Three Factors of Authentication and Multifactor Authentication

Posted by in CISSP, CompTIA, Security+, SSCP | 1 comment

Factors of Authentication

If you’re studying for one of the security certifications like CISSP, SSCP, or Security+ it’s important to understand the different factors of authentication, and how they can be intertwined as multifactor authentication. These are commonly known as something you know (such as a password), something you have (such as a smart card), and something you are (using biometrics). A basic understanding of these topics can help you correctly answer many different questions on authentication on any of these certification exams.

A previous post covered identification, authentication, and authorization. As a reminder, identification occurs when a user (or any subject) claims an identity. Authentication occurs when the user provides proof of the identity, such as with a password. Authorization grants access to resources based on the user’s proven identity.


Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide


Something You Know

The something you know factor includes passwords and personal identification numbers (PINs). This is considered the weakest form of authentication because users often use weak passwords, give them out, or write their passwords down.

A strong password is complex and includes at least eight characters. Complex means that the password uses a mixture of upper case, lower case, numbers, and special characters. Some documentation indicates using three of the four character types is enough, while other documentation states that a complex password has four character types. The key is that more character types results in a more complex password that is harder to crack. However, the bigger point is that many users create passwords with only a single character type.

Troy Hunt did a great analysis of passwords that were stolen from Sony’s web sites and published on the Internet. He found that half used only a single character type and only 1 percent used any non-alphanumeric characters. Some of the top passwords were very simple: seinfeld, password, winner, 123456, purple, sweeps, contest, princess, maggie, and abc123. More than 64 percent of the passwords were found in common password-cracking dictionaries. Additionally, when users had accounts on two separate Sony sites, over 92 percent of them used the same password.

Password policies are often used to ensure that users create strong passwords and change them often. Some common password policy settings are:

  • Maximum password age. Requires users to change their password.
  • Minimum length. Ensures passwords have a minimum number of characters.
  • History. Remembers specific number of past passwords (such as last 5, or last 24 passwords). Prevents users from reusing the same passwords.
  • Minimum password page. Prevents users from changing their password right away. Used with the password history to prevent users from changing their password multiple times to circumvent the password history.

Security+ Practice Test Questions

SYO-401 Practice Test Questions Now Available

Over 440 realistic Security+ practice test questions

All questions include explanations so you'll know why the correct answers are correct,

and why the incorrect answers are incorrect.

Pass the Security+ Exam

the First Time You Take It

Multiple quiz formats to let you use these questions based on the way you learn.
  • Learn mode - randomized. View each of the questions in random order. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you'll see the explanation. Click here to see how learn mode works.
  • Learn mode - not randomized. View each of the questions in the same order. Use this if you want to make sure that you see all of the questions. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you'll see the explanation. Click here to see how learn mode works.
  • Test mode - randomized. View each of the questions in random order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
  • Test mode - not randomized. View each of the questions in the same order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
  • Test mode - 100 random questions. View 100 random questions from the full test bank similar to how the Security+ exam has a potential maximum of 100 multiple choice questions. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.

Get the full bank of Security+ Practice Test Questions Here

 SYO-401 Practice Test Questions Now Available


INCLUDES QUESTIONS TO HELP YOU PREPARE

FOR THE NEW PERFORMANCE BASED QUESTIONS 

Bonus - Performance Based Questions

Additional Security+ questions to help you prepare for the new performance based questions. These are included with the full bank of Security+ practice test questions and are divided into different sections. For example, you'll have access to the following links:

- Performance Based Question - Set 1

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of security to mobile devices and servers in a data center. You'll then have two questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 2

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of attacks with the name of the attack type. You'll then have five questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 3

You'll see a graphic showing a network with computers and servers separated by a firewall. The firewall is used to control traffic between the computers and users using rules within an access control list (ACL).  You'll have three questions that test your knowledge and ability to correctly identify the relevant components of the rule. The incorrect answers and explanation provide you with insight into how to correctly answer this type of question on the actual exam.

- Performance Based Question - Set 4

You'll see a graphic explaining what you might be required to do on the actual exam related to what a forensic analyst would do during an investigation. You'll then have two questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 5

You'll see a graphic explaining what you might be required to do on the actual exam to match protocols and ports. You'll then have seven questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 6

You'll see a list of security controls along with a graphic showing devices and locations within an organization, along with instructions on what you might be required to do on the actual exam to match the controls with the devices and locations. You'll then have four questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 7

You'll see a list of authentication methods and authentication factors along with instructions on what you might be required to do on the actual exam to match the authentication methods with the authentication factors. You'll then have six questions that test your knowledge and ability to correctly answer the questions. This set also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 8

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of attacks with the name of the attack type. You'll then have five questions that test your knowledge and ability to correctly answer the questions. This is similar to Set 2 but expands on the possibilities. The set also includes a link to a page showing the end solution for the overall performance based question simulation.

New - Performance Based Question - Set 9

New questions recently added using a different testing engine. See a demo here. This set includes drag and drop and matching questions on ports.

New - Performance Based Question - Set 10

A random set of 20 performance-based questions using drag and drop, matching, sorting, and fill in-the blank. This set includes performance-based questions on RAID.

Get the full bank of Security+ Practice Test Questions Here

Get the full bank of Security+ Practice Test Questions

Simulated Performance-based Questions

Bonus - Performance Based Questions

Simulated performance-based questions included with all

packages that include practice test questions.

Additional Security+ questions to help you prepare for the new performance based questions. These are included with the full bank of Security+ practice test questions and are divided into different sections. For example, you'll have access to the following links:

- Performance Based Question - Set 1

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of security to mobile devices and servers in a data center. You'll then have two questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 2

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of attacks with the name of the attack type. You'll then have five questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 3

You'll see a graphic showing a network with computers and servers separated by a firewall. The firewall is used to control traffic between the computers and users using rules within an access control list (ACL).  You'll have three questions that test your knowledge and ability to correctly identify the relevant components of the rule. The incorrect answers and explanation provide you with insight into how to correctly answer this type of question on the actual exam.

- Performance Based Question - Set 4

You'll see a graphic explaining what you might be required to do on the actual exam related to what a forensic analyst would do during an investigation. You'll then have two questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 5

You'll see a graphic explaining what you might be required to do on the actual exam to match protocols and ports. You'll then have seven questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 6

You'll see a list of security controls along with a graphic showing devices and locations within an organization, along with instructions on what you might be required to do on the actual exam to match the controls with the devices and locations. You'll then have four questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 7

You'll see a list of authentication methods and authentication factors along with instructions on what you might be required to do on the actual exam to match the authentication methods with the authentication factors. You'll then have six questions that test your knowledge and ability to correctly answer the questions. This set also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 8

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of attacks with the name of the attack type. You'll then have five questions that test your knowledge and ability to correctly answer the questions. This is similar to Set 2 but expands on the possibilities. The set also includes a link to a page showing the end solution for the overall performance based question simulation.

New - Performance Based Question - Set 9

New questions recently added using a different testing engine. See a demo here. This set includes drag and drop and matching questions on ports.

New - Performance Based Question - Set 10

A random set of 20 performance-based questions using drag and drop, matching, sorting, and fill in-the blank. This set includes performance-based questions on RAID.

Get the full bank of Security+ Practice Test Questions Here

Simulated performance-based questions included with

all packages that include practice test questions.


Looking for quality Practice Test Questions for the SY0-401 Security+ exam?
CompTIA Security+: Get Certified Get Ahead- SY0-401 Practice Test Questions


Something You Have

Smart cards and token, or fobs are common examples within the something you have factor of authentication. A smart card is a credit card sized card that holds key information about the user. Smart cards have certificates embedded in them using TLS and provide very strong authentication. This blog covers the differences between smart cards, a common access card (CAC), and a personal identity verification (PIV) card.

A fob (sometimes called a token) has an LED display that shows a number that changes regularly, such as every 60 seconds. This number is synchronized with a server. When users log into a website, they enter the number shown on the display to verify they have the token. This factor is often combined with another factor to provide multifactor authentication.


Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide


Something You Are

The something you are factor uses biometrics to prove a user’s identity. Fingerprints are very commonly used for authentication, but there are many other examples. Biometrics are often divided into two categories: physical biometrics and behavioral biometrics.

  • Physical biometrics are based on physical traits of an individual. It includes fingerprints, thumbprints, handprints, palms retina scanners, and iris scanners.
  • Behavioral biometrics is based on behavioral traits of an individual. It includes voice recognition, signature geometry, and key strokes on a keyboard.

Biometrics systems are susceptible to false readings. These are commonly known as:

  • Type 1 error. False Reject Rate (FRR). This occurs when a biometric system incorrectly rejects an authorized user.
  • Type 2 error. False Accept Rate (FAR). This occurs when a biometric system incorrectly identifies an unauthorized user as an authorized user.

Most biometric systems allow you to adjust the sensitivity of the system. For example, you can adjust it to minimize false rejections (FRR errors) but this will result in an increase in the false acceptances (FAR errors). The overall accuracy of a biometric system is identified with the crossover error rate (CER), where the FAR and FRR are equal. A biometric system with a lower CER is more accurate than one with a higher CER.


Get Certified Get Ahead


Multifactor Authentication

Multifactor authentication combines two or three of the factors. Two common examples are:

  • A user has a smart card and also uses a personal identification number (PIN)
  • A user has a token and also enters a username and password

It’s important to realize that multiple authentication and multifactor authentication are not the same thing. For example, if a user enters a pin (in the something you know factor), and a password (also in the something you know factor), this is not multifactor authentication.

Security+ Full Access Package

Get Certified Get Ahead Security+

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access For Only $55.98

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide. They can also be used to help ensure you're ready no matter what study guide you're using.

This exam is expensive.

Make sure you're ready before exam day. 

Here's what you'll get:
  • All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide. See a demo here. All questions have full explanations so you'll know why the correct answers are correct and why the incorrect answers are incorrect.
  • Over 35 new multiple-choice questions we've added after publishing the study guide.
  • Over 70 performance-based questions. See a demo here.
  • All of the flashcards from the study guide. View them in any Web browser.
  • All of the audio from the study guide. Listen to a sample here.
  • A subnetting mini-tutorial to help you answer key question types in the Security+ exam.
  • Access to a free discount code for 10% off your Security+ voucher. Save $31.10 off the US retail cost for this voucher.

Buy The Full Access Study Package Today

60 Days Access For Only $55.98

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here


CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide

1 Comment

  1. Thanks for the alternate explanation above (TypeI vs TypeII Errors). I’m not sure if the introduction of FRR vs FAR is new CompTIA ‘speak’ or an alternative to ‘False Positive’ vs ‘False Negative.’

    And, I don’t want to revisit the manipulation of language as an instrument of control;
    I’m here to strictly enjoy the ride with a smile of confidence!..

    Always thankful! jake

Leave a Comment

CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide

Subscribe To Our Newsletter

Join our mailing list and get a free excerpt of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.  This excerpt includes the introduction and Chapter 1. 

You have Successfully Subscribed!

Get Certified Get Ahead is a participant in the Amazon Services LLC Associates Program,
an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.

Copyright © 2015 Get Certified Get Ahead. All Rights Reserved.