8. The Means of Cybersecurity: Access Control 191

online. Then, he successfully reset her account password by answering three security questions. He did not know Sarah Palin, so he had no personal insight into her background, but since she was a famous public figure, he was able to find the answers to all her questions through online searches! While there are clever security questions that people can remember yet are not likely to be published anywhere or known by others, this is a weak type of authentication token and should be used with caution. Some security-conscious people provide bogus answers to security questions to make them difficult for an attacker to guess, but this can also make it difficult for them to remember their own answers! Some take the shortcut of always using the same bogus answer (e.g., “I’m not telling”) to every question everywhere, but this exposes them to credential stuffing attacks and is not an ideal solution either.

8.1.1.4 Summary

The main issue with passwords is that they put the onus of security on the user. Most users do not understand the risks they are taking and are not prepared for the burden of creating their own authentication token. When users are asked to come up with a password, they think more about convenience than security. We saw this tradeoff in Chapter 5 on cyber risk management. Users prioritize convenience and choose poor passwords they can remember and type in quickly. Unfortunately, these passwords are easy for attackers to guess or at least crack. This is not really a failure of the user as much as it is of the cybersecurity industry. The reason passwords are so commonly used is not because they work exceptionally well, but because they work somewhat well and are inexpensive to use and maintain.
8.1.2 Something You Are

“The Gileadites captured the fords of the Jordan leading to Ephraim, and whenever a survivor of Ephraim said, ‘Let me cross over,’ the men of Gilead asked him, ‘Are you an Ephraimite?’ If he replied, ‘No,’ they said, ‘All right, say “Shibboleth.”’ If he said, ‘Sibboleth,’ because he could not pronounce the word correctly, they seized him and killed him at the fords of the Jordan.” - Judges 12:5-6

In the real world, authentication is based on physical characteristics. We use our human senses, such as sight and hearing, to authenticate one another. When computers use physical characteristics to authenticate people, it is called biometric authentication. Biometric authentication requires a hardware sensor on the computing device, such as a camera or scanner. During the enrollment phase, users provide a biometric sample via this hardware sensor that is digitized and stored in the authentication database. Then, in the recognition phase, users provide a fresh sample which is digitized and compared to the sample on file—if they match, the user is authenticated. This type of authentication is based on something you are—some physical characteristic of the person.