CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [254]
Type 2 (something you have) factors start to offer a greater level of variety even within this single-factor concept. A smart card is different from a token device. At the least, they are different enough that two different attack tools and methodologies must be used to successfully break them.
Type 3 (something you are) factors, commonly known as biometrics, are even more varied than Type 2 factors. A fingerprint scanner is different from a palm scanner, which is different from a retina scanner, which is different from a voice recognition system, and so on. Just about every biometric characteristic (each using a different body part) is practically a factor type in and of itself. Thus, multiple Type 3 factors of different body parts are much stronger than dozens or hundreds of passwords. Each and every biometric reader works differently and thus requires a unique attack tool and methodology.
The higher the number and the more varied the form of authentication factors, the stronger the resulting authentication becomes. The ultimate purpose of authentication is to prevent unauthorized people from logging on to another person’s user account. This prevention must be so strong that it will hold up in court. A single password is not supportable because of its numerous weaknesses. Using just a password as your authentication mechanism is as secure as locking a screen door on a submarine. However, a long complex password combined with a smart card and a fingerprint scan may be supportable in court.
If you are not already using at least two-factor authentication, then seek it out. For your company as a whole, migrating up to two or more factors will be a significant expense. But you might be allowed to add multifactor authentication to your user account at your desktop or notebook without forcing it company-wide. The simplest two-factor system is to use a long and complex password as one factor and a fingerprint scanner as the second factor. USB fingerprint scanners can be obtained for less than $100. Your administrator can add them to any system with an open USB port. USB smart card readers are another option if you employ public certificate authority (CA) certificates rather than attempting to deploy your own private internal CA trust structure.
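The following is an added illustration of what a two-factor logon check looks like on the verifying side; it is not code from the study guide. Because a biometric match cannot be shown in a few lines, it substitutes a time-based one-time-password token (RFC 6238 TOTP, HMAC-SHA1) as the "something you have" factor, and a salted PBKDF2 hash as the "something you know" factor. The account record, secret and iteration count are constructed for the example; both factors are always evaluated so a failure does not reveal which one was wrong.

```python
import hashlib
import hmac
import os
import struct

# Constructed parameters for this example (not from the study guide).
PBKDF2_ITERATIONS = 600_000   # work factor for the stored password hash
TOTP_STEP = 30                # seconds per TOTP counter value


def hash_password(password: str, salt: bytes) -> bytes:
    """Factor 1 (something you know): store only a salted PBKDF2-HMAC-SHA256 hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def totp_code(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """Factor 2 (something you have): RFC 6238 TOTP with the RFC 4226 dynamic truncation."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = TOTP_STEP) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock skew."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret, unix_time + drift * step, step=step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def enroll(password: str, totp_secret: bytes) -> dict:
    """Create the stored account record; the salt is random per account."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def authenticate(account: dict, password: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Both factors must pass. Both are evaluated unconditionally so timing does not
    reveal whether the password or the token was the factor that failed."""
    ok_password = verify_password(password, account["salt"], account["pw_hash"])
    ok_token = verify_totp(account["totp_secret"], code, unix_time, window=window)
    return ok_password and ok_token
```

The TOTP secret in the test below is the 20-byte ASCII seed from the RFC 6238 test vectors, so the expected codes can be checked against the published table; a real enrolment would generate a random secret per token.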
If you are not allowed to include additional factors, then take full advantage of the password length and complexity supported by your environment. We provide some stronger password recommendations in the section “Making Stronger Passwords” later in this appendix.
Mutual Authentication
Even with strong multifactor authentication, it is important to know just who is authenticating to whom. Most logons are client authentications. This means that the client (or, more specifically, the user) proves their identity to the system or environment they want to gain entry or access to. Unfortunately, this one-sided authentication process leaves open significant opportunities for spoofing and misdirection.
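As an added example (not the study guide's own code), the handshake below shows the difference the paragraph describes: instead of the client simply presenting credentials, each side proves knowledge of a shared secret by answering the other side's fresh challenge, and the server proves itself first, so a client that is talking to an impostor aborts before it sends any proof of its own. The shared-secret scheme, the role labels, and the message order are assumptions chosen to make the exchange explicit in a few lines; a production system would normally get the same property from a certificate-based TLS handshake.

```python
import hashlib
import hmac
import os

# Constructed mutual challenge-response handshake (example only).
#   msg 1  client -> server : username, client_nonce
#   msg 2  server -> client : server_nonce, server_proof
#   (client verifies server_proof before continuing)
#   msg 3  client -> server : client_proof
#   msg 4  server -> client : accept / reject


def proof(secret: bytes, role: bytes, peer_nonce: bytes, own_nonce: bytes) -> bytes:
    """HMAC over a role label and both nonces. The label prevents a captured server proof
    from being reflected back as a client proof; the nonces make every run unique."""
    return hmac.new(secret, role + peer_nonce + own_nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, accounts: dict):
        self.accounts = accounts      # username -> shared secret (constructed store)
        self.nonce = b""

    def respond(self, username: str, client_nonce: bytes):
        """msg 2: the server proves itself first."""
        self.nonce = os.urandom(16)
        return self.nonce, proof(self.accounts[username], b"server", client_nonce, self.nonce)

    def verify_client(self, username: str, client_nonce: bytes, client_proof: bytes) -> bool:
        """msg 4: accept the client only if its proof matches the expected value."""
        expected = proof(self.accounts[username], b"client", self.nonce, client_nonce)
        return hmac.compare_digest(expected, client_proof)


class Client:
    def __init__(self, username: str, secret: bytes):
        self.username, self.secret, self.nonce = username, secret, b""

    def start(self):
        """msg 1: send identity and a fresh nonce."""
        self.nonce = os.urandom(16)
        return self.username, self.nonce

    def check_server(self, server_nonce: bytes, server_proof: bytes) -> bool:
        """The client's half of mutual authentication: does the peer know the secret?"""
        expected = proof(self.secret, b"server", self.nonce, server_nonce)
        return hmac.compare_digest(expected, server_proof)

    def prove(self, server_nonce: bytes) -> bytes:
        """msg 3: only sent after the server has been verified."""
        return proof(self.secret, b"client", server_nonce, self.nonce)


def run_handshake(client: Client, server: Server):
    """Returns (client_accepted_server, server_accepted_client)."""
    username, client_nonce = client.start()
    server_nonce, server_proof = server.respond(username, client_nonce)
    if not client.check_server(server_nonce, server_proof):
        return False, False          # impostor detected; the client sends nothing further
    client_proof = client.prove(server_nonce)
    return True, server.verify_client(username, client_nonce, client_proof)
```

Running the exchange against a server that holds the same secret yields acceptance on both sides; against a server holding a different secret the client rejects it at message 2, which is the behaviour a one-sided logon cannot provide.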
Logon spoofing has become a serious problem, especially over the Internet. If you are unable to verify the system you are connecting to, then it is possible that it is not who it claims to be. Numerous spoofing attacks have taken place in the last few years in which attackers create real-looking but fake websites of banks, auction sites, e-commerce sites, and even charity sites. These fake sites then fool visitors into “logging on” when all that is really happening is the user’s logon credentials are