In Mike Myer’s CompTIA Security+ Certification Passport, Third Edition for Exam SYO-301, author T. J. Samuelle provides information, definitions and expert advice for passing the CompTIA Security+ certification exam. The book includes questions and answers to be used as a CompTIA security practice exam.
The following excerpt comes from Chapter 7: Authentication and Identity Management (pdf). The excerpt describes three authentication components for authenticating a user’s identity.
Single-factor authentication refers to requiring only one factor (such as a password) to authenticate a user. The system compares the password for the account with a database of known usernames and passwords and then authenticates the user if they match. This is the simplest but weakest form of authentication, because users’ passwords tend to be weak.
Single-factor authentication can also involve a magnetic swipe card or token used to open a locked door. This is also a weak form of authentication, as the card or token can be easily lost or stolen and an unauthorized user can simply use the card or token to access the door without needing to provide any other credentials.
the biometric factor is the third and deciding factor
used in combination with an access card and password.
Two-factor authentication typically combines two single-factor authentication types, such as something the user knows and something the user possesses. For example, most ATM banking transactions require two-factor authentication: The user inserts a physical banking card into the machine and then types a PIN, which is matched with the electronic information contained on the card’s magnetic strip. One authentication factor should be physical, such as a smart card or access token (something the user possesses) and the second factor should be a password or PIN (something the user knows). Without these two items, no access can be granted.
Three-factor authentication is the strongest form of user authentication and involves a combination of physical items, such as a smart card, token or biometric factor, and nonphysical items, such as passwords, passphrases and PINs. Typically, the biometric factor is the third and deciding factor used in combination with an access card and password. For example, before he can enter a high-security facility, a user might have to insert a smart card into a door, enter a PIN on a keypad, and then insert his finger into a scanner.
In early computer systems, when networking wasn’t as available as it is today, each computer contained a set of resources the user could access. To access the resources of a computer system, the user would use a specific login and password. Each specific computer needed a separate login and password. This was tedious for computer users and administrators alike, because of the frequency with which login accounts and passwords needed to be reset for each computer if a user forgot them.
Nowadays, modern networks provide resources that are spread throughout the computer network and that can be accessed by any user from any location. The user can be onsite on her own computer, or she can be logged in from home or on the road using dial-up methods or via the Internet. With the vast amount of resources that can be contained on a large computer network, the concept of different logins and passwords for each resources has been eliminated in favor of a single sign-on to the network; the user has to be authenticated only once on the network to access the network’s resources. This type of centralized administration is a much more efficient way for a network administrator to control access to the network. User account policy templates can be created and used network wide to remove the need to configure each user’s account settings individually, except for a unique login and password.
An example of single sign-on is a Microsoft Active Directory username and password required for accessing directories, files and printers on a network, along with Microsoft Exchange mail servers and SQL database servers. LDAP is also a popular authentication database used for single sign-on purposes.
The chapter concludes with some review questions that the reader can use as a security certification practice test when preparing for the Security+ exam.
Review question: You are creating an authentication mechanism for physical access to a high-security government building. The high-security nature of the facility requires at least a three-factor authentication model. Which of the authentication types do you use?
A. Biometric eye scan
B. Smart card and PIN
C. Smart card, PIN, and fingerprint scan
D. ID badge and password
Correct answer: C. For a three-factor authentication model, you need at least three different types of authentication. A biometric eye scan, while extremely secure, is still only a one-factor system, while the other methods are only two-factor, such as a smart card and a PIN.
Excerpted from Mike Meyers’ CompTIA Security+ Certification Passport, Third Edition (Exam SY0-301), (McGraw-Hill; 2011) by T. J. Samuelle with permission from McGraw-Hill.