2 cissp ® Official Study Guide Eighth Edition



Download 19,3 Mb.
Pdf ko'rish
bet556/881
Sana08.04.2023
Hajmi19,3 Mb.
#925879
1   ...   552   553   554   555   556   557   558   559   ...   881
Bog'liq
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Two-Step Authentication
A trend that many online organizations are using is two-step authentication. As an exam-
ple, imagine that you do online banking and log on with a username and password. Your 
bank recently required you to provide your cell phone number. Now, when you log on, 
the bank’s website indicates that it sent a text message to your phone with a code. It then 
prompts you to enter the code to complete the logon process. Sure enough, when you look 
at your smartphone you see a six-digit numeric code. After entering it on the website, you’re 
logged on.
In this scenario, your smartphone is effectively mimicking a hardware token, making 
this two-factor authentication, though many organizations such as Google call it two-step 
authentication. This process typically takes advantage of one of the following standards.
HOTP
The hash message authentication code (HMAC) includes a hash function used by 
the HMAC-based One-Time Password (HOTP) standard to create onetime passwords. It 
typically creates HOTP values of six to eight numbers. This is similar to the asynchronous 
dynamic passwords created by tokens. The HOTP value remains valid until used.
TOTP
The Time-based One-Time Password standard is similar to HOTP. However, it 
uses a timestamp and remains valid for a certain timeframe, such as 30 seconds. The TOTP 

Comparing Identification and Authentication 
595
password expires if the user doesn’t use within the timeframe. This is similar to the syn-
chronous dynamic passwords used by tokens.
Many online organizations use a combination of HOTP and TOTP and provide users 
with onetime passwords using two-step authentication.
While this sounds secure, we frequently see a common vulnerability addressed by NIST. 
Specifically, SP 800-63B recommends that the code sent to the user’s smartphone should 
not be viewable until the user unlocks the phone. However, the code almost always appears 
as a notification without unlocking the phone.
Another popular method of two-step authentication that many online websites use is an 
email challenge. When a user logs on, the website sends the user an email with a PIN. The 
user then needs to open the email and enter the PIN on the website. If the user can’t enter 
the PIN, the site blocks the user’s access. While an attacker may be able to obtain a user’s 
credentials after a data breach, the attacker probably cannot access the user’s email (unless 
the user has the same password for all accounts).
When a Second Factor May not Be Secure
Adding a second factor is helpful when you want to limit the impact of a stolen or cracked 
password, but what happens when the second factor isn’t secure? That’s the concern that 
drove updated NIST recommendations in SP 800.63B.
As discussed in this section, a numeric code sent to a smartphone is a secure method. 
The reason is that the smartphone has a subscriber identify module (SIM) card that 
uniquely identifies the device. Devices with a SIM card receive messages over the public 
switched telephone network (PSTN).
In contrast, if the message containing the numeric code is sent to an email address or a 
phone using Voice over Internet Protocol (VoIP), it isn’t possible to uniquely identify the 
device receiving the message. SP 800.63B recommends against using a device if it isn’t 
possible to prove possession of the device, such as when it sent as an email or using VoIP.
SP 800.63B has noted some risks with sending codes using the Short Message Service 
(SMS). SMS messages can sometimes be intercepted, and they can also be sent to VoIP 
devices.
As a better alternative, SP 800.63B recommends the use of push notifications. A push 
notification first establishes an authenticated protected channel. Once the channel is 
established, it sends the notification to the receiving device.

Download 19,3 Mb.

Do'stlaringiz bilan baham:
1   ...   552   553   554   555   556   557   558   559   ...   881



Ma'lumotlar bazasi mualliflik huquqi bilan himoyalangan ©hozir.org 2024
ma'muriyatiga murojaat qiling
kiriting | ro'yxatdan o'tish
    Bosh sahifa
юртда тантана
Боғда битган
Бугун юртда
Эшитганлар жилманглар
Эшитмадим деманглар
битган бодомлар
Yangiariq tumani
qitish marakazi
Raqamli texnologiyalar
ilishida muhokamadan
tasdiqqa tavsiya
tavsiya etilgan
iqtisodiyot kafedrasi
steiermarkischen landesregierung
asarlaringizni yuboring
o'zingizning asarlaringizni
Iltimos faqat
faqat o'zingizning
steierm rkischen
landesregierung fachabteilung
rkischen landesregierung
hamshira loyihasi
loyihasi mavsum
faolyatining oqibatlari
asosiy adabiyotlar
fakulteti ahborot
ahborot havfsizligi
havfsizligi kafedrasi
fanidan bo’yicha
fakulteti iqtisodiyot
boshqaruv fakulteti
chiqarishda boshqaruv
ishlab chiqarishda
iqtisodiyot fakultet
multiservis tarmoqlari
fanidan asosiy
Uzbek fanidan
mavzulari potok
asosidagi multiservis
'aliyyil a'ziym
billahil 'aliyyil
illaa billahil
quvvata illaa
falah' deganida
Kompyuter savodxonligi
bo’yicha mustaqil
'alal falah'
Hayya 'alal
'alas soloh
Hayya 'alas
mavsum boyicha

yuklab olish