
Authentication is the process of verifying the identity of users who request access to a system, network, or device. Access control commonly establishes a user's identity through credentials such as a username and password. Other authentication technologies, such as biometrics and authenticator applications, are also used to verify the user's identity.

A user agent (such as a web browser or another system) can use Basic Authentication to send a username and password along with a request. While using Basic Authentication, the user agent includes an encoded string in the Authorization header of every request it makes. The recipient of the request decodes that string to confirm the user's identity and their authorization to access the resource.
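As an added illustration (not code from the original notes), the following Python shows both sides of Basic Authentication: the client builds the `Authorization` header from `username:password`, and the server decodes it and checks it against a credential store. The user `alice`, her password and the fixed salt are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store: passwords are never kept in clear text. Each entry
# holds a salt and a PBKDF2-HMAC-SHA256 hash of the password. A real system draws a
# random salt per user; a fixed one is used here only so the example is deterministic.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = b"constructed-fixed-salt-for-demo"
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}
_DUMMY_HASH = bytes(32)   # same length as a real hash, so unknown users cost the same time


def build_basic_header(username: str, password: str) -> str:
    """Client side: 'Basic ' + base64(username:password). Note that base64 is an
    encoding, not encryption; the header must travel over TLS."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Decode an Authorization header; return (username, password) or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")   # the password itself may contain ':'
    if not sep:
        return None
    return username, password


def authenticate(header: str) -> bool:
    """Server side: re-hash the submitted password and compare in constant time."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    username, password = parsed
    salt, expected = USERS.get(username, (_SALT, _DUMMY_HASH))
    # hmac.compare_digest does not leak, through timing, how many bytes matched
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    return ok and username in USERS
```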

Username: A username is a name that uniquely identifies a user on a computer system.
Password: A password is a string of characters used to authenticate a user on a computer system.

For example, you may have an account on your computer that requires you to log in. To access your account, you must provide a valid username and password. This combination is usually referred to as a login. While usernames are generally public information, passwords are private to each user.

There are 4 types of access control:


Discretionary Access Control (DAC)
A discretionary access control (DAC) system allows the business owner to decide which people have access to a particular location. At each access control point, a list of authorised users is maintained. Every time a keycard is scanned, a PIN is entered, or a fingerprint is read, the system checks the credential against that list and, depending on the previously specified permissions, either grants or denies access.
Compared with other forms of access control, DAC systems are considered the most flexible and provide the broadest set of permissions. That flexibility also brings the lowest level of security, especially compared with the other models: the system is entirely under the control of one person, who may grant access to someone who should not have it. Discretionary access control works best for businesses that demand the greatest flexibility and usability.

Mandatory Access Control (MAC)

Mandatory access control (MAC) systems, on the other hand, are the most secure kind of access control. Only owners and custodians can use these systems. The system administrator predetermines all access control settings, and they cannot be altered or removed without that administrator's consent. Whereas DAC systems keep an access list at each individual entry point, a MAC system works by identifying every user and granting them access to areas according to how the system has been programmed. If you have 150 employees, you will need to set up 150 sets of user rights in the system.
Mandatory access control systems are the most stringent and secure access control measures, but they are also the most rigid. To adjust permissions, the administrator must modify not only the security lists at the entry point but also the specific user's access. Companies and government organisations that need the highest levels of security frequently use MAC systems.

Role-Based Access Control (RBAC)

Role-based access control (RBAC) is quickly becoming the most common kind of access control. An RBAC system works by granting permissions to a particular job title rather than to specific people, as a MAC system does. This reduces the time needed to set up or modify user access. If there are twenty salespeople, two managers, and three accountants, for instance, you would not need to set up 25 separate security profiles in the system; only three would be needed, one for each job title. When an employee is promoted, all they need are the credentials for the new position, and they are ready to go.

Rule-Based Access Control

Rule-based access control, not to be confused with the other "RBAC", is frequently used in addition to the other types of access control. On top of the access control type you select, rule-based access control can modify permissions according to a particular set of rules established by the administrator.
If your company closes at 5, nobody, not even managers, needs access to the main office after that time. Under rule-based access control you can set a rule that prevents anyone from accessing the system from 5 p.m. until 9 a.m. the following morning. Rules exist for almost every situation.
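The RBAC and rule-based models above, as an added example (not code from the original notes): the 25 employees map onto three role profiles, promotion is a one-line change of role, and a business-hours rule is layered on top so that it can only restrict what a role already allows. The permission names, user names and role table are constructed for the example.

```python
from datetime import datetime, time

# Constructed role table: one profile per job title, not one per person.
ROLE_PERMISSIONS = {
    "salesperson": {"crm:read", "crm:write"},
    "manager":     {"crm:read", "crm:write", "crm:approve", "reports:read"},
    "accountant":  {"ledger:read", "ledger:write", "reports:read"},
}

# Twenty salespeople, two managers and three accountants: 25 users, 3 roles.
USER_ROLES = {f"sales{i:02d}": "salesperson" for i in range(1, 21)}
USER_ROLES.update({"mgr01": "manager", "mgr02": "manager",
                   "acct01": "accountant", "acct02": "accountant", "acct03": "accountant"})


def has_role_permission(user: str, permission: str) -> bool:
    """RBAC decision: look up the user's role, then the role's permission set."""
    role = USER_ROLES.get(user)
    return role is not None and permission in ROLE_PERMISSIONS.get(role, set())


# Rule-based layer: the office closes at 17:00 and reopens at 09:00. The rule
# applies to everyone, managers included, exactly as the text describes.
OPEN, CLOSE = time(9, 0), time(17, 0)


def within_business_hours(when: datetime) -> bool:
    return OPEN <= when.time() < CLOSE


def authorize(user: str, permission: str, when_iso: str) -> tuple:
    """Combined decision for a request made at `when_iso` (ISO-8601 local time).
    The rule layer never grants anything the role did not already allow."""
    if not has_role_permission(user, permission):
        return False, "denied: role lacks permission"
    if not within_business_hours(datetime.fromisoformat(when_iso)):
        return False, "denied: outside business hours rule"
    return True, "allowed"


def promote(user: str, new_role: str) -> None:
    """Promotion changes a single mapping; no per-user permission edits are needed."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {new_role!r}")
    USER_ROLES[user] = new_role
```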

The importance of user authentication

User authentication is a technique to prevent unauthorised users from accessing sensitive data. For instance, User A can only see information that is relevant to them and cannot view User B's sensitive information.
When user authentication is not secure, cybercriminals can enter a system and steal data. The data breaches suffered by Yahoo, Equifax, and firms such as Adobe are examples of what happens when corporations do not secure user authentication.
Between 2012 and 2016, hackers were able to enter Yahoo user accounts and take private emails, contacts, and calendars. More than 147 million people's credit card information was compromised in the 2017 Equifax data breach. Any firm can be at risk if there is no secure authentication procedure in place.

Five Common Types of Authentication

Cybercriminals are constantly refining their attacks, so security teams face many difficulties with authentication. Because of this, businesses are beginning to build more complex incident response strategies that incorporate authentication. The list that follows examines several popular authentication techniques for securing contemporary systems.

1. Password-based authentication

Passwords are the most widely used form of authentication. A password can be any combination of letters, numbers, and special characters. To protect yourself, make sure your passwords are strong and incorporate a variety of characters.
However, phishing attacks and poor password hygiene can undermine their usefulness. Only 54% of users use unique passwords across all of their accounts, despite the fact that the average person has roughly 25 different online accounts.

There are simply too many passwords to remember, so many individuals favour convenience over security. Because they are easier to remember, most people opt for simple passwords rather than secure ones.

2. Multi-factor authentication
Multi-factor authentication (MFA) is an authentication technique that requires two or more distinct methods of user identification. Examples include codes generated on the user's smartphone, Captcha puzzles, fingerprints, voice biometrics, and facial recognition. MFA methods and technologies increase users' trust because they add several layers of protection. MFA has its own drawbacks, even though it may be a solid barrier against the majority of account takeovers. People can misplace their SIM cards or phones, leaving them unable to generate an authentication code.

Additional factors can also be used. Authentication factors fall into three categories:
• Something you know, for example a password
• Something you have, for example a smartphone
• Something you are, for example biometric authentication

“Something you know”

To use this authentication factor, a user must demonstrate knowledge of a secret. This usually means the user and the Identity and Access Management (IAM) system share a password or Personal Identification Number (PIN).
The system requires the user to supply that shared secret in order to satisfy this factor.

“Something you have”

Here the user must demonstrate possession of an item, such as a smartphone, smart card, or mailbox. The system challenges the user to prove they hold the required authentication factor. For instance, it can text the user's smartphone a Time-based One-Time Password (TOTP), or it can email a one-time code.

“Something you are”

This authentication factor is based on a characteristic that is inherent to and unique to the user (the inherence factor). Typically this is a biometric trait such as a voiceprint or fingerprint. Facial recognition is another example in this category.

3. Certificate-based authentication
Certificate-based authentication solutions use digital certificates to identify individuals, machines, or devices. A digital certificate is an electronic document modelled on a passport or driver's licence.
The certificate contains the user's digital identity, which includes a public key, together with a certification authority's digital signature. Digital certificates, which can only be issued by a certification authority, demonstrate ownership of a public key.
When logging in to a server, users present their digital certificates. The server checks that the issuing certificate authority is trusted and that the digital signature is valid. The server then uses cryptography to verify that the user possesses the private key that corresponds to the certificate.

4. Biometric authentication
Biometric authentication is a security procedure that uses an individual's distinctive biological traits as the basis for identification. Key benefits of biometric authentication technologies include the following:
• Comparing a person's biological traits with approved features stored in a database is simple.
• Biometrics can be incorporated into a multi-factor authentication procedure, and physical access can be managed by installing biometric authentication on gates and doors.
Consumers, governments, and commercial companies employ biometric authentication systems at airports, military installations, and international crossings. The technology is being used more frequently because it can deliver a high level of security without irritating users. These are typical biometric authentication techniques:
Facial recognition: matches the many facial features of the person requesting access against an authorised face kept in a database. Face recognition can be unreliable when comparing faces from different angles or when comparing people who look alike, such as close relatives. Spoofing is prevented by facial liveness detection, such as ID R&D's passive facial liveness.

Fingerprint scanners: compare the distinctive fingerprint patterns of different people. Some modern fingerprint scanners can even evaluate the vascular patterns in people's fingertips. Despite their many errors, fingerprint scanners are currently the most widely used biometric technology among ordinary consumers, largely because of the popularity of iPhones.

Speaker recognition: also referred to as voice biometrics, examines a speaker's speech patterns to see whether particular shapes or tones are formed. Much like a password, a voice-protected device typically uses standardised phrases to identify users.
Eye scanners: include equipment for iris and retinal recognition. Iris scanners shine a bright light into the eye and scan the coloured ring surrounding the pupil for distinctive patterns, which are then compared with authorised data kept in a database. Wearing spectacles or contact lenses can cause errors in eye-based authentication.

5. Token-based authentication

With token-based authentication, users enter their credentials only once and receive a unique encrypted string of random characters in return. When accessing protected systems, you can present the token rather than repeatedly entering your credentials. The digital token demonstrates that you have already been granted access. RESTful APIs used by various frameworks and clients are a typical use case for token-based authentication.
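The token flow described above, as an added example (not code from the original notes). The token here is signed with HMAC-SHA256 rather than encrypted, so the server can detect tampering and expiry without storing session state; the signing key, the 15-minute lifetime and the user name are constructed for the example, and the credential check that precedes `issue_token` is assumed to have already happened.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side signing key; a real service loads it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 900


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(body: str) -> str:
    return b64url_encode(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(user: str, now=None) -> str:
    """Called once, after the user's credentials have been verified: the payload
    records who the user is and when the token stops being valid."""
    now = time.time() if now is None else now
    payload = {"sub": user, "exp": int(now) + TOKEN_TTL_SECONDS, "nonce": secrets.token_hex(8)}
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    return f"{body}.{sign(body)}"


def verify_token(token: str, now=None):
    """On every later request: check the signature before trusting anything in the
    body, then check expiry. Returns the user name, or None if the token is forged,
    altered or expired."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sign(body), sig):
        return None
    try:
        payload = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")
```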

Passwordless Authentication

Passwordless authentication, as the name implies, is an authentication method that does not use a password. Password fatigue, the effort a user must spend remembering a strong password and keeping it secret, is the main driver behind this sort of authentication.
Phishing attacks are rendered useless when users no longer have a password to remember.
Any authentication factor based on what you have or who you are can be used to perform passwordless authentication. For instance, you could use facial recognition technology, or email the user a code so that they can access a service or programme.

Authentication at Auth0
Since Auth0 provides identity management services, authentication is the foundation of all of our offerings. Every month, Auth0 handles 2.5 billion authentication requests to help businesses of all sizes secure their infrastructure. Every single person at Auth0 is involved in some way in making authentication procedures safer and simpler to apply.

Targeted Cyber Attacks

Phishing
A phishing attack occurs when a hostile actor sends emails that appear to come from reliable, trustworthy sources in an effort to trick the target into divulging sensitive information. Phishing attacks, which combine social engineering and technology, get their name from the fact that the attacker is essentially "fishing" for access to a restricted area using the "bait" of an apparently reliable sender.

To carry out the attack, the malicious party may send a link that directs you to a website where you are then tricked into downloading malware such as viruses or handing your personal data to the attacker. Often the victim is unaware that they have been compromised, which gives the attacker the opportunity to target other members of the same group without raising suspicion.

Email Phishing
Email is the primary channel for phishing attempts. The fraudster registers a bogus domain that impersonates a legitimate business and sends out thousands of boilerplate requests.

The fake domain frequently relies on character substitution, such as placing the letters "r" and "n" next to each other so that "rn" is read as the letter "m".

In other instances, the scammers create a dedicated domain that includes the name of the real company in the URL.
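A defender-side check for the two impersonation tricks just described, added here as an example (not from the original notes): sender domains are reduced to a "skeleton" of what the eye perceives, so `exarnple.com` folds to the same skeleton as `example.com`, and a domain that merely embeds the brand name is flagged separately. The legitimate domains, the brand name and the confusable pairs are constructed for the example.

```python
import re
import unicodedata

# Constructed: the domains this organisation actually sends mail from, and its brand.
LEGITIMATE = {"example.com", "mail.example.com"}
BRANDS = {"example"}

# Character sequences that read as another character; each pair is (seen, meant).
# Folding is deliberately lossy (e.g. "modern" also folds to "modem"): it is a
# triage heuristic for mail filtering and analyst review, not a proof of fraud.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Normalise a domain to what a reader perceives: lower-case, strip accents and
    non-ASCII, drop dots and hyphens, then fold the confusable sequences."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    folded = re.sub(r"[.-]", "", folded)
    for seen, meant in CONFUSABLES:
        folded = folded.replace(seen, meant)
    return folded


def classify_sender_domain(domain: str) -> str:
    """'legitimate' for an exact match, 'lookalike' when only the skeleton matches,
    'brand-in-domain' when the brand name is embedded in an unknown domain,
    'unrelated' otherwise."""
    domain = domain.strip().lower().rstrip(".")
    if domain in LEGITIMATE:
        return "legitimate"
    sk = skeleton(domain)
    if any(sk == skeleton(good) for good in LEGITIMATE):
        return "lookalike"
    if any(brand in sk for brand in BRANDS):
        return "brand-in-domain"
    return "unrelated"
```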
Spear phishing
There are two other, more targeted phishing email schemes.

The first, spear phishing, refers to malicious emails delivered to a specific individual. Criminals who do this will already hold some or all of the following information about the victim:

• their name;
• their place of employment;
• their job title;
• their email address;
• details of their job role.

Whaling
Whaling attacks are even more targeted and aim at senior executives. Whaling attacks have the same end result as other phishing attacks, but their method is typically far more subtle.
Tricks such as malicious URLs and fake links are of little use here, because the criminals are posing as senior officials.
Another common pretext in whaling emails is that the CEO is busy and needs the employee to do them a favour.

Smishing and vishing

With smishing and vishing, phone calls and text messages take the place of emails.
Vishing involves a phone call, while smishing involves criminals sending text messages (whose content is quite similar to that of email phishing).
Messages purporting to come from your bank and warning you of unusual activity are among the most common smishing pretexts.

Angler phishing
Social media, a relatively new attack vector, offers criminals a number of opportunities to deceive people. People can be tricked into disclosing private information or downloading malware via fake URLs, cloned websites, posts and tweets, and instant messaging (which is effectively the same as smishing). Alternatively, criminals can craft highly targeted attacks using the information that individuals willingly post on social media.

Malware
Malware, or malicious software, is any programme or file that purposefully harms a computer, network, or server.

Computer viruses, worms, Trojan horses, ransomware, and spyware are examples of malware types. These dangerous programmes steal, encrypt, and erase private information; they also alter or hijack critical computer functions and track end users' online behaviour.

Malware comes in a variety of forms, each with its own distinctive features. The main varieties are:

Virus: the most prevalent kind of malware; it can run on its own and spreads by infecting other files or programmes.

Worm: can replicate itself without the aid of a host programme and often spreads without the involvement of the malware's creators.

Trojan horse: is made to look like a trustworthy software package in order to gain access to a system. Once installed and triggered, a Trojan can carry out its malicious tasks.

Spyware: gathers data on the user's activity and on the device without the user's awareness.

Ransomware: infects a user's computer and encrypts their data. The victim is then required to pay a ransom to the cybercriminals to have the data on the system decrypted.

Rootkit: gains system administrator access on the victim's computer. Once installed, the programme grants threat actors root or privileged access to the system.

Backdoor virus or remote access Trojan (RAT): covertly builds a backdoor into an infected computer system, allowing threat actors to access it remotely without alerting the user or the security software on the machine.

Adware: records a user's download and browsing history in order to display pop-up or banner ads that persuade the user to buy something. To better target advertising, an advertiser can, for instance, use cookies to track which websites a user visits.

Keyloggers: sometimes known as system monitors, keep tabs on practically all computer usage, including emails, opened websites, applications, and keystrokes.

Authentication mechanisms implemented to overcome basic authentication in times of cyber attacks

1) https://docs.oracle.com/cd/E19424-01/820-4811/gdzeq/index.html
2) https://auth0.com/blog/different-ways-to-implement-multifactor/
3) https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/set-up-certificate-based-authentication-across-forest-without-trust
4)

Conclusion
