Authentication

Authentication is about determining that an entity, such as a person, has a desired property, such as knowing a password. The goal of authentication is ensuring that the system knows who or what is interacting with it and can therefore make later decisions, such as access control decisions, with confidence.

Slides

Remember

02-Authentication

Something you …
Multi-factor authentication
Authenticating identity vs a property
Continuous authentication
Password entropy

03-Authentication

Hashing and salting passwords
Online vs offline guessing of passwords
How online and offline attacks differ

Additional Resources

News

Laws, regulations, and guidance

NIST SP 800-63-4 Section 3.1.1.
NIST proposes barring some of the most nonsensical password rules by Dan Goodin (arsTechnica)
Password administration for system owners by the National Cyber Security Center of the United Kingdom - one of the first countries to officially advocate for user-friendly password rules

Research

Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In Proceedings of IEEE SP 2012.
Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, William Melicher. Design and Evaluation of a Data-Driven Password Meter In Proceedings of CHI 2017.
Florian Mathis, John H. Williamson, Kami Vaniea, Mohamed Khamis (2020). RubikAuth: Fast and Secure Authentication in Virtual Reality. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems.
Ur, Blase, et al. “How does your password measure up? The effect of strength meters on password creation.” 21st USENIX security symposium (USENIX Security 12). 2012.

Random Fun Stuff

* The password game - Simple game that keeps giving you new harder, more crazy, password rules as you progress.