Authentication Question

keatron (Security Tinkerer, Member) Posts: 1,213
Which of the following is an example of two factor authentication?

A. Username and Password.
B. Username and Token
C. Username, password and biometric retina scan
D. ID badge and passcode

Comments

  • seuss_ssues (Member) Posts: 629
    Seeing as how two-factor authentication has to have two of the following (something you are, something you have, and something you know), it would have to be D. The ID badge would be something you have and the passcode would be something you know.
  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, Cloud+, CySA+, CASP+, PenTest+, Security+; Surf City, USA; Admin) Posts: 12,430
    B, C, and D.

    username = you know
    token = you have (assuming a hardware token)

    username/password = you know
    biometric retina scan = you are

    ID badge = you have
    passcode = you know
  • determinedgerman (Member) Posts: 168
    I agree with JDMurray.
  • keatron (Security Tinkerer, Member) Posts: 1,213
    Ok,

    Usernames and identification mechanisms (such as ID badges) are NOT authenticators; they are identifiers. The answer is C. The password is the "something you know." The retina scan (biometric) is the "something you are."

    A is incorrect simply because it is clearly single-factor. It only has "something you know," which is the password. Again, don't mistakenly count identification mechanisms as authenticators.

    B is incorrect because, again, it is simply single-factor authentication.

    D is incorrect because it is single-factor (just the passcode is used for authentication).

    I think this is one of the things people are confused about the most. When a police officer asks for your ID/driver's license, that is not an authentication process; it is strictly identification. If you look like the guy who shot six people the night before, he will take you in and have your prints run. At this point, authentication takes place. Remember, authentication is there to verify or authenticate that we are who we say we are, or in most cases, who our identification says we are.
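    The identifier/authenticator split keatron is describing, shown as working code. This is an added example and not part of the original thread: a user store keyed by username (the identifier, which proves nothing), a password check (something you know) and an RFC 4226/6238 one-time code check (something you have, i.e. the device holding the seed). The username "alice", the salt, the PBKDF2 parameters and the password are constructed for the demo; the OTP seed is the RFC 4226 test key so the codes can be checked against the published vectors.

    ```python
    import hashlib
    import hmac
    import struct
    import time

    PBKDF2_ITERATIONS = 200_000          # assumed parameter; tune for your hardware
    TOTP_STEP = 30                       # RFC 6238 default time step in seconds


    def hash_password(password: str, salt: bytes) -> bytes:
        """Derive a verifier for the 'something you know' factor."""
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


    def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
        """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
        mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % (10 ** digits)).zfill(digits)


    def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = 6) -> str:
        """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
        return hotp(secret, at // step, digits)


    # Constructed demo store. The key (username) is only an identifier: it selects
    # which record's authenticators we compare against, and is never a factor itself.
    DEMO_SALT = b"constructed-demo-salt"
    RFC4226_TEST_KEY = b"12345678901234567890"   # the published HOTP/TOTP test secret

    USERS = {
        "alice": {
            "salt": DEMO_SALT,
            "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
            "totp_secret": RFC4226_TEST_KEY,
        },
    }


    def authenticate(username: str, password: str, otp: str, now: int | None = None, window: int = 1):
        """Identify by username, then verify two independent authenticators.

        Returns (accepted, factors_verified). Both factors are always evaluated, even if
        the first fails, so the response does not reveal which one was wrong.
        """
        record = USERS.get(username)          # identification: which claimed identity?
        if record is None:
            return False, []

        verified = []

        # Factor 1: something you know.
        if hmac.compare_digest(record["pw_hash"], hash_password(password, record["salt"])):
            verified.append("know")

        # Factor 2: something you have. Accept +/- `window` time steps of clock drift.
        now = int(time.time()) if now is None else now
        for drift in range(-window, window + 1):
            expected = totp(record["totp_secret"], now + drift * TOTP_STEP)
            if hmac.compare_digest(expected, otp):
                verified.append("have")
                break

        return len(verified) == 2, verified


    if __name__ == "__main__":
        # At unix time 59 the RFC 6238 SHA-1 vector gives 94287082; six digits -> 287082.
        print(authenticate("alice", "correct horse battery staple", "287082", now=59))
        print(authenticate("alice", "wrong password", "287082", now=59))
        print(authenticate("mallory", "anything", "287082", now=59))
    ```

    Note what changes the outcome: a wrong username only means no record is selected, it is not a failed factor. Knowing the username plus the password yields exactly one verified factor, which is why the thread's option A and option B (without a hardware token) stay single-factor; the second factor only appears when a separately held secret, here the OTP seed, is also proven.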
  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, Cloud+, CySA+, CASP+, PenTest+, Security+; Surf City, USA; Admin) Posts: 12,430
    keatron wrote:
    Remember, authentication is there to verify or authenticate that we are who we say we are, or in most cases, who our identification says we are.
    If "authentication" is verifying that we are who we say we are, how can a username/password be authentication? Simply knowing a username/password gives no assurance of the identity of the provider.
  • keatron (Security Tinkerer, Member) Posts: 1,213
    jdmurray wrote:
    If "authentication" is verifying that we are who we say we are, how can a username/password be authentication? Simply knowing a username/password gives no assurance of the identity of the provider.

    Again, you seem to have missed the point that we are speaking in terms of authenticating to a "SYSTEM" when we refer to password or passcode authentication. As I have already pointed out, when you enter a username (identification) and password (authentication), you are authenticated and then usually "authorized" to do or not do certain things.

    It's because you're still making the mistake of lumping username and password into one. The username is identification, and the password is authentication. Yes, it is actually authenticating that you are who the username says you are. It is a "weak" form of authentication (because strong authentication would require two factors), but regardless, it is what it is. We could go on for many days and give our "opinions" as to what we think authentication really is, but unfortunately, the industry and certification bodies such as ISC2 and SANS have already come up with pretty good definitions that most of us in infosec go along with.

    For that matter, passwords, biometrics and pretty much every other form of authentication can potentially be faked or compromised, but the likelihood of that happening and the difficulty involved in making it happen is why some forms of authentication are considered "stronger" than others. So YES, knowing a username and password does provide assurance; it provides assurance to the entity that is performing the job of authenticating you. In most cases, this would be some technological control mechanism. For example, Microsoft's implementation of Kerberos in Windows 2000 received an Evaluation Assurance Level (EAL) of 4. And the last I heard, Windows 2003's implementation was about to receive Level 6 (which can only be attested by the government). And in actuality, assurance is another topic altogether.
  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, Cloud+, CySA+, CASP+, PenTest+, Security+; Surf City, USA; Admin) Posts: 12,430
    keatron wrote:
    So YES, knowing a username and password does provide assurance, it provides assurance to the entity that is performing the job of authenticating you.
    I just contend that there is a difference between being validated as "authentic" and being validated as "identified."
  • keatron (Security Tinkerer, Member) Posts: 1,213
    jdmurray wrote:
    keatron wrote:
    So YES, knowing a username and password does provide assurance, it provides assurance to the entity that is performing the job of authenticating you.
    I just contend that there is a difference between being validated as "authentic" and being validated as "identified."

    I agree to some degrees, however it should be pointed out that for the CISSP, and others, there's no distinction. It is simply authentication.