Auth basics and an exercise on username enumeration via different responses
Types of Auth
- Knowledge factor — something you know, such as a password or username; probably the easiest to simulate and the weakest
- Possession factor — a physical object like a mobile phone or a hardware token, or what we usually see as “second-factor authentication” (2FA)
- Inherence factor — personally I find this the most convenient of them all: biometrics, patterns or behaviour. Face ID and Touch ID are probably common examples
Authentication vs Authorization
This was a week that involved a lot of thinking about role-based access control (RBAC). In education and healthcare there are many examples of over-specified user roles and controls, and it is common for non-technically trained project managers to imagine that every position that currently exists should have its own corresponding digital access control.
While the mapping is familiar and ‘intuitive’, it typically makes for overly cluttered and complicated access controls in software.
For instance, intern vs teacher vs trainee teacher vs head of department vs assistant head of department — while semantically, yes, they do different things, they do not…
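To make the point above concrete, here is an added example (mine, not from the original post) that takes a "one role per job title" design and collapses it into the roles that actually need to exist by grouping positions with identical permission sets. The five positions are the ones named above; the permissions attached to each are constructed assumptions for illustration, not taken from any real school system.

```python
from collections import defaultdict

# Constructed example: the permissions a naive "one role per job title"
# design would hand out. These assignments are assumptions for illustration.
POSITION_PERMS = {
    "intern": {"view_timetable", "view_materials"},
    "trainee_teacher": {"view_timetable", "view_materials", "edit_materials"},
    "teacher": {"view_timetable", "view_materials", "edit_materials"},
    "assistant_head_of_department": {
        "view_timetable", "view_materials", "edit_materials", "approve_materials"},
    "head_of_department": {
        "view_timetable", "view_materials", "edit_materials", "approve_materials"},
}


def collapse_roles(position_perms):
    """Group positions that carry an identical permission set.

    Returns {frozenset_of_permissions: sorted list of positions}. Each key is
    one role that genuinely needs to exist; positions sharing a key differ
    only by job title, not by what they are allowed to do.
    """
    groups = defaultdict(list)
    for position, perms in position_perms.items():
        groups[frozenset(perms)].append(position)
    return {perms: sorted(positions) for perms, positions in groups.items()}


def build_role_map(position_perms):
    """Name the collapsed roles and map every position onto exactly one."""
    collapsed = collapse_roles(position_perms)
    # Stable naming: roles ordered by how much they are allowed to do.
    ordered = sorted(collapsed.items(), key=lambda kv: (len(kv[0]), sorted(kv[0])))
    roles, position_to_role = {}, {}
    for i, (perms, positions) in enumerate(ordered):
        name = f"role_{i}"
        roles[name] = perms
        for position in positions:
            position_to_role[position] = name
    return roles, position_to_role


def is_allowed(position, action, position_perms=POSITION_PERMS):
    """Authorization check against the collapsed role, not the job title.

    Unknown positions get no role and therefore no access (deny by default).
    """
    roles, position_to_role = build_role_map(position_perms)
    role = position_to_role.get(position)
    return role is not None and action in roles[role]
```

Running `collapse_roles(POSITION_PERMS)` shows the five titles reduce to three roles; titles that only differ in seniority, not in permissions, do not need their own access control.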