authentication.theory.txt
AUTHENTICATION
Credentials:
- types:
  - can be:
    - knowledge:
      - password/passphrase, secret questions, etc.
      - problems:
        - because they need to be memorized:
          - incentive to keep entropy low
            - e.g. dictionary attacks
          - might be written down
        - easiest to steal
    - possession:
      - security token, key/lock
      - can be disconnected (displays the credential to the user, who enters it) or connected (sends the credential to the computer directly)
      - problems: can be stolen
    - inherence:
      - biometrics: fingerprint, retina reader, voice recognition
      - problems: hard to implement
  - multifactor authentication (MFA):
    - using different types together
    - 2-factor authentication (2FA): when two types are used
- lifetime:
  - long-lived: most convenient, but if no longer confidential, must be revoked
  - long-lived -> one-time|temp token: middle way
  - one-time|temp tokens:
    - less convenient, but if no longer confidential, no need to revoke
    - one-time|temp can be:
      - time-wise:
        - server-side expiration time
        - timestamp hashed into the token (TOTP)
      - request-wise: e.g. valid only for this specific request/response (using a nonce)
- creation issuer:
  - user-picked: more convenient but less entropy
  - server-picked: less convenient but more entropy
- scope:
  - shared among websites:
    - often goes along with user-picked
    - if no longer confidential, compromises the other websites too
    - problem can be mitigated by persisting only a hash of the credential
  - unique for a specific website