Authentication Study Guide
📖 Core Concepts
Authentication – proving a claimed identity is genuine (e.g., “I am Alice”).
Identification – merely stating an identity without proof.
Authorization – after authentication, deciding what actions the verified user may perform.
Factors – three independent categories used to verify identity:
Knowledge (something you know) – passwords, PINs, security questions.
Ownership (something you have) – tokens, smart cards, phones.
Inherence (something you are) – biometrics (fingerprint, face, voice).
Single‑Factor vs Multi‑Factor – one factor only vs two‑or‑more independent factors.
Strong Authentication – ≥2 independent authenticators, with at least one non‑reusable / non‑replicable (e.g., a one‑time token).
Centralized Trust – a single authority (CA, OpenID provider) vouches for identity.
Decentralized (Web‑of‑Trust) – individuals sign each other’s keys, building trust through personal verification.
---
📌 Must Remember
Authentication ≠ Authorization.
MFA = ≥2 factors; 2FA is a special case of MFA with exactly two factors.
Strong authentication requires mutual independence of factors and at least one non‑replicable element.
QR code alone = weak; QR + digital watermark = robust (smartphone‑readable).
Private keys are safe only while secret; quantum computing threatens current PKI.
Continuous authentication = ongoing behavioral checks after login.
MITM attacks exploit lack of mutual authentication; add extra factors for each party.
---
🔄 Key Processes
Digital Authentication Workflow
Enrollment – subscriber proves identity to a Credential Service Provider (CSP).
Authentication – subscriber presents authenticator (token) + credentials (e.g., username) to prove possession.
Life‑cycle Maintenance – CSP updates/revokes credentials; subscriber maintains the authenticator.
Hybrid Authentication (e.g., USB token with fingerprint)
Encrypt private key with fingerprint data → user must have the device and present a matching biometric.
Continuous Authentication Loop
Capture behavioral data → compare to baseline → accept, flag, or re‑authenticate.
---
🔍 Key Comparisons
Knowledge vs. Ownership vs. Inherence
Knowledge: easy to share or forget; vulnerable to brute‑force.
Ownership: lost or stolen; can be protected with PINs.
Inherence: hard to share; can be spoofed (e.g., fake fingerprints).
Centralized Trust vs. Decentralized Web‑of‑Trust
Centralized: single CA, easier revocation, scalable for web services.
Decentralized: no single point of failure, relies on personal verification, slower to propagate trust.
QR Code Only vs. QR + Digital Watermark
QR Only: static, copyable → easy counterfeiting.
QR + Watermark: hidden pattern validates authenticity, resistant to duplication.
---
⚠️ Common Misunderstandings
“Authentication = Login” – authentication continues beyond the initial login (e.g., continuous authentication).
“Biometrics are always secure” – fingerprints can be spoofed; biometric templates may be stolen.
“Two‑factor = always strong” – only if the two factors are independent and at least one is non‑replicable (e.g., OTP vs. static password).
“Public‑key crypto is unbreakable” – security fails if private keys are compromised or future quantum attacks succeed.
---
🧠 Mental Models / Intuition
“Lock‑and‑Key” – each factor is a different lock; the more independent locks you have, the harder it is for an attacker to pick them all.
“Layered Cake” – strong authentication is a multi‑layered cake; removing any layer (factor) weakens the whole dessert.
“Friend‑Introduced Trust” – web‑of‑trust works like a friend introducing you to another friend; you trust the new person because someone you trust vouches for them.
---
🚩 Exceptions & Edge Cases
QR code authentication can be acceptable for low‑risk consumer verification (e.g., event ticket) but not for financial transactions.
Single‑factor may be permitted for non‑sensitive services (e.g., public forum login) where convenience outweighs risk.
Systems that appear biometric‑only (e.g., face unlock) often pair the biometric with a hidden hardware token to meet strong‑auth definitions.
---
📍 When to Use Which
Low‑risk, high‑convenience → single‑factor knowledge (password) or QR‑only.
Financial or health data → MFA with at least one non‑replicable factor (hardware token or OTP).
Enterprise VPN / admin consoles → strong authentication: hardware token + biometric + password.
Supply‑chain anti‑counterfeiting → QR + digital watermark verified by a smartphone app.
Systems needing continuous assurance (e.g., high‑value trading platforms) → add continuous behavioral monitoring after initial MFA.
---
👀 Patterns to Recognize
“Factor‑mix” in answer choices → look for at least two distinct categories (knowledge + ownership, etc.).
“Non‑replicable” wording → indicates a requirement for a one‑time or hardware‑bound element.
“Centralized CA” vs. “Web‑of‑Trust” → clues about whether the scenario involves browsers/HTTPS (centralized) or PGP‑style email (decentralized).
“Continuous” paired with behavioral biometrics → points to ongoing authentication, not just login.
---
🗂️ Exam Traps
Choosing “password only” for a banking app – tempting but wrong; banks require MFA.
Selecting “fingerprint = strongest factor” – distractor; fingerprints are spoofable and may need a second factor.
Picking “QR code alone is sufficient for anti‑counterfeiting” – QR can be copied; need watermark or additional check.
Confusing “authentication” with “authorization” – answer may list permissions; that belongs to authorization.
Assuming “centralized trust” is always more secure – not true if the CA is compromised; web‑of‑trust can be safer in certain niches.
---