00:00:07,860 [Tutor] Identification is the process of providing the identity of a subject or user. This is the first step in authentication, authorization, and accounting processes. Providing a username, a passport, an IP address, or even pronouncing your name is a form of identification. A secure identity should be unique in the sense that two users should be able to identify themselves unambiguously. This is particularly important in the context of account monitoring. Duplication of identity is possible if the authentication systems are not connected. For example, a user can use the same user ID for his corporate account and for his personal email account. A secure identity should also be non-descriptive, so that information about the user's identity cannot be inferred. For example, using "administrator" as the user ID is generally not recommended. An identity should also be issued in a secure way. This includes all processes and steps in requesting and approving an identity request. This property is usually referred to as secure issuance.
00:01:27,030 There are three categories of factors used in authentication: knowledge, which is something the user knows; possession, which is something a user has; and inheritance or characteristics, which is something the user is. Authentication by knowledge is where the user provides a secret that is only known by him or her. An example of authentication by knowledge would be a user providing a password or a personal identification number, or answering security questions. The disadvantage of using this method is that once the information is lost or stolen, for example, if a user's password is stolen, an attacker would be able to successfully authenticate. Nowadays, a day does not pass without hearing about a new breach in retailers, service providers, cloud services, and other social media companies. Take a look at the various community databases. There you'll see hundreds of breach cases where users' passwords were exposed.
00:02:43,030 Websites like "Have I Been Pwned" include a database of billions of usernames and passwords from past breaches, and even allow you to search for your email address to see if your account or information has potentially been exposed. Something you know is knowledge-based authentication. It could be a string of characters referred to as a password or PIN, or it could be an answer to a question. Passwords are the most commonly used single-factor network authentication method. The authentication strength of a password is a function of its length, complexity, and unpredictability. If it is easy to guess or deconstruct, it is vulnerable to attack. Once known, it is no longer useful as a verification tool. The challenge is to get users to create, keep secret, and remember secure passwords. Weak passwords can be discovered within minutes or even seconds using any number of publicly available password crackers or social engineering techniques.
00:03:56,090 Best practices dictate that passwords be a minimum of eight characters in length, include a combination of at least three of the following characters: uppercase and lowercase letters, punctuation, symbols, and numerals, as well as changing frequently and being unique. Using the same password to log into multiple applications and sites significantly increases the risk of exposure. NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, provides guidelines for authentication and password strength. NIST confirms that the length of a password has been found to be a primary factor in characterizing password strength. The longer the password, the better. Passwords that are too short are very susceptible to brute-force and dictionary attacks using words and commonly chosen passwords. NIST suggests that the minimum password length that should be required depends to a large extent on the threat model being addressed.
00:05:09,160 Online attacks, where the attacker attempts to log in by guessing the password, can be mitigated by limiting the rate of login attempts per minute. When talking about authentication by ownership or possession, this type of authentication is where the user is asked to provide proof that he owns something. For example, a system might require an employee to use a badge to access a facility. Another example of authentication by ownership is the use of a token or smart card. Similar to the previous method, if an attacker is able to steal the object used for authentication, he will be able to successfully access the system. Examples of authentication by ownership or possession include the following: one-time passwords, memory cards, smart cards, and out-of-band communication. The most common of the four is the one-time password sent to a device in the user's possession. A one-time password, or OTP, is a set of characteristics that can be used to prove a subject's identity one time, and only one time. Because the OTP is valid for only one access, if captured, additional access would be automatically denied.
00:06:31,450 OTPs are generally delivered through hardware or software tokens. The token displays the code, which must then be typed in at the authentication screen. Alternatively, the OTP may be delivered via email, text message, or phone call to a predetermined address or phone number. A memory card is an authentication method that holds user information within a magnetic strip and relies on a reader to process the information. The user inserts the card into the reader and enters a specific personal identification number. Generally, the PIN is hashed and stored on the magnetic strip. The reader hashes the inputted PIN and compares it to the value on the card itself. A familiar example of this is a bank ATM card. A smart card works in a similar fashion. Instead of a magnetic strip, it has a microprocessor and integrated circuits. The user inserts the card into a reader, which has electrical contacts that interface with the card and power the processor. The user enters a PIN that unlocks the information. The card can hold the user's private key, generate an OTP, or respond to a channel's response.
00:07:54,500 Out-of-band authentication requires communication over a channel that is distinct from the first factor. A cellular network is commonly used for out-of-band authentication. For example, the user enters her name and password at an application login prompt, which is factor one. The user then receives a call on her mobile phone. The user answers and provides the predetermined code, which is factor two. For the authentication to be compromised, the attacker would have to have access to both the computer and the phone. A system that uses authentication by characteristic authenticates the user based on some physical or behavioral characteristic, sometimes referred to as biometric attributes. The most used physical or physiological characteristics are as follows: fingerprints, face recognition, retina or iris, palm and hand geometry, blood and vascular information, as well as voice recognition. Other examples of behavioral characteristics are signature dynamics and keystroke dynamics/patterns. The drawback of a system based on this type of authentication is that it is prone to accuracy errors.
00:09:21,020 For example, a signature-dynamics-based system would authenticate a user by requesting that the user write his signature, and then compare the signature pattern to a record in the system. Given that the way a person signs his name differs slightly every time, the system should be designed so that the user can still authenticate even if the signature and pattern are not exactly the one in the system. However, it should also not be too loose and unintentionally authenticate an unauthorized user attempting to mimic the pattern. Two types of errors are associated with the accuracy of biometric systems. A type one error, also called false rejection, happens when the system rejects a valid user who should have been authenticated. A type two error, also called false acceptance, happens when the system accepts a user who should have been rejected, for example, an attacker trying to impersonate a valid user. The crossover error rate, or CER, also called the equal error rate, or EER, is the point where the rate of false rejection errors, or FRR, and the rate of false acceptance errors, or FAR, are equal.
00:10:47,700 This is generally accepted as an indicator of the accuracy of biometric systems. In multifactor authentication, the process of authentication requires the subject to supply verifiable credentials. The credentials are often referred to as factors. Single-factor authentication is when one factor is presented. The most common method of single-factor authentication is the use of passwords. Multifactor authentication is when two or more factors are presented. Multilayer authentication is when two or more of the same type of factors are presented. Data classification, regulatory requirements, the impact of unauthorized access, and the likelihood of a threat being exercised should all be considered when you're deciding on the level of authentication required. The more factors, the more robust the authentication process. Identification and authentication are often performed together. However, it is important to understand that they are two different operations.
00:11:56,710 Identification is about establishing who you are, whereas authentication is about proving you are the entity you claim to be. In response to password insecurity, many organizations have deployed multifactor authentication options to their users. With multifactor authentication, accounts are protected by something you know and something you have. Even gamers have been protecting their accounts using MFA for years.