From the course: CompTIA Security+ (SY0-601) Cert Prep: 4 Identity and Access Management Design and Implementation

Authentication factors

- [Instructor] Once you've identified yourself to a system, you must prove that claim of identity. That's where authentication comes into play. Digital systems offer many different authentication techniques that allow users to prove their identity. We'll take a look at three different authentication factors: something you know, something you are, and something you have. By far, the most common authentication factor is something you know. Typically, knowledge-based authentication comes in the form of a password that the user remembers and enters into a system during the authentication process. Users should choose strong passwords consisting of as many characters as possible, and they should combine characters from multiple classes, such as uppercase and lowercase letters, digits, and symbols. One of the best ways to create a strong password is to actually use a passphrase instead. For example, you might choose the easily remembered phrase, "chocolate-covered strawberries are for me," and then write it like this instead. That gives you a strong, complex password that's easy to remember and hard to guess. Password keys are another form of knowledge-based authentication. Password keys are secret encryption keys that are used to manage access to a system. The second authentication factor is something you are. Biometrics measure one of your physical characteristics, such as a fingerprint, eye pattern, face, or voice. The third authentication factor, something you have, requires a user to have physical possession of a device, such as a smartphone or an authentication token key fob like the one shown here. In addition to these three factors, people do use other authentication techniques. These approaches, known as authentication attributes, are generally considered weaker forms of authentication than the three main authentication factors, and they should only be used in combination with at least one of those main authentication factors.
These attributes include somewhere you are, such as an office building; something you can do, such as your typing patterns; something you exhibit, such as a personality trait; and someone you know, such as a colleague who vouches for your identity. One important note: the four authentication attributes that I just mentioned, somewhere you are, something you can do, something you exhibit, and someone you know, are not generally considered part of the cybersecurity community's body of knowledge. They are included in CompTIA's Security+ exam objectives, but you should take them with a grain of salt. Many cybersecurity professionals you speak with will only recognize the three main factors of something you know, something you have, and something you are. The strength of the techniques used by each of these authentication factors may be measured by the number of errors they generate. There are two basic types of errors in authentication systems. False acceptance errors occur when the system misidentifies an individual as an authorized user and grants access that should be denied. This is a very serious error because it allows unauthorized access to the system, device, information, or facility. The frequency of these errors is measured by the false acceptance rate, or FAR. False rejection errors occur when an authorized individual attempting to gain access to a system is incorrectly denied access. This is not as serious as a false acceptance because it doesn't jeopardize confidentiality or integrity, but it is still a serious error because it jeopardizes the legitimate availability of resources. The frequency of these errors is measured by the false rejection rate, or FRR. The false acceptance and false rejection rates are not by themselves good measures of the strength of an authentication factor because they may be easily manipulated.
On one extreme, administrators may configure a system to simply admit nobody at all, giving it a perfect false acceptance rate but also a very high false rejection rate. Similarly, if the system allows anyone to access it, it has a perfect false rejection rate but an unacceptably high false acceptance rate. The solution to this is to use a balanced measure of strength called the crossover error rate. This is the efficacy rate that occurs when administrators tune the system to have equal false acceptance and false rejection rates.
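The FAR/FRR trade-off and the crossover error rate described above, worked through in code. This is an added example, not material from the course: the matcher scores are constructed sample data for a hypothetical biometric system, and the "accept if score is at or above the threshold" decision rule is an assumption.

```python
"""Threshold sweep for a biometric-style matcher: FAR, FRR and crossover error rate."""
from typing import Sequence, Tuple

# Constructed sample data: similarity scores (0..1) from a hypothetical matcher.
# GENUINE_SCORES are attempts by the enrolled user, IMPOSTOR_SCORES by other people.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.78, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.15, 0.22, 0.30, 0.38, 0.45, 0.52, 0.58, 0.63, 0.68, 0.75]


def far_frr(threshold: float, genuine: Sequence[float],
            impostor: Sequence[float]) -> Tuple[float, float]:
    """Return (FAR, FRR) when the system accepts any score >= threshold.

    FAR: fraction of impostor attempts wrongly accepted (unauthorized access).
    FRR: fraction of genuine attempts wrongly rejected (availability impact).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: Sequence[float],
                         impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, FAR, FRR) at the tuning where FAR and FRR are closest.
    That shared error rate is the crossover error rate used to compare factors.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


if __name__ == "__main__":
    # The two degenerate tunings from the text: admit nobody vs. admit everyone.
    print("admit nobody   (t=1.01): FAR=%.2f FRR=%.2f"
          % far_frr(1.01, GENUINE_SCORES, IMPOSTOR_SCORES))
    print("admit everyone (t=0.00): FAR=%.2f FRR=%.2f"
          % far_frr(0.0, GENUINE_SCORES, IMPOSTOR_SCORES))
    t, far, frr = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover: threshold={t:.2f} FAR={far:.2f} FRR={frr:.2f}")
```

With this sample data the sweep lands on a threshold of 0.66, where FAR and FRR are both 0.2; lowering the threshold drives FRR toward zero at the cost of FAR, and raising it does the reverse.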