Authentication by Something Known and Something Possessed – Part 2

Introduction

In the second part of this lecture, we continue our exploration of authentication by something known and something possessed. This session delves into advanced password systems, common attacks, and mitigation strategies, along with the use of physical tokens and their evolving role in secure authentication.


Authentication by Something Known: Advanced Password Mechanisms

Cognitive Passwords

  • Definition: A form of authentication in which the user responds to a prompt or performs an action that only they should know, rather than reciting a fixed password string.
  • Examples:
    • Lock patterns on mobile devices.
    • Security questions (e.g., “What was your first pet’s name?”).
  • Challenges:
    • Vulnerable to shoulder surfing and to smudge (fingerprint) traces left on a touchscreen, which can reveal a lock pattern.
    • Attackers may exploit personal information readily available on social media or other sources.

Common Password Attacks

  1. Social Engineering:
    • Attackers manipulate users into revealing their passwords (e.g., phishing emails).
  2. Authentication Mechanism Exploitation:
    • Brute Force Attacks: Systematically guessing all possible password combinations.
    • Dictionary Attacks: Using a precompiled list of common passwords or phrases.
    • Lookup Table Attacks: Precomputing the hashes of common passwords once and matching stored (unsalted) password hashes against that table.
    • Rainbow Table Attacks: Using precomputed hash chains (a time/memory trade-off) to reverse stored, unsalted password hashes.
    • Regex Attacks: Exploiting common substitution patterns in passwords (e.g., replacing “a” with “4”), so that mangling rules applied to a wordlist cover many “clever” variants.
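Lookup and rainbow table attacks only work because an unsalted hash of a given password is the same everywhere. The following added example (not from the lecture) builds a tiny lookup table over a constructed list of common passwords and shows that a single dictionary probe recovers an unsalted hash, while a random per-user salt makes the same precomputed table useless. The password list, the use of SHA-256 and the 16-byte salt length are all assumptions made for the demonstration.

```python
import hashlib
import os

# Constructed stand-in for a leaked "most common passwords" list (assumption).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once; this is the table an attacker can
    reuse against every unsalted hash they ever obtain."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def lookup(stored_hash, table):
    """A single dictionary probe: recovers the password if it is in the table."""
    return table.get(stored_hash)


def hash_unsalted(password):
    """Weak storage: identical passwords always produce identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Better storage: a random per-user salt is mixed in, so a precomputed
    table no longer matches and would have to be rebuilt per salt (per user).
    SHA-256 is used only to keep the demo short; real systems use a slow,
    salted KDF such as PBKDF2, bcrypt, scrypt or Argon2."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex(), hashlib.sha256(salt + password.encode()).hexdigest()


def demo(password="letmein"):
    """Return what the table recovers from the unsalted and the salted hash."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_hit = lookup(hash_unsalted(password), table)
    _, salted_hash = hash_salted(password)
    salted_hit = lookup(salted_hash, table)
    return unsalted_hit, salted_hit


if __name__ == "__main__":
    print(demo())  # ('letmein', None): salt defeats the precomputed table
```

The defensive lesson is in `hash_salted`: the salt does not need to be secret, it only needs to be unique, because its job is to force the attacker to redo the precomputation for every stored hash instead of once for all of them.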

Password Precautions

  • Use high-entropy passwords with a mix of uppercase, lowercase, numbers, and symbols.
  • Regularly update passwords and avoid reuse across different systems.
  • Implement account lockouts after a fixed number of failed attempts.
  • Employ password managers for secure storage and generation.
  • Consider passphrases (e.g., “GreenTurtleCrossesBridge”), which are easier to remember yet secure.
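The precautions above can be turned into server-side checks. The following added example (not part of the lecture) estimates password entropy from character-class pool size, contrasts it with the word-count estimate that is appropriate for a passphrase, rejects reuse of recent passwords, stores passwords with a salted slow hash (PBKDF2) and locks an account after a fixed number of failed attempts. The thresholds (5 attempts, 15-minute lockout, 100,000 PBKDF2 rounds, a history of 5 passwords) are assumed policy values chosen for the demonstration.

```python
import hashlib
import hmac
import math
import os
import time

MAX_FAILED_ATTEMPTS = 5        # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60      # assumed lockout duration
PBKDF2_ROUNDS = 100_000        # assumed work factor for the slow hash


def estimated_entropy_bits(password):
    """Upper-bound estimate: length * log2(pool), where the pool is the union
    of the character classes present. Assumes uniformly random characters,
    so it overstates the strength of words and patterns."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33   # printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_entropy_bits(num_words, dictionary_size):
    """Realistic estimate for a passphrase: words * log2(dictionary size),
    since an attacker guesses whole words, not individual characters."""
    return num_words * math.log2(dictionary_size)


def hash_password(password, salt=None):
    """Salted, deliberately slow hash for storage."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class Account:
    def __init__(self, password, history_size=5):
        self.salt, self.digest = hash_password(password)
        self.history = [(self.salt, self.digest)]
        self.history_size = history_size
        self.failed = 0
        self.locked_until = 0.0

    def change_password(self, new_password):
        """Reject any password that is still in the retained history."""
        if any(verify_password(new_password, s, d) for s, d in self.history):
            return False
        self.salt, self.digest = hash_password(new_password)
        self.history.append((self.salt, self.digest))
        self.history = self.history[-self.history_size:]
        return True

    def login(self, password, now=None):
        """Returns 'ok', 'denied' or 'locked'; locks after repeated failures."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        if verify_password(password, self.salt, self.digest):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.failed = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

Note the gap between the two estimators for the lecture's passphrase: the character-class formula credits “GreenTurtleCrossesBridge” with well over 100 bits, while treating it as four words drawn from a dictionary of a few thousand gives only around 50 bits. The second figure is the one to plan around, because it models how a dictionary attack actually proceeds.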

Authentication by Something Possessed: Tokens

Overview of Tokens

Tokens serve as physical or digital items used to verify a user’s identity. Examples include:

  • Keys: For physical access.
  • Magnetic Stripe Cards: Used in financial transactions.
  • Smart Cards: Equipped with a microprocessor for added security.
  • Time-Based One-Time Passwords (TOTP): Generated by apps like Google Authenticator.

Common Attacks on Tokens

  1. Theft: Physical tokens can be stolen.
  2. Forgery: Attackers may copy magnetic stripe cards or replicate token data.
  3. Man-in-the-Middle Attacks: Intercepting token communications during authentication.
  4. Proximity Attacks: Exploiting wireless interfaces on contactless smart cards.

Token Variants

  1. Magnetic Stripe Cards:
    • Commonly used but vulnerable to copying and skimming.
    • Governed by ISO/IEC 7810 standards for dimensions and format.
  2. Smart Cards:
    • Enhanced with a microprocessor, RAM, ROM, and physical protection mechanisms.
    • Advantages: Harder to copy and supports chip-and-PIN systems.
    • Contactless Smart Cards: Allow for wireless interactions, increasing convenience but introducing new threats like proximity attacks.
  3. Time-Based Token Systems:
    • Combine a secret key and an accurate clock to generate one-time passwords (OTPs) at regular intervals.
    • Applications:
      • Common in smartphone apps (e.g., Google Authenticator, Microsoft Authenticator).
      • Used for securing online accounts.
    • Challenges:
      • Clock Drift: A token’s clock may drift from the server’s over time, so the server typically accepts OTPs from a small window of adjacent time steps to maintain usability (at the cost of a slightly larger acceptance window).

Dual-Factor Authentication (2FA)

Tokens are often paired with passwords (something known) to enhance security.

  • Example: Chip-and-PIN systems in banking.
  • Benefits:
    • Adds an extra layer of security by requiring physical possession of the token.
    • Even if one factor (e.g., the password) is compromised, the attacker still has to defeat the other factor.
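The following added example (not from the lecture) implements the time-based token scheme and the dual-factor login described in the two sections above. It generates HOTP/TOTP codes as specified in RFC 4226 and RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits), verifies a code within a drift window of one step either side of the server clock, and then combines that “something possessed” check with a PBKDF2-hashed password. Both factors are evaluated before a decision is made, and each OTP is accepted at most once so that a code observed in transit cannot be replayed inside the drift window. The drift window, the PBKDF2 round count and the Base32 helper are assumptions; the test secret is the one from the RFC test vectors.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

TIME_STEP = 30           # seconds per TOTP step (RFC 6238 default)
DIGITS = 6
DRIFT_STEPS = 1          # assumed: accept one step before/after the server clock
PBKDF2_ROUNDS = 100_000  # assumed work factor for the password factor


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 of the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    unix_time = time.time() if unix_time is None else unix_time
    return hotp(secret, int(unix_time) // TIME_STEP)


def secret_from_base32(encoded):
    """Authenticator apps exchange the shared secret as Base32 text."""
    return base64.b32decode(encoded.strip().upper())


def match_totp_step(secret, code, unix_time=None, drift_steps=DRIFT_STEPS):
    """Return the time step whose code matches, trying the current step and
    +/- drift_steps neighbours to tolerate clock drift; None if none match."""
    unix_time = time.time() if unix_time is None else unix_time
    current = int(unix_time) // TIME_STEP
    for step in range(current - drift_steps, current + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


class TwoFactorAccount:
    """Something known (password) plus something possessed (TOTP secret holder)."""

    def __init__(self, password, totp_secret):
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_used_step = -1   # each OTP may be accepted at most once

    def login(self, password, code, unix_time=None):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        password_ok = hmac.compare_digest(candidate, self.digest)
        step = match_totp_step(self.totp_secret, code, unix_time)
        # Evaluate both factors before deciding, so a failure does not reveal
        # which factor was wrong; also refuse a replayed (already used) OTP.
        otp_ok = step is not None and step > self.last_used_step
        if not (password_ok and otp_ok):
            return "denied"
        self.last_used_step = step
        return "ok"


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test-vector secret
    print(totp(secret, 59))               # 287082 (RFC 6238, T=59, 6 digits)
```

The `last_used_step` bookkeeping is the part most often missing from home-grown implementations: a drift window that accepts three steps means a single observed code stays valid for up to 90 seconds unless the server also remembers that it has already been used.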

Practical Applications of Token-Based Authentication

  1. Banking:
    • Chip-and-PIN systems rely on both a physical card and a PIN for secure transactions.
  2. Corporate Access Control:
    • Smart cards and RFID cards are used to restrict access to office premises or sensitive areas.
  3. Remote Access:
    • Time-based OTPs allow employees to securely log into corporate networks remotely.
  4. Contactless Transactions:
    • Contactless smart cards enable secure payments without physically inserting a card.

Conclusion

Authentication by something known and something possessed forms the backbone of secure access systems. While passwords are versatile and widely used, their vulnerabilities necessitate careful management and enhancements like high entropy and cognitive approaches. Tokens, on the other hand, provide physical or digital authentication, often in dual-factor setups, for added security. Combining these methods helps to mitigate risks and strengthen overall system security.
