Join Ed Liberman for an in-depth discussion in this video, Multifactor authentication, part of CompTIA Server+ (SK0-004) Cert Prep: 4 Security.
- [Narrator] When it comes to physical security, the first thing that we need to talk about is the idea of authentication, which is validating who specifically is trying to gain access to the system or to a room or whatever it may be. Now when it comes to authentication, there's three different ways that we can validate who you are. The first is what you know, okay, so it's the idea that you know something and you share that something to gain access.
Another form of authentication could be what you have, so something you physically have on you that validates your entry, and the third is literally who you are, okay, some form of biometrics that shows who you are as a specific human being. So let's talk about these in a little more detail. First, what do we mean when we say, well, what do you know? Well, if you think about gaining access to a computer system, the most common way that people will log in and be authenticated is by entering a username and then a password that goes with that specific username.
Now, I want you to think of this as going beyond just logging into a server or even into a computer system. This could be as simple as gaining access to a specific room, especially if it's like a server room in an organization; you may need to present your name and maybe a password to gain access to the room. And besides username and password, we also have some systems that are set up with a PIN, a Personal Identification Number, or we have a whole variety of other authentication methods that all have to do with just what you know, especially in the world of cellphones. So we could have something like a pattern, right, where you have to actually drag your finger on your phone to draw a certain pattern. I know certain Windows machines, they'll bring up pictures and you have to click on the pictures in a certain order. But whatever it is that you have to do, in this case, it's just a matter of knowing what it is that you have to do, knowing the information to get in.
So let's talk about another type of authentication, and that is what you have. So this is where you physically have something in your possession that helps you to gain access. So one example might be a picture ID, right. There's, again, if we forget about logging into a system, maybe you're trying to gain access to a building or to a room, maybe there's a security guard there and you have to show a picture ID to validate who you are. Or there are key fobs, right, key fobs that can be used to go ahead and gain access based upon the key fob technology, which also leads us to the idea of having an RFID chip in either some form of fob or card. And if we want to really go back to the idea of logging into a system or a server, you can set it up with a smartcard, okay, where you actually have to have a card that you insert into a smartcard reader.
Now, the third type of authentication, which is a literal who you are, is based off biometrics, things that can identify you as a human being. So we have fingerprint scanners, where you go ahead and scan your fingerprint to validate who you are. There's retinal scanners, where it'll look into your eye. There's overall facial recognition; this is becoming real big on cellphones. I know, I stopped using it, but I had a cellphone where all I had to do was basically look at the phone and the camera of the phone would look at my face, recognize who I was, and I was logged in. And while you don't see it very often, this is thought to be maybe more of a future technology, but there is the possibility of DNA scanners, okay, where it'll actually somehow look at your DNA to validate specifically who you are.
Now, these are three different forms of authentication. If you've ever heard the term multifactor authentication, what that means is it means that you are using more than one of those specific authentication factors, okay. So again, just to remind you, what are the three authentication factors? There's what you know, what you have and who you are. So a very common example of multifactor authentication is if I go back to the smartcard idea, where you insert the smartcard into the smartcard reader and then it prompts you for a PIN or a password. So now you have to have the physical card on you, that's one factor, and then you have to know the PIN or password, so now you have what you have and what you know working together.
Another real common example would be with biometrics, with either a fingerprint or a retinal scan, and again, once it validates who you are that way, it then prompts you to say, hey, now what's your password? So this is just a way of going beyond the very basic, just what you know, 'cause that's what we used to always do; it was just username and password, that's how we logged in. Alright, so multifactor authentication is the process of using two or more of these authentication factors. And I will tell you, some people will refer to this as being two-factor authentication if you're using exactly two, and they will insist that multifactor means you're using all three, where you might actually, physically, you know, insert a smartcard, have to scan your fingerprint and know the password. But either way, no matter how you look at it, it's the idea of getting a little bit more secure than just what you know.
- Server security
- Multifactor authentication
- Network security
- Data security and disposal
- Safety and HVAC