Passwords & Authentication | IGCSE Information and Communication Technology Preparation - Year 11 PDF Download

Passwords

• Passwords serve as a commonly used security measure, usually linked with a username or email address. They are prevalent in various online platforms like banking websites, virtual learning environments, and email accounts.
• This security method is frequently encountered when interacting with online banking services, virtual learning platforms, email services, and more.
• There exist several strategies to bolster password security. It is advisable to periodically change passwords to mitigate risks associated with unauthorized access. Creating complex passwords comprising a mix of uppercase letters, lowercase letters, numbers, and symbols significantly enhances security. For instance, while "iloveict" is deemed a weak password, "1lov3ICT#" is considered strong.
• It is crucial to avoid incorporating personal information such as birth dates, names, or pet names in passwords. Regularly running anti-spyware software can help prevent unauthorized parties from intercepting sensitive data, including passwords.

Password Security Best Practices

• It is crucial to change your password on a regular basis, especially if there is a possibility that it has been compromised either accidentally or through illicit means.
• For enhanced security, ensure that your password comprises a mix of uppercase letters, lowercase letters, numbers, and symbols. This combination makes it significantly more challenging for unauthorized individuals to guess your password.
• Example: - "iloveict" is considered a weak password due to its simplicity and lack of complexity. - On the other hand, "1lov3ICT#" is a strong password as it incorporates uppercase, lowercase, numbers, and symbols.
• Avoid including personal information such as your date of birth, name, or the name of your pet in your passwords. This information is easily guessable and compromises the security of your accounts.

Additional Security Measures

• Regularly run anti-spyware software to safeguard your information, including passwords, from being illicitly accessed by third parties.
• Example: Utilizing anti-spyware tools ensures that your sensitive data remains protected and prevents unauthorized users from intercepting your confidential information.

Authentication

• Alternative Authentication Methods: In addition to traditional password-based authentication, there exist innovative methods such as "zero login." This concept aims to minimize manual user input by automatically verifying user credentials. Biometric authentication is one such alternative method.
• Zero Login Concept: Zero login eliminates or reduces the need for users to manually enter their details. Instead, it relies on systems to authenticate users automatically. This can involve various factors like networks, location, device data, and behavioral patterns for user recognition.
• Biometric Authentication: Biometric authentication uses unique physical traits like fingerprints or facial features to verify a user's identity. By scanning these biometric details, systems can authenticate users securely and efficiently.
• New Approaches to Zero Login Authentication: Modern zero login methods extend beyond biometrics and may include network information, location data, device specifics, and human behavior patterns for automatic user recognition. While these approaches offer convenience, they raise concerns about data security and accuracy.
• Considerations with Automatic Authentication: When implementing automatic authentication methods, it is crucial to address certain concerns. These include understanding the types of personal data collected, ensuring the secure storage of this data, and verifying that the system logs in and out accurately to maintain security.
  • Understanding Personal Data Collection: When we talk about personal data collection, we refer to the information that is gathered from individuals. This could include details like names, addresses, contact information, and more. It's crucial to know what specific data is being collected to ensure privacy and security.
  • Ensuring Data Security: One critical aspect of data collection is to ensure that the collected data is kept securely. This means implementing measures to protect the information from unauthorized access, use, or disclosure. It involves using encryption, access controls, and other security protocols.
  • Timely Login and Logout: It's essential for systems to accurately log users in and out at the correct times. This helps in tracking user activities, managing access rights, and maintaining security protocols. Timely login and logout procedures are integral to ensuring system integrity.

Magnetic Stripe Cards

• Understanding Magnetic Stripe Cards: Magnetic stripe cards are physical cards that store user data on a magnetic strip typically located on the back of the card. These cards are commonly used for various purposes like access control, payments, and identification.
• Authentication Process: When a user scans a magnetic stripe card, the data on the card is compared with the information stored in the system. If there's a match, the user is authenticated and granted access. This process ensures that only authorized users can use the system or facility.
• Advantages of Magnetic Stripe Cards: Using magnetic stripe cards comes with several advantages. They are widely accepted, cost-effective, easy to use, and versatile. A single card can serve multiple functions within an organization, making them a convenient choice for various applications.

Advantages of Magnetic Stripe Cards

• Widely used and accepted
• Cheap
• Simple to use
• A single card can serve multiple purposes within an organisation such as doors, purchasing food from canteens and accessing IT equipment

Disadvantages of Magnetic Stripe Cards

• Some cards use a holographic or photographic ID to detect forged or stolen copies
• The card may need to be scanned multiple times before the user is accepted and authenticated
• The cards can become damaged or wear out over time (especially with constant use)
• Cards can be easily cloned

Smart Cards

• Chip-Based Technology: Smart Cards contain an embedded microchip that stores and processes data. This chip enables various functionalities and enhances security compared to traditional magnetic stripe cards.
• Contactless Usage: Smart Cards support contactless transactions, eliminating the need to insert or swipe the card through a machine. They can be detected from a short distance away using radio frequency identification (RFID) or near-field communication (NFC) technology.
• Storage of Personal Information: Smart Cards can store personal identification information such as name, address, date of birth, and banking details. This information can be securely accessed when needed for authentication or transaction purposes.
• Encryption for Data Security: The information stored on Smart Cards is encrypted, ensuring that it can only be accessed and read by authorized devices. This encryption provides a high level of security and prevents unauthorized access or tampering with the data.
• Personal Identification Number (PIN): Smart Cards often require a Personal Identification Number (PIN) to access the stored information or perform transactions. The PIN adds an additional layer of security, ensuring that only authorized users can use the card and access its functionalities.

Advantages of Smart Cards

• Durable: Smart cards are built to withstand wear and tear, ensuring longevity.
• Wide Range of Applications: For instance, smart cards can be utilized for making secure payments at retail stores, granting access to restricted areas in a company, and storing sensitive personal information like medical records.
• Enhanced Security: Smart cards employ advanced encryption techniques to protect data, reducing the risk of unauthorized access or fraud.

Disadvantages of Smart Cards

• Risk of Loss: If a smart card is misplaced or stolen, there is a possibility of unauthorized individuals gaining access to the information stored on it.
• Initial Infrastructure Requirements: Implementing smart card systems may require initial setup costs for the necessary infrastructure, including card readers and software.
• Higher Cost Compared to Traditional Cards: Smart cards can be more expensive to produce and distribute than conventional plastic cards, impacting the overall cost for businesses and consumers.

Physical Tokens

• A Physical Token for Secure Authentication: A physical token is a small physical device used for authentication. It adds an extra layer of security by requiring the user to enter a security code generated by the token along with their username and password.
• Usage of Physical Tokens: Physical tokens can be directly connected to the device being accessed or can generate a one-time password (OTP) to be manually entered into the system. This OTP is typically created by the device after the user enters their PIN and any additional authentication details.
• Generation of One-Time Passwords: When a user needs an OTP, they input their PIN and other requirements into the physical token. If all criteria are met, the token uses its internal clock to produce the OTP, which is displayed briefly on its screen. These passwords change frequently for enhanced security and are valid for a short duration, usually around one minute.

Advantages of Physical Tokens

• Offline Authentication: Physical tokens provide a method of authentication that does not require an internet connection or online verification. This allows for authentication even in environments where internet connectivity is limited or unavailable, enhancing reliability and accessibility.
• Portable: Physical tokens are typically small and lightweight, making them highly portable. Users can easily carry them in pockets, wallets, or keychains, allowing for convenient access to authentication or authorization capabilities wherever they go. This portability enhances flexibility and usability for users who need to access secured systems or resources from different locations.

Disadvantages of Physical Tokens

• Cost: Refers to the expenses associated with acquiring and maintaining physical tokens.
• Loss or Theft of the Physical Token: When the physical token is misplaced or stolen, security risks arise.
• Physical Dependence: Users rely on having the physical token with them for authentication.

There are two main types of physical tokens:

• Disconnected Physical Token: Disconnected physical tokens require a separate device to generate a one-time password (OTP) which is then manually entered by the user for authentication purposes. This method enhances security by adding an extra layer of verification.
• Connected Physical Token: Connected physical token is a device that generates a one-time password (OTP) and sends it to the system automatically via a physical connection. This method eliminates the need for users to manually input the password.

Electronic tokens

• Electronic Tokens are a type of software that users install on their devices, typically smartphones, to verify their identity and access secure websites.
• Users need to download and set up the electronic token software app before they can enter secure websites.
• During the authentication process on a website, users open the app to receive a one-time passcode (OTP), which they input along with other credentials like a username and PIN.
• Both the web server and the app on the smartphone have synchronized clocks to generate matching numbers. If the authentication details align, users gain access to the website.

Authentication Methods Using Electronic Tokens

• One method involves users entering their username and password on the website. After successful login, a code is generated. This code is then input into the app on the user's phone to produce another code. The final code from the app is entered on the website for access.
• It's important to note that these methods ensure secure access to websites while simplifying the authentication process for users.
• Authentication Process:
  • The user is first prompted to enter their username and password on the website.
  • Upon successful input, the website generates a code for the user.
  • This code is then entered into the application software on the user's phone, which in turn generates another code.
  • The final code from the application software is entered back into the website.
  • If all authentication steps are completed successfully, the user gains access to the website.