Invitation to Cybersecurity

There are three main types of authentication tokens. They are based on something the user knows, something the user is, or something the user has. We will explore each of these methods in the following subsections.

8.1.1 Something You Know

Something you know is the most popular type of authentication token. During the recognition phase, the computer in effect asks the user, “If you are who you say you are, prove it by telling me something that only the real [username] would know.” We refer to this secret piece of information as a password. The assumption is that only the real user knows his password, so if he is able to input it into the computer, then he must be the user he claims to be. The familiar login screen is the recognition phase for password-based authentication schemes (see Figure 8.2).

Figure 8.2 A login page—the recognition phase for password-based authentication.

8.1.1.1 Passwords

Password-based authentication is popular because it is inexpensive to implement and maintain. The overhead costs of assigning passwords, storing them, and verifying users during the recognition phase are minimal. No extra hardware is required, and there are minimal storage and processing costs. Also, in theory, it should work really well—after all, only the correct user should be able to provide his secret piece of information. However, as we saw in Section 4.1.2.3 on credential stealing, there are numerous ways in which password-based authentication fails. False-positive errors, in which an imposter authenticates as a valid user, are common. The assumption that only one person, the rightful account owner, knows the password does not hold: the computer can verify only that whoever is typing knows the secret, not who is typing. Passwords are a great example of the practical realities that confront cybersecurity mechanisms. Many ideas that work well in theory do not work well in practice. The price of failure is cybersecurity incidents. This has definitely been the case with passwords.
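The two phases the text describes, assigning a password and then recognizing the user by asking for it, as an added example in Python. This is not code from the textbook; the in-memory credential store, the user names, and the passwords are constructed for the example, and the choice to store a salted PBKDF2-derived key rather than the password itself (with an illustrative iteration count) is the example's own design decision, not something the text prescribes. The last function makes the text's point concrete: the recognition phase accepts anyone who knows the secret, so an imposter with a stolen password is a false positive the mechanism cannot detect.

```python
import hashlib
import hmac
import os

# Constructed in-memory credential store for the example: username -> (salt, derived key).
# A real system would persist this in a database; the shape here is an assumption.
_store: dict[str, tuple[bytes, bytes]] = {}

_ITERATIONS = 200_000  # illustrative PBKDF2 work factor, not a policy recommendation
_DUMMY_SALT = b"\x00" * 16


def _derive(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password with PBKDF2-HMAC-SHA256 (standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def assign_password(username: str, password: str) -> None:
    """Assignment phase: record a per-user random salt and the derived key, never the password."""
    salt = os.urandom(16)
    _store[username] = (salt, _derive(password, salt))


def recognize(username: str, password: str) -> bool:
    """Recognition phase: accept iff the presented password derives to the stored key.

    The check proves only that the caller knows the secret; it cannot tell who the caller is.
    """
    entry = _store.get(username)
    if entry is None:
        # Do a derivation anyway so an unknown username costs the same time as a wrong password,
        # which avoids leaking which usernames exist via response timing.
        _derive(password, _DUMMY_SALT)
        return False
    salt, expected = entry
    # Constant-time comparison so the verdict does not leak through timing either.
    return hmac.compare_digest(_derive(password, salt), expected)


def stolen_password_demo() -> dict[str, bool]:
    """Show the false positive the text describes: whoever knows the password is accepted.

    Returns the outcome of each attempt so the result can be inspected or asserted on.
    """
    owner, secret = "alice", "correct horse battery staple"  # constructed for the example
    assign_password(owner, secret)
    return {
        "owner_with_password": recognize(owner, secret),
        "owner_with_wrong_password": recognize(owner, "wrong password"),
        "unknown_user": recognize("nobody", secret),
        # The imposter stole the password (e.g. by the credential stealing in Section 4.1.2.3);
        # the recognition phase has no way to distinguish this attempt from the owner's.
        "imposter_with_stolen_password": recognize(owner, secret),
    }


if __name__ == "__main__":
    for attempt, accepted in stolen_password_demo().items():
        print(f"{attempt}: {'accepted' if accepted else 'rejected'}")
```

Storing a derived key instead of the password limits the damage when the store itself is stolen, but it does nothing about the failure the text is concerned with: once a second person knows the secret, the recognition phase accepts that person exactly as it accepts the owner.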
