Authentication Methods & Password Protection
Authentication methods are crucial for securing access to systems, applications, and data. They help ensure that only authorized users can access resources. Below is a breakdown of common authentication methods:
1. Password-Based Authentication
Description: The user provides a password, typically a secret combination of letters, numbers, and symbols, which is checked against a stored value.
Pros: Simple, widely used, and familiar.
Cons: Vulnerable to attacks like brute force, dictionary attacks, and phishing. Security depends on the strength of the password and how well it is protected.
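Added example, not part of the original notes: the "stored value" a password is checked against should never be the password itself. The code below shows the usual defensive pattern in Python's standard library, a salted, slow key derivation (PBKDF2-HMAC-SHA256 here; the iteration count, salt size and record layout are constructed choices for this example) stored as a self-describing record, and a constant-time comparison on verification so a leaked database or a timing side channel does not hand an attacker the password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work-factor parameters (constructed values for this example). PBKDF2 is used
# because it ships with the standard library; a memory-hard KDF such as
# Argon2id or scrypt is preferable where a library for it is available.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a stored verifier from a password.

    A fresh random salt is generated unless one is supplied (tests pass a
    fixed salt), so two users with the same password get different records
    and precomputed tables are useless. The record is self-describing
    (algorithm$iterations$salt_hex$digest_hex), which lets the work factor
    be raised later without invalidating old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record.

    The digest is recomputed with the stored salt and iteration count and
    compared with hmac.compare_digest so that timing does not leak how many
    leading bytes matched. A malformed record is treated as a failed check.
    """
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("Tr0ub4dor&3", stored))                   # False
```

Because the salt and iteration count travel with the record, an operator can raise ITERATIONS for new records and re-hash old ones on the user's next successful login, which is how the "how well it is protected" part of the trade-off above is kept current over time.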
2. Multi-Factor Authentication (MFA)
MFA requires more than one method of authentication to verify the identity of the user. It combines two or more of the following types:
a. Something You Know (Knowledge-Based Authentication)
Description: This is typically a secret, such as a password or PIN, that the user knows.
Example: A password, a PIN, or an answer to a security question.
Pros: Easy to implement, widely recognized.
Cons: Vulnerable to attacks like phishing, social engineering, or keylogging.
Authentication Mechanisms
Azure Active Directory (Azure AD) provides several mechanisms to secure password-based authentication and enhance the overall security of user accounts. Below are key components that Azure AD uses to protect password-based authentication:
1. Banned Password Lists
Description: Azure AD maintains a banned password list that includes a set of commonly used, easily guessed, or vulnerable passwords. These are passwords that are considered weak and insecure.
Purpose: The goal is to prevent users from choosing passwords that are easy to guess (e.g., "password123", "qwerty", "admin", etc.), reducing the risk of brute force and dictionary attacks.
2. Custom Account Lockout Policies
Description: Custom account lockout policies are designed to protect against brute force attacks by limiting the number of failed login attempts before the account is locked.
Key Configuration Options:
Lockout Threshold: Specifies the number of failed login attempts allowed before the account is locked.
Lockout Duration: Determines how long the account remains locked after reaching the threshold.
Observation Window: Defines the period during which failed attempts are counted.
Purpose: These policies make brute force attacks more difficult and time-consuming, reducing the likelihood of unauthorized access through repeated guesswork.
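The three settings above interact, so as an added example (not from the original notes, and not Azure AD's implementation) here is a small lockout tracker that applies a threshold, a lockout duration and an observation window to a stream of login attempts. Time is passed in explicitly as a number of seconds so the behaviour is deterministic; the policy values are constructed sample settings.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict


@dataclass
class LockoutPolicy:
    threshold: int = 5          # failed attempts allowed before lockout
    lockout_seconds: int = 60   # how long the account stays locked
    window_seconds: int = 120   # period during which failures are counted


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                               # 0.0 means not locked


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True if the account is now locked."""
        st = self._state(user)
        if now < st.locked_until:
            return True
        # Failures older than the observation window no longer count.
        while st.failures and now - st.failures[0] > self.policy.window_seconds:
            st.failures.popleft()
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A successful password check during lockout is still rejected; otherwise the counter resets."""
        st = self._state(user)
        if now < st.locked_until:
            return False
        st.failures.clear()
        return True


def attempt_login(tracker: LockoutTracker, user: str, password_ok: bool, now: float) -> str:
    """Return 'locked', 'failed' or 'ok'. The lock is checked before the password
    so a locked account cannot be probed and no work is spent on its behalf."""
    if tracker.is_locked(user, now):
        return "locked"
    if password_ok:
        tracker.record_success(user, now)
        return "ok"
    return "locked" if tracker.record_failure(user, now) else "failed"


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy(threshold=3, lockout_seconds=60, window_seconds=120))
    for t, ok in [(0, False), (1, False), (2, False), (30, True), (62, True)]:
        print(t, attempt_login(tracker, "alice", ok, float(t)))
```

Two things the example makes visible that the bullet list does not: a correct password presented during the lockout is still refused (otherwise the lockout is only cosmetic), and the observation window bounds how long a slow guessing campaign can accumulate failures. The duration is a trade-off, since a long lockout also lets anyone who knows a username deny that user access; keeping the policy in one place makes that setting easy to tune and to log when it fires.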
3. Custom Weak Password Lists
Description: In addition to the banned password list, Azure AD allows organizations to create their own custom weak password lists. This enables companies to specify particular passwords that are weak or too commonly used, making them unsuitable for secure accounts.
Customization: Organizations can tailor the list according to the specific context of their business or their users. For instance, they might add terms related to company names, product names, or other easily guessable combinations that could be used by attackers.
Purpose: By creating a custom weak password list, organizations can ensure that passwords are not only strong in general terms but also hard to guess from knowledge of the organization itself.
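To show how a global banned list and a custom organizational list are applied together, here is an added example (not from the original notes, and a simplified model rather than Microsoft's code). It normalizes the candidate password (lower-casing and undoing a few common character substitutions), finds banned terms from both lists, and scores the result with the rule Azure AD Password Protection documents: each banned term found counts as one point, each remaining character one point, and a password needs at least five points to be accepted. The fuzzy (edit-distance) matching the real service also performs is omitted, and the list contents are constructed samples.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample lists. The first stands in for the global banned list the
# service maintains; the second is what an organization would add (company and
# product names and similar easily guessed terms).
GLOBAL_BANNED = {"password", "qwerty", "admin", "letmein", "welcome", "iloveyou"}
CUSTOM_BANNED = {"contoso", "fabrikam", "tailwind"}

MIN_SCORE = 5

# Common substitutions undone before matching, so "P@$$w0rd" is seen as "password".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})


def normalize(password: str) -> str:
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned: Iterable[str]) -> Tuple[int, List[str]]:
    """Return (points, matched_terms) for a password against a set of banned terms.

    Terms are tried longest-first so "password" wins over a shorter term at the
    same position; every match is worth one point and every leftover character
    one point.
    """
    terms = sorted({t.lower() for t in banned if t}, key=len, reverse=True)
    norm = normalize(password)
    if not terms:
        return len(norm), []
    pattern = re.compile("|".join(re.escape(t) for t in terms))
    matched = pattern.findall(norm)
    remaining = pattern.sub("", norm)
    return len(matched) + len(remaining), matched


def evaluate(password: str, custom_banned: Iterable[str] = CUSTOM_BANNED) -> dict:
    """Apply the global list plus the organization's custom list and decide."""
    points, matched = score(password, GLOBAL_BANNED | set(custom_banned))
    return {"accepted": points >= MIN_SCORE, "points": points, "matched": matched}


if __name__ == "__main__":
    for candidate in ["P@$$w0rd", "C0ntos0Blank12", "admin123", "Tr0ub4dor&3"]:
        print(candidate, evaluate(candidate))
```

Running it shows both sides of the policy: "P@$$w0rd" normalizes to a single banned term and scores one point, while "C0ntos0Blank12" contains the custom term "contoso" yet still scores eight points because of what surrounds it. That second case is the practical caveat: a custom list stops passwords that are essentially the company name, not every password that merely contains it, so the list is a complement to length and MFA requirements, not a substitute for them.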