Access Control: Passwords, Biometrics, and Two-Factor Authentication, Lecture notes of Computer Science

These lecture notes cover various access control methods, focusing on passwords, biometrics, and two-factor authentication. They discuss static and one-time passwords, good and bad password practices, password cracking attacks, and password complexity requirements. They also cover biometric recognition systems, identification vs authentication, and biometric errors.

Typology: Lecture notes

2017/2018

Uploaded on 09/03/2018

Mehwishkanwal



Part 2  Access Control

Part II: Authentication


Access Control

- Two parts to access control…
- Authentication: Are you who you say you are?
  - Determine whether access is allowed or not
  - Authenticate human to machine
  - Or, possibly, machine to machine


Something You Know

- Passwords
- Lots of things act as passwords!
  - PIN
  - Social security number
  - Mother’s maiden name
  - Date of birth
  - Name of your pet, etc.

- Two types of password credentials can be used by today’s authentication solutions: (1) static and (2) one-time passwords

One-Time Passwords

- One-time passwords are secrets that can be used for authentication only once, or a few times. Technically, this means that the user must have a new password every time he needs to authenticate. One-time passwords

- A problem with such passwords is that they are often not secret. If left to their own devices, users tend to select bad passwords, which makes password cracking surprisingly easy. In fact, we'll provide some basic mathematical arguments to show


Why Passwords?

- Why is “something you know” more popular than “something you have” and “something you are”?
- Cost: passwords are free
- Convenience: easier for sysadmin to reset pwd than to issue a new card


Good and Bad Passwords

- Bad passwords
  - frank
  - Fido
  - Password
  - incorrect
  - Pikachu
  - 102560
  - AustinStamp
- Good Passwords?
  - jfIej,43j-EmmL+y
  - 09864376537263
  - P0kem0N
  - FSa7Yago
  - 0nceuP0nAt1m
  - PokeGCTall

- Again, if users are allowed to choose passwords, then the best advice is to choose passwords based on passphrases.
- In addition, system administrators should use a password-cracking tool to test for weak passwords
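The two slides above list sample bad and candidate good passwords and recommend that administrators test for weak ones. As an added example (not from the lecture notes), the checker below applies an assumed complexity policy (minimum length 8, at least 3 of 4 character classes) and a crude dictionary check that undoes the cheap tricks a dictionary attack also undoes: case, leading/trailing digits and punctuation, and leet-speak substitutions. The wordlist is a constructed stand-in for a real cracking dictionary. Run against the slide's lists, every "bad" password is rejected, while the rules also flag some of the "Good Passwords?" candidates, which is one reason the slide puts a question mark on them.

```python
import string
from typing import List, Optional

# Constructed stand-in for a cracking wordlist; an actual audit (as the
# slide recommends) would run a cracking tool with a full dictionary.
DICTIONARY = {
    "frank", "fido", "password", "incorrect", "pikachu", "austin", "stamp",
    "pokemon", "once", "upon", "time", "letmein", "qwerty", "welcome",
}

# Character substitutions that rule-based dictionary attacks routinely undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Assumed complexity policy; the slides mention such requirements without
# giving numbers.
MIN_LENGTH = 8
MIN_CLASSES = 3
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def char_classes(pw: str) -> int:
    """Number of character classes (lower, upper, digit, punctuation) present."""
    return sum(any(ch in cls for ch in pw) for cls in CLASSES)


def dictionary_base(pw: str) -> Optional[str]:
    """Return the dictionary word(s) the password is built from, or None.

    Mimics the cheap rules of a dictionary attack: case-fold, strip digits
    and punctuation from the ends, undo leet-speak, then try the result as
    one word or as two words joined together.
    """
    core = pw.lower().strip(string.digits + string.punctuation).translate(LEET)
    if core in DICTIONARY:
        return core
    for i in range(1, len(core)):
        if core[:i] in DICTIONARY and core[i:] in DICTIONARY:
            return core[:i] + "+" + core[i:]
    return None


def check_password(pw: str) -> List[str]:
    """Return the list of policy findings; an empty list means the password passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    n = char_classes(pw)
    if n < MIN_CLASSES:
        findings.append(f"uses only {n} of {len(CLASSES)} character classes")
    base = dictionary_base(pw)
    if base is not None:
        findings.append(f"derived from dictionary word(s): {base}")
    return findings


if __name__ == "__main__":
    for pw in ["frank", "Password", "102560", "AustinStamp",
               "jfIej,43j-EmmL+y", "P0kem0N", "FSa7Yago"]:
        print(f"{pw:20} {check_password(pw) or 'OK'}")
```

The complexity rules and the dictionary check catch different weaknesses: "AustinStamp" satisfies the length rule but is two dictionary words, while "102560" is not in any wordlist but is six digits drawn from a single character class.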

Attacks on Passwords

- One of the oldest types of attacks is password guessing
- If a system requires the user to authenticate with a username and password, an attacker can try to guess the username and the password, and then authenticate as the actual user. Information about usernames can be easily obtained by an attacker

- To mitigate the risk of brute force attacks, administrators should require users to change their passwords more often, and may also impose other countermeasures such as complexity requirements for user passwords.

- Another popular and very successful approach to password guessing is the dictionary attack. It is based on the fact that users (unlike computers) select memorable words for their passwords
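Both attacks just described show up in authentication logs as runs of failed logins, either many failures against one account or many failures from one source spread over a list of usernames. As an added example that is not part of the lecture notes, the detector below counts failures per account and per source address within a sliding time window and raises an alert when either count reaches a threshold. The log format, the sample lines, the 5-minute window and the threshold of 5 are all constructed for the example; a real deployment would adapt only the parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed log format; real authentication logs differ, so only the
# parser would need adapting.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

Key = Tuple[str, str]   # ("user", account name) or ("src", source address)


def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None                      # skip lines in another format
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_guessing(lines: List[str], window: timedelta = timedelta(minutes=5),
                    threshold: int = 5) -> List[Key]:
    """Flag accounts and sources with `threshold` failed logins inside `window`.

    Repeated failures against one account are the signature of guessing a
    single user's password; many failures from one source across accounts
    are the same attack spread over a list of usernames. A key is reported
    at the moment its in-window failure count reaches the threshold.
    """
    recent: Dict[Key, Deque[datetime]] = defaultdict(deque)
    alerts: List[Key] = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] != "FAIL":
            continue                     # successes don't count toward the threshold
        ts, _, user, src = rec
        for key in (("user", user), ("src", src)):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()              # drop failures older than the window
            if len(q) == threshold:
                alerts.append(key)
    return alerts


# Constructed sample: one stale failure, a burst against "alice", a sweep of
# five accounts from one address, and an ordinary user who mistypes once.
SAMPLE_LOG = """\
2018-03-09T09:45:00Z FAIL user=alice src=203.0.113.5
2018-03-09T10:00:01Z FAIL user=alice src=203.0.113.5
2018-03-09T10:00:04Z FAIL user=alice src=203.0.113.5
2018-03-09T10:00:07Z FAIL user=alice src=203.0.113.5
2018-03-09T10:00:10Z FAIL user=alice src=203.0.113.5
2018-03-09T10:00:13Z FAIL user=alice src=203.0.113.5
2018-03-09T10:00:16Z FAIL user=alice src=203.0.113.5
2018-03-09T10:00:19Z OK user=alice src=203.0.113.5
2018-03-09T10:02:00Z FAIL user=bob src=198.51.100.7
2018-03-09T10:02:01Z FAIL user=carol src=198.51.100.7
2018-03-09T10:02:02Z FAIL user=dave src=198.51.100.7
2018-03-09T10:02:03Z FAIL user=erin src=198.51.100.7
2018-03-09T10:02:04Z FAIL user=frank src=198.51.100.7
2018-03-09T10:05:00Z FAIL user=bob src=192.0.2.44
2018-03-09T10:05:30Z OK user=bob src=192.0.2.44
""".splitlines()

if __name__ == "__main__":
    for kind, value in detect_guessing(SAMPLE_LOG):
        print(f"ALERT: repeated login failures for {kind}={value}")
```

The stale 09:45 failure for "alice" drops out of the window before the burst starts, so the alert is driven only by the rapid run of attempts; the single source sweeping five different accounts never trips the per-account count and is caught only by the per-source one.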

- To mitigate the risk from such attacks, password complexity requirements and regular password changes can be implemented

Password File


Other Password Issues

- Too many passwords to remember
  - Results in password reuse
- Failure to change default passwords
- Social engineering
- Error logs may contain “almost” passwords
- Bugs, keystroke logging, spyware, etc.