4.2 Authentication
Authentication is the process of verifying the identity of a user or device to ensure that only authorized entities can access a system. A cornerstone of modern authentication is the secure handling of passwords. Storing passwords in plaintext (as readable text) is extremely insecure. If an adversary gains access to a password database, they would instantly have all users' credentials.
To prevent this, systems store passwords as hashes. A cryptographic hash function is a one-way mathematical algorithm that takes an input of any length (the password) and produces a fixed-length string of characters called a hash or digest. Key properties of these functions include:
- Pre-image resistance: It is computationally infeasible to reverse the function and determine the original password from its hash.
- Collision resistance: It is extremely difficult to find two different passwords that produce the same hash.
- Repeatability: The same password will always produce the same hash.
When a user logs in, the password they enter is hashed, and this new hash is compared to the one stored in the database. If they match, the user is authenticated. To further enhance security, systems use a technique called salting. A salt is a unique, random string of characters that is added to each user's password before it is hashed; the salt is stored alongside the resulting hash so the same salt can be applied again when the user logs in. Salting ensures that even if two users have the same password, their stored hashes will be different, which helps defend against certain types of password attacks such as rainbow table attacks.
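The store-and-verify flow described above, as an added Python example (not code from the original page): each user gets a fresh random salt, the salt and work factor are kept with the digest, and login re-hashes the supplied password with that stored salt. The record layout `pbkdf2_sha256$<iterations>$<salt>$<digest>` is an assumption chosen for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iters>$<salt_hex>$<digest_hex>'.

    The salt is generated fresh per call, so two users with the same
    password still end up with different records.
    """
    salt = os.urandom(SALT_BYTES)  # unique, unpredictable salt for this user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and compare the digests."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False  # unknown or legacy record format
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: wrong field count or bad hex/int
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demo: two accounts chose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("records differ:", alice != bob)            # True, thanks to the salt
    print("alice login ok:", verify_password("correct horse battery staple", alice))
    print("wrong password:", verify_password("Correct horse battery staple", alice))
```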
Adversaries use various password attacks to defeat these protections. Online attacks involve an adversary trying to log in to a live system, which can be detected by monitoring for multiple failed attempts. Offline attacks occur when an adversary has already stolen a hashed password file and can attempt to crack the hashes on their own machine. Common offline attacks include:
- Brute force attacks: Attempting every possible combination of characters to find the correct password.
- Dictionary attacks: Trying a list of common words and passwords.
- Rainbow table attacks: Using a precomputed table of hashes to find a matching password.
Authentication is based on one or more factors of identification:
- Something you know (knowledge factor): A password, PIN, or answer to a security question.
- Something you have (possession factor): A physical object like a smartphone (to receive a code), an access card, or a security token.
- Something you are (biometric factor): A unique physical trait like a fingerprint, facial scan, or iris pattern.
- Somewhere you are (location factor): Your geographic location, often determined by GPS or IP address.
Multifactor Authentication (MFA) significantly increases security by requiring a user to provide two or more of these factors. Even if an adversary steals a user's password, they would still need the second factor to gain access.
To strengthen password security, administrators can configure several login settings on a device or system. These include enforcing password complexity (requiring uppercase, lowercase, numbers, and special characters), setting a minimum password length, and establishing a maximum password age to force users to change their passwords periodically. Systems can also be configured to remember a user's password history to prevent reuse and to implement an account lockout policy, which temporarily disables an account after a certain number of failed login attempts.