Authentication and Credentials


Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
00:02
>> Authentication and credentials in the Cloud. We're going to look at impacts of Cloud authentication. We'll go over some of the multi-factor authentication options, and we'll touch on FIDO, the universal two-factor authentication standard.

As we've discussed previously, authentication is the process of providing or confirming an identity. It's the responsibility of the identity provider to ensure quality authentication. In the Cloud world, things are a little different. We have broad network access, so the authentication occurs over the general Internet, and there's less trust, and it has to be much stronger.

Single sign-on is great. It makes it easier for the users to have the same account and the administrators to manage fewer accounts for many different services, but at the same time, you have the problem that compromising a single account can open the door to accessing many different providers. It's very much like the old advice not to use the same username and password on the many different websites that you may be personally signed up for. The concern about this is if the username and password gets hacked in one place, then the hacker can take that username and password and apply it to different service providers and potentially compromise multiple of your accounts. With single sign-on, there really is only one username and password and it's all controlled in a centralized authoritative source, but when you compromise one, you can get into many different providers. Fortunately, multi-factor authentication can dramatically reduce the effectiveness of account takeovers and what somebody can do, but let's dive into some of the multi-factor authentication options here.

Keep in mind that multi-factor authentication involves authenticating by providing something you know, such as the password, as well as something that you have, such as a physical device. You could have a hard token, and that's an actual device. You may have seen it hanging on people's key chains, where they have one-time passwords continually rotating on the device, and this is the best option when high-security levels are required. Similarly, there's a soft token. In this circumstance, you're not going to have a physical device that you're getting the one-time passwords from; rather, you will install software on something like your phone or a computer, and then that software application itself is going to be giving you the code. This includes Microsoft Authenticator, Google Authenticator, and a variety of other apps out there. The key thing being that they are installed on something you have, whether it's a computer or a phone, and you have limited access to that. If somebody gets your password, they also need to have your phone to get these codes off of it, or in the hard token scenario, if they know your password, well, they also need to have that physical security device.

As another option, there are out-of-band passwords. These are where the passwords get sent to you via text message, more often than not SMS. When you're using this, make sure you consider that messages may be intercepted, especially SMS messages. Sometimes people use SIM card swapping scams. There's a variety of different mechanisms, so it's not quite as secure as the other things we've talked about.

Last but definitely not least is biometrics. When I started talking about MFA, being something you have was that second factor; in this paradigm, we're looking at that second factor of authentication being something you are. This is where you're providing your fingerprint or a retinal scan or something of that nature. Last but not least, we have biometrics. This is a little different than the second-factor authentication being something you have. Rather, it's where you're proving somebody you are, something you are, based on fingerprints, retinal scans, voice IDs. In this paradigm, there will be a device involved, a physical device. That device will have to have an ability of integrating with the Cloud service itself, because the Cloud services themselves need some mechanism to get physical access to your biometric data, and that's where the intermediary device comes into play.

We'll touch on the FIDO universal two-factor authentication standard. It's growing in usage. It was put together by the FIDO Alliance. It is an open authentication standard that's gaining adoption, and it's been deployed to many large-scale services such as Facebook, Gmail, Dropbox, GitHub, salesforce.com, and I'm sure the list goes on and on. If you look over at the right, there are some nice little pictures that just describe how it works, and they summarize a lot about the two-factor authentication process. You can see in the first scenario we have you unlock the phone using biometrics, which is what we're talking about. The phone is that biometric device, and then it confirms the U2F login. What's going to happen is the phone is going to send information to your identity provider. There's some app on your phone and it says, "Yes, this is the person. I received the fingerprint. It's matching what I expect." They'll pass along a little attribute with that individual's profile saying, "Not only have they been authenticated, but they've been authenticated using the biometric method of authentication." Then you have the U2F for mobile, which is where you enter a username and password. You have a little physical device. We're looking at that hard token approach, which will communicate with your phone or your iPad or what have you using either Bluetooth or other protocols. That's the method for demonstrating something I have, which is that hard token approach. There's also the USB approach, which is an alternative way of using hard tokens. This is a pretty strong method of universal two-factor authentication. It's still growing in its presence and use.

Let's have another quiz question when closing out this rather short video: which MFA method is the most vulnerable to interception? Hard tokens, soft tokens, out-of-band passwords, or biometrics? Well, we covered this not that long ago, and hopefully you still remember that out-of-band passwords are often going to be intercepted, especially the SMS, which was the example that I gave.

In closing out this video, what did we talk about? We looked at the impacts of cloud on authentication. We examined some of the different multi-factor authentication options, and we touched on the FIDO universal two-factor authentication standard.