Prevention Methods: Authentication (Passwords, Biometrics, Two-Factor)

This lesson covers authentication as a network security prevention method, as required by OCR J277 Section 1.4. Authentication is the process of verifying that a user or device is who they claim to be.

---

What Is Authentication?

Authentication is the process of confirming the identity of a user before granting access to a system, network, or resource. It answers the question: "Are you really who you say you are?"

Authentication is different from authorisation:

• Authentication = verifying identity (who are you?)
• Authorisation = granting permissions (what are you allowed to do?)

A user must be authenticated before they can be authorised.

---

The Three Factors of Authentication

Authentication methods are based on three factors:

Factor	Description	Example
Something you know	Information only the user should know	Password, PIN, security question
Something you have	A physical item the user possesses	Smart card, phone (for SMS codes), security token
Something you are	A biological characteristic unique to the user	Fingerprint, facial recognition, iris scan

OCR Exam Tip: The three authentication factors are a common exam question. Remember them as: know, have, are. Two-factor authentication uses at least two of these three categories.

---

Passwords

Passwords are the most common form of authentication. The user enters a secret string of characters that must match what is stored (in hashed form) on the system.

Characteristics of strong passwords:

Feature	Weak Password	Strong Password
Length	4-6 characters	12+ characters
Character types	Lowercase only	Mix of upper, lower, numbers, symbols
Predictability	Common words (password123)	Random or complex phrases
Reuse	Same password on multiple sites	Unique password for each account

Password vulnerabilities:

• Brute force attacks — trying every combination
• Dictionary attacks — trying common words and passwords
• Phishing — tricking users into revealing passwords
• Shoulder surfing — observing password entry
• Data breaches — stolen password databases

Password best practices:

• Use a minimum of 8-12 characters (longer is better)
• Include uppercase, lowercase, numbers, and special characters
• Do not reuse passwords across different accounts
• Use a password manager to generate and store complex passwords
• Change passwords regularly
• Never share passwords with others

---

Biometrics

Biometric authentication uses unique physical or behavioural characteristics to verify identity.

Types of biometric authentication:

Type	Method	How It Works
Fingerprint	Scans the unique ridge pattern on a finger	Sensor captures fingerprint and compares to stored template
Facial recognition	Analyses facial features (distance between eyes, nose shape, etc.)	Camera captures face and uses algorithms to match
Iris/retina scan	Scans the unique pattern in the iris or retina	Infrared camera captures eye pattern
Voice recognition	Analyses unique vocal characteristics	Microphone captures voice and compares to stored voiceprint

Advantages of biometrics:

Advantage	Explanation
Cannot be forgotten	Unlike passwords, biometric data is always with you
Difficult to forge	Fingerprints and iris patterns are unique to each individual
Convenient	Quick and easy to use (e.g. fingerprint unlock on phones)
Cannot be shared	You cannot give someone your fingerprint like you can share a password

Disadvantages of biometrics:

Disadvantage	Explanation
Cannot be changed	If biometric data is compromised, you cannot change your fingerprint
Privacy concerns	Storing biometric data raises ethical and legal issues
False positives/negatives	The system may incorrectly accept or reject users
Cost	Biometric hardware (scanners, cameras) can be expensive
Environmental factors	Dirty fingers, poor lighting, or illness can affect accuracy

OCR Exam Tip: A common exam question asks you to give advantages and disadvantages of biometric authentication. The most important disadvantage to remember is that biometric data cannot be changed if compromised — unlike a password, you cannot get a new fingerprint.

---

Two-Factor Authentication (2FA)

Two-factor authentication (2FA) requires the user to provide two different types of authentication from different categories (factors).

Examples of 2FA:

• Password + SMS code — Something you know + something you have
• Password + fingerprint — Something you know + something you are
• PIN + smart card — Something you know + something you have

Why 2FA is more secure:

• Even if an attacker steals your password, they also need the second factor.
• It significantly reduces the risk of unauthorised access.
• It protects against phishing (the attacker gets your password but not your phone/fingerprint).

Limitations of 2FA:

• SMS codes can be intercepted (SIM swapping attacks)
• Adds extra steps to the login process (less convenient)
• Users may lose access if they lose their second factor (e.g. phone)

Method	Factor Used	Security Level	Convenience
Password only	Something you know	Low	High
Biometrics only	Something you are	Medium	High
Password + SMS	Know + have	High	Medium
Password + biometric	Know + are	Very high	Medium

The flow diagram below shows what happens behind the scenes when a user logs in with 2FA.

sequenceDiagram
  participant U as User
  participant S as Server
  participant A as Authenticator App
  U->>S: 1. Submit username + password
  S->>S: 2. Hash and compare to stored hash
  alt Password correct
    S->>U: 3. Request second factor
    U->>A: 4. Open app, read 6-digit code
    U->>S: 5. Submit code
    S->>S: 6. Verify time-based code
    alt Code valid
      S->>U: 7. Access granted
    else Code invalid
      S->>U: Access denied
    end
  else Password wrong
    S->>U: Access denied
  end

---

Summary