Authentication Mechanisms

University of FairFax

Modupeola Sasore

June 10, 2023

Define Authentication

Authentication is the process of validating the identity or validity of a person, device, or other entity inside a system in order to give access to resources, data, or services. It is a vital part of security systems and is used to guarantee that only authorized persons or organizations are able to get access to a system or network and carry out certain operations while they are there. In order to demonstrate one's identity, authentication often requires the presentation of credentials such as a login and password (Chenchev et al., 2021). Nevertheless, the context and the amount of security that is necessary might call for a variety of different authentication techniques. The following are some examples of frequent authentication factors:

1. Knowledge factors are things the user knows, such as a password, a personal identification number (PIN), or the answers to security questions.

2. Possession factors are those that entail something that the user physically has, like an access card, a key fob, or a handheld device.

3. Inherence factors are those that include anything that is intrinsic to the user, such as their fingerprints, iris scans, or face recognition, or their behavioral patterns, such as their typing speed or voice recognition.

Authentication systems may also make use of multi-factor authentication (commonly known as MFA), which requires the verification of two or more of these elements simultaneously in order to increase security. The following procedures are often included in authenticating an individual or entity:

I. The user initiates an access request by providing identity information (such as a username or email address).

II. The system checks the information that was supplied to ensure that it matches the credentials that were previously recorded in an identity database.

III. If the information matches, the system will either present a challenge (such as asking the user for a passcode) or send a verification code to the individual's registered device or contact information.

IV. The user must either answer the challenge presented to them or enter the verification code.

V. The system checks the answer or the code; if the verification succeeds, it then decides whether or not to grant access.
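The five steps above carried out in code, as an added illustration that is not part of the original paper: a salted PBKDF2 hash stands in for the identity database of step II, and an HMAC-based one-time password (RFC 4226) stands in for the code sent to the user's device in step III. The usernames, passwords and the in-memory user store are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
import struct

PBKDF2_ROUNDS = 200_000
_USERS = {}  # constructed in-memory identity database: username -> record (example only)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226); the device and the server share `secret`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def register(username, password):
    """Record a salted password hash and provision a per-user OTP secret for the user's device."""
    salt = os.urandom(16)
    otp_secret = secrets.token_bytes(20)
    _USERS[username] = {"salt": salt, "hash": _hash_password(password, salt),
                        "otp_secret": otp_secret, "counter": 0, "pending": None}
    return otp_secret  # would be delivered to the user's authenticator app at enrolment


def begin_login(username, password):
    """Steps I-III: check the credentials; on a match issue a challenge and return its counter."""
    rec = _USERS.get(username)
    # Hash even for unknown users so response time does not reveal whether the account exists.
    salt = rec["salt"] if rec else bytes(16)
    candidate = _hash_password(password, salt)
    if rec is None or not hmac.compare_digest(candidate, rec["hash"]):
        return None
    rec["counter"] += 1
    rec["pending"] = rec["counter"]  # the code for this counter is "sent" to the user's device
    return rec["counter"]


def complete_login(username, code):
    """Steps IV-V: verify the code the user typed in; each challenge can be answered only once."""
    rec = _USERS.get(username)
    if rec is None or rec["pending"] is None:
        return False
    expected = hotp(rec["otp_secret"], rec["pending"])
    rec["pending"] = None  # consume the challenge so a captured code cannot be replayed
    return hmac.compare_digest(code, expected)
```

A real deployment would add rate limiting on both steps and a small look-ahead window for the HOTP counter in case the device and server drift apart.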

List Authentication Mechanisms

1. Password-based authentication is the most common kind of authentication; it requires users to submit both a username and a passcode in order to prove their identity. To determine whether or not access should be granted, the system checks the submitted password against the stored password.

2. Two-factor authentication, or 2FA, is a mechanism that combines two or more separate authentication elements with the purpose of increasing security. This technique is referred to as multi-factor authentication, or MFA. To illustrate, a user may start the authentication process by entering a password (which corresponds to the knowledge element) and then finish it by receiving a verification number on their mobile device (which corresponds to the possession component).

3. Biometric authentication uses a user's unique physiological or behavioral features to authenticate their identity. Fingerprint scanning, iris recognition, face recognition, voice recognition, and even signature dynamics are some examples of biometric authentication methods.

4. Token-based authentication is a way to authenticate one's identity that requires the use of a digital or physical token. Digital tokens may be generated by mobile applications or software-based authenticators, whereas physical tokens might take the form of smart cards, key fobs, or USB security keys.

5. Certificate-based authentication is a kind of authentication that uses digital certificates issued by a reliable certificate authority (CA). A digital certificate is presented by the user as evidence of their identity, while the system checks the certificate's legitimacy by making use of the CA's public key (Aggarwal et al., 2018).

6. One-time password (OTP) authentication provides users with a temporary password or code that can only be used for a single login session or transaction. Hardware tokens, smartphone applications, short message service (SMS), or email may all be used to deliver one-time passwords (OTPs).

7. Smart card authentication relies on smart cards equipped with integrated microchips that may store user credentials as well as cryptographic keys. Users confirm the information contained on the smart card by inserting it into a reader and letting the system do the rest.

8. Single sign-on (SSO) is a security protocol that allows users to authenticate themselves just once and then receive access to a number of different systems or apps without having to re-enter their credentials. In order to streamline the access control process, this is often used in business settings (Aggarwal et al., 2018).

9. Social media authentication allows users to log in to apps or sign up for new ones by using their existing social media accounts, such as Facebook, Google, or Twitter. The application relies on the authentication process carried out by the social networking site.

10. Risk-based authentication is a mechanism that evaluates the risk arising from an authentication attempt based on several criteria, such as user behavior, location, the device being used, or the features of the transaction. Depending on the severity of the risk, further authentication steps may be necessary.

Discuss The Methodology Of An Attacker Using A Password Cracker

Password-cracking software is often used to recover a lost or forgotten password for a computer or network. Hackers also use password-cracking software to access restricted areas of a system and steal sensitive information. Using the Brutus password cracker, an attacker may try to guess a password with relative ease. If the attacker possesses sufficient details about the victim, they will be successful with this strategy. In particular, a dictionary attack, in which the hacker uses a trial-and-error technique that tries the most probable passwords against the intended victim's username, goes hand in hand with the Brutus password cracker. Password cracking is a simple but effective technique used by attackers against systems, accounts, and networks in businesses (Ahamed & Fernando, 2020). A dictionary attack is when a hacker tries every word in a dictionary until they find the one that corresponds to the password. Both the dictionary and Brutus, the password cracker, cover a wide variety of subject areas. Dictionary attacks, as the name implies, are an attack method that also substitutes digits and special characters such as @ for letters in dictionary words in an effort to guess a password. Nevertheless, this technique of attack or password cracking is tedious and seldom successful.

Classify Different Attacks

There are two primary types of attacks, known as active and passive. In an active attack, attackers make overt efforts to compromise a system by corrupting or erasing data or otherwise disrupting its normal functioning. Active attacks extend to the manipulation of data streams and the construction of false claims. Denial-of-service attacks are an excellent illustration of active attacks since they disrupt regular system communication and thus prevent the facility from operating as usual. All communications sent to a certain user of the system might be intercepted by the attacker, and an intruder may exploit the compromised message to overload or disable the whole system network. Passive attacks, on the other hand, don't actively attempt to compromise the target system but instead strive to learn from and exploit the information it provides. A passive attack is based on observing data transmission for the purpose of retrieving and using such data later (Aggarwal et al., 2018). An instance of a passive attack is a hacker who uses a packet analyzer like Wireshark to collect and save the data from a targeted network's traffic. Passive attacks are launched after the attacker has already identified the target and is gathering information about the host system's communication, such as the message's length and transmission rate. The attacker may use the collected data to infer the type of communication.

Define A Password Cracker

A password cracker is a program that may be used to obtain passwords using means such as brute-force attacks. Methods that use word comparisons or algorithms to repeatedly guess a password are possibilities. The Brutus password cracker is an instance of a tool used in conjunction with a dictionary attack for cracking passwords (Aggarwal et al., 2018).

References

Aggarwal, S., Houshmand, S., & Weir, M. (2018). New technologies in password cracking techniques. In Cyber Security: Power and Technology (pp. 179-198). Springer, Cham.

Ahamed, U., & Fernando, S. (2020). Identifying the impacts of active and passive attacks on network layer in a mobile ad-hoc network: A simulation perspective. International Journal of Advanced Computer Science and Applications (IJACSA), 11(11).

Chenchev, I., Aleksieva-Petrova, A., & Petrov, M. (2021). Authentication mechanisms and classification: A literature survey. Intelligent Computing, 1051-1070.

Kaiafas, G., Varisteas, G., Lagraa, S., State, R., Nguyen, C. D., Ries, T., & Ourdane, M. (2018, April). Detecting malicious authentication events trustfully. In NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium (pp. 1-6). IEEE.
