WEB AUTHENTICATION & AUTHORIZATION

INTRODUCTION
- The nature of today's web threats is changing: current attacks are much more covert than they were in the past.
- Despite the growing array of threats, many organizations are not taking appropriate steps to safeguard their corporate networks, applications or data.
- As the number of online services increases day by day, their usage increases at the same rate.
- Users of online services have to register separately with each application, and the overhead of remembering many ID/password pairs has led to the problem of memorability.
INTRODUCTION
- Authentication is a direct need of each and every organization, and it is becoming paramount not only because it copes with security threats but because it deals with and develops the policies, procedures and mechanisms that provide administrative, physical and logical security.
- Whenever an individual requests access to a pool of resources, to use them or update them as desired, verifying the identity of that individual is referred to as authentication.
INTRODUCTION
- In a networked environment, users are granted access to the network only when they securely provide their access information (e.g. user name & password) so that their identity can be checked and validated.
- If a person can prove who they are and also knows something that only they could know, it is reasonable to conclude that the person is who they claim to be.
AUTHENTICATION TECHNOLOGIES
- The computer industry has created an array of identification and authentication technologies:
  - userID/Passwords
  - One Time Password
  - Kerberos
  - Secure Socket Layer
  - Lightweight Directory Access Protocol
  - Security Assertion Markup Language (SAML)
  - OpenID

* The technologies are detailed in blog articles!
AUTHENTICATION ATTACKS
BRUTE FORCE ATTACK
- It is an automated process of trial and error used to guess a person's user name, password, credit card number or cryptographic key.
- Examples:
  - Usernames: John, Admin
  - Passwords: 12345, password, letmein, admin, (pet names)
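The guessing described above leaves a very recognisable trace in an authentication log: many failures for one account from one source in a short time. The following detector is an added example, not part of the slides; it runs a sliding-window count over a constructed log excerpt (the format, the usernames and the addresses are invented for the example) and also applies the slide's list of guessable passwords as a denylist at registration time.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): one burst against "admin"
# and one slow, spaced-out series against "john".
SAMPLE_LOG = """\
2024-05-01T10:00:01 login FAIL user=admin src=203.0.113.7
2024-05-01T10:00:02 login FAIL user=admin src=203.0.113.7
2024-05-01T10:00:03 login FAIL user=admin src=203.0.113.7
2024-05-01T10:00:04 login FAIL user=admin src=203.0.113.7
2024-05-01T10:00:05 login FAIL user=admin src=203.0.113.7
2024-05-01T10:00:06 login FAIL user=admin src=203.0.113.7
2024-05-01T10:00:30 login OK   user=alice src=198.51.100.2
2024-05-01T10:05:00 login FAIL user=john  src=198.51.100.9
2024-05-01T10:15:00 login FAIL user=john  src=198.51.100.9
2024-05-01T10:25:00 login FAIL user=john  src=198.51.100.9
2024-05-01T10:35:00 login FAIL user=john  src=198.51.100.9
2024-05-01T10:45:00 login FAIL user=john  src=198.51.100.9
"""

# Passwords the slide lists as typical brute-force guesses, used here as a denylist.
COMMON_PASSWORDS = {"12345", "password", "letmein", "admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "OK",
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(log_text, threshold=5, window_seconds=600):
    """Sliding-window detector: flag (user, src) pairs that accumulate `threshold`
    failed logins inside any span of `window_seconds`.
    Returns {(user, src): ISO timestamp of the failure that triggered the alert}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["ok"]:
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        # Drop failures that have fallen out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ev["ts"].isoformat()
    return alerts


def is_weak_password(password, denylist=COMMON_PASSWORDS):
    """Reject the guessable passwords the slide names, plus anything too short."""
    return password.lower() in denylist or len(password) < 8
```

With the default ten-minute window only the burst against `admin` is flagged; the attempts against `john` are spaced ten minutes apart and never accumulate. Re-running with `window_seconds=3600` catches that slow series too, which is the usual trade-off: short windows cut noise, long windows (or a per-account counter that never resets on its own) catch low-and-slow guessing.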
INSUFFICIENT AUTHENTICATION
- This type of attack occurs when a website permits an attacker to access sensitive content or functionality without having to properly authenticate. Web-based administration tools are a good example of a web site providing access to sensitive functionality.
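The defect is easiest to see side by side: an administration handler that relies on its URL being unknown, next to the same handler behind an explicit session and role check. This is an added example rather than code from the slides; the handlers, the in-memory `SESSIONS` table and the session identifiers are all constructed for illustration and stand in for whatever framework and session store a real application uses.

```python
from functools import wraps

# Constructed in-memory session table (session id -> user record); not a real framework.
SESSIONS = {
    "s-alice": {"user": "alice", "role": "user"},
    "s-root": {"user": "root", "role": "admin"},
}


def vulnerable_admin_panel(request):
    """'Before': the admin tool assumes only administrators know the path.
    Nothing here inspects who is asking, so any request for the path succeeds."""
    if request["path"] == "/admin/users":
        return 200, "all user records"
    return 404, "not found"


def require_role(role):
    """Decorator that authenticates the session and then authorizes the role.
    Returns 401 when there is no valid session and 403 when the role is wrong."""
    def decorator(handler):
        @wraps(handler)
        def wrapped(request):
            session = SESSIONS.get(request.get("session"))
            if session is None:
                return 401, "authentication required"
            if session["role"] != role:
                return 403, "forbidden"
            return handler(request, session)
        return wrapped
    return decorator


@require_role("admin")
def hardened_admin_panel(request, session):
    """'After': identical functionality, reachable only by an authenticated admin."""
    if request["path"] == "/admin/users":
        return 200, "all user records"
    return 404, "not found"
```

The check lives in a decorator rather than inside each handler so that a new administrative route cannot be added without the author choosing a role for it; an unknown or forged session identifier falls through to 401 because the lookup simply fails.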
WEAK PASSWORD RECOVERY VALIDATION
- A website is considered to have weak password recovery validation when an attacker is able to foil the recovery mechanism being used.
- Password recovery systems may be compromised through the use of brute force attacks, inherent system weaknesses or easily guessed secret questions.
WEAK PASSWORD RECOVERY VALIDATION
- Weak methods of password recovery:
  - Password hints: a password hint aids brute force attacks, since an attacker can glean information about the user's password from the hint provided.
  - Secret question and answer: a secret question like "Where were you born?" helps an attacker to limit a brute force attack on the secret answer to city names.
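What makes the secret-question scheme weak is the size of the answer space, so the stronger alternative is a recovery secret the user never has to know: a random, short-lived, single-use token sent over a channel the user controls. The code below is an added example, not from the slides; the dict passed as `store` is a constructed stand-in for a database, `now` is epoch seconds supplied by the caller so the expiry logic can be exercised without waiting, and the 20,000-city figure is an assumed order of magnitude for comparison only.

```python
import hashlib
import hmac
import math
import secrets

TOKEN_TTL_SECONDS = 15 * 60   # recovery links expire quickly
MAX_REDEEM_ATTEMPTS = 5       # wrong guesses before the token is voided


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(store, username, now):
    """Create a single-use recovery token for `username`; only its hash is stored,
    so a leaked store does not yield usable tokens. `store` is a constructed dict
    standing in for a database; `now` is epoch seconds."""
    token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
    store[username] = {
        "digest": _digest(token),
        "expires": now + TOKEN_TTL_SECONDS,
        "attempts": 0,
    }
    return token


def redeem_reset_token(store, username, token, now):
    """Return True exactly once, for the right token inside its lifetime."""
    rec = store.get(username)
    if rec is None:
        return False
    if now > rec["expires"]:
        del store[username]          # expired: discard, the user must request a new one
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_REDEEM_ATTEMPTS:
        del store[username]          # too many guesses: void the token
        return False
    if not hmac.compare_digest(rec["digest"], _digest(token)):
        return False                 # constant-time compare, no timing side channel
    del store[username]              # single use
    return True


def recovery_strength_bits(city_candidates=20000):
    """Rough search space a guesser faces: a 'birth city' answer vs a random token
    (assumed candidate count, for comparison only)."""
    return {"secret_question": math.log2(city_candidates), "random_token": 32 * 8}
```

The attempt counter is what ties this back to the brute-force slide: even though the token space is far too large to guess, capping attempts keeps the reset endpoint from becoming an oracle, and voiding the token after the cap means a correct guess arriving late is also refused.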
AUTHENTICATION TECHNIQUES AND INFRASTRUCTURES

PLUGGABLE AUTHENTICATION MODULES (PAM)
- Instead of having applications handle authentication on their own, they can use the PAM API and libraries to take care of the details.
- Consistency is achieved when many applications perform the same authentication by referencing the same PAM module.
- Additionally, applications needn't be recompiled to change their authentication behavior: just edit a PAM configuration file (transparent to the application) and you're done.
SECURE SOCKETS LAYER (SSL)
- It provides cryptographically assured privacy (encryption), integrity, optional client authentication, and mandatory server authentication.
- Linux includes a popular implementation of SSL, called OpenSSL.
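"Mandatory server authentication, optional client authentication" maps directly onto the two sides of a TLS configuration, and the most common way the guarantee is lost in practice is a client that switches verification off. The snippet below is an added example using Python's standard `ssl` module (OpenSSL underneath), not code from the slides: it builds the strict client context beside the weakened one, lets a server choose among the three client-authentication modes, and audits a context the way a reviewer would. It only builds contexts; no connection is made.

```python
import ssl

_CLIENT_AUTH_MODES = {
    "none": ssl.CERT_NONE,          # no client certificate requested
    "optional": ssl.CERT_OPTIONAL,  # client cert verified if presented
    "required": ssl.CERT_REQUIRED,  # handshake fails without a valid client cert
}


def make_client_context(verify_server=True):
    """Client side. The default context already makes server authentication mandatory;
    verify_server=False reproduces the weak setting that turns it off."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_server:
        ctx.check_hostname = False      # must be cleared before verify_mode can be lowered
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_server_context(client_auth="none"):
    """Server side: client authentication is optional in TLS and chosen per deployment."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = _CLIENT_AUTH_MODES[client_auth]
    return ctx


def client_auth_mode(ctx):
    """Report which of the three client-authentication settings a server context uses."""
    for name, mode in _CLIENT_AUTH_MODES.items():
        if ctx.verify_mode == mode:
            return name
    return "unknown"


def audit_context(ctx, role):
    """Return the findings a reviewer would raise for `ctx` in the given role
    ("client" or "server"); an empty list means nothing to report."""
    findings = []
    if role == "client":
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("server certificate not verified")
        if not ctx.check_hostname:
            findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings
```

The order of the two assignments in the weak branch is deliberate: the `ssl` module refuses to lower `verify_mode` while `check_hostname` is still on, which is a useful hint that the two settings are meant to travel together.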
WEB AUTHENTICATION STANDARDS

SINGLE SIGN-ON
- Single sign-on allows a user to enter a username and password only once and have access to multiple applications and environments within a session.
- Single sign-on uses centralized authentication servers which all applications and systems use for authentication.
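The piece that makes "enter the password once" work is a ticket the central server issues after that single login and every participating application can verify without seeing the password. The following is an added example, not part of the slides or any named SSO product: the central server signs a small JSON payload (subject, permitted applications, issue and expiry times) with an HMAC key it shares with the applications, and each application verifies the signature, the lifetime and that it is a listed audience. The key, usernames and application names are constructed for the example; a real deployment provisions its own key or uses a public-key signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared key for the example only; never hard-code a real one.
SSO_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_sso_ticket(username, audiences, now, ttl=3600, key=SSO_KEY):
    """Central authentication server: called once after the user's single login.
    `now` is epoch seconds; `audiences` lists the applications the ticket is valid for."""
    payload = {"sub": username, "aud": sorted(audiences), "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_sso_ticket(ticket, app_name, now, key=SSO_KEY):
    """Called by each application. Returns the username on success, else None.
    The signature is checked before the payload is trusted for anything."""
    try:
        body, sig = ticket.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                      # forged or tampered
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return None                      # session lifetime exceeded
    if app_name not in payload["aud"]:
        return None                      # ticket not issued for this application
    return payload["sub"]
```

Two properties matter for the "within a session" wording on the slide: the ticket carries its own expiry, so an application cannot keep honouring it after the central server's session would have ended, and the audience list means compromising one low-value application does not yield a ticket usable at the others.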
OAUTH
- Open Authentication (OAuth) aims at creating an environment where information is shared securely across networks.
- Each thread, which includes devices, applications and users, is constantly authenticated and is all-pervasive.
- OAuth is a service that is complementary to, but distinct from, OpenID.
OPENID
- OpenID is a standard that simplifies signing in.
- With OpenID you only use one username and one password to log in to all websites where you have an account.
- It offers a secure way of identifying yourself on the Internet.
- Used by: Google, Flickr, Yahoo, MySpace, WordPress
