Authentication is often simplified as types, or factors, of authentication. If you’re planning to take the SY0-501 exam, you should have a basic understanding of authentication factors. This includes the something you have authentication factor.
For example, can you answer this practice test question?
Q. Your organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. Which of the following choices BEST meets this requirement?
A. HOTP
B. TOTP
C. CAC
D. Kerberos
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
The something you have authentication factor refers to something you can physically hold, such as smart cards, tokens, Common Access Cards (CACs), Personal Identity Verification (PIV) cards, and one-time password tokens based on HMAC-based One-Time Password (HOTP) or Time-based One-Time Password (TOTP). This blog post discusses CACs and PIVs, and HOTP and TOTP.
CACs and PIVs
A Common Access Card (CAC) is a specialized type of smart card used by the U.S. Department of Defense. In addition to including the capabilities of a smart card, it also includes a picture of the user and other readable information. Users can use the CAC as a form of photo identification to gain access into a secure location. For example, they can show their CAC to guards who are protecting access to secure areas. Once inside the secure area, users can use the CAC as a smart card to log on to computers.
Similarly, a Personal Identity Verification (PIV) card is a specialized type of smart card used by U.S. federal agencies. It also includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users, just as a CAC does.
CACs and PIVs both support dual-factor authentication (sometimes called two-factor authentication) because users generally log on with the smart card and by entering information they know such as a password. Additionally, just as with smart cards, these cards include embedded certificates used for digital signatures and encryption.
HOTP and TOTP
Hash-based Message Authentication Code (HMAC) uses a hash function and cryptographic key for many different cryptographic functions. A hash is simply a number created with a hashing algorithm. HMAC-based One-Time Password (HOTP) is an open standard used for creating one-time passwords, similar to those used in tokens or key fobs. The algorithm combines a secret key and an incrementing counter, and uses HMAC to create a hash of the result. It then converts the result into an HOTP value of six to eight digits.
Imagine Bart needs to use HOTP for authentication. He requests a new HOTP number using a token or a software application. He can then use this number for authentication along with some other authentication method, such as a username and password. As soon as he uses it, the number expires. No one else is able to use it, and Bart cannot use it again either.
Here’s an interesting twist, though. A password created with HOTP remains valid until it’s used. Suppose Bart requested the HOTP number but then got distracted and never used it. What happens now? Theoretically, it remains usable forever. This presents a risk related to HOTP because other people can use the password if they discover it.
A Time-based One-Time Password (TOTP) is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP typically expire after 30 seconds.
One significant benefit of HOTP and TOTP is price. Hardware tokens that use these open source standards are significantly less expensive than tokens that use proprietary algorithms. Additionally, many software applications use these algorithms to create software tokens used within the application.
For example, the figure shows the free VIP Access app created by Symantec and running on an iPad. It’s also available for many other tablets and smartphones. Once you configure it to work with a compatible authentication server, it creates a steady stream of one-time use passwords. The six-digit security code is the password, and the counter lets you know how much more time you have before it changes again.
VIP Access app
Similar to a hardware token, the user enters a username and password as the something you know factor, and then enters the security code from the app as the something you have factor. This provides dual-factor authentication. Many public web sites like eBay and PayPal support it, allowing many end users to implement dual-factor authentication as long as they have a smartphone or tablet device.
Remember this
HOTP and TOTP are both open source standards used to create one-time use passwords. HOTP creates a one-time use password that does not expire until it is used. TOTP creates a one-time password that expires after 30 seconds. Both can be used as software tokens for authentication.
Q. Your organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. Which of the following choices BEST meets this requirement?
A. HOTP
B. TOTP
C. CAC
D. Kerberos
Answer is B. A Time-based One-Time Password (TOTP) meets this requirement. Passwords created with TOTP expire after 30 seconds.
An HMAC-based One-Time Password (HOTP) creates passwords that do not expire.
A Common Access Card (CAC) is a type of smart card, but it does not create passwords.
Kerberos uses tickets instead of passwords.
See Chapter 2 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on authentication factors.