
The Credential Selection Process

In this video, you will learn about the credential selection process.
We also need to factor in some kind of process to ensure that we can select and manage appropriate credentials. What are we selecting as an identifier, and what are we using for authentication? And how are we reaching those decisions? Where are the decisions recorded, and are those decisions reviewed at any point? We can use a token, a key fob, and this could be used as both an identifier or as a form of authentication. Well, we’ve mentioned biometric, and what we typically look at when selecting a credential is the convenience, the operational acceptability, versus the security of the solution. We need to decide how many factors we’re going to use. Username and password is increasingly being supplemented by multi-factor authentication.
We talked about some of the issues that we have with passwords, these include the reuse, and there’s a great website called Have I Been Pwned, commonly referred to on the internet as HIBP. And if you enter your email address into Have I Been Pwned, it will tell you where your accounts have been compromised on web-based services.
And what typically arises – these data sets of usernames and passwords are available to purchase on the dark net, and these data sets are then used for what’s called password stuffing, where people try your username and password from one system that they have access to from dark net, from a list that they bought on the dark net, and they try to use that against a different set of systems. So they try your Hotmail account against your Amazon account or vice versa. And again, we talked about the lack of complexity with passwords, even with password requirements enforced. Password complexity requirements as defined by NIST allow for password 01!, with an exclamation mark, to be deemed an acceptable complex password.
And we know it isn’t. Where we are just using usernames and passwords, we have the issue of replay, where people write them down or where key logging activity occurs. We also need to think about credential management. And increasingly what we’re seeing is, because of the high number of user accounts and passwords that are required to be maintained, people are starting to use credential management solutions. And these occur for home users but also occur on an enterprise platform. Now if we’re putting all of our usernames and passwords into a single system, we have a very obvious concern: how secure is that store? Who can access the store? Is access to the store monitored, governed appropriately? So we have services like LastPass, 1Pass, for end users, and most web-based systems, most browsers, will offer credential management as well. We need to be really careful. If we look at browsers, if you log into a browser on a multi-user machine, say in a cybercafe, and we leave that browser logged in, even if the session ends, the next time somebody logs in, it is possible that the browser remains logged in. And those passwords and usernames are often cached onto the local system, and they are frequently poorly secured.
So we need to make sure that we understand how we are managing our credentials. And, ideally, we’re using a one-time password or multi-factor authentication to help address some of these issues around just using a username and password in isolation. So we want this to be simple and as straightforward as possible but also to meet our minimum security requirements, to meet our minimum security needs. What we have seen and we referenced is the growth in adaptive authentication, and this is becoming very popular for this reason.
Here, if you look at your smartphone, quite often you can log in with a biometric factor on its own, but maybe once a month, your smartphone will ask you to log in with your password or with your PIN number. So this is an example, again, of adaptive authentication. And in fact, this is adaptive authentication with multi-factor authentication. It will drop back to a single factor when appropriate but require multiple factors periodically or after a number of incorrect attempts have been made to log in.
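The adaptive step-up behaviour described above (a single biometric factor normally, the PIN as well either periodically or after repeated failed attempts) written out as a small policy, as an added example that is not part of the course material; the 30-day interval, the three-failure threshold and the factor names "pin" and "biometric" are assumptions.

```python
from dataclasses import dataclass

# Policy thresholds (constructed for this example, not taken from the course).
FULL_AUTH_INTERVAL_SECONDS = 30 * 24 * 3600   # re-verify the PIN roughly monthly
MAX_FAILED_ATTEMPTS = 3                        # failures before step-up is forced

SINGLE_FACTOR = ("biometric",)
MULTI_FACTOR = ("pin", "biometric")


@dataclass
class SessionState:
    last_full_auth: int       # Unix time of the last successful PIN + biometric login
    failed_attempts: int = 0  # consecutive failed attempts since the last success


def required_factors(state: SessionState, now: int) -> tuple:
    """Decide which factors this attempt must present.

    Biometric alone is accepted while the last full authentication is recent
    and there are no suspicious failures; otherwise the policy steps up to
    PIN + biometric, which is the smartphone behaviour the video describes.
    """
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return MULTI_FACTOR          # repeated failures: step up
    if now - state.last_full_auth >= FULL_AUTH_INTERVAL_SECONDS:
        return MULTI_FACTOR          # periodic re-verification is due
    return SINGLE_FACTOR


def attempt_login(state: SessionState, now: int, verified: dict) -> bool:
    """Apply the policy to one login attempt and update the session state.

    verified maps factor name -> True/False as reported by each verifier
    (biometric sensor, PIN check). Every required factor must be verified;
    presenting extra factors never lowers the requirement.
    """
    needed = required_factors(state, now)
    if all(verified.get(f, False) for f in needed):
        if needed == MULTI_FACTOR:
            state.last_full_auth = now   # the monthly clock restarts only on full auth
        state.failed_attempts = 0
        return True
    state.failed_attempts += 1           # a single-factor success never clears a step-up
    return False
```

Because the failure counter and the timestamp live in the session state, the same two functions also cover the lock-out-to-step-up case the transcript mentions.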


Credentials can be used to authenticate a user or to act as an identifier. The credential selection process needs to weigh convenience and operational acceptability against the security of the solution. The factors used as credentials also need to be considered: for example, usernames and passwords versus biometrics and multi-factor authentication.

Reflect and share: How do you approach the credential selection process? What factors stand out or have not been mentioned in this video? Share below.

This article is from the free online course Cyber Security Foundations: Identity and Access Management, created by FutureLearn - Learning For Life.
