Unit 02. NIS (22620)

This document covers user authentication and access control, emphasizing the importance of strong password selection strategies and criteria to protect against unauthorized access. It details various password attacks, such as shoulder surfing and dumpster diving, and introduces biometric authentication methods, highlighting their advantages and limitations. Additionally, it explains the concepts of access control, authentication, and authorization in the context of security.

Uploaded by

waghkaveri5

❖ UNIT 02. USER AUTHENTICATION AND ACCESS CONTROL.

➢ 2.1 Password Selection Strategies and Criteria


Definition:

• A strong password is essential for protecting user accounts, confidential data, and
system security from unauthorized access.
• Weak passwords can be easily guessed or cracked using brute-force attacks.
• Following password selection strategies and criteria helps in creating secure and
hard-to-crack passwords.

1 Password Selection Strategies


• A password should be long, unique, and difficult to guess.
• It should not contain easily available personal information like birthdate or phone
number.
• Different passwords should be used for different accounts.
Common Strategies for Strong Passwords:

1. Use a Passphrase Instead of a Password


o Create a sentence-like password that is easy to remember but hard to guess.
o Example: "I@Love#Mangoes2024!"

2. Use a Combination of Characters


o Include uppercase & lowercase letters, numbers, and special characters.
o Example: "P@ssW0rd!23"

3. Avoid Common or Guessable Passwords


o Do not use simple passwords like "123456", "password", or "admin".

4. Use a Unique Password for Every Account


o If one password is compromised, the other accounts remain safe.

5. Enable Two-Factor Authentication (2FA)


o Even if a hacker gets the password, 2FA adds an extra security layer.

6. Change Passwords Regularly


o Update passwords every 3 to 6 months to improve security.

7. Use a Password Manager


o Store complex passwords securely without needing to remember them.
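The strategies above can be turned into a small policy checker. This is an added example, not part of the original notes: the minimum length (12), the minimum number of character classes (3) and the short blocklist are assumptions chosen for the demo, and a real deployment would use a large list of known-breached passwords instead.

```python
"""Password selection criteria expressed as checks (added example)."""
import string

# Constructed blocklist standing in for a real common-password wordlist.
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "password123"}

MIN_LENGTH = 12      # assumption: minimum length for this demo policy
MIN_CLASSES = 3      # assumption: at least three of the four character classes


def character_classes(password: str) -> int:
    """Count how many of upper/lower/digit/special appear in the password."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def contains_personal_info(password: str, personal) -> bool:
    """True if a personal detail (name, birth year, phone) appears in the
    password, ignoring case. Fragments shorter than 4 chars are ignored so
    that a single digit does not trigger the rule."""
    lowered = password.lower()
    return any(len(p) >= 4 and p.lower() in lowered for p in personal)


def evaluate_password(password: str, personal=()) -> list:
    """Return the list of criteria the password violates (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append("needs a mix of uppercase, lowercase, digits and special characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if contains_personal_info(password, personal):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    for candidate in ("I@Love#Mangoes2024!", "123456", "Kaveri@1999Strong!"):
        print(candidate, "->", evaluate_password(candidate, ["Kaveri", "1999"]) or "accepted")
```

The passphrase example from strategy 1 passes every check, while "123456" fails three of them at once; the personal-information rule is what catches an otherwise well-formed password built from a name and birth year.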

Marathi Tip: "A strong password is an unbreakable lock! Always use mixed letters, numbers, and special characters!"

Diploma Helper. Feel free to DM us at. 8698079745



2 Password Selection Criteria


A strong password must follow specific criteria to ensure maximum security.

Marathi Tip: "A password should be long, complex, and unique; do not use simple passwords like 'password123'!"

➢ Password Attacks and Their Types (Most important: a question on this always appears)

Definition:

• A password attack is a method used by hackers to steal, guess, or crack passwords
to gain unauthorized access to a system. Attackers use different techniques to obtain
passwords, such as spying, tricking users, or searching for discarded information.

Why Are Password Attacks Dangerous?

• Can lead to identity theft and data breaches.
• Attackers can access sensitive files, emails, and banking accounts.
• Weak passwords are easy targets for hackers.

Password Attacks:
• Shoulder Surfing
• Piggybacking
• Dumpster Diving


1 Shoulder Surfing Attack


Definition:
• Shoulder surfing is a social engineering attack where an attacker watches someone
enter their password, PIN, or other confidential data.
• Attackers observe from behind, through cameras, or using binoculars.

Example:
• A hacker watches a person enter their ATM PIN at a bank.
• A student sees a classmate type their password in the college lab.

Prevention:
• Use privacy screens on laptops and mobiles.
• Cover the keypad while entering a PIN.
• Be aware of surroundings in public places.
• Use biometric authentication instead of typing passwords.

Marathi Tip: "Shoulder surfing means someone is peeking over your shoulder and watching your password!"

2 Piggybacking (Tailgating Attack)


Definition:
• Piggybacking happens when an unauthorized person follows an authorized user into
a restricted area to gain access.
• It is commonly seen in offices, banks, and government buildings.

Example:
• A hacker follows an employee through a secure office door without swiping an
access card.
• Someone enters a password-protected Wi-Fi network by secretly using another
person’s credentials.

Prevention:
• Never hold the door open for strangers in a secure area.
• Use ID badges and biometric access for entry.
• Monitor security cameras at entry points.
• Enable multi-factor authentication (MFA) for digital access.

Marathi Tip: "Piggybacking means an unauthorized person gains entry along with you, without you knowing!"


3 Dumpster Diving
Definition:
• Dumpster diving is an attack where hackers search trash bins or discarded materials
to find sensitive information like passwords, bank details, and confidential
documents.
• Many people throw away paper notes, expired access cards, and old hard drives
without destroying them properly.

Example:
• A hacker finds a bank statement in the trash and uses the account details.
• An attacker recovers login credentials from an old hard drive thrown away by a
company.

Prevention:
• Shred paper documents before disposing of them.
• Destroy old hard drives and USBs before discarding them.
• Never write passwords on sticky notes or paper.
• Use password managers to store credentials securely.

Marathi Tip: "Dumpster diving means a hacker searching the trash for passwords; never throw confidential papers straight into the bin!"

4 Password Attacks and Prevention


➢ 2.2 Biometric
Definition:
• Biometric authentication is a security method that uses unique physical or behavioral
characteristics to verify an individual's identity.
• It is commonly used in smartphones, offices, banks, and high-security environments to
replace traditional passwords.

How Does Biometric Authentication Work?

Biometric systems work in four steps: Data Capture → Feature Extraction → Data Comparison → Authentication Decision

Diagram Explanation

• Data Capture → The biometric sensor scans and records physical/behavioral traits.
• Feature Extraction → Identifies unique features in the collected data.
• Data Comparison → Compares new data with stored biometric templates.
• Authentication Decision → Grants or denies access based on the match percentage.

Advantages of Biometrics
1. High Security & Accuracy – Unique for every individual, reducing fraud.
2. Fast & Convenient – No need for passwords; quick authentication.
3. Prevents Identity Theft – Hard to duplicate or fake.
4. Long-term Cost Savings – Reduces expenses on ID cards and password resets.

Disadvantages of Biometrics
1. Privacy Concerns & Data Misuse – Biometric data cannot be changed if stolen.
2. Expensive Implementation – High costs for scanners and maintenance.
3. Environmental & Physical Limitations – Dirt, injuries, or noise affect accuracy.
4. False Acceptance & Rejection Errors – The system may admit an impostor (false acceptance) or fail to recognize an authorized user (false rejection).

Marathi Tip: "Biometrics means proving your identity with your own body, for example unlocking a mobile with a fingerprint!"


➢ Types of Biometrics
1. Fingerprint Recognition
How It Works:
1. The fingerprint scanner captures unique ridges and valleys of a finger.
2. It converts the fingerprint into a digital template using algorithms.
3. The system compares the scanned print with stored templates.
4. If a match is found, access is granted; otherwise, it is denied.

Advantages:
• Fast and reliable authentication (takes less than a second).
• Easy to integrate with mobile devices and attendance systems.
• Requires minimal storage space compared to other biometrics.
• Difficult to guess or duplicate manually.

Limitations:
• Can be bypassed using fake fingerprints (e.g., gummy fingers).
• If fingers are dirty, wet, or injured, scanning fails.
• Not suitable for shared devices (multiple users).
• Not effective for elderly people (finger ridges fade with age).

Examples:
• Smartphones (Fingerprint Unlock)
• Banking (ATM Biometric Authentication)
• Attendance Systems (Offices, Schools)

Marathi Tip: "A fingerprint is a fast and easy way to prove identity, but it fails if the fingers are damaged!"

2. Handprint Recognition
How It Works:
1. The scanner captures the entire hand shape, vein pattern, and thickness.
2. A 3D digital model of the hand is created.
3. The system compares the handprint with stored biometric data.
4. If a match is found, authentication is successful.

Advantages:
• More secure than fingerprints (analyzes veins inside the hand).
• Works even if fingerprints are damaged.
• Difficult to duplicate compared to fingerprints.
• Useful in high-security access systems.


Limitations:
• Requires larger storage space due to 3D modeling.
• Hand size changes over time (not suitable for children).
• Scanners are costly and bulky.
• Takes longer to process compared to fingerprints.

Examples:
• High-security offices & laboratories
• Factories for worker attendance

Marathi Tip: "A handprint means more data than a fingerprint, but a more secure method!"

3. Retina Scan
How It Works:
1. The user looks into an infrared scanner.
2. The scanner detects unique blood vessel patterns in the retina.
3. It compares this pattern with stored templates.
4. If a match is found, access is granted.

Advantages:
• Most accurate biometric method (retina patterns never change).
• Impossible to fake or duplicate.
• Works even in low light conditions.
• Highly useful for military and high-security areas.

Limitations:
• Expensive hardware required.
• Requires close proximity scanning, causing user discomfort.
• Can fail due to eye diseases (e.g., cataracts).
• Not suitable for mass authentication (slow process).

Examples:
• Military defense access
• Bank vaults, secret research labs

Marathi Tip: "A retina scan means proving identity by scanning the blood vessels of the eye; the most accurate, but expensive!"


4. Pattern Recognition (Facial & Vein Recognition) (Just read; never asked yet)
How It Works:
1. AI-based software captures facial features, vein structures, or body posture.
2. The system creates a digital facial map or vein pattern.
3. It matches this pattern with stored biometric data.
4. If the face or vein pattern matches, authentication is successful.

Advantages:
• Contactless authentication (no need to touch devices).
• Can work in low-light conditions using infrared cameras.
• Fast and convenient for user authentication.
• Used in public security and surveillance.

Limitations:
• Facial changes (beard, makeup, aging) may reduce accuracy.
• Can be fooled by high-resolution photos or deepfake AI.
• Less secure than fingerprint or retina scans.
• Privacy concerns (face data stored in databases).

Examples:
• Smartphone Face Unlock (iPhone Face ID, Android Face Recognition)
• AI-based surveillance in malls, stadiums, and airports

Marathi Tip: "Pattern recognition means identification based on facial or body features!"

5. Voice Pattern Recognition

How It Works:
1. The system records the user's voice and analyzes pitch, tone, and pronunciation.
2. The system extracts unique voice patterns and stores them.
3. When the user speaks again, it compares the new recording with the stored voice sample.
4. If matched, authentication is granted.

Advantages:
• Hands-free authentication (remote access possible).
• No extra hardware needed (microphone is enough).
• Useful for visually impaired users.
• Works in telephonic banking systems.


Limitations:
• Background noise can reduce accuracy.
• Cannot recognize voices during throat infections.
• Easily recorded and replayed by hackers.
• Not suitable for noisy environments.

Examples:
• Phone banking authentication
• Voice assistants like Siri, Alexa, Google Assistant

Marathi Tip: "Voice pattern means granting access by recognizing the way you speak!"

6. Signature & Writing Pattern Recognition (Just read; never asked yet)

How It Works:
1. The system captures the user's handwriting movements.
2. It analyzes writing speed, pressure, and angles.
3. The system compares the signature with stored biometric data.
4. If a match is found, authentication is granted.

Advantages:
• Can be used for legal verification.
• More secure than a simple signature match.
• Difficult to replicate by human forgers.
• Useful for digital contracts.

Limitations:
• Handwriting changes over time.
• Less accurate than fingerprint or retina scans.
• Can be forged with practice.
• Not suitable for fast authentication.

Examples:
• Bank cheque verification
• Legal document signing (e-signatures)

Marathi Tip: "Signature pattern means proving identity by recognizing the distinctive style of handwriting, for example checking at the bank whether the signature on your cheque is genuine!"


7. Keystroke Recognition
How It Works:
1. Records the user's typing rhythm, key pressure, and typing speed.
2. Stores the unique pattern as a biometric template.
3. During login, it compares the typing pattern with stored data.
4. If the pattern matches, authentication is successful.
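The four-step pipeline from section 2.2 (data capture, feature extraction, comparison, decision) and the keystroke recognition steps above can be run end to end on timing data. This is an added example, not part of the original notes: the samples are constructed millisecond timings for a fixed four-key phrase, laid out as [dwell1, flight1, dwell2, flight2, ...], and the thresholds and the 5 ms spread floor are assumptions for the demo. It also shows the false acceptance / false rejection trade-off listed under the disadvantages of biometrics: the same template gives different error rates depending on how strict the decision threshold is.

```python
"""Keystroke-dynamics biometric pipeline with FAR/FRR (added example)."""
from statistics import mean, pstdev

SIGMA_FLOOR = 5.0   # assumption: minimum spread (ms) so one feature cannot dominate


def extract_template(samples):
    """Feature extraction: per-feature mean and spread over enrolment captures."""
    columns = list(zip(*samples))
    mu = [mean(col) for col in columns]
    sigma = [max(pstdev(col), SIGMA_FLOOR) for col in columns]
    return mu, sigma


def distance(template, probe):
    """Comparison: mean normalised deviation of the probe from the template
    (0 = identical rhythm; larger = less similar)."""
    mu, sigma = template
    return mean(abs(x - m) / s for x, m, s in zip(probe, mu, sigma))


def decide(template, probe, threshold):
    """Authentication decision: accept only if the distance is under threshold."""
    return distance(template, probe) < threshold


def error_rates(template, genuine, impostor, threshold):
    """(FAR, FRR) for a threshold: FAR = impostors admitted / impostor probes,
    FRR = genuine users refused / genuine probes."""
    far = sum(decide(template, p, threshold) for p in impostor) / len(impostor)
    frr = sum(not decide(template, p, threshold) for p in genuine) / len(genuine)
    return far, frr


# Data capture, constructed: three enrolment typings by the legitimate user.
ENROL = [
    [90, 120, 95, 130, 88, 110, 100, 140],
    [94, 126, 99, 134, 92, 114, 104, 144],
    [86, 114, 91, 126, 84, 106, 96, 136],
]
# Constructed probes: a normal typing by the same user, then a tired/slow one.
GENUINE_PROBES = [
    [92, 123, 96, 128, 90, 112, 101, 143],
    [100, 135, 105, 142, 98, 122, 110, 155],
]
# Constructed probes: a clearly different typist, then one who imitates closely.
IMPOSTOR_PROBES = [
    [140, 200, 150, 220, 135, 190, 160, 230],
    [98, 128, 103, 138, 96, 118, 108, 148],
]

TEMPLATE = extract_template(ENROL)

if __name__ == "__main__":
    for threshold in (1.0, 3.0):
        far, frr = error_rates(TEMPLATE, GENUINE_PROBES, IMPOSTOR_PROBES, threshold)
        print(f"threshold {threshold}: FAR={far:.2f} FRR={frr:.2f}")
```

A strict threshold (1.0) rejects every impostor here but also rejects the legitimate user's slow typing; a loose one (3.0) accepts the legitimate user every time but lets the imitating impostor through. Because typing continues throughout a session, the same `decide` check can be re-run on each new burst of keystrokes, which is the continuous authentication the advantages list refers to.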

Advantages:
• Continuous authentication (can detect unauthorized users over time).
• No additional hardware required.
• Can detect fraudulent activities.
• Useful for online banking security.

Limitations:
• Typing styles change over time.
• Slower compared to fingerprints.
• Difficult to implement on shared computers.

Examples:
• Fraud detection in online banking
• Cybersecurity systems

Marathi Tip: "Keystroke means identification based on typing speed and manner, for example confirming a person by recognizing their particular typing style!"

Summary Table: Biometrics Types, Advantages, and Limitations


➢ 2.3 Access Control, Authentication, and Authorization with respect to Security
▪ Access Control → Defines who can access what.
▪ Authentication → Confirms who you are.
▪ Authorization → Determines what you can do.

1. Access Control (Who Can Access What?)


Definition:
• Access Control is a security mechanism that regulates who is allowed to access
data, resources, or systems based on predefined policies.
• It ensures only authorized users can perform specific actions.

Example:
• A student cannot access the university's admin dashboard.
• A cashier can access sales data but not employee salaries.

Types of Access Control:


1. Discretionary Access Control (DAC) → Owner defines access permissions.
2. Mandatory Access Control (MAC) → Access is controlled by strict security rules
(e.g., military systems).
3. Role-Based Access Control (RBAC) → Access is granted based on job roles (e.g.,
admin, employee, guest).

Marathi Tip: "Access control means deciding who gets which access, for example a student has no access to the principal's office!"

2. Authentication (Who Are You?)


Definition:
• Authentication is the process of verifying the identity of a user or system before
granting access.
• It ensures that only legitimate users can log in.

Example:
• Entering a password before accessing an email account.
• Fingerprint scanning before unlocking a smartphone.


Types of Authentication:
• Something You Know → Passwords, PIN codes.
• Something You Have → Smart card, OTP (One-Time Password).
• Something You Are → Biometrics (fingerprint, retina scan).
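Combining "something you know" with "something you have" is the two-factor authentication recommended in the password strategies. The following is an added example, not code from the original notes: it implements HOTP (RFC 4226) and TOTP (RFC 6238) on top of Python's standard `hmac` module, stores the password as a salted PBKDF2 hash rather than in clear, and refuses an OTP that has already been accepted so that a captured code cannot be reused. The account, secret and pinned clock values are constructed for the demo.

```python
"""Password + TOTP two-factor login with replay refusal (added example)."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    periods since the Unix epoch (`at` lets the demo pin the clock)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; the server keeps (salt, hash), never the password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class TwoFactorAccount:
    """An account guarded by a password (something you know) and a TOTP
    secret (something you have). A code that was already accepted is never
    accepted again, so an OTP seen by an attacker cannot be replayed."""

    def __init__(self, password: str, secret: bytes):
        self.salt, self.pw_hash = hash_password(password)
        self.secret = secret
        self.last_counter_used = -1

    def login(self, password: str, code: str, at: Optional[float] = None, step: int = 30) -> bool:
        _, candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.pw_hash):
            return False                          # first factor failed
        now = time.time() if at is None else at
        counter = int(now // step)
        # Accept the current or the previous period to tolerate clock drift,
        # but never a period at or before the last one already used.
        for c in (counter, counter - 1):
            if c > self.last_counter_used and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter_used = c        # burn the code
                return True
        return False


if __name__ == "__main__":
    # Constructed demo account; the secret is the RFC 4226 test-vector key.
    account = TwoFactorAccount("I@Love#Mangoes2024!", b"12345678901234567890")
    code = totp(account.secret)
    print("first login:", account.login("I@Love#Mangoes2024!", code))
    print("replayed code:", account.login("I@Love#Mangoes2024!", code))
```

Both factors are checked with `hmac.compare_digest` so a wrong password or code takes the same time to reject as a nearly-right one. The RFC test vectors (counter 0 gives 755224 for that key) make it easy to confirm the HOTP arithmetic against the standard before trusting the implementation.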

Marathi Tip: "Authentication means proving your identity, for example entering your PIN when using an ATM!"

3. Authorization (What Can You Do?)


Definition:
• Authorization is the process of determining what actions a user is allowed to
perform after authentication.
• It controls permissions for users and systems.

Example:
• A student can view exam results but cannot modify them.
• An HR manager can access employee salary records, but a regular employee cannot.

Difference Between Authentication and Authorization:

Marathi Tip: "Authorization means granting permission, for example a security guard has access to the building but not to the boss's cabin!"

4. Audit in Security (Just read; never asked yet)

Definition:
• Audit is the process of systematically reviewing and examining security logs, user
activities, and system operations to ensure compliance with security policies and
detect unauthorized access or threats.
• It helps in identifying vulnerabilities, tracking suspicious activities, and ensuring
data integrity.


Purpose of an Audit:
• Ensures system security and compliance with policies.
• Detects unauthorized access and security breaches.
• Identifies weaknesses in the system that need improvement.
• Prevents fraud and cyberattacks by monitoring user behavior.

Example:
• A bank audits its customer transactions to detect unauthorized money transfers.
• A company reviews employee login records to identify unusual login attempts.

Types of Security Audits:


• Internal Audit → Conducted within the organization to check security policies.
• External Audit → Performed by third-party experts to ensure compliance with laws.
• Compliance Audit → Ensures the organization follows regulations (e.g., GDPR, ISO
27001).
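The second audit example above, reviewing login records for unusual attempts, can be automated over the log. This is an added example, not from the original notes: the login records are constructed, and the three rules it applies (a run of failures followed by a success, a login outside business hours, and a first login from an address not previously seen for that user) are assumed audit policies rather than anything the notes prescribe.

```python
"""Reviewing constructed login records for unusual attempts (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed login records: timestamp, user, source address, result.
LOG_LINES = """\
2024-03-04 09:02:11 ravi 10.0.0.15 SUCCESS
2024-03-04 09:10:45 priya 10.0.0.22 SUCCESS
2024-03-04 23:41:02 ravi 203.0.113.9 FAILURE
2024-03-04 23:41:09 ravi 203.0.113.9 FAILURE
2024-03-04 23:41:15 ravi 203.0.113.9 FAILURE
2024-03-04 23:41:30 ravi 203.0.113.9 SUCCESS
2024-03-05 10:15:00 priya 10.0.0.22 SUCCESS
""".splitlines()

FAILURE_BURST = 3               # assumption: failures before a success worth flagging
BUSINESS_HOURS = range(8, 19)   # assumption: 08:00 to 18:59 counts as normal


def parse(line):
    """Split one record into (datetime, user, address, result)."""
    date, clock, user, ip, result = line.split()
    return datetime.fromisoformat(f"{date} {clock}"), user, ip, result


def review_logins(lines):
    """Return (user, finding) tuples for every successful login that breaks a rule.
    Failures are counted per user and reset once a success has been examined."""
    findings = []
    recent_failures = defaultdict(int)
    known_ips = defaultdict(set)
    for line in lines:
        when, user, ip, result = parse(line)
        if result == "FAILURE":
            recent_failures[user] += 1
            continue
        if recent_failures[user] >= FAILURE_BURST:
            findings.append((user, f"success after {recent_failures[user]} failures"))
        if when.hour not in BUSINESS_HOURS:
            findings.append((user, f"login outside business hours at {when:%H:%M}"))
        if known_ips[user] and ip not in known_ips[user]:
            findings.append((user, f"login from new address {ip}"))
        known_ips[user].add(ip)
        recent_failures[user] = 0
    return findings


if __name__ == "__main__":
    for user, finding in review_logins(LOG_LINES):
        print(f"{user}: {finding}")
```

On the constructed records the late-night success for ravi trips all three rules at once, which is the kind of correlated evidence an auditor follows up, while priya's daytime logins from her usual address produce nothing.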

Marathi Tip: "Audit means inquiry into and inspection of the security system, for example checking bank transactions to find fraud!"

➢ Policies in Security
• In security, access control defines who can access data, systems, and resources. The
three major access control models are:

1 DAC (Discretionary Access Control) → User-controlled access
2 MAC (Mandatory Access Control) → Strict system-enforced access
3 RBAC (Role-Based Access Control) → Access based on job roles

These models help organizations secure sensitive data and prevent unauthorized access.

1 Discretionary Access Control (DAC)


Definition:
• DAC is a flexible access control model where the owner of the resource (file, folder,
or database) decides who can access it and what permissions they have.
• It allows users to modify permissions, making it easy to use but less secure.


Features:
• User-based access control → The owner grants or revokes access.
• Access Control Lists (ACLs) → Define who can read, write, or execute files.
• Flexible permissions → Users can easily change access rights.
• Low security → Users can mistakenly grant access to unauthorized persons.
• Common in operating systems → Used in Windows and Linux file permissions.
• Prone to malware risks → If a user account is hacked, attackers can modify
permissions.

Example:
• In Windows, the file owner can allow or deny access to other users.
• In Linux, the chmod command is used to set file permissions.

Marathi Tip: "DAC means access rights at the owner's discretion, for example you decide who gets a folder from your mobile!"

2 Mandatory Access Control (MAC)


Definition:
• MAC is a strict security model where access is controlled by the system, not the
user.
• Access is based on security labels (e.g., Top Secret, Confidential, Public).
• Users cannot change access rights—only system administrators define them.

Features:
• System-enforced security → Users cannot modify permissions.
• Used in classified environments → Government, military, and banking systems.
• Security labels are assigned → Example: "Top Secret," "Confidential," "Public."
• Highly secure → Prevents unauthorized access and reduces hacking risks.
• Prevents data leakage → Only specific users can access sensitive data.
• Complex to manage → Requires administrators to define policies.

Example:
• Military security systems → Only high-clearance officers can access confidential
files.
• Bank databases → Customers can see their account details but cannot access other
accounts.

Marathi Tip: "MAC means access control based on the system's rules, for example in a bank system a customer can see only their own account!"


3 Role-Based Access Control (RBAC) (Just read; never asked yet)

Definition:
• RBAC assigns access permissions based on user roles instead of individual users.
• Users are assigned roles like Admin, Manager, Employee, Guest, etc., and they get
permissions based on their role.
• It is widely used in large organizations to simplify security management.

Features:
• Role-based security model → Users cannot modify their own permissions.
• Easier to manage in large organizations → No need to assign permissions to each
user.
• More secure than DAC → Users only get access relevant to their job.
• Prevents privilege misuse → Employees cannot access unnecessary data.
• Reduces administrative workload → Administrators only manage roles, not
individual users.
• Supports least privilege principle → Users get only necessary access to perform
tasks.

Example:
• In a company:
o HR Managers can access employee records.
o Finance Team can access salary details.
o Employees can access their own profiles but not others' data.
• In a hospital:
o Doctors can access patient records.
o Receptionists can only check appointment details.

Marathi Tip: "RBAC means role-based access control, for example in a hospital doctors can view reports, but the receptionist cannot!"
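The three models described under "Policies in Security" differ in who decides and on what basis, which is easiest to see in code. This is an added example, not part of the original notes: the users, files, labels and roles are constructed, and the MAC rules used (a subject may read only at or below its clearance and write only at or above it, the usual "no read up / no write down" pair) are an assumption about how the notes' security labels are compared, since the notes only say that access is based on the labels.

```python
"""DAC, MAC and RBAC side by side on constructed data (added example)."""


# ---------- DAC: the owner of each resource manages its ACL ----------
class DacFile:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}   # owner starts with full rights

    def grant(self, actor, user, permission):
        """Only the owner may change the ACL (discretionary = owner's choice)."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner")
        self.acl.setdefault(user, set()).add(permission)

    def allows(self, user, permission):
        return permission in self.acl.get(user, set())


# ---------- MAC: the system compares clearance with classification ----------
LABELS = ["Public", "Confidential", "Top Secret"]     # ordered low -> high


def mac_can_read(clearance, classification):
    """No read up: a subject reads an object only if its clearance is at
    or above the object's label. Users cannot change either label."""
    return LABELS.index(clearance) >= LABELS.index(classification)


def mac_can_write(clearance, classification):
    """No write down: a subject writes only to objects at or above its own
    level, so classified content cannot leak into a public file."""
    return LABELS.index(clearance) <= LABELS.index(classification)


# ---------- RBAC: permissions attach to roles, users are given roles ----------
ROLE_PERMISSIONS = {
    "hr_manager": {"read:employee_records"},
    "finance":    {"read:salary_details"},
    "employee":   {"read:own_profile"},
}


def rbac_allows(user_roles, permission):
    """A user holds exactly the union of the permissions of their roles."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user_roles)


def demo():
    """Exercise each model on the notes' company example and return the outcomes."""
    results = {}
    report = DacFile(owner="alice")
    report.grant("alice", "bob", "read")
    results["dac_bob_read"] = report.allows("bob", "read")
    results["dac_bob_write"] = report.allows("bob", "write")
    try:
        report.grant("bob", "mallory", "read")   # bob is not the owner
        results["dac_bob_can_grant"] = True
    except PermissionError:
        results["dac_bob_can_grant"] = False
    results["mac_conf_reads_public"] = mac_can_read("Confidential", "Public")
    results["mac_conf_reads_top_secret"] = mac_can_read("Confidential", "Top Secret")
    results["mac_conf_writes_public"] = mac_can_write("Confidential", "Public")
    results["rbac_hr_reads_records"] = rbac_allows({"hr_manager"}, "read:employee_records")
    results["rbac_employee_reads_salary"] = rbac_allows({"employee"}, "read:salary_details")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

In DAC the decision rests on the owner's ACL, so a compromised owner account can hand out access; in MAC neither side can change the labels, so the comparison alone decides; in RBAC adding a person to the finance team is one role assignment rather than a permission change on every salary file, which is the least-privilege convenience the notes describe.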


➢ DAC vs. MAC vs. RBAC

❖ Summer 2022
1. Explain the terms : (2marks)
(i) Shoulder surfing
(ii) Piggybacking
2. Explain the mechanism of fingerprint & voice pattern in Biometrics. (4marks)
3. Describe the features of DAC access control policy. (4marks)
4. Define access control & explain authentication mechanism for access control. (4marks)

❖ Winter 2022
1. Explain shoulder surfing attack. (2marks)
2. Explain working of biometric access control with any type of example. (4marks)
3. Explain the term Authorization and Authentication with respect to security. (4marks)
4. Write short note on DAC & MAC. (4marks)

❖ Summer 2023
1. Identify any four individual user responsibilities in computer security. (2marks)
2. Define following with suitable example : (4marks)
(i) DAC
(ii) MAC
3. Describe piggybacking and shoulder surfing. (4marks)
4. Describe any four password selection criteria. (4marks)


❖ Winter 2023
1. List any four biometric mechanisms. (2marks)
2. Explain any two password attacks. (4marks)
3. Describe : (4marks)
(i) Piggybacking
(ii) Dumpster diving.
4. State the features of (4marks)
(i) DAC
(ii) MAC.

❖ Summer 2024
1. State any four advantages of Biometrics. (2marks)
2. Enlist types of Biometrics & explain any one Biometrics type in detail. (4marks)
3. Define the following terms : (4marks)
(i) Authentication
(ii) Authorization
4. Explain working of fingerprint mechanism and its limitations. (4marks)

❖ Winter 2024
1. Describe dumpster diving with its prevention mechanism. (4marks)
2. Define password selection strategies. (4marks)
3. Describe the following term w.r.t. biometric. (6marks)
i Finger Print Analysis
ii Retina Scan
iii Keystroke
