
26     Chapter 1 • General Security Concepts: Access Control, Authentication, and Auditing

             which is compared to the required value. If correct, the user may log on and access
             the resource. Vendors such as RSA Security offer products and solutions such as
             SecurID that use these functions. Others implemented processes that use one-time
             password technology, which often relies on a pre-generated list of secured password
             combinations that may be used for authentication, each of them only once. This
             provides a level of randomization, but in its basic implementation it is not as
             random as other token methods.

             Multi-factor

             Multi-factor authentication expands on the traditional requirements of single-factor
             authentication, such as a password. To accomplish this, multi-factor authentication
             uses another item for authentication in addition to or in place of the traditional
             password.
                 Following are four possible types of factors that can be used for multi-factor
             authentication.

                  ■   A password or a PIN can be defined as a something you know factor.

                  ■   A token or Smart Card can be defined as a something you have factor.
                  ■   A thumbprint, retina, hand, or other biometrically identifiable item can be
                      defined as a something you are factor.
                  ■   Voice or handwriting analysis can be used as a something you do factor.

                 For example, most single-factor authentication methods use a password. In
             multi-factor authentication methods, you might enhance the “something you know”
             factor by adding a “something you have” factor or a “something you are” factor.
                 A Smart Card or token device can be a “something you have” factor. Multi-factor
             authentication can be extended, if desired, to include such things as handwriting
             recognition or voice recognition. The benefit of multi-factor authentication is that
             it requires more steps for the process to occur, thus adding another checkpoint to
             the process and therefore providing stronger security. For instance, when withdrawing
             money from the bank with a debit card (“something you have”), you also have to have
             the PIN (“something you know”). The additional steps can become a disadvantage if the
             number of steps required to achieve authentication becomes onerous to the users and
             they no longer use the process or they attempt to bypass the necessary steps for
             authentication.
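
                 The pre-generated one-time password list and the two-factor check described
             above can be combined in one login routine. The following is an added example, not
             code from the book: the names enroll, login and digest are hypothetical, and it
             assumes the printed code list is treated as the “something you have” factor.

```python
import hashlib
import hmac
import secrets


def digest(value: str, salt: bytes) -> bytes:
    # Slow salted hash so neither the password nor the codes are stored in the clear.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def enroll(password: str, code_count: int = 5):
    """Create a server-side record and the code list that is handed to the user."""
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(4) for _ in range(code_count)]  # pre-generated list
    record = {
        "salt": salt,
        "password": digest(password, salt),
        "unused": {digest(code, salt) for code in codes},
    }
    return record, codes


def login(record: dict, password: str, code: str) -> bool:
    """Succeed only when both factors check out; each code works exactly once."""
    salt = record["salt"]
    # Something you know. Checked first so a wrong password never burns a code.
    if not hmac.compare_digest(digest(password, salt), record["password"]):
        return False
    # Something you have: the code must still be on the unused list.
    candidate = digest(code, salt)
    match = next((d for d in record["unused"] if hmac.compare_digest(candidate, d)), None)
    if match is None:
        return False
    record["unused"].discard(match)  # one-time use: a replayed code is rejected
    return True


if __name__ == "__main__":
    # Constructed sample values, for demonstration only.
    record, codes = enroll("constructed-sample-password", code_count=3)
    print(login(record, "constructed-sample-password", codes[0]))  # first use
    print(login(record, "constructed-sample-password", codes[0]))  # replay of the same code
```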





          www.syngress.com