WEBVTT

1
00:00:00.000 --> 00:00:01.560
<v Instructor>In this lesson,</v>

2
00:00:01.560 --> 00:00:05.340
we will learn about user identity control.

3
00:00:05.340 --> 00:00:10.320
User identity control is the process used to manage,

4
00:00:10.320 --> 00:00:14.790
verify, and secure the identities of users

5
00:00:14.790 --> 00:00:19.050
to ensure they have appropriate access to resources.

6
00:00:19.050 --> 00:00:23.610
User identity control concepts include credentials,

7
00:00:23.610 --> 00:00:28.110
the use of biometrics, and multi-factor authentication.

8
00:00:28.110 --> 00:00:31.920
Credentials are the information that users provide

9
00:00:31.920 --> 00:00:33.780
to prove their identity.

10
00:00:33.780 --> 00:00:36.690
Biometrics like facial recognition

11
00:00:36.690 --> 00:00:41.040
and fingerprints may also be used to validate identity.

12
00:00:41.040 --> 00:00:43.890
Authentication is then the process

13
00:00:43.890 --> 00:00:48.600
of validating user-presented credentials or biometric data

14
00:00:48.600 --> 00:00:51.090
to confirm a user's identity.

15
00:00:51.090 --> 00:00:54.120
Authorization is then used to determine

16
00:00:54.120 --> 00:00:59.120
what resources the authenticated user is allowed to access.

17
00:00:59.130 --> 00:01:02.130
Finally, multi-factor authentication

18
00:01:02.130 --> 00:01:05.520
or MFA requires users to provide

19
00:01:05.520 --> 00:01:08.220
two or more verification factors

20
00:01:08.220 --> 00:01:12.360
before being granted access to the enterprise network.

21
00:01:12.360 --> 00:01:16.710
Let's learn more about credentials, the use of biometrics,

22
00:01:16.710 --> 00:01:19.650
and multi-factor authentication.

23
00:01:19.650 --> 00:01:22.050
First, we have credentials.

24
00:01:22.050 --> 00:01:26.730
Credentials are the information users provide to a system

25
00:01:26.730 --> 00:01:28.560
to verify who they are.

26
00:01:28.560 --> 00:01:32.100
The most common types of credentials are passwords,

27
00:01:32.100 --> 00:01:36.240
personal identification numbers, and digital certificates.

28
00:01:36.240 --> 00:01:40.590
For example, when you log in to a system such as your email

29
00:01:40.590 --> 00:01:43.260
or work account, you're likely asked

30
00:01:43.260 --> 00:01:46.020
to enter a username and a password.

31
00:01:46.020 --> 00:01:48.690
The password is your credential proving

32
00:01:48.690 --> 00:01:51.750
that you have legitimate access to that account

33
00:01:51.750 --> 00:01:54.330
and that you are who you say you are.

34
00:01:54.330 --> 00:01:56.400
Passwords are the most basic

35
00:01:56.400 --> 00:01:59.190
and widely used form of credentials,

36
00:01:59.190 --> 00:02:02.010
and their simplicity makes them easy

37
00:02:02.010 --> 00:02:05.280
to implement across almost any system.

38
00:02:05.280 --> 00:02:08.220
However, the simplicity of credentials

39
00:02:08.220 --> 00:02:10.770
is also what makes them vulnerable.

40
00:02:10.770 --> 00:02:14.790
Passwords can be guessed, stolen, or forgotten.

41
00:02:14.790 --> 00:02:17.520
For example, a weak password like

42
00:02:17.520 --> 00:02:22.520
123456 or P-A-S-S-W-O-R-D can be easily cracked

43
00:02:25.830 --> 00:02:28.800
by attackers using automated tools.

44
00:02:28.800 --> 00:02:32.220
Even strong passwords can be compromised

45
00:02:32.220 --> 00:02:35.220
if they are reused across multiple sites

46
00:02:35.220 --> 00:02:38.520
or if they're exposed in a data breach.

47
00:02:38.520 --> 00:02:42.360
Digital certificates are another form of credentials

48
00:02:42.360 --> 00:02:44.070
that provide a higher level

49
00:02:44.070 --> 00:02:46.950
of security compared to passwords.

50
00:02:46.950 --> 00:02:50.100
Certificates are electronic documents

51
00:02:50.100 --> 00:02:52.890
that verify a user's identity

52
00:02:52.890 --> 00:02:55.200
using cryptographic techniques.

53
00:02:55.200 --> 00:02:57.750
They are commonly used in environments

54
00:02:57.750 --> 00:03:00.450
that require strong authentication

55
00:03:00.450 --> 00:03:05.450
such as securing access to corporate networks or websites.

56
00:03:05.580 --> 00:03:09.630
For example, when you access a secure website,

57
00:03:09.630 --> 00:03:13.500
your browser uses digital certificates to confirm

58
00:03:13.500 --> 00:03:15.210
that the site is legitimate

59
00:03:15.210 --> 00:03:18.300
and establish a secure connection.

60
00:03:18.300 --> 00:03:21.090
Similarly, certificates can be used

61
00:03:21.090 --> 00:03:25.890
to authenticate users proving their identity without relying

62
00:03:25.890 --> 00:03:30.030
on easily compromised credentials like passwords.

63
00:03:30.030 --> 00:03:32.910
Second, we have biometrics.

64
00:03:32.910 --> 00:03:36.840
Biometrics are a method of identity control

65
00:03:36.840 --> 00:03:39.780
that uses a person's unique physical

66
00:03:39.780 --> 00:03:43.590
or behavioral traits to verify their identity.

67
00:03:43.590 --> 00:03:47.160
Instead of relying on something a user knows

68
00:03:47.160 --> 00:03:52.020
like a password, biometrics rely on something a user is,

69
00:03:52.020 --> 00:03:56.340
making it a powerful tool for secure authentication.

70
00:03:56.340 --> 00:03:59.910
Common types of biometrics include fingerprints,

71
00:03:59.910 --> 00:04:03.810
facial recognition, iris scans, retina scans,

72
00:04:03.810 --> 00:04:05.580
and voice recognition.

73
00:04:05.580 --> 00:04:08.580
These characteristics are hard to replicate,

74
00:04:08.580 --> 00:04:11.430
making biometrics much more secure

75
00:04:11.430 --> 00:04:14.460
when compared to traditional credentials.

76
00:04:14.460 --> 00:04:17.760
For example, when you unlock your smartphone

77
00:04:17.760 --> 00:04:19.350
using your fingerprint,

78
00:04:19.350 --> 00:04:23.760
the device matches your fingerprint against a stored image

79
00:04:23.760 --> 00:04:27.480
of your print to confirm that it is really you.

80
00:04:27.480 --> 00:04:30.450
This process is quick, convenient,

81
00:04:30.450 --> 00:04:33.300
and provides a high level of security

82
00:04:33.300 --> 00:04:37.140
because fingerprints are unique to each individual.

83
00:04:37.140 --> 00:04:41.460
Similarly, facial recognition works by scanning the features

84
00:04:41.460 --> 00:04:45.360
of your face and comparing them to a stored template.

85
00:04:45.360 --> 00:04:48.390
So biometrics offer an easy

86
00:04:48.390 --> 00:04:52.620
and fast way to verify your identity without the hassle

87
00:04:52.620 --> 00:04:54.810
of having to remember a password

88
00:04:54.810 --> 00:04:57.300
or personal identification number.

89
00:04:57.300 --> 00:05:01.350
However, biometric systems are not perfect

90
00:05:01.350 --> 00:05:03.900
and are measured using key metrics

91
00:05:03.900 --> 00:05:06.513
like the crossover error rate or CER,

92
00:05:07.380 --> 00:05:10.320
the false acceptance rate or FAR,

93
00:05:10.320 --> 00:05:13.980
and the false rejection rate or FRR.

94
00:05:13.980 --> 00:05:18.120
The crossover error rate is a standard measurement used

95
00:05:18.120 --> 00:05:21.990
to determine the accuracy of a biometric system.

96
00:05:21.990 --> 00:05:25.200
Crossover error rate represents the point

97
00:05:25.200 --> 00:05:28.020
where the rate of the false acceptances

98
00:05:28.020 --> 00:05:30.990
and the false rejections are equal

99
00:05:30.990 --> 00:05:33.840
when multiple systems are compared.

100
00:05:33.840 --> 00:05:37.080
A lower crossover error rate indicates

101
00:05:37.080 --> 00:05:40.860
the more accurate system as it reflects a balance

102
00:05:40.860 --> 00:05:44.070
between security and usability.

103
00:05:44.070 --> 00:05:46.590
The false acceptance rate measures

104
00:05:46.590 --> 00:05:51.000
how often a biometric system incorrectly accepts

105
00:05:51.000 --> 00:05:52.950
an unauthorized person.

106
00:05:52.950 --> 00:05:56.310
For example, if a facial recognition system

107
00:05:56.310 --> 00:06:00.870
mistakenly identifies a stranger as an authorized user,

108
00:06:00.870 --> 00:06:03.120
this is a false acceptance.

109
00:06:03.120 --> 00:06:05.400
High false acceptance rates

110
00:06:05.400 --> 00:06:08.490
mean that the system is not secure enough

111
00:06:08.490 --> 00:06:11.760
as it allows unauthorized access.

112
00:06:11.760 --> 00:06:15.330
On the other hand, false rejection rate measures

113
00:06:15.330 --> 00:06:20.190
how often the system wrongly rejects an authorized user.

114
00:06:20.190 --> 00:06:23.790
For example, if you try to unlock your phone

115
00:06:23.790 --> 00:06:25.230
with your fingerprint,

116
00:06:25.230 --> 00:06:29.430
but it fails to recognize you, this is a false rejection.

117
00:06:29.430 --> 00:06:32.700
High false rejection rates can be frustrating

118
00:06:32.700 --> 00:06:37.080
because they make the system inconvenient, denying access

119
00:06:37.080 --> 00:06:41.460
even when the correct person is trying to authenticate.

120
00:06:41.460 --> 00:06:44.820
So balancing the false acceptance rate

121
00:06:44.820 --> 00:06:47.490
and false rejection rate is important

122
00:06:47.490 --> 00:06:49.980
to creating a biometric system

123
00:06:49.980 --> 00:06:53.580
that is most secure and user-friendly.

124
00:06:53.580 --> 00:06:56.550
The goal is to minimize both rates

125
00:06:56.550 --> 00:06:59.610
and achieve that low crossover error rate,

126
00:06:59.610 --> 00:07:03.720
providing a system that correctly identifies users

127
00:07:03.720 --> 00:07:05.580
with high accuracy.

128
00:07:05.580 --> 00:07:10.170
Overall, biometrics offer a strong, convenient

129
00:07:10.170 --> 00:07:14.130
and reliable method for user identity control,

130
00:07:14.130 --> 00:07:17.820
enhancing security by using traits that are unique

131
00:07:17.820 --> 00:07:21.240
to individuals and difficult to replicate.

132
00:07:21.240 --> 00:07:26.240
Third and last, we have multi-factor authentication or MFA.

133
00:07:27.930 --> 00:07:32.130
To improve the security of your network, use MFA

134
00:07:32.130 --> 00:07:35.670
which requires two or more independent factors

135
00:07:35.670 --> 00:07:38.100
to verify a user's identity.

136
00:07:38.100 --> 00:07:41.790
These factors include something you know,

137
00:07:41.790 --> 00:07:44.880
something you have, something you are,

138
00:07:44.880 --> 00:07:46.860
and somewhere you are.

139
00:07:46.860 --> 00:07:49.950
This approach adds layers of security

140
00:07:49.950 --> 00:07:53.940
to the authentication process, making it much harder

141
00:07:53.940 --> 00:07:57.510
for unauthorized users to gain access.

142
00:07:57.510 --> 00:08:00.030
In multi-factor authentication,

143
00:08:00.030 --> 00:08:04.290
the first factor, something you know, involves information

144
00:08:04.290 --> 00:08:07.170
that the user knows, such as a password,

145
00:08:07.170 --> 00:08:09.450
personal identification number,

146
00:08:09.450 --> 00:08:12.210
or answers to security questions.

147
00:08:12.210 --> 00:08:15.000
The second factor, something you have,

148
00:08:15.000 --> 00:08:19.230
relies on a physical item in the user's possession,

149
00:08:19.230 --> 00:08:21.780
such as a smart card, key fob,

150
00:08:21.780 --> 00:08:25.830
or smartphone that receives authentication codes.

151
00:08:25.830 --> 00:08:30.420
The third factor, something you are, involves biometrics

152
00:08:30.420 --> 00:08:33.540
such as fingerprints, facial recognition,

153
00:08:33.540 --> 00:08:37.680
or voice patterns, which are all unique to an individual.

154
00:08:37.680 --> 00:08:40.500
The fourth factor, somewhere you are,

155
00:08:40.500 --> 00:08:44.820
uses geographical location data like GPS

156
00:08:44.820 --> 00:08:47.370
or IP addresses to verify

157
00:08:47.370 --> 00:08:50.520
that the user is in an authorized location

158
00:08:50.520 --> 00:08:52.500
when attempting access.

159
00:08:52.500 --> 00:08:55.590
Using only one of these factors is known

160
00:08:55.590 --> 00:08:58.350
as single-factor authentication.

161
00:08:58.350 --> 00:09:01.920
This would be like logging in with a password alone.

162
00:09:01.920 --> 00:09:04.290
Combining two different factors,

163
00:09:04.290 --> 00:09:07.530
such as using a personal identification number,

164
00:09:07.530 --> 00:09:11.640
and a smart card creates two-factor authentication,

165
00:09:11.640 --> 00:09:14.070
which is also called 2FA.

166
00:09:14.070 --> 00:09:17.610
2FA significantly increases security.

167
00:09:17.610 --> 00:09:20.850
Multi-factor authentication or MFA

168
00:09:20.850 --> 00:09:23.220
goes a step further by combining two

169
00:09:23.220 --> 00:09:27.300
or more distinct factors such as a smart card,

170
00:09:27.300 --> 00:09:31.380
a biometric scan, and a location verification

171
00:09:31.380 --> 00:09:34.110
to provide even greater protection.

172
00:09:34.110 --> 00:09:36.750
High security environments often use

173
00:09:36.750 --> 00:09:40.680
multi-factor authentication with multiple factors

174
00:09:40.680 --> 00:09:43.230
to safeguard sensitive information.

175
00:09:43.230 --> 00:09:45.510
As security threats evolve,

176
00:09:45.510 --> 00:09:50.250
so do authentication methods including advanced options

177
00:09:50.250 --> 00:09:54.720
like time-based one-time passwords, or TOTP

178
00:09:54.720 --> 00:09:57.960
and hash-based message authentication code

179
00:09:57.960 --> 00:10:01.020
one-time passwords or HOTP,

180
00:10:01.020 --> 00:10:04.740
which generate single-use codes that change frequently.

181
00:10:04.740 --> 00:10:09.450
Multi-factor authentication can also be implemented in band

182
00:10:09.450 --> 00:10:13.650
where the authentication code is received on the same device

183
00:10:13.650 --> 00:10:17.010
used for access or out of band

184
00:10:17.010 --> 00:10:20.580
where the code is received on a different device altogether,

185
00:10:20.580 --> 00:10:23.190
adding an extra layer of security.

186
00:10:23.190 --> 00:10:27.360
So if your organization requires higher security,

187
00:10:27.360 --> 00:10:29.460
consider implementing two-factor

188
00:10:29.460 --> 00:10:31.860
or multi-factor authentication,

189
00:10:31.860 --> 00:10:34.860
especially using out-of-band methods

190
00:10:34.860 --> 00:10:39.000
to enhance the defenses against unauthorized access

191
00:10:39.000 --> 00:10:42.030
and protect critical systems and data.

192
00:10:42.030 --> 00:10:46.200
So remember, user identity control

193
00:10:46.200 --> 00:10:48.270
is the process of managing,

194
00:10:48.270 --> 00:10:52.080
verifying, and securing user identities

195
00:10:52.080 --> 00:10:55.800
to ensure appropriate access to resources.

196
00:10:55.800 --> 00:10:59.040
It involves using credentials, biometrics,

197
00:10:59.040 --> 00:11:03.900
and multi-factor authentication to confirm user identity

198
00:11:03.900 --> 00:11:08.550
and maintain security. Credentials such as passwords,

199
00:11:08.550 --> 00:11:10.830
personal identification numbers,

200
00:11:10.830 --> 00:11:15.540
and certificates are the most basic form of verification

201
00:11:15.540 --> 00:11:18.540
that users provide to prove their identity.

202
00:11:18.540 --> 00:11:22.440
Biometrics use physical traits like fingerprints

203
00:11:22.440 --> 00:11:26.670
and facial recognition to validate users, adding a layer

204
00:11:26.670 --> 00:11:29.790
of security beyond what the user knows.

205
00:11:29.790 --> 00:11:31.800
Multi-factor authentication

206
00:11:31.800 --> 00:11:36.000
or MFA combines multiple authentication factors

207
00:11:36.000 --> 00:11:38.070
requiring users to provide two

208
00:11:38.070 --> 00:11:42.840
or more types of verification, such as something they know,

209
00:11:42.840 --> 00:11:45.690
something they have, something they are,

210
00:11:45.690 --> 00:11:47.220
or somewhere they are

211
00:11:47.220 --> 00:11:50.493
to strengthen the authentication process.

