Join Mike Chapple for an in-depth discussion in this video Authentication factors, part of CompTIA Security+ Exam Prep (SY0-401): Access Control and Identity Management.
- View Offline
- Once you've identified yourself to a system, you must prove that claim of identity. That's where authentication comes into play. Computer systems offer many different authentication techniques, or factors, that allow users to prove their identity. We'll take a look at five different authentication factors. Something you know, something you are, something you have, somewhere you are, and something you do. By far, the most common authentication factor is something you know.
Typically, this comes in the form of a password that the user remembers and enters into a system during the authentication process. Users should choose strong passwords consisting of as many characters as possible, and combining characters from multiple classes, such as upper-case and lower-case letters, digits, and symbols. One of the best ways to create a strong password is to use a passphrase instead. For example, you might choose the easily memorable phrase "chocolate covered strawberries are for me," and write it like this instead.
That gives you a strong, complex password that is easy to remember and hard to guess. The second authentication factor is something you are. Biometrics measure one of your physical characteristics, such as your fingerprint, eye patterns, facial recognition, or voice print. The third authentication factor, something you have, requires the user have physical possession of a device, such as a smart phone, or an authentication token key fob, like the one shown here.
The fourth authentication factor, somewhere you are, requires the user to be in a specific physical location that is only accessible by authorized individuals. For example, connecting to a very sensitive system might require having an internal IP address obtained from a wired network inside a secured building. Finally, the fifth authentication factor is something you do. This might include completing a pattern, or typing with a recognizable speed and rhythm.
This authentication factor is prone to error, and not frequently used. As you read security resources and prepare for the Security Plus exam, you should note that most security professionals recognize only three factors of authentication: something you know, something you have, and something you are. CompTIA adds somewhere you are and something you do to the mix, and you should remember those when taking the exam, even if you don't use them in real world security practice.
Author Mike Chapple, an IT leader with over 15 years experience, introduces identification methods such as usernames and biometrics, as well as authentication methods to verify users, including multifactor authentication, password authentication, and single sign-on. He also discusses authorization concepts such as mandatory and discretionary access controls, which can help you restrict access to sensitive parts of your network. The course also covers best practices for ongoing account management, such as establishing a good password policy, managing user roles, and monitoring accounts, and what to do when you need to suspend or terminate access.
NOTE: We are now a CompTIA Content Publishing Partner. Our training prepares members to pass CompTIA certification exams and become qualified IT professionals. As such, we are able to offer CompTIA exam vouchers at a 10% discount. For more information on how to obtain this discount, please download these PDF instructions.
- Setting policies for usernames and access cards
- Implementing biometrics
- Combining authentication factors for multifactor authentication
- Using a Kerberos access control system
- Using access control lists such as Windows NTFS file permissions
- Role-based authorization
- Implementing account and password policies