### What makes a good authentication system?

1. It should be easy for a legitimate user to log in ([[02 - Design principles for secure systems#User acceptability|psychological acceptability]])
2. It should be hard for an attacker to access ([[02 - Design principles for secure systems#Security economics|adversary's work factor should be high]])

![[attachments/Screenshot 2023-05-30 at 5.17.35 PM.png]]

### How is authentication done?

System knows something unique about each user (initially provided securely out-of-band):

1. Something you know
2. Something you have
3. Something you are

### How does a system implement this?

- Threat model assumes that all the data stored on the host may become available to the attacker
	- Store something that is derived from a secret (hashed password) instead of the secret itself
- Threat model assumes the implementation of secret obfuscation (hash, salt, etc.) is known
- For systems with variance, handle variations in input (e.g., voice biometric)

### How do we know how good a method is?

- High true positives
	- In this context, true positive means a legitimate user is signing in, in contrast with the incident response terminology, where true positive typically refers to a successful attack sequence. In IR, true positive would refer to a successful login/login attempt by the attacker.
- Zero or very low false positives for given work factor
- [[Guessing Entropy|Guessing entropy]] helps us quantify the strength of the system
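
The last two bullets can be made concrete. This is an added example, not part of the original note: it uses the standard definition of guessing entropy (expected number of guesses when candidates are tried in decreasing order of probability) and assumes that "false positives for a given work factor" means the chance an attacker is accepted within `k` guesses. Both distributions are constructed for illustration.

```python
import math

def guessing_entropy(probs):
    """Expected guesses for an attacker who tries secrets from most to
    least likely: G = sum_i i * p_i over probabilities sorted descending."""
    ordered = sorted(probs, reverse=True)
    return sum(i * p for i, p in enumerate(ordered, start=1))

def success_within(probs, k):
    """Probability that an attacker limited to k guesses (the work factor)
    is accepted: the total mass of the k most likely secrets."""
    return sum(sorted(probs, reverse=True)[:k])

def shannon_bits(probs):
    """Shannon entropy in bits, shown only for comparison."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

# Constructed secret spaces with 1024 possible values each.
N = 1024
# Every secret equally likely (e.g. system-assigned random codes).
UNIFORM = [1 / N] * N
# User-chosen secrets: 4 popular values cover half of all accounts,
# the remaining 1020 values share the other half evenly.
SKEWED = [0.125] * 4 + [0.5 / (N - 4)] * (N - 4)

def report(name, probs, k=4):
    """Summarise one distribution for a lockout threshold of k guesses."""
    return (f"{name:8s} G={guessing_entropy(probs):7.2f} guesses  "
            f"H={shannon_bits(probs):5.2f} bits  "
            f"P(accepted within {k} guesses)={success_within(probs, k):.4f}")

if __name__ == "__main__":
    print(report("uniform", UNIFORM))
    print(report("skewed", SKEWED))
```

The skewed system still shows a guessing entropy in the hundreds, yet half of its accounts fall within four guesses, so the average should be read together with the acceptance probability at the lockout threshold the system actually enforces.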