I. Review the definition of authentication. Explain to learners that this is the process of validating an unauthenticated entity’s purported identity.
II. Assemble and outline the three commonly used authentication factors:
• Something you know
• Something you have
• Something you are or you can produce
III. Detail the something you know authentication factor.
• Explain that a password is a private word or combination of characters that only the user should know.
• Stress that one of the biggest debates in the information security industry concerns the complexity of passwords (apply the 10-4 password recommendation that was mentioned in a previous module).
• Recall that a password should be difficult to guess but must be something the user can easily remember.
• State that a passphrase is a series of characters, typically longer than a password, from which a virtual password is derived.
• Give examples of acceptable passwords and non-acceptable passwords that should be used for professional and personal use.
IV. Discuss the something you have authentication factor.
• This addresses something the supplicant carries in his or her possession—that is, something they have.
• These include dumb cards, such as ID cards or ATM cards with magnetic stripes, that contain the digital (and often encrypted) user personal identification number (PIN), against which the number a user inputs is compared.
• An improved version of the dumb card is the smart card, which contains a computer chip that can verify and validate several pieces of information instead of just a PIN.
• Another device often used is the token, a card or key fob with a computer chip and a liquid crystal display that shows a computer-generated number used to support remote login authentication.
• Explain that tokens are synchronous or asynchronous and the differences between them.
o Once synchronous tokens are synchronized with a server, both devices (server and token) use the same time or a time-based database to generate a number that is displayed and entered during the user login phase.
o Asynchronous tokens use a challenge-response system, in which the server challenges the supplicant during login with a numerical sequence.
V. Describe the something you are or can produce authentication factor.
• The process of using body measurements is known as biometrics and includes:
o Reliance on individual characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or retina/iris scans
o Additionally, something a supplicant can produce on demand, such as voice patterns, signatures, or keyboard kinetic measurements
• Strong authentication requires at least two authentication mechanisms drawn from two different factors of authentication.
• Emphasize that authorization credentials (or known as authorization tickets) can be programmed to be honored by all systems (known as a single-sign on (SSO) and apply a shared directory structure known as Lightweight Directory Access Protocol (LDAP).