CYBER SECURITY
Authentication methods
• Authentication:
-verifying the identity of a user, system, or entity attempting to access a computer system, network,
application, or data.
-Authentication is typically achieved through the use of authentication factors, which are pieces of
information or characteristics used to verify identity.
There are three main types of authentication factors:
1. Something You Know: This involves using knowledge-based information, such as a password, PIN, or security
question answers. Users are required to provide the correct piece of information that only they should know.
2. Something You Have: This involves using a physical object that the user possesses, such as a smart card,
hardware security token, or mobile device. Some of these generate one-time codes that change with each use; others, such as smart cards, prove possession by signing a challenge with a key that never leaves the device.
3. Something You Are: This relies on biometric characteristics of the individual, such as fingerprints, retina
scans, facial recognition, or voice recognition. Biometrics are convenient and hard to share or forget, but they are
not secret (faces and fingerprints are left everywhere), they can be spoofed, and they cannot be changed if compromised, so they are usually combined with another factor.
Types of User Authentication
Password-based Authentication:
✓ Most common form of authentication.
✓ A password is a secret string of letters, digits and special characters that only the user should know.
1. Registration:
   1. Users create an account by providing a username or email address, along with a password of their choice.
   2. Passwords should be strong: long, not a dictionary word or predictable pattern, and not reused from another service. Mixing uppercase and lowercase letters, numbers, and special characters helps only if it does not make the password short or predictable.
2. Storage:
   1. The system must never store the password itself, neither in plain text nor encrypted with a key the server holds. Instead it stores the output of a process called "hashing."
   2. A password hash function is a one-way cryptographic function that converts the password into a fixed-length value; even a small change in the input produces a completely different output. General-purpose hashes such as MD5 or SHA-256 are too fast for this job: a dedicated password hashing function (bcrypt, scrypt, Argon2 or PBKDF2) with a per-user random salt and a tunable work factor should be used.
3. Hashing:
   1. When the user sets their password during registration or when changing it, the system generates a random salt, applies the hash function to the salt and password, and stores the salt, the work-factor parameters and the resulting hash in its database.
   2. Hashing is irreversible: it is computationally infeasible to recover the original password from the hash. The salt ensures that two users with the same password get different hashes and that an attacker cannot reuse one precomputed table across all accounts.
4. Authentication:
   1. When the user attempts to log in, they provide their username/email and password.
   2. The system retrieves the stored salt, parameters and hash for that username/email from the database.
5. Comparison:
   1. The system applies the same hash function, with the stored salt and parameters, to the provided password and compares the result to the stored hash using a constant-time comparison, so that response timing does not leak how many bytes matched.
   2. If the hashes match, the provided password is correct.
6. Access Granted or Denied:
   1. If the hashes match, the system grants access to the user.
   2. If the hashes do not match, access is denied, and the user is prompted to try again or initiate a password recovery process. Failed attempts should be counted so that repeated guessing can be slowed or blocked.
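The six steps above, end to end, as an added example (not code from the original slides): registration stores a salted PBKDF2-HMAC-SHA256 record, login recomputes the hash with the stored salt and compares it in constant time, and an unknown username still pays the hashing cost so that timing does not reveal which usernames exist. The record layout `algorithm$iterations$salt$hash`, the in-memory `dict` standing in for the users table, and the usernames are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Work factor: a current common recommendation for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    (This record layout is the example's own convention, not a standard.)"""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password set
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not stop at the first differing byte, so response
    # time does not reveal how much of the hash matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Computed once at import so logins for unknown users cost the same as real ones.
_DUMMY_RECORD = hash_password("dummy-password-for-timing-equalisation")


def register(db: dict, username: str, password: str) -> None:
    """Store only the hash record; the plaintext password is discarded."""
    if username in db:
        raise ValueError("username already taken")
    db[username] = hash_password(password)


def authenticate(db: dict, username: str, password: str) -> bool:
    """Steps 4 to 6: look up the record, recompute, compare, grant or deny."""
    record = db.get(username)
    if record is None:
        # Still do the expensive verification so that timing does not reveal
        # whether the username exists (user enumeration).
        verify_password(password, _DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = {}  # constructed in-memory stand-in for the users table
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")
    print(users["alice"] != users["bob"])  # True: same password, different salt
    print(authenticate(users, "alice", "correct horse battery staple"))  # True
    print(authenticate(users, "alice", "Correct horse battery staple"))  # False
    print(authenticate(users, "mallory", "anything"))  # False
```

Two things worth noticing when running it: registering the same password twice yields two different records because of the salt, and each `authenticate` call takes a noticeable fraction of a second, which is the work factor doing its job against offline guessing.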
Vulnerabilities in Password-based Authentication
▪ Password Breaches and Data Leaks: High-profile data breaches have exposed millions of user passwords,
leading to unauthorized access to accounts on various platforms. Many users reuse passwords across multiple
services, which amplifies the impact of such breaches.
▪ Weak Passwords: Users often choose weak passwords that are easy to guess or crack using brute-force attacks.
Common passwords, dictionary words, and easily guessable patterns make accounts vulnerable.
▪ Password Reuse: Many users reuse the same passwords across multiple websites and services. If one account is
compromised, attackers replay the leaked username and password pairs against other services (credential stuffing) and take over those accounts as well.
▪ Brute-Force Attacks: Attackers use automated tools to systematically try password candidates until they find
the correct one. Online guessing against a login form can be slowed by rate limiting and lockout; offline guessing against a stolen hash database is limited only by the cost of the hash function, which is why weak passwords and fast, unsalted hashes are cracked quickly.
▪ Phishing Attacks: Phishing emails and fake websites trick users into revealing their passwords. Even cautious
users can fall victim to sophisticated phishing schemes.
▪ Password Recovery Vulnerabilities: Security questions and email-based password recovery mechanisms can
be exploited by attackers who have access to personal information or compromised email accounts.
▪ Social Engineering: Attackers can manipulate users into revealing their passwords through social engineering
techniques, such as impersonation, manipulation, or exploiting emotions.
▪ Lack of Two-Factor Authentication (2FA): Many systems still rely solely on passwords without implementing
additional layers of security, such as 2FA, which can significantly enhance protection.
▪ User Experience: Complex password requirements and frequent password changes can frustrate users and lead
to insecure practices, like writing down passwords or choosing easily guessable ones.
▪ Account Locking: Some systems lock an account after a few failed login attempts. Without care this becomes a
denial-of-service lever: an attacker who knows a username can deliberately fail logins to lock the legitimate user out. Progressive delays or per-source rate limiting avoid this.
▪ Password Management: Users struggle to remember multiple strong passwords, leading them to use insecure
methods like storing passwords in plaintext files or using the same password everywhere.
▪ Password Reset Challenges: Password reset processes are often insecure, relying on easily guessed security
questions or information that can be obtained through online research.
Assignment…
What is a dictionary attack?
What is an OTP, and what is TOTP?
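An added example (not part of the original slides) for the weak-password, reuse and brute-force bullets above and for the assignment's dictionary-attack question: an offline dictionary attack against a leaked table of unsalted single-round SHA-256 hashes, compared with the same attack against salted hashes. The wordlist, the usernames and the leaked tables are constructed for the example; the point is how the attacker's work scales.

```python
import hashlib
import os

# Constructed wordlist; a real one holds millions of previously leaked passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2023", "dragon"]


def fast_hash(password: str, salt: bytes = b"") -> str:
    """One round of SHA-256, the weak scheme under attack (with or without salt)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_leaked_dumps() -> tuple[dict, dict]:
    """Constructed 'breach' data: the same four users stored two ways.
    Three chose dictionary words; 'dave' chose something not in the wordlist."""
    chosen = {"alice": "password", "bob": "password", "carol": "letmein", "dave": "Tr0ub4dor&3"}
    unsalted = {user: fast_hash(pw) for user, pw in chosen.items()}
    salted = {}
    for user, pw in chosen.items():
        salt = os.urandom(16)
        salted[user] = (salt, fast_hash(pw, salt))
    return unsalted, salted


def dictionary_attack_unsalted(leaked: dict) -> tuple[dict, int]:
    """leaked: {username: sha256_hex}. One hash per candidate word recovers every
    user who chose that word, however many users the dump contains."""
    lookup = {fast_hash(word): word for word in WORDLIST}  # reusable across any dump
    hashes_computed = len(WORDLIST)
    cracked = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return cracked, hashes_computed


def dictionary_attack_salted(leaked: dict) -> tuple[dict, int]:
    """leaked: {username: (salt, sha256_hex)}. The per-user salt forces a separate
    pass over the wordlist for each user; a precomputed table is useless."""
    cracked, hashes_computed = {}, 0
    for user, (salt, h) in leaked.items():
        for word in WORDLIST:
            hashes_computed += 1
            if fast_hash(word, salt) == h:
                cracked[user] = word
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    unsalted, salted = build_leaked_dumps()
    print(dictionary_attack_unsalted(unsalted))  # 3 users cracked with 6 hashes
    print(dictionary_attack_salted(salted))      # 3 users cracked with 14 hashes
```

With four users the difference is 6 hashes against 14, but the unsalted cost stays at one wordlist pass no matter how many users leak, while the salted cost is users times wordlist. Replacing the single SHA-256 round with a slow password hash multiplies every one of those guesses by the work factor, which is what makes the salted, slow-hash scheme in the earlier example resistant. Note that dave's password survives both attacks only because it is not in the wordlist, not because the hashing scheme protected it.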
Two factor Authentication
• Two-factor authentication typically involves a combination of factors from two different categories. Here's how
the process generally works:
1. Username and Password: The user enters their username and password as the first factor.
2. Second Factor: After successfully entering the password, the system prompts the user for the second factor. This
can be:
1. A One-Time Code from a Mobile App: Many services use apps like Google Authenticator, Authy, or
Microsoft Authenticator to generate time-sensitive codes. The user must enter the code displayed in the app.
2. SMS or Email Code: A one-time code is sent to the user's registered phone number or email address. The
user enters this code to complete the authentication.
3. Biometric Scan: Some devices or systems use biometric scans (fingerprint, facial recognition) as the
second factor.
3. Access Granted or Denied: If the user provides the correct combination of factors, access is granted. If not, the
user is denied access and may need to try again or follow a recovery process.
Advantages of 2FA
• Two-factor authentication significantly enhances security because even if an
attacker manages to steal or guess a user's password, they would still need the
second factor to gain access. This reduces the risk of unauthorized access due
to compromised passwords or phishing attacks.
• Vulnerabilities in 2FA: the second factor is only as strong as the channel that delivers it. SMS codes can be
intercepted by SIM-swapping attacks; a code typed into a fake login page can be relayed to the real site in real
time by a phishing proxy before it expires; push-notification approvals can be worn down by repeated prompts; and
an account-recovery flow that bypasses the second factor undermines it entirely.
Biometric Authentication System
✓ uses unique physical and behavioral characteristics of individuals to
verify their identity.
✓ It relies on the "Something You Are" authentication factor.
✓ Biometric authentication systems analyze and match biological traits
to grant access to devices, systems, or applications
Biometric Authentication Process
1.Enrollment: During enrollment, the user's biometric
data is captured, converted to a template (a compact feature
representation rather than the raw image) and stored in a secure
database. This is the baseline data used for future comparisons.
2.Authentication: When the user attempts to access a
system or application, they provide a biometric sample,
such as a fingerprint scan or facial image.
3.Comparison: The provided biometric sample is
compared against the stored baseline data to determine a
match.
4.Access Granted or Denied: If the sample matches the
stored data within an acceptable threshold, access is
granted. If not, access is denied.
Potential Drawbacks…
• Privacy Concerns: Collecting and storing biometric data raises privacy concerns, especially if
the data is compromised.
• Accuracy: Biometric matching is probabilistic, so a system is never 100% accurate and has to balance
two kinds of error against a matching threshold:
✓ False Positives (false accepts): impostor samples that are incorrectly matched to an enrolled user.
✓ False Negatives (false rejects): genuine samples from the enrolled user that are incorrectly rejected.
✓ True Negatives: impostor samples that are correctly rejected.
✓ True Positives: genuine samples that are correctly accepted.
False Positive Rate (FPR, also called false acceptance rate) = (False Positives) / (False Positives + True Negatives)
False Negative Rate (FNR, also called false rejection rate) = (False Negatives) / (False Negatives + True Positives)
Raising the threshold lowers the FPR but raises the FNR; the threshold at which the two are equal is the
equal error rate (EER), the usual single-number comparison between systems.
• Physical Changes: Certain biometric traits can change over time due to factors like injury,
aging, or medical conditions.
• Spoofing: Sophisticated attackers might attempt to spoof biometric systems using
photographs, voice recordings, or other methods; liveness detection reduces but does not eliminate this risk.
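The accuracy trade-off above, worked through as an added example (not code from the original slides): given match scores for genuine users and for impostors, it computes FPR and FNR at a chosen threshold from the confusion-matrix counts defined on the slide, and sweeps thresholds to find the equal error rate. The score lists and the candidate thresholds are constructed for the example; a real matcher would produce many thousands of scores.

```python
def error_rates(genuine: list[float], impostor: list[float], threshold: float) -> tuple[float, float]:
    """Return (FPR, FNR). A sample is accepted when its match score >= threshold.
    genuine:  scores from the enrolled user's own samples
    impostor: scores from other people's samples against that enrolment"""
    fp = sum(1 for s in impostor if s >= threshold)   # impostor accepted (false accept)
    tn = len(impostor) - fp                           # impostor rejected
    fn = sum(1 for s in genuine if s < threshold)     # genuine rejected (false reject)
    tp = len(genuine) - fn                            # genuine accepted
    fpr = fp / (fp + tn)
    fnr = fn / (fn + tp)
    return fpr, fnr


def equal_error_threshold(genuine: list[float], impostor: list[float],
                          candidates: list[float]) -> tuple[float, float, float]:
    """Sweep candidate thresholds; return (threshold, fpr, fnr) where |FPR - FNR|
    is smallest. With real data this is the system's equal error rate."""
    best = None
    for t in candidates:
        fpr, fnr = error_rates(genuine, impostor, t)
        if best is None or abs(fpr - fnr) < abs(best[1] - best[2]):
            best = (t, fpr, fnr)
    return best


# Constructed match scores (0 = no similarity, 1 = identical).
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.70, 0.97, 0.85, 0.60, 0.90, 0.78]
IMPOSTOR = [0.30, 0.45, 0.62, 0.20, 0.55, 0.72, 0.40, 0.35, 0.50, 0.65]
THRESHOLDS = [0.50, 0.55, 0.60, 0.65, 0.70, 0.75, 0.80]

if __name__ == "__main__":
    for t in THRESHOLDS:
        fpr, fnr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FPR {fpr:.2f}  FNR {fnr:.2f}")
    print("EER point:", equal_error_threshold(GENUINE, IMPOSTOR, THRESHOLDS))
```

Run it and the table shows the trade-off the slide describes: at 0.60 no genuine user is rejected but three impostors get in, at 0.75 no impostor gets in but two genuine users are rejected, and 0.70 is where the two error rates meet. A door lock would be tuned toward the high-threshold end (accept some false rejects); a convenience feature toward the low end.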