Chapter 3
12/14/2024 1
Outline
▪ Authentication
▪ Authorization
▪ Authentication factors
▪ Authentication techniques
Authentication
▪ Authentication is the process of establishing someone's identity by
verifying that the person is who they claim to be.
▪ A client also uses it when it wants to confirm that a server is the one
it claims to be.
Authentication…
▪ The authentication by the server is done mostly by using the username
and password.
▪ Authentication does not ensure what tasks under a process one person
can do, what files he can view, read, or update.
Authentication…
Authentication Factors:
▪ As per the security levels and the type of application, there are
▪ Single-Factor Authentication
▪ Two-Factor Authentication
▪ Multi-Factor Authentication
Authentication…
1. Single-Factor Authentication
Authentication…
2. Two-factor Authentication
▪ It requires not only a username and password but also unique
information that only the particular user knows, such as the name of
their first school or a favorite destination.
▪ Apart from this, it can also verify the user by sending an OTP or a
unique link to the user's registered number or email address.
Authentication…
3. Multi-factor Authentication
▪ It requires two or more levels of security from different and
independent categories.
▪ This helps eliminate data exposure to third parties or hackers.
Authentication…
Famous Authentication techniques
1. Password-based authentication
▪ If the password matches the username and both details match the
system's database, the user is successfully authenticated.
Authentication…
Famous Authentication techniques…
2. Passwordless authentication
▪ In this technique, the user doesn't need a password; instead, he
receives an OTP (one-time password) or a link on his registered mobile
or phone number.
Authentication…
Famous Authentication techniques…
3. 2FA/MFA
Authentication…
Famous Authentication techniques…
4. Single Sign-on
Authentication…
Famous Authentication techniques…
5. Social Authentication
▪ Also known as social login – allows login using social media accounts
Authentication…
▪ Something the individual possesses, e.g. key cards, smart cards, physical keys
Attack / example / countermeasures:
▪ Workstation hijacking: using an unattended logged-in workstation. Countermeasures: automatic logout when inactive, IDS.
▪ Exploiting user mistakes: storing a preconfigured password, social engineering. Countermeasures: training, IDS, additional authentication.
▪ Exploiting multiple password use: different devices sharing a similar password. Countermeasures: policies.
Token-based authentication
▪ Tokens – objects that a user possesses for the purpose of user authentication
▪ Types of cards used as tokens:
Remote authentication
▪ More complex than local authentication; takes place over the Internet, a
network, or a communications link.
▪ Raises additional security threats, such as an eavesdropper being able to capture
a password, or an adversary replaying an authentication sequence that has been
observed.
▪ Counter threats – challenge-response protocols (e.g. Kerberos)
▪ This scheme defends against several forms of attack (e.g. intrusion). The host
stores not the password but a hash code of the password.
▪ Example protocols: password protocol, token protocol, biometric protocol
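The password-based technique earlier in the chapter and the remote-authentication slide above describe two ideas that are easy to confuse: storing a hash of the password on the host, and a challenge-response exchange so that the password itself never crosses the link and a captured exchange cannot be replayed. The block below is an added example written for this page, not code from the slides or from any product: `AuthServer` stores a salt and a PBKDF2-derived key per user, supports a plain password login, and also issues a random nonce that the client answers with an HMAC under the same derived key. The user name, password, work factor and the `AuthServer` / `client_response` names are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor; an assumption, tune for your hardware


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation so a stolen user database cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class AuthServer:
    """Stores salt + derived key per user, never the password itself."""

    def __init__(self):
        self._users = {}        # username -> (salt, derived_key)
        self._pending = {}      # username -> outstanding nonce for challenge-response
        self._used_nonces = set()

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, derive_key(password, salt))

    # --- 1. plain password-based authentication: client sends the password itself
    def login_with_password(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            derive_key(password, b"\x00" * 16)   # burn the same time for unknown users
            return False
        salt, stored = record
        return hmac.compare_digest(derive_key(password, salt), stored)

    # --- 2. challenge-response: the password never crosses the link
    def issue_challenge(self, username: str):
        record = self._users.get(username)
        if record is None:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return record[0], nonce      # the client needs the salt to derive the same key

    def verify_response(self, username: str, nonce: bytes, response: bytes) -> bool:
        expected = self._pending.pop(username, None)
        if expected is None or nonce != expected or nonce in self._used_nonces:
            return False             # no outstanding challenge, or a replayed one
        self._used_nonces.add(nonce)
        _, key = self._users[username]
        return hmac.compare_digest(hmac.new(key, nonce, "sha256").digest(), response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the client sends back: an HMAC of the challenge under the password-derived key."""
    return hmac.new(derive_key(password, salt), nonce, "sha256").digest()


def demo():
    """Runs both flows and a replay of a captured challenge-response pair."""
    server = AuthServer()
    server.register("alice", "correct horse battery staple")   # constructed sample user
    password_ok = server.login_with_password("alice", "correct horse battery staple")
    password_bad = server.login_with_password("alice", "wrong")

    salt, nonce = server.issue_challenge("alice")
    response = client_response("correct horse battery staple", salt, nonce)
    first = server.verify_response("alice", nonce, response)
    # An eavesdropper who captured (nonce, response) and sends it again is rejected:
    replay = server.verify_response("alice", nonce, response)
    return password_ok, password_bad, first, replay


if __name__ == "__main__":
    print(demo())
```

One caveat worth noticing in the second flow: because the client proves knowledge of the derived key, that stored key is itself enough to answer a challenge, so the database still has to be protected even though it holds no plaintext passwords.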
Security issues on user authentication
[Table: Principal attacks on user authentication, broken down by type of authenticator.]
Authorization
▪ Authorization is the process of granting someone permission to do something.
▪ It is a way to check whether the user has permission to use a resource or not.
▪ Authorization usually works together with authentication so that the system
knows who is accessing the information.
Authentication vs Authorization
▪ Authentication: the process of identifying a user to provide access to a system.
  Authorization: the process of giving permission to access the resources.
▪ Authentication: the user or client and the server are verified.
  Authorization: it is verified whether the user is allowed according to the defined policies and rules.
▪ Authentication: usually performed before authorization.
  Authorization: usually done once the user is successfully authenticated.
▪ Authentication: requires the login details of the user, such as user name & password, etc.
  Authorization: requires the user's privilege or security level.
▪ Authentication: data is provided through the Token Ids.
  Authorization: data is provided through the access tokens.
▪ Authentication example: entering login details is necessary for employees to authenticate themselves to access the organizational emails or software.
  Authorization example: after employees successfully authenticate themselves, they can access and work on certain functions only as per their roles and profiles.
▪ Authentication: credentials can be partially changed by the user as per the requirement.
  Authorization: permissions cannot be changed by the user. The permissions are given to a user by the owner/manager of the system, and only he can change them.
Access Control
▪ Access Control is the prevention of unauthorized use of a resource
(including the prevention of use of a resource in an unauthorized
manner).
Access Control Categories
Access Control…
▪ To secure a facility, organizations use electronic access control systems
that rely on user credentials, access card readers, auditing and reports
to track employee access to restricted business locations and
proprietary areas, such as data centers.
Why is Access Control Important
Why is Access Control Important…
cloud services.
How Access Control Works
Access Control Models
Access Control Models…
1. Mandatory Access Control
▪ In MAC, the operating system grants access to the user based on their
identity and data.
▪ To gain access, the user has to submit their personal information.
▪ It is very secure because the rules and restrictions are imposed by the
admin and strictly followed.
Access Control Models…
Attributes of MAC
▪ It has tighter security because only the administrator can access or alter
controls; it can also help reduce system errors.
▪ MAC has an enforced operating system that can label and delineate
incoming application data.
▪ Ex: the access levels in Windows for ordinary users, admins, and guests
are examples of MAC.
Access Control Models…
2. Discretionary Access Control (DAC)
Access Control Models…
Attributes of DAC
▪ Authorization failure can restrict a user's access after several failed
attempts.
Access Control Models…
3. Role-based access control (RBAC)
▪ Ex: executive level, engineer level 1, etc., rather than the identities of
individual users.
Access Control Models…
5. Attribute-based access control
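The four models listed in this section (MAC, DAC, RBAC and ABAC) differ mainly in who sets the rule and what the rule is evaluated over. The block below is an added example, not code from the slides or from any operating system: each model is reduced to one small decision function so the differences can be compared on the same kinds of requests. The MAC rule is assumed to be the Bell-LaPadula "no read up, no write down" comparison of security levels, which the slides do not name; the user names, roles, department and clearance values are constructed sample data.

```python
from dataclasses import dataclass, field

# ---- 1. Mandatory Access Control: labels are assigned by the administrator and
# compared by one fixed rule that users cannot override.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Bell-LaPadula style rule (assumed here as the MAC policy): a subject may
    read objects at or below its level and write only at or above it."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s >= o          # no read up
    if op == "write":
        return s <= o          # no write down
    return False


# ---- 2. Discretionary Access Control: the owner of the object decides.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permitted operations

    def grant(self, granter: str, user: str, op: str) -> bool:
        """Only the owner may extend the ACL; anyone else is refused."""
        if granter != self.owner:
            return False
        self.acl.setdefault(user, set()).add(op)
        return True

    def allows(self, user: str, op: str) -> bool:
        return user == self.owner or op in self.acl.get(user, set())


# ---- 3. Role-Based Access Control: permissions hang off roles, users get roles.
ROLE_PERMS = {
    "engineer_l1": {"read_code"},
    "executive": {"read_code", "read_finance"},
}
USER_ROLES = {"bob": {"engineer_l1"}, "carol": {"executive"}}   # constructed sample users


def rbac_allows(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set()) for role in USER_ROLES.get(user, set()))


# ---- 4. Attribute-Based Access Control: a policy evaluated over subject,
# resource and environment attributes at request time.
def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    same_department = subject.get("department") == resource.get("department")
    business_hours = 9 <= env.get("hour", -1) < 18
    cleared = subject.get("clearance", 0) >= resource.get("sensitivity", 0)
    return same_department and business_hours and cleared


def demo() -> dict:
    """Runs one or two decisions per model so the differences are visible side by side."""
    doc = DacObject(owner="alice")
    grant_by_non_owner = doc.grant("bob", "bob", "read")     # refused: bob is not the owner
    grant_by_owner = doc.grant("alice", "bob", "read")       # accepted
    eng_subject = {"department": "eng", "clearance": 2}
    eng_resource = {"department": "eng", "sensitivity": 1}
    return {
        "mac_secret_reads_confidential": mac_allows("secret", "confidential", "read"),
        "mac_confidential_reads_secret": mac_allows("confidential", "secret", "read"),
        "mac_secret_writes_confidential": mac_allows("secret", "confidential", "write"),
        "dac_grant_by_non_owner": grant_by_non_owner,
        "dac_grant_by_owner": grant_by_owner,
        "dac_bob_reads": doc.allows("bob", "read"),
        "dac_bob_writes": doc.allows("bob", "write"),
        "rbac_bob_finance": rbac_allows("bob", "read_finance"),
        "rbac_carol_finance": rbac_allows("carol", "read_finance"),
        "abac_in_hours": abac_allows(eng_subject, eng_resource, {"hour": 10}),
        "abac_after_hours": abac_allows(eng_subject, eng_resource, {"hour": 20}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The DAC case is the one to watch in practice: because the owner can hand out rights, a compromised owner account can widen access in ways the administrator never approved, which is the weakness the MAC slides are pointing at.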
Implementing Access Control
▪ Access control is integrated into an organization's IT environment.
Challenges of Access Control…
▪ Many of the challenges of access control arise from the highly
distributed nature of modern IT.
Challenges of Access Control…
▪ Specific examples of challenges include the following:
▪ Dynamically managing distributed IT environments;
Access Control Software
Access Control Software…
▪ Types of access management software tools include the following:
▪ Reporting and monitoring applications (e.g. Nagios)
▪ Password management tools (e.g. NordPass)
Thank You