Hi and welcome to Cybrary. My name's Anthony and I'm your local subject matter expert for Network+. And today we're gonna be talking about different methods for user authentication.
So what is user authentication? Well, user authentication is simply proving who you are. You're proving you're the person that you say you are.
Computers and user logins into our network don't just go on word of mouth. You can't just log into a computer and then say, "I'd like to log in as administrator, please," and then the computer says, "Do you promise you're the administrator?" We say, "Yeah." "Okay, you're in."
That's not the way that computers work. That's not the way that our network should work. And if that was the way that computers and networks work, then there'd be a lot less confidential data stored on computers and stored on networks. So we need a way that we can pass authentication. We need a way that we can prove that we are who we say we are without exposing that data to other people so that they could try to falsely impersonate us.
So many methods of authentication can be used. We're gonna talk about a lot of different ways that we can authenticate ourselves, as well as a lot of the different protocols that we can use for authentication. We're gonna talk about cryptography a little bit and how, mathematically, some of our cryptography works in our authentication in order to protect our passwords and to ensure that we are who we say we are. And
authentication is not just for confidentiality. We're not just proving that we are who we say we are for the sake of protecting the confidentiality of data. But we also want to make sure that authentication is strong for something called non-repudiation.
Repudiation is essentially when we try and say that we didn't do something.
logs into a network and then goes out and downloads malicious tools and then tries to use them against our servers, then authentication lets us see who was logged in and who did that, and we can go to that person, we can prosecute them. And if they say, "Oh, that wasn't me. That was someone else," then we can point to their several logins and say, "OK, then who did you give your login information to? Or who stole your login information?"
Repudiation is someone being able to say that, is someone being able to go, "That wasn't me. I didn't do that. I don't know what you're talking about. I wasn't there that day. I didn't log in." Non-repudiation is us making it harder for people to say, "That wasn't me."
More and more governments are issuing smart cards where you have to have a smart card and PIN number to log into a machine, as well as additional usernames and passwords, which may be in play. So if some sort of fraudulence or some sort of illegal activity occurs on someone's account and then they try to say, "That wasn't me," then we say, "Well, then someone would have had to have your card and your PIN. So that means either someone stole your card or someone stole the certificates off of your card, and you didn't report any of that stolen." So non-repudiation helps us to better be able to prosecute people and better be able to track down who performed certain actions on our network.
So that's authentication. Authentication: proving that we are who we say we are.
Now, before we get into the technical side of the house, we're gonna need to talk about some of the general concepts of authentication. And the first thing that we're gonna talk about for authentication is our factors of authentication. In the world today, in the world of IT today, we currently have three main categories of authentication.
These are something we have
and something you are. Something you have includes things such as a badge, an ID card, an RSA token with numbers that are being generated on them.
Something you have is an authentication method that you need to have a particular piece of, ah, physical object in order to authenticate that. Something that you have
is knowledge. You could technically write it down or you could record it. But it's something that you don't necessarily need to have a physical object with you. It's something that you just know, and you can pass along that knowledge to someone else. These include things such as PIN numbers, passwords, usernames. These are things that we know.
And then lastly, we have something that you are. Something that you are includes biometric means: fingerprint, iris scan, retinal scan, voice recognition, facial recognition. These are things that are something that you are.
As we introduce new IT concepts, as we introduce new ways of authenticating people, these mostly stayed the same. We haven't really expounded much off of these three authentication factors. There may be slightly different authentication factors, such as somewhere you are, like your geographical location based on your IP address, but those could be spoofed. Those could be falsified. So those may not be very good authentication methods. Those may just be like additional checks that we may put in place, additional things that we log. But as far as our authentication methods go, we're really at the point right now where we have these main three. These are big three authentication factors: something you have, something you know, something you are.
So when you hear someone talk about multi-factor or two-factor authentication, they're not talking about two passwords or two badges or a fingerprint scan, a thumbprint scan, and a pinkie print scan.
They're talking about using two of these categories of authentication. If you're using multi-factor authentication, you're using more than one factor. Using two-factor authentication, you're using at least two of these factors for authentication. This could be something such as a badge and a PIN.
A badge is something you have and a PIN is something you know. Even if someone were to find out what your PIN is because you wrote it down, then they have what you know, but they still need your badge. They still need something you have. So unless you take a Sharpie and you write your PIN on your badge, which is very, very
then just by losing your badge, they still need to know your PIN.
Fingerprint and password: so a fingerprint scan and then a password entry is also something you need to know, and then something that you are. Your fingerprint is something you are. So the more factors of authentication that we put into play, the more factors that we need to know, the harder that we make it for people to impersonate us, the harder, the more we, the very secure authentication methods. Because just because someone knows our password, they may not have a fingerprint scan. That makes it harder for someone trying to impersonate us. The more factors we add onto this, maybe we have a badge, a PIN, and a fingerprint scan.
So this would be three factors of authentication: something we have, something we know, and something we are.
If someone says you need, you may encounter websites where they send you a text message code. That would be something you know, your password when you log in, and then something you have, your phone, because they're going to send that PIN to your phone. You don't know that PIN until it's sent to your phone, the thing that you have. So that's something you have, your phone, and something you know, your password.
If someone says, "Oh, well, we need to have two-factor authentication. We're gonna implement fingerprint scans and voice recognition," that's not two-factor authentication. Both of those are something that you are. Both of those are biometric. If you say, "Oh, well, I'm gonna implement a primary password, and then we're gonna have security questions," that's only one-factor authentication. Your password is something you know, your security questions are something you know. So
two-factor authentication is using two of these factors. You have to have two of the three: something you have, something you know, or something you are. So if someone says, "We have multi-factor authentication, we use security questions and the password," that's not multi-factor authentication unless you throw in a fingerprint scan or a text message to your phone or a security PIN to your email address.
Well, then, technically, actually, you still have two-factor authentication, because if your email address is just a password, that's again just another password. So you would need to send a security PIN to a phone in order to say, "Okay, so we have security questions, password, and the phone PIN, and all of those three things have to be in play." That's your two factors of authentication. You know your password, you know your security questions, and you have your phone where they're going to send that secret PIN. So that's two-factor authentication. So
more and more email services, a lot more email services and login services, are allowing for this two-factor authentication, where they say, "Do you want to set up two-factor authentication? Do you want to give us your phone number and have us text you a PIN every time you log into a new computer?" And this greatly increases your chances for not having your account compromised. Because now, if you inadvertently enter your password, say, on another website, or someone steals your password when you're in a coffee shop, then they're gonna try to log into your email. But they're gonna need your phone number, your actual phone, so they can get that security PIN. So
consider using multi-factor, or at least two-factor, authentication. If you're using systems that are, the more I see top secret your systems are, the more confidential your systems are, the more you wanna protect your systems, the more factors of authentication out of our three factors you're gonna use in order to protect them.