SY0-601 07


Lesson 7

Implementing Authentication Controls


Topic 7A
Summarize Authentication Design Concepts

CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered

• 2.4 Summarize authentication and authorization design concepts

Identity and Access Management

Authentication Factors

Authentication Design

Multifactor Authentication

Authentication Attributes

Activities

1. What is the difference between authorization and authentication?

2. What steps should be taken to enroll a new employee on a domain network?

3. True or false? An account requiring a password, PIN, and smart card is an example of three-factor authentication.

4. What methods can be used to implement location-based authentication?

Topic 7B
Implement Knowledge-based Authentication

Syllabus Objectives Covered

• 1.2 Given a scenario, analyze potential indicators to determine the type of attack

• 3.8 Given a scenario, implement authentication and authorization solutions

• 4.1 Given a scenario, use the appropriate tool to assess organizational security
(Password crackers only)

Local, Network, and Remote Authentication

Kerberos Authentication

Kerberos Authorization

PAP, CHAP, and MS-CHAP Authentication

PAP vs. CHAP

Name
PAP: Short for Password Authentication Protocol
CHAP: Abbreviation of Challenge-Handshake Authentication Protocol

Specification
PAP: Described in RFC 1334
CHAP: Described in RFC 1994

Who initiates
PAP: Initialized by the client
CHAP: Initialized by the server

When authentication occurs
PAP: Authentication is performed only once during a session, when the initial connection is established
CHAP: Authentication is performed during the initial establishment of the connection; authentication can also be requested and performed after the connection has been established (midsession authentication)

Where it is used
PAP: Used by Point-to-Point Protocol (PPP) to validate users and to describe password authentication in other protocols such as RADIUS and Diameter
CHAP: Used by Point-to-Point Protocol (PPP) to validate users and to authenticate in other protocols such as RADIUS and Diameter

Handshake
PAP: Uses a two-way handshake mechanism
CHAP: Uses a three-way handshake mechanism

Replay attacks
PAP: Provides no protection against replay attacks
CHAP: Provides protection against replay attacks

Password handling
PAP: Sends the password in clear-text form, which makes it vulnerable to even the simplest Man-in-the-Middle (MITM) attacks
CHAP: Requires the client and the server to know the password in clear-text form but never sends the password over the network

RADIUS support
PAP: Supported by RADIUS as RADIUS PAP and therefore supported by Rublon Multi-Factor Authentication
CHAP: Supported by RADIUS as RADIUS CHAP and therefore supported by Rublon Multi-Factor Authentication
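An added example (not part of the CompTIA slides) that models the two handshakes the comparison describes: CHAP's three-way Challenge/Response/verdict exchange per RFC 1994, where only an MD5 digest crosses the link and each challenge is single-use, beside the PAP Authenticate-Request of RFC 1334, which carries the password itself. Class and function names are assumptions; the 16-byte challenge length and the shared secret are constructed sample values.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994, CHAP with MD5 (algorithm 5):
    # Response = MD5(Identifier || secret || Challenge).
    # MD5 is what the RFC mandates, not a recommendation for new designs.
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side of the three-way handshake (Challenge / Response / Success-Failure).
    Keeps the shared secrets in clear text, which is CHAP's known trade-off, but
    never puts a secret on the wire."""
    def __init__(self, secrets):
        self._secrets = dict(secrets)   # peer name -> shared secret (constructed)
        self._pending = {}              # peer name -> (identifier, challenge)
        self._next_id = 0

    def challenge(self, name):
        """Step 1: issue a fresh random challenge under a new identifier."""
        ident = self._next_id & 0xFF
        self._next_id += 1
        chal = os.urandom(16)           # 16-byte challenge is an assumption
        self._pending[name] = (ident, chal)
        return ident, chal

    def verify(self, name, ident, response):
        """Step 3: check the response. Each challenge is consumed on first use,
        so a captured response cannot be replayed against a later challenge."""
        pending = self._pending.pop(name, None)
        if pending is None or pending[0] != ident or name not in self._secrets:
            return False
        expected = chap_response(ident, self._secrets[name], pending[1])
        return hmac.compare_digest(expected, response)

def chap_round(server, name, secret):
    """Peer side: step 2 of the handshake, then report the server's verdict."""
    ident, chal = server.challenge(name)
    response = chap_response(ident, secret, chal)
    return server.verify(name, ident, response), ident, response

def pap_authenticate_request(name, password):
    # PAP (RFC 1334) two-way handshake: the peer's request carries the password
    # itself (Peer-ID-Length, Peer-ID, Passwd-Length, Password), so anyone who
    # can read the link can read the password.
    return (bytes([len(name)]) + name.encode()
            + bytes([len(password)]) + password.encode())
```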

Password Attacks

Brute Force and Dictionary Attacks

Password Crackers

Authentication Management

Activities

1. Why might a PIN be a particularly weak type of something you know authentication?

2. In what scenario would PAP be considered a secure authentication method?

3. True or false? In order to create a service ticket, Kerberos passes the user's password to the target application server for authentication.

4. A user maintains a list of commonly used passwords in a file located deep within the computer's directory structure. Is this secure password management?

5. Which property of a plaintext password is most effective at defeating a brute-force attack?

Topic 7C
Implement Authentication Technologies

Syllabus Objectives Covered

• 2.4 Summarize authentication and authorization design concepts

• 3.3 Given a scenario, implement secure network designs (HSM only)

• 3.8 Given a scenario, implement authentication and authorization solutions

Smart Card Authentication

Key Management Devices

Extensible Authentication Protocol/IEEE 802.1X

Remote Authentication Dial-in User Service

Terminal Access Controller Access-Control System

Token Keys and Static Codes

Open Authentication (OATH)

2-Step Verification

Activities

1. True or false? When implementing smart card logon, the user's private key is stored on the smart card.

2. You are providing consultancy to a firm to help them implement smart card authentication to premises networks and cloud services. What are the main advantages of using an HSM over server-based key and certificate management services?

3. Which network access control framework supports smart cards?

4. What is a RADIUS client?

5. What is EAPoL?

6. How does OTP protect against password guessing or sniffing attacks?

Topic 7D
Summarize Biometrics Authentication Concepts

Syllabus Objectives Covered

• 2.4 Summarize authentication and authorization design concepts

Biometric Authentication

Fingerprint Recognition

Facial Recognition

Behavioral Technologies

Activities

1. Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?

2. How is a fingerprint reader typically implemented as hardware?

3. Which type of eye recognition is easier to perform: retinal or iris scanning?

4. What two ways can biometric technologies be used other than for logon authentication?

Lesson 7
Summary
