NIST SP 800-63 provides a model for the digital identity architecture.
It covers the registration (enrollment) of a user,
the issuance of a credential and its maintenance over the life of
an authentication system, and how we authenticate from one party to another.
So it identifies the parties: the verifier,
the registration authority, the credential service provider that issues the credential, and the relying party that consumes the result.
You can see the model on your screen now,
and in the further reading
you can read more about the authentication model.
This is the de facto standard for any
U.S. federal information system that needs authentication;
those systems are built on this model.
You may think it is simple to provide
authentication, but you have to think all the way from
how you register a user or a device, through how
you authenticate that user on every login, to how you revoke and destroy the credential when it is no longer valid.
How do we authenticate through that entire lifecycle?
Factors of authentication.
This lecture lists four different factors: something that you know,
something that you have,
something that you are,
and something that you do.
(NIST SP 800-63B itself recognizes only the first three, and treats behavioral traits such as voice or handwriting as biometrics, that is, as something that you are.)
So something that you know is going to be a password,
a PIN, or the answers to security questions.
These are all knowledge based: something that you know and nobody else should know.
Now the authentication system has to hold some
representation of that value, something it can check your password or PIN against.
It must not keep the secret itself in the clear; it should store a salted, slow hash of the password
(which is what SP 800-63B requires of verifiers) and protect that credential store.
Something that you have includes things like smart cards and physical tokens.
Something that you are is a biometric, for example a fingerprint reader or an iris scanner.
That is something that you cannot get rid of.
Maybe you could file your fingerprints off, but why in the world would you do that?
It presents a representation of who you are.
An iris scanner is very expensive to put in, but iris recognition has one of the lowest false-match rates of the common biometrics.
Something that you do includes voice pattern recognition and handwriting.
Facial recognition is also included here, although it is usually classed as something that you are.
So some threats to something that you know, that is, to password-based authentication.
These come in the form of somebody phishing your password, or poor password management.
Keylogging, for example, and other eavesdropping techniques are
designed to steal your password as you type it. Password-based attacks
against the verifier itself are also attacks on user authentication: password
cracking, rainbow tables, and attacks on the password store.
Secret questions are easy to obtain answers for if you just
look at social media. Look at somebody's posts and you
can figure out their favorite pet,
where they went to high school and what the mascot was, or
their mother's maiden name by looking at
public records. Something that you know is very easy to attack.
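The lecture says the verifier must secure its representation of the password, and then lists cracking and rainbow tables as attacks on that store. The following is an added example, not code from the lecture or from NIST, showing both sides: an unsalted fast hash that a small precomputed lookup table breaks with one dictionary hit, beside a salted PBKDF2-HMAC-SHA256 record with a constant-time check. The usernames, passwords and wordlist are constructed for the demo; the record format and the helper names (hash_password, verify_password, crack_unsalted) are this example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Kept low so the demo runs quickly;
# current OWASP guidance for production is 600,000 iterations.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Derive a salted, slow hash and return a self-describing record.

    Format: pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
    A fresh 16-byte random salt per user means two users with the same
    password get different records, so one precomputed table cannot break both.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    alg, iterations, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {alg}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest does not leak how many bytes matched via timing.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def unsalted_sha256(password: str) -> str:
    """The weak scheme: a plain, fast, unsalted hash of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: list[str]) -> dict[str, str]:
    """Precompute digest -> password for a wordlist (toy stand-in for a rainbow table)."""
    return {unsalted_sha256(w): w for w in wordlist}


def crack_unsalted(stored_digest: str, table: dict[str, str]) -> str | None:
    """Recover a password from an unsalted digest with one dictionary lookup."""
    return table.get(stored_digest)


# Constructed demo data: not real accounts, not real credentials.
COMMON_PASSWORDS = ["123456", "password", "Summer2017!", "letmein", "qwerty"]
USERS = {"alice": "Summer2017!", "bob": "Summer2017!", "carol": "correct horse battery"}


def demo() -> dict[str, object]:
    """Store the same users both ways and report what an attacker with the store can do."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_store = {u: unsalted_sha256(p) for u, p in USERS.items()}
    salted_store = {u: hash_password(p) for u, p in USERS.items()}
    return {
        # Same password, same unsalted digest: one table hit breaks both accounts.
        "unsalted_collide": unsalted_store["alice"] == unsalted_store["bob"],
        "cracked_alice": crack_unsalted(unsalted_store["alice"], table),
        "cracked_carol": crack_unsalted(unsalted_store["carol"], table),
        # Same password, different salts: the records differ and the table is useless.
        "salted_collide": salted_store["alice"] == salted_store["bob"],
        "alice_login_ok": verify_password("Summer2017!", salted_store["alice"]),
        "alice_wrong_pw": verify_password("Summer2018!", salted_store["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting alone does not stop an attacker who has stolen the store from guessing one account at a time; the slow derivation (ITERATIONS) is what makes each guess expensive, and carol's passphrase survives because it is not in the wordlist at all.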
Threats to something that you have are comparatively few.
Usually the secret is protected by hardware and is not easy to clone.
There are exceptions. U.S. passports
have RFID chips in them, and the data on them can be read and copied.
Magnetic stripe swipe cards are easy to copy too,
like credit cards, where the number on the stripe is trivially copied;
that is why credit cards now have chips inside them.
But a well-designed hardware token is hard to duplicate;
it is not hard to steal somebody's password, but it is
hard to compromise something that they physically have.
The main remaining threat is theft or loss of the device itself.
Threats to something that you are.
Well, the industry really isn't there yet.
Many facial recognition systems are fooled with a printout of your face.
Take the latest Samsung S8, for example:
if you hold the camera up to your face
and enroll your facial features,
its facial recognition is fooled with a picture of your face.
So false accepts (an impostor matched as you, a false positive) and false rejects
(you not matching yourself, a false negative) are both issues with something that you are,
and for security the false accept is the one that matters.
The industry has not caught up to this yet,
except in the case of some fingerprint scanners and iris scanners;
those are much more expensive, but they do provide another level of security.
This is also why SP 800-63B only allows a biometric as one factor alongside a physical authenticator, never on its own.
We also see general threats that apply to any factor: eavesdropping,
replay, malware, denial of service attacks,
and host- and client-based attacks.
How you get around authentication really depends on how clever you are.
But the easiest factor to compromise is still the password or PIN. It's funny.
I actually saw a funny post from somebody.
The title of the email was
"All bank PINs listed in this paste."
And what was it? Well, they are four-digit combinations.
So it was 0000 through 9999, just in a file.
It was pretty funny, but the reality is,
there are only 10,000 combinations for your bank card PIN or your ATM PIN.
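Ten thousand PINs is a space any attacker can enumerate, so what protects a PIN is not the hash on the server but the limit on online guesses. The following is an added example, not code from the lecture or from NIST, that models a verifier with a per-account failure counter using the SP 800-63B limit of 100 consecutive failed attempts, runs a brute-force attacker against it, and computes the attacker's chance of success. The class and function names (PinVerifier, brute_force, success_probability) and the demo PINs are this example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PIN_SPACE = 10_000   # every 4-digit PIN, 0000..9999
MAX_FAILURES = 100   # NIST SP 800-63B 5.2.2: at most 100 consecutive failed attempts


class PinVerifier:
    """Server-side PIN check with a salted hash and a per-account failure counter."""

    def __init__(self, pin: str) -> None:
        self.salt = os.urandom(16)
        self.stored = self._derive(pin)
        self.failures = 0
        self.locked = False

    def _derive(self, pin: str) -> bytes:
        # Hashing cannot rescue a 10,000-entry secret space against an offline
        # attacker (the whole space is recomputed in seconds); online throttling
        # is what protects the PIN. Iteration count kept low for the demo.
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), self.salt, 1_000)

    def attempt(self, guess: str) -> bool:
        """One online authentication attempt; counts failures and locks the account."""
        if self.locked:
            return False  # locked: refuse even a correct guess
        if hmac.compare_digest(self._derive(guess), self.stored):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False


def brute_force(verifier: PinVerifier) -> tuple[str | None, int]:
    """Online attacker: try 0000..9999 in order until success or lockout.

    Returns (recovered PIN or None, number of attempts made).
    """
    attempts = 0
    for n in range(PIN_SPACE):
        attempts += 1
        guess = f"{n:04d}"
        if verifier.attempt(guess):
            return guess, attempts
        if verifier.locked:
            return None, attempts
    return None, attempts


def success_probability(attempts_allowed: int, space: int = PIN_SPACE) -> float:
    """Chance that a random-guessing attacker wins within the allowed attempts."""
    return min(attempts_allowed, space) / space


if __name__ == "__main__":
    # Constructed demo PINs, not real ones.
    lucky = PinVerifier("0042")      # sits inside the first 100 guesses
    print(brute_force(lucky))        # ('0042', 43)
    typical = PinVerifier("7777")
    print(brute_force(typical))      # (None, 100): locked long before 7777
    print(success_probability(MAX_FAILURES))  # 0.01
    print(success_probability(PIN_SPACE))     # 1.0 with no throttling at all
```

With the limit in place an attacker who knows nothing about the PIN wins one time in a hundred per account; without it, enumerating the whole space is guaranteed to succeed, which is exactly what the "all bank PINs" file was making fun of.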