You are evaluating authentication solutions. Which of the following is the best mechanism that supports single-factor authentication? (Wentz QOTD)
A. Password
B. Fingerprint
C. Iris
D. Retina

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Password.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Figure: Digital Identity Model (Source: NIST SP 800-63-3)

“Secrets” are the most crucial element used to authenticate a subject’s identity. An authenticator is a carrier of secrets, e.g., passwords memorized in your brain (something you know), private keys stored in a token device (something you have), or biometrics embedded in your body (something you are).

  • A biometric alone (something you are) is not sufficient to constitute a secret because it can be subject to exposure to the public. For example, your selfies might be leaving you vulnerable to hackers. The NIST SP 800-63 series guidelines “only allow the use of biometrics for authentication when strongly bound to a physical authenticator.”
  • Cognitive passwords for knowledge-based authentication are one form of something you know, but they are not secrets either. As the name suggests, they are knowledge.
  • Location-based authentication (somewhere you are) is not an authentication factor.

The following is an excerpt from NIST SP 800-63-3:

The classic paradigm for authentication systems identifies three factors as the cornerstones of authentication:
• Something you know (e.g., a password).
• Something you have (e.g., an ID badge or a cryptographic key).
• Something you are (e.g., a fingerprint or other biometric data).

MFA refers to the use of more than one of the above factors.

The strength of authentication systems is largely determined by the number of factors incorporated by the system — the more factors employed, the more robust the authentication system. For the purposes of these guidelines, using two factors is adequate to meet the highest security requirements.

As discussed in Section 5.1, other types of information, such as location data or device identity, may be used by an RP or verifier to evaluate the risk in a claimed identity, but they are not considered authentication factors.

In digital authentication the claimant possesses and controls one or more authenticators that have been registered with the CSP and are used to prove the claimant’s identity. The authenticator(s) contains secrets the claimant can use to prove that he or she is a valid subscriber, the claimant authenticates to a system or application over a network by proving that he or she has possession and control of one or more authenticators.

In this volume, authenticators always contain a secret. Some of the classic authentication factors do not apply directly to digital authentication. For example, a physical driver’s license is something you have, and may be useful when authenticating to a human (e.g., a security guard), but is not in itself an authenticator for digital authentication.

Authentication factors classified as something you know are not necessarily secrets, either. Knowledge-based authentication, where the claimant is prompted to answer questions that are presumably known only by the claimant, also does not constitute an acceptable secret for digital authentication. A biometric also does not constitute a secret. Accordingly, these guidelines only allow the use of biometrics for authentication when strongly bound to a physical authenticator.

Source: NIST SP 800-63-3
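The rules above (an authenticator must carry a secret, a biometric counts only when strongly bound to a physical authenticator, knowledge-based answers are knowledge rather than secrets, and location or device identity is not a factor) can be turned into a small decision procedure. The following is an added example, not code from Wentz or NIST; the authenticator attributes and sample authenticators are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Set


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: Optional[Factor]        # None: a risk signal only (location, device identity)
    is_secret: bool                 # NIST SP 800-63-3: authenticators always contain a secret
    bound_to: Optional[str] = None  # biometrics: the physical authenticator they are bound to


def counted_factors(presented: Iterable[Authenticator]) -> Set[Factor]:
    """Return the distinct factors that count toward authentication strength (constructed model)."""
    presented = list(presented)
    names = {a.name for a in presented}
    factors: Set[Factor] = set()
    for a in presented:
        if a.factor is None:          # location / device identity: not an authentication factor
            continue
        if a.factor is Factor.ARE:    # a biometric is not a secret on its own;
            if a.bound_to in names:   # it counts only alongside the physical authenticator it is bound to
                factors.add(Factor.ARE)
            continue
        if a.is_secret:               # cognitive passwords / KBA are knowledge, not secrets
            factors.add(a.factor)
    return factors


def classify(presented: Iterable[Authenticator]) -> str:
    n = len(counted_factors(presented))
    return "not acceptable" if n == 0 else "single-factor" if n == 1 else "multi-factor"


# Constructed sample authenticators used in the checks below.
PASSWORD = Authenticator("password", Factor.KNOW, is_secret=True)
KBA = Authenticator("security questions", Factor.KNOW, is_secret=False)
TOKEN = Authenticator("hardware token", Factor.HAVE, is_secret=True)
FINGERPRINT = Authenticator("fingerprint", Factor.ARE, is_secret=False, bound_to="hardware token")
LOCATION = Authenticator("location", None, is_secret=False)

if __name__ == "__main__":
    for combo in ([PASSWORD], [FINGERPRINT], [KBA], [PASSWORD, LOCATION], [FINGERPRINT, TOKEN]):
        print([a.name for a in combo], "->", classify(combo))
```

The password alone is the only option in the question that yields an acceptable single-factor result; a fingerprint only starts to count once the bound hardware token is presented with it, which then makes the combination multi-factor.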


You are evaluating authentication solutions. Which of the following is the best mechanism that supports single-factor authentication? (Wentz QOTD)
A. Password
B. Fingerprint
C. Iris
D. Retina

