Study Guide: Principles of Information Security: Authentication Methods (Passwords, MFA, Biometrics, Certificate-based)
Source: https://www.fatskills.com/first-aid/chapter/information-security-authentication-methods-passwords-mfa-biometrics-certificatebased

Principles of Information Security: Authentication Methods (Passwords, MFA, Biometrics, Certificate-based)

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Authentication Methods Study Guide (Passwords, MFA, Biometrics, Certificate-Based)


What This Is

Authentication is the process of verifying a user's or system's identity before granting access to resources. It is the first line of defense against unauthorized access: weak authentication is like leaving your front door unlocked. A real-world example: the 2021 Colonial Pipeline ransomware attack began with a single leaked password for a VPN account that had no MFA, leading to a $4.4M ransom payment and fuel shortages across the U.S. East Coast. A second factor on that account, or certificate-based VPN access, would very likely have blocked that initial access.


Key Terms & Concepts

  • Authentication (AuthN): Verifying a user's or system's claimed identity (e.g., username + password). Contrast with Authorization (AuthZ), which determines what an authenticated user can do.
  • Password-Based Authentication: The most common method, using a secret string (e.g., "P@ssw0rd123"). Weaknesses: brute-force and dictionary attacks, credential stuffing, and poor password hygiene (reuse, sharing, sticky notes).
    • NIST SP 800-63B: Guidelines for password policies: minimum 8 characters, allow long passphrases (at least 64 characters), no composition rules, screen new passwords against lists of breached and common passwords, and no periodic rotation unless compromise is suspected.
    • Tools: Have I Been Pwned (checks whether a password or account appears in known breaches), KeePass (password manager).
  • Multi-Factor Authentication (MFA): Requires two or more of the following, from different categories:
    • Something you know (password, PIN).
    • Something you have (smart card, TOTP token, YubiKey).
    • Something you are (fingerprint, facial recognition).
    • TOTP (Time-Based One-Time Password): Short-lived codes derived from a shared secret and the current time, per RFC 6238 (e.g., Google Authenticator, Authy).
    • FIDO2: Open standard (WebAuthn + CTAP) for passwordless, phishing-resistant authentication using public-key credentials bound to the site's origin (e.g., Windows Hello, YubiKey).
  • Biometric Authentication: Uses unique physical traits (fingerprint, iris, voice) or behavioral traits (e.g., typing rhythm).
    • False Acceptance Rate (FAR): % of unauthorized users incorrectly granted access (e.g., a spoofed fingerprint accepted).
    • False Rejection Rate (FRR): % of authorized users incorrectly denied access (e.g., a dirty fingerprint sensor).
    • Crossover Error Rate (CER): Point where FAR = FRR; a lower CER means a more accurate biometric system.
    • Liveness Detection: Prevents spoofing (e.g., telling a photo from a real face).
  • Certificate-Based Authentication: Uses digital certificates (X.509 standard) to verify identity. Common in:
    • TLS: HTTPS, where the server proves its identity to the browser with its certificate.
    • Smart Cards: DoD CAC cards, PIV cards.
    • Mutual TLS (mTLS): Both client and server present certificates and authenticate each other (used in zero-trust networks).
    • PKI (Public Key Infrastructure): Framework for issuing, distributing and revoking certificates; revocation is published as a CRL or queried via OCSP.
  • Single Sign-On (SSO): Allows users to log in once and access multiple systems (e.g., Okta, Azure AD). Built on:
    • SAML (Security Assertion Markup Language): XML-based standard for SSO (common in enterprise).
    • OAuth 2.0: Authorization (delegation) framework; OpenID Connect (OIDC) adds an identity layer on top of it and is what "Log in with Google" uses.
  • Risk-Based Authentication (RBA): Adjusts authentication requirements based on risk signals (e.g., location, device, time of access).
    • Example: A bank prompts for MFA if the login comes from a new country.
  • Passwordless Authentication: Eliminates passwords entirely (e.g., FIDO2, magic links, biometrics).
  • Credential Stuffing: Attackers replay leaked username/password pairs from one breach against other services (e.g., the 2019 Disney+ account takeovers).
  • Brute-Force Attack: Automated guessing of passwords, online against a login endpoint (e.g., Hydra) or offline against stolen hashes (e.g., John the Ripper).
    • Defense: Account lockout, rate limiting, CAPTCHA; for stored hashes, a salted slow hash.
  • Phishing-Resistant MFA: MFA that a phishing site cannot relay (e.g., FIDO2 security keys, smart cards and other hardware cryptographic tokens). SMS/email OTPs are not phishing-resistant: an adversary-in-the-middle proxy can relay them in real time.
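As an added example (not code from this guide), here is RFC 6238 TOTP on both sides of the exchange, in Go: the HOTP/TOTP derivation an authenticator app performs, and a server-side verifier that tolerates one step of clock skew and refuses to accept the same code twice. The secret is the RFC 6238 test key rather than a real one; the verifier type, its window and its replay guard are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	stepSeconds = 30 // RFC 6238 default time step
	digits      = 6  // code length shown by Google Authenticator, Authy, etc.
)

// Constructed demo secret: the RFC 6238 Appendix B test key (ASCII "12345678901234567890").
// A real secret is random, provisioned once via QR code, and stored encrypted server-side.
var demoSecret = []byte("12345678901234567890")

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to 31 bits,
// then reduction to n decimal digits.
func hotp(key []byte, counter int64, n int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(counter))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < n; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", n, code%mod)
}

// totp is RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch.
func totp(key []byte, unix int64) string {
	return hotp(key, unix/stepSeconds, digits)
}

// verifier is the server side. Remembering the last accepted step is what stops an attacker who
// phished or shoulder-surfed a code from replaying it inside the same window.
type verifier struct {
	key      []byte
	lastStep int64 // -1 until the first successful verification
}

// verify accepts the current step or one step either side (clock skew), compares in constant time,
// and rejects any step that has already been used.
func (v *verifier) verify(code string, unix int64) bool {
	cur := unix / stepSeconds
	for _, step := range []int64{cur - 1, cur, cur + 1} {
		if hmac.Equal([]byte(hotp(v.key, step, digits)), []byte(code)) {
			if step <= v.lastStep {
				return false // replay of a code already accepted
			}
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	now := time.Now().Unix()
	code := totp(demoSecret, now)
	v := &verifier{key: demoSecret, lastStep: -1}
	fmt.Println("code:", code, "first use:", v.verify(code, now), "replay:", v.verify(code, now))
}
```

Loaded with the same secret, an authenticator app shows the same code this prints; the RFC 6238 Appendix B vectors (for example the 8-digit code 94287082 at Unix time 59) come straight out of hotp and totp. The replay guard is the important server-side detail: a phished TOTP is only useful to the attacker if they use it before the victim does and within the window, which is why the guide ranks TOTP above SMS but still short of phishing-resistant.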

Step-by-Step / Process Flow

How to Implement Strong Authentication (Enterprise Example)

  1. Assess Requirements:
    • Identify sensitivity of data (e.g., PII, financial records) and compliance needs (e.g., HIPAA, PCI DSS, GDPR).
    • Use NIST SP 800-63-3 for guidance on assurance levels: IAL (identity proofing), AAL (authentication strength), FAL (federation).
  2. Choose Authentication Methods:
    • Low-risk systems: Password + TOTP (e.g., Google Authenticator).
    • High-risk systems: FIDO2 (e.g., YubiKey) or certificate-based (e.g., smart cards).
    • Legacy systems: Add MFA via RADIUS or LDAP proxies.
  3. Deploy MFA:
    • Use conditional access policies (e.g., Azure AD, Duo Security) to enforce MFA for:
      • Remote access (VPN, RDP).
      • Privileged accounts (admin, root).
      • High-value transactions (e.g., wire transfers).
    • Test failover: have users register a backup method (a second security key or one-time recovery codes) before rollout. An account is only as strong as its weakest enrolled method, so do not let an SMS fallback quietly undo a FIDO2 deployment.
  4. Monitor & Respond:
    • Enable SIEM alerts for:
      • Multiple failed MFA attempts (possible brute-force, or push-prompt spam aimed at MFA fatigue).
      • Unusual login locations (e.g., Tor exit nodes).
    • Revoke compromised credentials immediately; for certificates, revoke at the CA so the next CRL or OCSP response reports them as revoked.
  5. User Training:
    • Teach users to:
      • Recognize phishing (e.g., fake MFA prompts).
      • Avoid reusing passwords.
      • Report lost/stolen tokens (e.g., YubiKey).
  6. Audit & Improve:
    • Conduct penetration tests (e.g., simulate credential stuffing attacks).
    • Review authentication logs for anomalies (e.g., impossible travel).
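To make the Monitor & Respond and Audit & Improve steps concrete, here is an added example (not part of the original guide) in Go that runs two detections over a small constructed authentication log: a burst of failed MFA attempts per user, and impossible travel between two successful logins. The log format, the thresholds (5 failures in 10 minutes, 900 km/h) and the coordinates are this example's assumptions; a SIEM would supply the geolocation at ingest.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Constructed sample authentication log (not real data): timestamp,user,event,source_ip,lat,lon.
const sampleLog = `2024-05-01T08:00:00Z,alice,login_ok,203.0.113.10,51.50,-0.12
2024-05-01T08:05:00Z,bob,mfa_fail,198.51.100.7,40.71,-74.01
2024-05-01T08:05:20Z,bob,mfa_fail,198.51.100.7,40.71,-74.01
2024-05-01T08:05:40Z,bob,mfa_fail,198.51.100.7,40.71,-74.01
2024-05-01T08:06:00Z,bob,mfa_fail,198.51.100.7,40.71,-74.01
2024-05-01T08:06:30Z,bob,mfa_fail,198.51.100.7,40.71,-74.01
2024-05-01T08:40:00Z,alice,login_ok,192.0.2.44,35.68,139.69
2024-05-01T09:00:00Z,carol,login_ok,198.51.100.9,48.85,2.35
2024-05-01T15:00:00Z,carol,login_ok,203.0.113.77,52.52,13.40`

type event struct {
	t            time.Time
	user, ev, ip string
	lat, lon     float64
}

// parseLog reads the CSV-style lines above, skips malformed ones, and returns events in time order.
func parseLog(raw string) []event {
	var out []event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 6 {
			continue
		}
		t, err := time.Parse(time.RFC3339, f[0])
		lat, err1 := strconv.ParseFloat(f[4], 64)
		lon, err2 := strconv.ParseFloat(f[5], 64)
		if err != nil || err1 != nil || err2 != nil {
			continue
		}
		out = append(out, event{t: t, user: f[1], ev: f[2], ip: f[3], lat: lat, lon: lon})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].t.Before(out[j].t) })
	return out
}

// mfaFailureBursts alerts once, when a user's MFA failures inside a sliding window reach threshold.
func mfaFailureBursts(evs []event, threshold int, window time.Duration) []string {
	recent := map[string][]time.Time{}
	var alerts []string
	for _, e := range evs {
		if e.ev != "mfa_fail" {
			continue
		}
		ts := append(recent[e.user], e.t)
		for len(ts) > 0 && e.t.Sub(ts[0]) > window {
			ts = ts[1:]
		}
		recent[e.user] = ts
		if len(ts) == threshold {
			alerts = append(alerts, fmt.Sprintf("%s: %d MFA failures within %s from %s", e.user, len(ts), window, e.ip))
		}
	}
	return alerts
}

// haversineKm is the great-circle distance between two coordinates in kilometres.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	a := math.Pow(math.Sin(rad(lat2-lat1)/2), 2) + math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Pow(math.Sin(rad(lon2-lon1)/2), 2)
	return 2 * 6371 * math.Asin(math.Sqrt(a))
}

// impossibleTravel alerts on consecutive successful logins whose implied speed exceeds maxKmh.
func impossibleTravel(evs []event, maxKmh float64) []string {
	last := map[string]event{}
	var alerts []string
	for _, e := range evs {
		if e.ev != "login_ok" {
			continue
		}
		if p, ok := last[e.user]; ok {
			km := haversineKm(p.lat, p.lon, e.lat, e.lon)
			if h := e.t.Sub(p.t).Hours(); h > 0 && km/h > maxKmh {
				alerts = append(alerts, fmt.Sprintf("%s: %.0f km in %.0f min (%s -> %s)", e.user, km, h*60, p.ip, e.ip))
			}
		}
		last[e.user] = e
	}
	return alerts
}

func main() {
	evs := parseLog(sampleLog)
	for _, a := range append(mfaFailureBursts(evs, 5, 10*time.Minute), impossibleTravel(evs, 900)...) {
		fmt.Println("ALERT", a)
	}
}
```

On the sample log, bob trips the failure-burst rule (five failures in ninety seconds from one address) and alice trips impossible travel (London to Tokyo in forty minutes), while carol's Paris-to-Berlin hop six hours later is a plausible 150 km/h and stays quiet. The 900 km/h ceiling is roughly airliner speed; tune it and the window to your own false-positive budget, and treat a successful login immediately after a failure burst as the highest-priority case of all.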

Common Mistakes

  • Mistake: Assuming MFA is "unhackable."
    Correction: MFA can be bypassed via phishing (adversary-in-the-middle proxies), SIM swapping, or stolen session tokens. Use phishing-resistant MFA (FIDO2, hardware tokens).
  • Mistake: Enforcing overly complex password policies (e.g., "Change every 30 days, must include !@#$").
    Correction: NIST recommends long passphrases (e.g., "PurpleElephantsJump@Midnight"), screening against breached-password lists, and no forced rotation unless compromise is suspected. Complexity rules lead to predictable passwords (e.g., "Password1!").
  • Mistake: Using SMS for MFA in high-security environments.
    Correction: SMS is vulnerable to SIM swapping, SS7 interception and real-time phishing. Use TOTP or, better, FIDO2 instead.
  • Mistake: Ignoring biometric spoofing risks.
    Correction: Fingerprint scanners have been fooled with gelatin prints and face recognition with masks or 3D-printed heads. Use liveness detection and multi-modal biometrics (e.g., fingerprint + vein pattern).
  • Mistake: Not revoking certificates after employee departure.
    Correction: An unrevoked client certificate keeps authenticating the departed employee (or whoever now holds the key); an orphaned server or CA key enables man-in-the-middle (MITM) attacks. Use automated certificate management (e.g., HashiCorp Vault) and short-lived certificates, so a missed revocation expires on its own.
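An added example (not from this guide) of what the NIST SP 800-63B correction looks like as code, in Go: a verifier that enforces length and a blocklist but no composition rule and no expiry, and stores the password under PBKDF2-HMAC-SHA256 with a fresh random salt. The blocklist contents, the iteration count and the record format are this example's choices; the PBKDF2 routine is written out rather than imported so the salt-then-iterate structure is visible.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"unicode/utf8"
)

// Constructed blocklist stand-in; production uses a breached-password corpus (e.g. the Have I Been
// Pwned range API) plus dictionary words and the service's own name.
var blocklist = map[string]bool{"password": true, "password1!": true, "p@ssw0rd123": true, "qwerty123": true, "letmein": true}

// Demo iteration count; raise it to the highest value your login latency budget allows.
const pbkdf2Iterations = 100000

// checkPassword applies SP 800-63B section 5.1.1.2: length counted in characters (at least 8, with a
// generous maximum), no composition rules, no expiry, and a blocklist check for breached, dictionary,
// context-specific and repetitive/sequential values.
func checkPassword(pw, username string) error {
	if n := utf8.RuneCountInString(pw); n < 8 || n > 128 { // 800-63B: permit at least 64; 128 is this demo's cap
		return errors.New("must be between 8 and 128 characters")
	}
	low := strings.ToLower(pw)
	if blocklist[low] {
		return errors.New("appears in the blocklist of breached or common passwords")
	}
	if username != "" && strings.Contains(low, strings.ToLower(username)) {
		return errors.New("must not contain the username")
	}
	if repetitiveOrSequential(pw) {
		return errors.New("must not be a repeated or sequential run of characters")
	}
	return nil // deliberately no uppercase/digit/symbol rule
}

// repetitiveOrSequential flags "aaaaaaaa" and "abcdefgh"/"12345678" style inputs.
func repetitiveOrSequential(pw string) bool {
	r := []rune(pw)
	same, seq := true, true
	for i := 1; i < len(r); i++ {
		same = same && r[i] == r[0]
		seq = seq && r[i] == r[i-1]+1
	}
	return same || seq
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a 32-byte output, so only block 1 is needed.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(i) for the first output block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// hashPassword stores "pbkdf2-sha256$iterations$salt$hash" with a fresh 16-byte random salt, which is
// exactly what makes precomputed rainbow tables useless against the stored hash.
func hashPassword(pw string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	h := pbkdf2SHA256([]byte(pw), salt, pbkdf2Iterations)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", pbkdf2Iterations, hex.EncodeToString(salt), hex.EncodeToString(h)), nil
}

// verifyPassword re-derives with the stored salt and iteration count and compares in constant time.
func verifyPassword(record, pw string) bool {
	p := strings.Split(record, "$")
	if len(p) != 4 || p[0] != "pbkdf2-sha256" {
		return false
	}
	iters, err := strconv.Atoi(p[1])
	salt, err1 := hex.DecodeString(p[2])
	want, err2 := hex.DecodeString(p[3])
	if err != nil || err1 != nil || err2 != nil || iters < 1 {
		return false
	}
	return hmac.Equal(pbkdf2SHA256([]byte(pw), salt, iters), want)
}

func main() {
	for _, pw := range []string{"P@ssw0rd123", "PurpleElephantsJump@Midnight", "purpleelephantsjumpatmidnight", "aaaaaaaa"} {
		fmt.Printf("%-32q %v\n", pw, checkPassword(pw, "alice"))
	}
}
```

Note the reversal of what a complexity rule would decide: "purpleelephantsjumpatmidnight" passes and "P@ssw0rd123" is rejected, because the blocklist, not the character classes, is what predicts guessability. Storing the iteration count inside the record lets you raise it later and re-hash users transparently at their next login.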

Certification Exam Tips

  1. CISSP:
    • Management vs. Technical: CISSP favors risk management over implementation details. Example question: "Which authentication method provides the highest assurance for remote access to a nuclear facility?" Answer: Certificate-based (smart card, a hardware cryptographic authenticator) combined with a PIN or biometric, which is what NIST AAL3 calls for.
    • MFA Factors: Know the 3 categories (knowledge, possession, inherence) and examples. "Something you do" (e.g., typing rhythm) is behavioral biometrics, a subset of inherence, not a fourth standard factor.
    • PKI: Understand CRL vs. OCSP (OCSP is a real-time query for one certificate's status; a CRL is a periodically published, signed list of revoked serial numbers).
  2. Security+:
    • Password Policies: Memorize NIST SP 800-63B (no complexity rules, allow long passphrases, screen against breached passwords, no forced rotation).
    • MFA Bypass: Know SIM swapping and real-time phishing (adversary-in-the-middle) as attack vectors.
    • Biometrics: Focus on FAR, FRR, and CER. Example question: "Which biometric system has the lowest CER?" Answer: Iris scan (the most accurate in exam material).
  3. CEH:
    • Attack Tools: Know how MFA is bypassed (e.g., Evilginx for phishing, Modlishka for session hijacking; both are reverse proxies that relay the login in real time and capture the session cookie).
    • Password Cracking: Understand rainbow tables (precomputed hashes; fast, but defeated by per-password salts) vs. brute-force (slow, tries all combinations) vs. dictionary attacks (tries likely passwords first).
    • Certificate Attacks: MITM via self-signed or attacker-issued certificates when the client does not validate the chain (or the user clicks through the warning); certificate pinning bypass in mobile apps (e.g., Frida hooks).
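To show why FIDO2 survives the Evilginx/Modlishka style of attack while a relayed OTP does not, here is an added example (not from this guide, and a deliberate simplification of real WebAuthn) in Go: an ed25519 credential signs authenticatorData || SHA-256(clientDataJSON), where the browser, not the attacker, fills in the origin and RP ID of the page the user is actually on. The relying party rejects the relayed assertion because its origin is wrong, and rejects a patched one because the signature no longer verifies. rp.example and rp-example.com are placeholder names; the assertion layout is this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// The relying party (RP). The browser derives origin and RP ID from the page it is on, so a
// reverse proxy on a lookalike domain cannot choose them.
const (
	rpID     = "rp.example"
	rpOrigin = "https://rp.example"
)

// clientData is the CollectedClientData the browser builds for a webauthn.get ceremony.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the RP receives: authenticatorData (rpIdHash || flags || counter, simplified),
// the client data JSON, and a signature over authData || SHA-256(clientDataJSON).
type assertion struct {
	AuthData, ClientJSON, Sig []byte
}

func newChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// authenticatorSign models browser + authenticator; browserOrigin and browserRPID are the page the
// user is really on. The private key never leaves the authenticator.
func authenticatorSign(priv ed25519.PrivateKey, browserOrigin, browserRPID, challenge string) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	rpHash := sha256.Sum256([]byte(browserRPID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signature counter 1
	cdHash := sha256.Sum256(cd)
	sig := ed25519.Sign(priv, append(append([]byte{}, authData...), cdHash[:]...))
	return assertion{AuthData: authData, ClientJSON: cd, Sig: sig}
}

// rpVerify is the relying party's check: right ceremony and challenge, the RP's own origin and
// RP ID hash, and a signature that covers both.
func rpVerify(pub ed25519.PublicKey, issued string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issued {
		return errors.New("wrong ceremony type or challenge")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, rpOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(a.ClientJSON)
	if !ed25519.Verify(pub, append(append([]byte{}, a.AuthData...), cdHash[:]...), a.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// runScenarios returns the RP's verdict for a genuine login, for the same login relayed through an
// Evilginx-style proxy on https://rp-example.com, and for the proxy also patching what it can see.
func runScenarios() (legit, phished, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	ch, err := newChallenge()
	if err != nil {
		return err, err, err
	}
	legit = rpVerify(pub, ch, authenticatorSign(priv, rpOrigin, rpID, ch))
	relayed := authenticatorSign(priv, "https://rp-example.com", "rp-example.com", ch) // real challenge, wrong site
	phished = rpVerify(pub, ch, relayed)
	patched := relayed
	patched.ClientJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: ch, Origin: rpOrigin})
	want := sha256.Sum256([]byte(rpID))
	patched.AuthData = append(want[:], relayed.AuthData[32:]...)
	forged = rpVerify(pub, ch, patched)
	return legit, phished, forged
}

func main() {
	legit, phished, forged := runScenarios()
	fmt.Printf("genuine: %v\nproxied: %v\npatched: %v\n", legit, phished, forged)
}
```

Contrast this with a TOTP or SMS code passing through the same proxy: the six digits carry no information about where they were typed, so the proxy forwards them unchanged and the login succeeds. Here the attacker can relay the challenge but cannot obtain a signature over the RP's origin, and any field they rewrite breaks the signature they already have.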

Quick Check Questions

  1. A company wants to implement MFA for remote access. Which method is most resistant to phishing?
    A) SMS-based OTP
    B) TOTP (Google Authenticator)
    C) FIDO2 security key
    D) Email magic link
    Answer: C) FIDO2 security key. The key signs a challenge together with the origin of the site the browser is on, so a signature obtained on a lookalike domain is useless to the attacker; the other three deliver a secret the user can be tricked into typing into a proxy.

  2. During a penetration test, an attacker gains access to a user's password hash. Which attack is most likely to succeed if the password is weak?
    A) Rainbow table attack
    B) Brute-force attack
    C) Credential stuffing
    D) Pass-the-hash
    Answer: A) Rainbow table attack, for an unsalted hash: the table precomputes hashes of common passwords, so a weak one is found almost instantly. Brute-force (B) is slower; credential stuffing (C) requires leaked plaintext passwords; pass-the-hash (D) uses the hash directly without cracking it. Practice caveat: a salted hash defeats rainbow tables, and a weak password then falls to a dictionary or brute-force attack instead.

  3. A bank uses certificate-based authentication for its mobile app. Which PKI component lets the bank's servers check in real time whether a client certificate has been revoked?
    A) Certificate Authority (CA)
    B) Registration Authority (RA)
    C) Online Certificate Status Protocol (OCSP)
    D) Key Escrow
    Answer: C) OCSP, which answers a live status query for one certificate. The CA (A) issues certificates and is the party that actually revokes them; the RA (B) verifies applicant identities; key escrow (D) stores copies of private keys for recovery.
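To make the revocation question concrete, here is an added lab example in Go (not from this guide; it assumes Go 1.21 or newer for the x509.RevocationListEntry type): a throwaway root CA issues client-auth certificates, publishes a CRL when an employee leaves, and a gateway check verifies the chain, the validity period and the CRL before accepting a certificate. A separately issued short-lived certificate is rejected as expired without any revocation at all. All names and serial numbers are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair and signs tmpl with parent/parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// clientTemplate describes a client-auth cert for one user; a short ttl bounds a forgotten revocation.
func clientTemplate(serial int64, user string, ttl time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-2 * time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// publishCRL is the CA's act of revocation: a signed list of revoked serial numbers.
func publishCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, revoked ...*x509.Certificate) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(time.Now().Unix()), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// checkClientCert is what an mTLS gateway does per connection: chain to the trusted root with
// client-auth usage (Verify also enforces the validity period), confirm the CRL really is the CA's,
// then look the serial up (an OCSP responder answers the same question for one cert online).
func checkClientCert(cert, ca *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %d (%s) is revoked", cert.SerialNumber, cert.Subject.CommonName)
		}
	}
	return nil
}

// runLab: alice stays, bob leaves and is revoked, dave holds a short-lived cert that has already expired.
func runLab() (current, departed, expired error) {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return err, err, err
	}
	alice, _, errA := issue(clientTemplate(1001, "alice", time.Hour), ca, caKey)
	bob, _, errB := issue(clientTemplate(1002, "bob", time.Hour), ca, caKey)
	dave, _, errD := issue(clientTemplate(1003, "dave", -time.Minute), ca, caKey) // NotAfter already passed
	crl, errC := publishCRL(ca, caKey, bob)                                        // bob has left the company
	if err := errors.Join(errA, errB, errD, errC); err != nil {
		return err, err, err
	}
	return checkClientCert(alice, ca, crl), checkClientCert(bob, ca, crl), checkClientCert(dave, ca, crl)
}

func main() {
	current, departed, expired := runLab()
	fmt.Printf("alice: %v\nbob: %v\ndave: %v\n", current, departed, expired)
}
```

The division of labour matches the quiz answer: the CA decides and signs the revocation, the CRL (or an OCSP response) merely carries that decision, and the relying party must both fetch it and verify its signature before trusting it. dave's case is the argument for short lifetimes: no one revoked anything, and the certificate is still unusable, so an automated issuer handing out certificates measured in hours removes most of the "forgot to revoke" risk.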

Last-Minute Cram Sheet

  1. MFA Factors: Something you know (password), have (token), are (biometric).
  2. NIST SP 800-63B: No password complexity rules; allow long passphrases; no forced rotation.
  3. FIDO2: Phishing-resistant MFA standard (e.g., YubiKey, Windows Hello).
  4. Biometrics: FAR (false accept), FRR (false reject), CER (where FAR = FRR).
  5. Certificate-Based Auth: X.509 standard; used in TLS, smart cards, mTLS.
  6. PKI Components: CA (issues certs), RA (verifies identity), CRL/OCSP (revocation).
  7. SMS MFA: Not phishing-resistant, and vulnerable to SIM swapping.
  8. Password Attacks: Brute-force (slow, exhaustive), rainbow tables (fast, but only against unsalted hashes), credential stuffing (passwords reused across breached sites).
  9. Risk-Based Auth: Adjusts MFA based on context (e.g., location, device).
  10. Zero Trust: "Never trust, always verify" – mTLS and continuous authentication are key.