Authentication proves an identity with some type of credentials, such as a username and password. If you’re planning to take the SY0-501 version of the Security+ exam, you should understand identity and access management concepts. This includes various authentication concepts and methods, along with some basic security principles used to manage accounts.
For example, can you answer this question?
Q. Your organization recently updated an online application that employees use to log on when working from home. Employees enter their username and password into the application from their smartphone and the application logs their location using GPS. Which type of authentication is being used?
A. One-factor
B. Dual-factor
C. Something you are
D. Somewhere you are
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Something You Know
The something you know authentication factor typically refers to a shared secret, such as a password or even a PIN. This factor is the least secure form of authentication. However, you can increase the security of a password by following some simple guidelines.
Using a Password Policy
A common group of settings that administrators configure in Group Policy is the Password Policy settings. Password policies typically start as a written document that identifies the organization’s security goals related to passwords. For example, it might specify that passwords must be at least 14 characters long, complex, and changed every 45 days. Administrators then implement these requirements with a technical control, such as the Password Policy settings within a Group Policy Object (GPO).
The figure shows the Local Group Policy Editor with the Password Policy selected in the left pane. The right pane shows the password policy for a Windows system and the following text explains these settings:
Password Policy in Windows
• Enforce password history. Some users will go back and forth between two passwords that they constantly use and reuse. However, password history remembers past passwords and prevents the user from reusing previously used passwords. For example, setting this to 24 prevents users from reusing passwords until they’ve used 24 new passwords.
• Maximum password age. This setting defines when users must change their password. For example, setting this to 45 days causes the password to expire after 45 days. This forces users to reset their password to a new password on the 46th day.
• Minimum password age. The minimum password age defines how long users must wait before changing their password again. If you set this to 1 day, it prevents users from changing their passwords until 1 day has passed. This is useful with a password history to prevent users from changing their password multiple times until they get back to the original password. If the password history is set to 24 and the minimum password age is set to 1 day, it will take a user 25 days to get back to the original password. This is enough to discourage most users.
• Minimum password length. This setting enforces the character length of the password. It’s common to require users to have passwords at least 14 characters long, but some organizations require administrators to have longer passwords.
• Password must meet complexity requirements. This setting requires users to have complex passwords that include at least three of the four character types (uppercase letters, lowercase letters, numbers, and special characters). When enabled, Windows also rejects a password that contains the user’s account name or more than two consecutive characters of the user’s full name.
• Store passwords using reversible encryption. Reversible encryption stores the password in such a way that the original password can be recovered, which defeats the purpose of storing only a hash. This is rarely enabled and should stay disabled unless a legacy protocol (such as CHAP for remote access or Digest authentication in IIS) genuinely requires the plaintext password.
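To show how these six settings interact (in particular how password history, minimum age, and maximum age work together), here is a small policy evaluator. It is an added example, not code from the original post or from Microsoft: the setting names mirror the GPO, the default values are the sample values from the post (24 remembered passwords, 45-day maximum age, 1-day minimum age, 14 characters), and the function names, hashing choice, and sample account are my own assumptions.

```python
"""Password-policy evaluator modelled on the Windows Password Policy settings.
Added example, not the post's or Microsoft's code; names and sample data are
assumptions made for illustration."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DAY0 = datetime(2024, 1, 1)  # constructed reference date for the demo


def days(n):
    return timedelta(days=n)


@dataclass
class PasswordPolicy:
    enforce_password_history: int = 24    # previous passwords that cannot be reused
    maximum_password_age: int = 45        # days before the password expires (0 = never)
    minimum_password_age: int = 1         # days a user must wait between changes
    minimum_password_length: int = 14
    complexity_required: bool = True
    reversible_encryption: bool = False   # keep disabled: this code stores hashes only


@dataclass
class Account:
    username: str
    last_changed: datetime
    # Hashes of previous and current passwords, oldest first. Windows also keeps
    # hashes of old passwords; the history must never be stored in plaintext.
    password_hashes: list = field(default_factory=list)


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_ok(password: str) -> bool:
    """Three of the four character classes listed in the post."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def check_password_change(policy, account, new_password, now):
    """Return the list of violated settings; an empty list means the change is allowed."""
    problems = []
    if now - account.last_changed < days(policy.minimum_password_age):
        problems.append("minimum password age not reached")
    if len(new_password) < policy.minimum_password_length:
        problems.append(f"shorter than {policy.minimum_password_length} characters")
    if policy.complexity_required and not complexity_ok(new_password):
        problems.append("does not meet complexity requirements")
    # [-0:] would be the whole list, so guard the history-disabled case explicitly.
    remembered = account.password_hashes[-policy.enforce_password_history:]
    if policy.enforce_password_history and _digest(new_password) in remembered:
        problems.append(f"matches one of the last {policy.enforce_password_history} passwords")
    return problems


def apply_password_change(policy, account, new_password, now):
    """Enforce the policy, then record the new password in the history."""
    problems = check_password_change(policy, account, new_password, now)
    if problems:
        raise ValueError("; ".join(problems))
    account.password_hashes.append(_digest(new_password))
    account.last_changed = now


def password_expired(policy, account, now) -> bool:
    """True once the password is older than the maximum age (day 46 for a 45-day maximum)."""
    if policy.maximum_password_age == 0:
        return False
    return now - account.last_changed > days(policy.maximum_password_age)


def new_account(username, password, when):
    """Create an account whose current password is already in the history."""
    return Account(username, when, [_digest(password)])


if __name__ == "__main__":
    policy = PasswordPolicy()
    alice = new_account("alice", "Winter-Sunrise-2024", DAY0)
    print(check_password_change(policy, alice, "Winter-Sunrise-2024", DAY0 + days(2)))
    # Rotate through 24 new passwords one day apart; only then is the original accepted again.
    for i in range(24):
        apply_password_change(policy, alice, f"Rotation-Passw0rd-{i:02d}", DAY0 + days(i + 1))
    print(check_password_change(policy, alice, "Winter-Sunrise-2024", DAY0 + days(25)))
```

Running the demo shows the reuse attempt rejected on day 2 and accepted only after 24 distinct passwords have been set a day apart, which is the combined effect of history and minimum age the text describes.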
Somewhere You Are
The somewhere you are authentication factor identifies a user’s location. Geolocation is a group of technologies used to identify a user’s location and is the most common method used in this factor. Many authentication systems use the Internet Protocol (IP) address for geolocation: a geolocation database maps the address to a country, region, state, city, and sometimes even a zip code.
As an example, I once hired a virtual assistant in India to do some data entry for me. I created an account for the assistant in an online application called Hootsuite and sent him the logon information. However, when he attempted to log on, Hootsuite recognized that his IP was in India but I always logged on from an IP in the United States. Hootsuite blocked his access and then sent me an email saying that someone from India was trying to log on. They also provided me directions on how to grant him access if he was a legitimate user, but it was comforting to know they detected and blocked this access automatically.
It’s worth noting that using an IP address for geolocation isn’t foolproof. There are many virtual private network (VPN) and proxy services available online that change a user’s apparent IP address. For example, a user in Russia can connect through one of these services in the United States to access a web site. The web site sees only the IP address of the VPN exit point, not the user’s real IP address in Russia, so it will place the user in the United States.
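The Hootsuite behaviour described above (compare the country of the current logon with the country the account normally logs on from, and block plus notify on a mismatch) is easy to implement once you have an IP-to-country lookup. The following is an added example, not code from the post or from Hootsuite. The prefix-to-country table is constructed from the RFC 5737 documentation ranges purely for illustration; a real deployment would query a geolocation database instead, and the sample logon history is likewise constructed.

```python
"""Somewhere-you-are check based on IP geolocation. Added example, not the
post's or Hootsuite's code; the lookup table and sample history are constructed."""
import ipaddress
from collections import Counter

# Constructed lookup table using documentation prefixes (not real allocations).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "IN"),
    (ipaddress.ip_network("192.0.2.0/24"), "RU"),
]


def country_for(ip: str):
    """Map an address to a country code, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEO_TABLE:
        if addr in prefix:
            return country
    return None


def usual_country(login_history):
    """The country the account normally logs on from (most frequent in history)."""
    counts = Counter(country_for(ip) for ip in login_history)
    counts.pop(None, None)          # ignore addresses we could not place
    return counts.most_common(1)[0][0] if counts else None


def evaluate_logon(login_history, ip):
    """Return (decision, country); decision is 'allow', 'block' or 'review'.

    A correct password presented from an unexpected country is blocked so the
    account owner can be notified, which is what the post describes."""
    country = country_for(ip)
    baseline = usual_country(login_history)
    if country is None or baseline is None:
        return ("review", country)  # nothing to compare against; do not fail open silently
    if country != baseline:
        return ("block", country)
    return ("allow", country)


if __name__ == "__main__":
    history = ["203.0.113.10", "203.0.113.25", "203.0.113.10"]  # constructed US logons
    print(evaluate_logon(history, "198.51.100.7"))    # assistant in India -> ('block', 'IN')
    # VPN caveat: the service only sees the exit address. A user whose real
    # address is 192.0.2.44 (RU in the table) but who connects through a US
    # exit node at 203.0.113.200 is indistinguishable from a US user.
    print(evaluate_logon(history, "203.0.113.200"))   # -> ('allow', 'US')
```

The second call in the demo is the VPN limitation from the text in code form: the check is only as good as the address the server sees, which is why this factor is usually combined with something you know rather than relied on alone.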
Within an organization, it’s possible to use the computer name or the media access control (MAC) address of a system for the somewhere you are factor. For example, in a Microsoft Active Directory domain, you can configure a user account so that it can only log on from one specific computer (the Log On To setting on the account). If the user isn’t at that computer, the domain controller rejects the logon. Keep in mind that a computer name or MAC address identifies a device rather than a verified location, and both can be spoofed, so this is a weak control on its own.
Q. Your organization recently updated an online application that employees use to log on when working from home. Employees enter their username and password into the application from their smartphone and the application logs their location using GPS. Which type of authentication is being used?
A. One-factor
B. Dual-factor
C. Something you are
D. Somewhere you are
Answer is A. This is using one-factor authentication: something you know. The application uses the username for identification and the password for authentication. Note that even though the application is logging the location using Global Positioning System (GPS), there isn’t any indication that it uses this information for authentication. Dual-factor authentication requires a second factor of authentication. If the application verified you were logging on from a specific GPS location as part of the authentication, it would be dual-factor authentication (something you know and somewhere you are).
Something you are refers to biometric authentication methods.
The somewhere you are authentication method verifies you are somewhere, such as in a specific GPS location, but this isn’t being used for authentication in this scenario.
See Chapter 2 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on authentication concepts.