Chapter 10 Authentication

validating the identity of a user
must be easy, non-intrusive, quick and accurate, else users won't accept it
false positive: an impostor is erroneously validated
false negative: a legitimate user is erroneously rejected

Basic factors:
something you know: e.g. password
something you have: e.g. physical ID
something you are: e.g. biometric
Implicit factors: where you are (physical or logical location)
Multiple factors: two-factor authentication combines two of the above, e.g. ID & password (e.g. ATM)

Passwords: a previously communicated shared secret
reusable passwords: the most widely used authentication; simple to use & implement. Needs to be easy to remember but hard to guess.
cracking: trying all combinations (brute force) or a dictionary attack
snooping: sniffing the password off the network
one-time passwords: a HW device synchronized with the server generates a fresh password for each use
challenge-response password: the server issues a challenge and the client answers it, either with the answer to a question or with a cryptographic computation over the challenge

Biometrics: fingerprint, retina, iris, face, etc.

Direct attacks: guessing & cracking
Indirect attacks: snooping, capture & replay, session hijacking.
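Added example (not from the original notes): a counter-synchronized one-time password (HOTP-style, as the HW token above) and a cryptographic challenge-response, with a replay of a sniffed OTP and a sniffed response showing why both defeat the capture & replay attack listed above. The shared secret is a constructed demo value.

```python
import hashlib
import hmac
import secrets

SHARED_SECRET = b"demo-shared-secret-not-for-real-use"  # constructed; provisioned at enrollment in practice

def otp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style one-time password (RFC 4226): HMAC-SHA1 over a counter both sides keep in sync."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpServer:
    """Accepts each counter value at most once, so a sniffed code is useless afterwards."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0                # counter: next value expected from the token

    def login(self, code: str) -> bool:
        if hmac.compare_digest(code, otp(self.secret, self.counter)):
            self.counter += 1                                # never accept this counter again
            return True
        return False

def respond(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, hashlib.sha256).digest()  # client proves the secret without sending it

class CrServer:
    """Each challenge is fresh and answerable once, so a captured response cannot be replayed."""
    def __init__(self, secret: bytes):
        self.secret, self.challenge = secret, None

    def new_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(16)             # unpredictable per attempt
        return self.challenge

    def verify(self, response: bytes) -> bool:
        challenge, self.challenge = self.challenge, None     # consume the challenge
        if challenge is None:
            return False
        return hmac.compare_digest(response, respond(self.secret, challenge))

def replay_demo() -> dict:
    """A sniffer captures one OTP and one challenge response, then replays both later."""
    otp_srv, cr_srv = OtpServer(SHARED_SECRET), CrServer(SHARED_SECRET)
    seen_code, seen_resp = otp(SHARED_SECRET, 0), respond(SHARED_SECRET, cr_srv.new_challenge())
    first = (otp_srv.login(seen_code), cr_srv.verify(seen_resp))   # legitimate login: both accepted
    cr_srv.new_challenge()                                          # attacker's attempt gets a fresh challenge
    replay = (otp_srv.login(seen_code), cr_srv.verify(seen_resp))  # replays: both rejected
    return {"first": first, "replay": replay}
```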