Once you've identified yourself to a system, you must prove that claim of identity. That's where authentication comes into play. Computer systems offer many different authentication techniques that allow users to prove their identity. In this video, learn about three authentication factors—something you are, something you have, and something you know.
- [Instructor] Once you've identified yourself to a system, you must prove that claim of identity. That's where authentication comes into play. Computer systems offer many different authentication techniques that allow users to prove their identity. Let's take a look at three different authentication factors. Something you know, something you are, and something you have. By far the most common authentication factor is something you know. Typically this comes in the form of a password that the user remembers, and enters into a system during the authentication process.
Users should choose strong passwords consisting of as many characters as possible and combine characters from multiple classes, such as uppercase and lowercase letters, digits, and symbols. One of the best ways to create a strong password is to use a passphrase instead. For example, you might choose the easily memorable phrase, chocolate-covered strawberries are for me, and write it like this instead. That gives you a strong complex password that is easy to remember and hard to guess.
The second authentication factor is something you are. Biometrics measure one of your physical characteristics such as a fingerprint, eye pattern, voiceprint, or facial geometry. The third authentication factor, something you have, requires the user to have physical possession of a device, such as a smartphone or authentication token key fob like the one shown here. The strength of techniques used by each of these authentication factors may be measured by the number of errors that it generates.
There are two basic types of errors in authentication systems. False acceptance errors occur when the system misidentifies an individual as an authorized user and grants access that should be denied. This is a very serious error because it allows unauthorized access to the system, device, information, or facility. The frequency of these errors is measured by the false acceptance rate, or FAR. False rejection errors occur when an authorized individual attempts to gain access to a system but is incorrectly denied access by that system.
This is not as serious as a false acceptance, because it does not jeopardize confidentiality or integrity, but it is still a serious error because it jeopardizes the availability of those resources to authorized users. The frequency of these errors is measured by the false rejection rate, or FRR. The FAR and FRR are not by themselves good measures of the strength of an authentication factor, because they may easily be manipulated. On one extreme, administrators may configure the system to simply admit nobody at all, giving it a perfect false acceptance rate, but also a very high false rejection rate.
Similarly, if the system allows anyone access, it has a perfect false rejection rate, but an unacceptably high false acceptance rate. Here's a look at how those two measures interact with each other as the sensitivity of the authentication system is adjusted. The solution to this measurement problem is to use a balanced measure of authentication strength called the Crossover Error Rate, or CER. The Crossover Error Rate is the error frequency that occurs when administrators tune the system to have equal false acceptance and false rejection rates.
To join one of Mike's free study groups for access to bonus tips and practice questions, visit certmike.com.
- Identity and access management
- Using access cards and biometrics
- Multifactor authentication
- Password authentication protocols
- Device authentication
- Identity management life cycle
- Access control lists
Skill Level Intermediate
Q: This course was updated on 05/18/2018. What changed?
A: New videos were added that cover subject/object model. In addition, the following topics were updated: registration and identity proofing, SSO and federation, and advanced authorization concepts.