InfoSec Notes
Complete guide to authentication mechanisms including passwords, multi-factor authentication, biometrics, tokens, and modern passwordless approaches for verifying user identity.
What is Authentication?
Authentication is the process of verifying the identity of a user, device, or system. It answers the fundamental question: "Are you who you claim to be?" Authentication is distinct from identification (claiming an identity) and authorization (determining what an authenticated entity can do).
| Something You | Something You | Something You |
|---|---|---|
| KNOW | HAVE | ARE |
| Password | Smart card | Fingerprint |
| PIN | Security token | Iris scan |
| Security question | Mobile phone | Face recognition |
| Pattern | Hardware key | Voice print |
Authentication Flow
Three Authentication Factors
Authentication Factor Types
Factor 1: Knowledge (Something You Know)
The most common but weakest authentication factor:
| Method | Strength | Vulnerability |
|---|---|---|
| Passwords | Varies | Phishing, brute force, credential stuffing |
| PINs | Low | Shoulder surfing, limited keyspace |
| Security Questions | Low | Social media research, data breaches |
| Passphrases | High | Still vulnerable to keyloggers |
Factor 2: Possession (Something You Have)
| Method | Strength | Vulnerability |
|---|---|---|
| SMS OTP | Medium | SIM swapping, SS7 attacks |
| TOTP App | High | Phone theft (if no PIN) |
| Hardware Token (YubiKey) | Very High | Physical theft (rare) |
| Smart Card | Very High | Physical theft + PIN needed |
| Push Notification | High | MFA fatigue attacks |
Factor 3: Inherence (Something You Are)
| Method | FAR* | FRR** | Spoofability |
|---|---|---|---|
| Fingerprint | 0.001% | 0.1% | Moderate (gummy fingers) |
| Iris Scan | 0.0001% | 0.2% | Low |
| Face Recognition | 0.01% | 0.5% | Moderate (photos, masks) |
| Voice Print | 0.1% | 1% | High (deepfakes) |
| Behavioral (typing) | 1% | 2% | Low |
*FAR = False Acceptance Rate, **FRR = False Rejection Rate
Multi-Factor Authentication (MFA)
MFA combines two or more factors from different categories:
Password Security Best Practices
Authentication Protocols
Kerberos Authentication
Kerberos Authentication Flow
================================
Client KDC (AS + TGS) Service
| | |
| 1. AS_REQ | |
| (username) | |
|------------------>| |
| | |
| 2. AS_REP | |
| (TGT encrypted | |
| with client key)| |
|<------------------| |
| | |
| 3. TGS_REQ | |
| (TGT + service | |
| requested) | |
|------------------>| |
| | |
| 4. TGS_REP | |
| (Service Ticket) | |
|<------------------| |
| | |
| 5. AP_REQ (Service Ticket) |
|--------------------------------------->|
| | |
| 6. AP_REP (optional mutual auth) |
|<---------------------------------------|
Key concepts
- TGT: Ticket Granting Ticket (proves identity to KDC)
- Service Ticket: Proves identity to specific service
- No password sent over network after initial auth
- Tickets have expiration times (typically 8-10 hours)
OAuth 2.0 / OpenID Connect
Common Authentication Attacks
| Attack | Description | Defense |
|---|---|---|
| Brute Force | Try all possible combinations | Account lockout, rate limiting |
| Credential Stuffing | Use leaked credentials from other breaches | MFA, breach monitoring |
| Phishing | Trick user into revealing credentials | Security awareness, FIDO2 |
| Pass-the-Hash | Use stolen hash directly | Credential guard, network segmentation |
| MFA Fatigue | Spam push notifications until user accepts | Number matching, time limits |
| SIM Swapping | Take over phone number for SMS OTP | Use app-based TOTP or hardware keys |
Interview Questions
- What is the difference between authentication and authorization?
- Authentication verifies identity ("who are you?") while authorization determines permissions ("what can you do?"). Authentication must happen before authorization.
- Why is SMS-based MFA considered weaker than app-based TOTP?
- SMS is vulnerable to SIM swapping attacks (social engineering the carrier), SS7 protocol vulnerabilities (intercepting messages), and the message travels in cleartext. TOTP apps generate codes locally using a shared secret.
- Explain how Kerberos prevents replay attacks.
- Kerberos uses timestamps (authenticators) and ticket expiration. Each request includes a timestamp encrypted with the session key. The server maintains a cache of recent authenticators and rejects duplicates. Tickets expire after a configured period.
- What is credential stuffing and how do you prevent it?
- Credential stuffing uses username/password pairs leaked from one service to try logging into other services. Prevention: MFA, rate limiting, CAPTCHA, monitoring for impossible travel, breach notification services, password managers promoting unique passwords.
- Compare FIDO2/WebAuthn with traditional password-based authentication.
- FIDO2 uses public-key cryptography with the private key stored in hardware (phone/security key). It is phishing-resistant (bound to origin), eliminates shared secrets, provides strong authentication without passwords, and supports passwordless flows.
Summary
Authentication is the gateway to security — if an attacker can bypass authentication, all other controls become irrelevant. Modern authentication moves beyond passwords toward multi-factor, risk-adaptive, and passwordless approaches. Understanding the strengths and weaknesses of each method is essential for building secure systems.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Authentication in Information Security.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, fundamentals, authentication, authentication in information security
Related Information Security Topics