the last I heard, Windows 2003's implementation was about to receive Level 6 (which can only be attested by the government). And in actuality, assurance is another topic all together.

JDMurray

keatron wrote:

So YES, knowing a username and password does provide assurance, it provides assurance to the entity that is performing the job of authenticating you.

I just contend that there is a difference between being validated as "authentic" and being validated as "identified."

keatron

jdmurray wrote:

keatron wrote:

So YES, knowing a username and password does provide assurance, it provides assurance to the entity that is performing the job of authenticating you.

I just contend that there is a difference between being validated as "authentic" and being validated as "identified."

I agree to some degrees, however it should be pointed out that for the CISSP, and others, there's no distinction. It is simply authentication.