Authentication

Dr. Quratulain Alam
Authentication
• One of the first steps of access control is the
identification and authentication of users. There
are three common factors used for
authentication:
• Something you know (such as a password)
• Something you have (such as a smart card)
• Something you are (such as a fingerprint or
other biometric method)

Authentication System
• An authentication system is a mechanism used to
identify a user by associating an incoming request with a
set of identifying credentials. The credentials provided
are matched against a file in a database of authorized
user information on a local operating system, or on an
authentication server.
• Examples of authentication systems include multi-factor
authentication (MFA), two-factor authentication (2FA),
biometrics, and tokens.
• Within each category, security analysts can design or
choose a feature that fits their needs in terms of
availability, cost, ease of implementation, etc.
An authentication factor is a special category of security credential that is used to verify the identity and authorization of a user attempting to gain access, send communications, or request data from a secured network, system or application. There are three common factors used for authentication:
• Something you know,
• Something you have, and
• Something you are.
1: Passwords
The something-you-know factor is the most common factor used; the typical example is a password.
2: Personal identification numbers (PINs)
A Personal Identification Number (PIN) is the most common type of knowledge-based authentication factor used to restrict access to a system.
3: Security questions
Security questions are an alternative way to keep your data safe. They complement the other types of authentication, as the answers can identify users even when they have forgotten their credentials or tried to access an account from an unfamiliar device or location.
• Another authentication category widely used in this space is the possession factor, which is essentially the key to the security lock. It demands “something you have” before access to the network is granted, requiring the use of a physical object such as a token or device.
• 1: SMS one-time passwords (OTPs). An OTP in your authentication process helps minimize the risk of unauthorized access to your system. These automatically generated unique passwords are meant to be used just once within a given timeframe and are sent via SMS to the number registered by the user.
• 2: Hardware tokens. A hard token is a portable hardware device that a user possesses, generating OTPs to authorize access to a particular network.
• 3: Security keys. Like a hardware token, a security key is a portable device that works by plugging into your computer’s USB port. Once connected, it performs a cryptographic signature to let you into the domain you want to access.
• 1: Fingerprint scan. Unlike passwords or tokens, fingerprint authentication provides irrefutable evidence of employee and customer transactions within your system. Fingerprints are unique per individual, can’t be stolen or guessed, and provide highly reliable security against unauthorized access and insider threats. They are also cheaper and easier to integrate than most solutions.
• 2: Iris recognition. This biometric method scans the patterns of an iris, which is unique for every person, just like fingerprints. A National Institute of Standards & Technology report shows that iris recognition technology can produce an accuracy rate of 90–99%.
• 3: Facial authentication. Another breakthrough inherence factor used in most MFA is facial authentication. This technology uses biometrics to identify and verify the user’s dynamic facial features against its database of unique patterns exclusively associated with the authorized person’s face and facial expressions.
• Location factors
• Network administrators can implement services that use geolocation security checks to verify the location of a user before granting access to an application, network or system.
• Behavior factors
• A behavior-based authentication factor is based on actions undertaken by the user to gain access to the system. Have you seen mobile phone lock screens where the user is required to draw a specific pattern onto a grid of dots?
2FA & MFA
• Single-factor authentication is based on authenticating users using only one type of evidence, usually a password requested for a given username. Individual authentication factors on their own may present security vulnerabilities.
• Multi-factor authentication (MFA) is a multi-layered protection framework that verifies the identity of a user attempting to log in or request information from a secured network, system, or application. Unlike the traditional sign-in approach, it requires more than a username and password to gain access to a system.
• Multifactor authentication uses any two or more authentication factors. A key part of this is that the authentication factors must be in at least two of the categories. For example, using a smart card and a PIN is multifactor authentication since the two factors are something you have and something you know. However, if a user were required to enter a password and a PIN, it would not be multifactor authentication since both methods are from the same factor (something you know).
• Two-factor authentication (2FA) requires users to use two authentication methods, while multi-factor authentication (MFA) requires at least two (if not more) authentication methods.
• Implementing MFA makes it more difficult for a threat actor to gain access
to information systems—such as remote access technology, email, and
billing systems—even if passwords are compromised through phishing
attacks or other means.
• Popular forms of MFA include:
• Text message (SMS) or voice message
• Application-based MFA
• Phishing-resistant MFA
• Fingerprint authentication or face scan
• Where to implement MFA:
• Email accounts
• Financial services
• Social media accounts
• Online stores
• Gaming and streaming entertainment services
• A common approach for a malicious individual to compromise a system is to
exploit weak or non-existent authentication factors (e.g. secret
passwords/phrases). When you move to requiring strong authentication
factors, you help protect against this attack. By the way, using one factor
twice (for example, using two separate passwords) is not considered
multifactor authentication.

Protection of authentication factors
• To prevent misuse, the integrity of authentication mechanisms and the confidentiality of authentication data need to be protected. To do this, you should consider:
• Passwords and other data referring to something you know (type 1 – knowledge) should be difficult to guess or resistant to brute force attacks, and should be protected from disclosure to unauthorized parties.
• Smart cards, software certificates, and other data about something you have (type 2 – possession) should not be shared and should be protected from replication or possession by unauthorized parties.
• Biometric and other data about something you are (type 3 – inherence) must be protected from unauthorized replication or use by third parties with access to the device on which the data is present.
• Where any authentication elements rely on a multi-use consumer device, such as smartphones, computers and tablets, controls should also be in place to mitigate the risk of the device being compromised.
The Evolution of Password Security
• Plain text: the password is stored as unencrypted data.
• Unsalted hash
• The most basic concept in password security is hashing. The raw password goes through a one-way function that makes it impossible to get the raw password back, so the hashed password can be stored in your database; when a user logs in, the function is run again and the values are compared. Examples: MD5, SHA-1.
• Salted hash
• To multiply the complexity of hashed passwords, salts are used. These are random strings of data (generated and stored whenever the password is changed) which are stored in plain text alongside the hash.
• The Future of Password Security
• Multi-Layered Authentication – This is already well underway in companies around the globe. One password just isn’t enough anymore. Now, companies require a range of passwords to access your accounts, making it harder for hackers to get where you don’t want them.
• Biometrics – As long as you don’t have a clone trying to break into your account, using biometrics in place of a text password is one growing trend that will continue to rise. Biometrics use fingerprints, facial recognition and other traits to identify you as an individual when accessing an account.
• Artificial Intelligence – Let’s say a hacker is growing increasingly close to cracking your password. Wouldn’t it be nice if you had an automated system that would recognize this trend and change your password before the hacker does? This is what the power of artificial intelligence holds for the future of passwords.
Building a strong password system
• Once upon a time password security was simply typing in a 4-digit code. Today, the evolution of password security has grown into a new landscape of future cyber security potential.
• In today’s world, everything near and dear to you is protected by a password. From your phone, to social media accounts, and financial statements, you need a password to protect all aspects of your life.
• Password systems must be strong. By signing up to your online service, customers are trusting you with their passwords – betraying that trust can have serious impacts on your business.
• It’s impossible to have flawless security, but having an understanding of what was acceptable in the past and the best practices today can help you keep your users protected.
• Why Password Security is Important
• When your entire life is now online, it’s no question why investing in strong passwords is important for protecting your personal information.
• Balancing Factors
• There are many factors that need to be weighed up when building a great password system, so we’ll go into a few of the features and defences that a good system needs.
• Database leaks: It’s unacceptable for a database leak to result in your users’ passwords being revealed. To be secure against database leaks, cryptographically strong hashing functions need to be used.
• Brute force: A lot of users have passwords which are easy to guess, mainly in an attempt to make them easier to remember. An attacker can then try to log in to an account by running through a list of common passwords (a dictionary attack).
• Speed: Logging into a service should be quick and easy for the end user, but strong hashing functions are designed to be slow and resource intensive to help mitigate brute-force attacks.
• Maintainability: Good hashing algorithms and security practices are the result of years of research and have been tested by some of the world’s best scientists and mathematicians.
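As an added example (not from the slides), the password-storage stages from “The Evolution of Password Security” together with the database-leak, brute-force and speed points above: an unsalted MD5 store where identical passwords give identical digests that one precomputed table recovers, per-user salts that break that property, and a deliberately slow salted PBKDF2-HMAC-SHA256 record with constant-time verification. The user names, passwords and word list are constructed, and the 600,000 iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happened to pick the same weak password,
# and a small list of common passwords of the kind an attacker precomputes.
USERS = {"alice": "summer2023", "bob": "summer2023"}
COMMON_PASSWORDS = ["password", "123456", "qwerty", "summer2023", "letmein"]


def unsalted_md5(password: str) -> str:
    """Unsalted stage: a fast hash; the same password yields the same digest for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """Salted stage: a per-user random salt stored beside the digest; equal passwords now differ."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def leaked_unsalted_lookup(digests: dict, wordlist: list) -> dict:
    """Why a leak of unsalted digests is fatal: one table built from a word list matches every user
    who chose one of those words, with no per-user work at all."""
    table = {unsalted_md5(w): w for w in wordlist}
    return {user: table[d] for user, d in digests.items() if d in table}


def pbkdf2_record(password: str, iterations: int = 600_000) -> dict:
    """Slow, salted hashing (PBKDF2-HMAC-SHA256): every guess costs the attacker `iterations` HMACs."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def pbkdf2_verify(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])
```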
Password Cracking Evolution
• A password is a secret word (consisting of a string of characters) that is used to prove identity in order to gain access to a particular resource. The word “password” consists of two words, “pass” and “word”; it means a word that acts as a pass (secret word) for authentication. In ancient times, soldiers used passwords as a secret word for entering a highly restricted area of a kingdom. Now, in modern times, the digital age, usernames and passwords form a combination that people use during a login process for authentication on digital devices such as computer systems and mobile devices. A computer user has passwords for many purposes: logging into a system, accessing mail accounts, databases, networks, websites, applications, etc.
• We use passwords for security reasons and, where security stands, breaches will also occur. Password cracking is typically the process of recovering passwords from data stored in a computer device. The purpose of password cracking is to recover forgotten passwords but, with malicious intent, it is used for gaining unauthorized access to a computer system. Password cracking involves two distinct phases: in the first phase the attacker’s intention is to dump the hashes of the passwords, and in the second phase they try to crack those acquired hashes. Besides this method, there are alternative ways of password cracking, such as guessing the password, using malicious tools like keyloggers, phishing attacks, social engineering, dumpster diving, shoulder surfing attacks, etc.
• Some famous tools, such as Cain and Abel and John the Ripper, were used for cracking password hashes. These kinds of tools used CPU core power for cracking the hashes into plaintext form. So if the password is complex and strong (a password which includes alphanumeric and special characters), it will take days or even years to recover the plaintext from the hash.
• Newer approaches include using graphical processing units (GPUs) on video cards and loading rainbow tables onto very fast solid state drives (SSDs). Tools like Hashcat, RainbowCrack, Cryptohaze Multiforcer, etc., are GPU-supported tools that utilize the GPU cores for cracking the hashes.
Authentication Types
1. Password-based authentication
2. Multi-factor authentication
3. Certificate-based authentication
4. Biometric authentication
Common biometric authentication methods include:
– Facial recognition
– Fingerprint scanners
– Speaker recognition
– Eye scanners
5. Token-based authentication
Authentication Token
• An Authentication Token (auth token) is a piece of information that verifies the identity of a user to a website, server, or anyone requesting verification of the user’s identity.
• Auth tokens add an extra layer of security, along with having the additional benefit of being easily scalable and providing better access control.
• Auth tokens come in the form of hardware or software tokens:
• Hardware tokens check authentication through a physical object, for example a key, card, or other object that must be properly used with the device requesting access; the authentication token is then distributed to the device, allowing it access to the corresponding website or server.
• Software tokens share the same purpose as hardware tokens, but do so through an on-device software application rather than a physical object. Many use two-factor authentication (2FA), which issues a token upon confirmation with a second device. Common methods associated with 2FA are sending a code to a trusted phone number, authentication app, or email, which must then be used as input to obtain the authentication token.
What is a Password Guessing Attack?
• There are a number of methods to crack a user’s password, but the most prominent one is a password guessing attack. Basically, this is a process of attempting to gain access to the system by trying all possible passwords (guessing passwords).
• Classification of password guessing attacks:
• 1. Dictionary attack
• 2. Brute force attack
• 3. Keylogger attack
• 4. Man-in-the-middle attack
• 5. Credential stuffing attack
Six Types of Password Attacks & How to Stop Them
• 1. Phishing
• 2. Man-in-the-Middle Attack
• 3. Brute Force Attack
• 4. Dictionary Attack
• 5. Credential Stuffing
• 6. Keyloggers
Understand authentication policies
• An authentication policy allows you to specify authentication settings for different sets of users and configurations in your organization. It verifies that users who access your Atlassian organization are who they claim to be.
• Authentication policies look like this:
[Screenshots of authentication policy settings from the original slides; not reproduced in the text]
In Greek mythology, Cerberus is a three-headed dog that restricts people from entering an area; likewise, Kerberos has three components.
• Suppose I am working for a company and working on the company server. I have a user ID and a password, and all this checking is done through the Kerberos protocol.
• Components: client, database, KDC (authentication server + ticket granting server), application server.
• The client sends a request to the AS, and the AS checks from the database whether the user is valid or not. The AS then sends a response as a ticket (with a time stamp) telling how much time the client can use the application server; the ticket is encrypted with a key. When the time is up, the key is useless, so the client can’t access the application server.
• The AS stores the ticket reference number in the database with details such as when the client logged in and out and how much time the client used the application server.
• But this is still not enough, so the ticket goes to the TGS, telling it that the client got a timestamp. The TGS connects the timestamp with an application server ticket, gives an encrypted key to the client, and tells the database that everything is OK. The TGS sends this to the client; the client decrypts the encrypted ticket, sends an encrypted code to the AS and asks for access. The AS decrypts the client’s encrypted key and allows it, and then the client can access the application server.
• Kerberos uses symmetric key (secret key) cryptography and strong authentication, and supports all operating systems. Like Cerberus, the one dog with three heads that protects against third parties, it is called a network authentication protocol used for entering
How Kerberos works
• Kerberos is a Single Sign-On (SSO) authentication protocol.
• A session allows an authorized user to access a server using a ticketing scheme.
• There are three parties: a user as a client, the resource (the file server) that the client wants to access, and a third party called the KDC, which has an Authentication Server (AS) and a Ticket Granting Server (TGS).
• The session begins when a client sends a server access request using its username and password; this request is encrypted with a secret key derived from the client password and directed to the AS of the KDC.
• The AS receives the partially encrypted request and verifies it against the client username and password hash stored in the database.
• After the client is verified, the AS uses the password hash to decrypt its request and sends the client a ticket granting ticket (TGT) that is encrypted with a different secret key.
• The client receives the TGT and forwards it with the request to the ticket granting server; the TGS decrypts this ticket and provides a token encrypted with a different key.
• This third key is forwarded by the client to the file server to access the resource.
• The file server encrypts the token with a secret key and sends it to the TGS; based on the token, the client is allowed to access the file server for a restricted time.
• Client ---request (username and password, encrypted with K1)---> AS
• AS checks it against the username and password hash in the database
• AS decrypts the request with the password hash, then
• AS ---TGT + K2 (different secret key)---> Client
• Client ---forwards TGT + request + K2---> TGS
• TGS ---token + K3---> Client
• Client ---forwards token + K3---> File server
• File server ---token encrypted with a key---> TGS
• Then the client can access the file server for a restricted time.
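The exchange above, as an added example that is not part of the original slides: a small Python model of the AS, TGS and file-server steps, with the client’s messages and the check each party performs (only the right password opens the AS reply, the authenticator must name the same user as the ticket, and tickets expire). The SHA-256-keystream-plus-HMAC “seal” stands in for the symmetric encryption real Kerberos uses, and the principal names, keys and 600-second lifetime are constructed.

```python
import hashlib, hmac, json, os

# Toy authenticated encryption (SHA-256 keystream + HMAC tag) standing in for the
# AES encryption of real Kerberos; this is a model of the message flow, not an implementation.
def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    pt, nonce = json.dumps(msg).encode(), os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def client_key(password):             # K1: long-term key derived from the user's password hash
    return hashlib.sha256(password.encode()).digest()

LIFETIME = 600                        # ticket validity in seconds (assumed)
# Constructed KDC database: principal -> long-term key. Only the KDC holds all of them.
KDC_DB = {"alice": client_key("correct-horse"), "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}

def as_exchange(user, now):           # AS-REQ -> AS-REP: TGT (readable by the TGS) + session key K2
    if user not in KDC_DB:
        raise KeyError("unknown principal")
    sk = os.urandom(32).hex()
    tgt = seal(KDC_DB["krbtgt"], {"user": user, "sk": sk, "exp": now + LIFETIME})
    return tgt, seal(KDC_DB[user], {"sk": sk})   # only the right password opens this part

def tgs_exchange(tgt, authenticator, service, now):   # TGS-REQ -> TGS-REP: service ticket + K3
    t = unseal(KDC_DB["krbtgt"], tgt)
    if now > t["exp"]:
        raise PermissionError("TGT expired")
    if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise PermissionError("authenticator does not match TGT")
    sk2 = os.urandom(32).hex()
    st = seal(KDC_DB[service], {"user": t["user"], "sk": sk2, "exp": now + LIFETIME})
    return st, seal(bytes.fromhex(t["sk"]), {"sk": sk2})

def service_accepts(service, ticket, authenticator, now):   # request at the file server
    t = unseal(KDC_DB[service], ticket)                      # the server holds only its own key
    if now > t["exp"]:
        raise PermissionError("service ticket expired")
    return unseal(bytes.fromhex(t["sk"]), authenticator)["user"] == t["user"]

def client_login(user, password, service, now, access_at=None):
    """Whole client-side flow; True when the file server accepts the ticket at `access_at`."""
    tgt, enc = as_exchange(user, now)
    sk = bytes.fromhex(unseal(client_key(password), enc)["sk"])   # raises on a wrong password
    st, enc2 = tgs_exchange(tgt, seal(sk, {"user": user, "ts": now}), service, now)
    sk2 = bytes.fromhex(unseal(sk, enc2)["sk"])
    return service_accepts(service, st, seal(sk2, {"user": user, "ts": now}), access_at or now)
```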