Technology Tap

Cybersecurity Fundamentals: Cracking the Authentication Code Chapter 4

Juan Rodriguez Season 5 Episode 86

professorjrod@gmail.com

Ever wonder what happens behind the scenes when you tap "Login" on your favorite app? Authentication is the invisible guardian standing between your personal data and potential attackers, and it's more sophisticated than you might think.

Authentication systems rely on three critical principles: Confidentiality keeps your credentials private, Integrity ensures no one can fake their way past security, and Availability guarantees you can access your accounts when needed. These principles form the foundation of digital security across every platform you use.

The strongest protection comes from combining multiple authentication factors. Your passwords represent "something you know," while those codes texted to your phone verify "something you have." Fingerprint and facial recognition add "something you are" to the equation. When companies layer these factors together, they create robust security that can stop 99% of automated attacks according to Microsoft research.

Despite advances in authentication technology, passwords remain the primary defense for most accounts. Security experts now recommend longer passphrases over complex combinations with special characters. A memorable phrase like "Purple Dungeon eats pizza at noon!" creates a formidable 27-character barrier against brute force attacks. Password managers have become essential tools for generating and storing unique credentials for each service, protecting against credential stuffing attacks where hackers try stolen login information across multiple sites.

Beyond basic authentication lies the world of access control – determining what you can do once your identity is verified. Modern systems implement various models from Discretionary Access Control to Attribute-Based Access Control, applying the principle of least privilege to minimize potential damage from compromised accounts or insider threats.

Ready to strengthen your digital security? Start by enabling multi-factor authentication on your critical accounts today. Consider using a password manager to generate strong, unique passwords for each site. Remember that authentication isn't just about keeping the bad guys out – it's about protecting what matters most to you online.
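The episode describes attribute-based access control with a default of least privilege: a finance analyst may read the quarterly budget report only from a company-issued laptop, on the corporate VPN, during business hours, and anything that does not match an explicit rule is denied. The following is an added example that is not part of the episode or its show notes; the `Request` fields, the `POLICY` structure and the `evaluate` function are assumptions chosen for illustration, not any product's API.

```python
"""Default-deny attribute-based access check (ABAC), added example.

Models the finance-analyst scenario from the episode. Every name here
(Request fields, POLICY keys, evaluate) is an assumption for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Request:
    user: str
    department: str
    resource: str
    action: str
    device_managed: bool      # company-issued and enrolled in device management
    on_corporate_vpn: bool
    country: str
    local_time: datetime


# Policy as data: each rule is a conjunction of attribute conditions.
# Access is granted only if some rule matches; anything else is denied.
POLICY = [
    {
        "name": "finance-budget-business-hours",
        "resource": "quarterly-budget-report",
        "actions": {"read"},
        "department": "finance",
        "require_managed_device": True,
        "require_vpn": True,
        "allowed_countries": {"US"},
        "hours": (time(8, 0), time(18, 0)),
    },
]


def failing_condition(rule, req):
    """Return None if the request satisfies every condition in the rule,
    otherwise the name of the first condition it fails (useful for audit logs)."""
    start, end = rule["hours"]
    checks = [
        ("resource", req.resource == rule["resource"] and req.action in rule["actions"]),
        ("department", req.department == rule["department"]),
        ("managed_device", req.device_managed or not rule["require_managed_device"]),
        ("vpn", req.on_corporate_vpn or not rule["require_vpn"]),
        ("country", req.country in rule["allowed_countries"]),
        ("business_hours", start <= req.local_time.time() < end),
    ]
    for name, ok in checks:
        if not ok:
            return name
    return None


def evaluate(req):
    """Return (decision, reason). Default deny: no matching rule means DENY."""
    reasons = []
    for rule in POLICY:
        failed = failing_condition(rule, req)
        if failed is None:
            return "ALLOW", rule["name"]
        reasons.append(f"{rule['name']} failed on {failed}")
    return "DENY", "; ".join(reasons) or "no applicable rule"


# Constructed sample requests (not real users or systems).
ANALYST_AT_DESK = Request("alice", "finance", "quarterly-budget-report", "read",
                          device_managed=True, on_corporate_vpn=True, country="US",
                          local_time=datetime(2024, 3, 12, 10, 30))
ANALYST_ON_TABLET_ABROAD = Request("alice", "finance", "quarterly-budget-report", "read",
                                   device_managed=False, on_corporate_vpn=False, country="FR",
                                   local_time=datetime(2024, 3, 12, 2, 0))
HR_USER = Request("bob", "hr", "quarterly-budget-report", "read",
                  device_managed=True, on_corporate_vpn=True, country="US",
                  local_time=datetime(2024, 3, 12, 10, 30))

if __name__ == "__main__":
    for req in (ANALYST_AT_DESK, ANALYST_ON_TABLET_ABROAD, HR_USER):
        print(req.user, evaluate(req))
```

The point of returning the first failed condition is that a deny decision becomes explainable in the audit log (device, VPN, country or hours), which is what an analyst needs when a legitimate user is blocked or when an unusual request is investigated.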



Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions

Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod

And welcome to Technology Tap. I'm Professor J Rod. In this episode we'll talk about passwords and multi-factor authentication. Let's get into it. All right, welcome to Technology Tap. I'm Professor J Rod.

So we're going to do something a little bit different going forward, so here's a little bit of housekeeping, as I like to call it. We joined the PodMatch network, so hopefully that's going to help us in getting more listeners. Two, we're going to do three episodes a week and they're going to be released Tuesdays, Thursdays and Sundays. Tuesdays and Thursdays are going to be chapter episodes on a topic, either Security or A+, and then on Sunday we're going to go over the history of computing. Right, like what we're doing with the floppy. We did the 8-inch floppy, next we have the five-and-a-quarter floppy, and then we'll go to three-and-a-half and so forth. So that is how it's going to go from now on. So hopefully this format will bring more listeners and bring more enjoyment to everyone who is listening. All right, so welcome to Technology Tap, the show where we take complex technology and break it down into stories you can relate to.

I'm Professor J Rod, and today we're diving into something that affects every single person who uses a computer, smartphone or tablet: authentication. Think about the morning routine. You wake up, check your phone, maybe log into your email or social media. Every one of these actions begins with a question: are you really you? That question, and the technology behind answering it, is what we'll be exploring today. We'll look into passwords, password managers, multi-factor authentication, biometrics and even passwordless future tech, and I promise you'll come away from this episode with practical steps you can take to stay secure.

Let's tap in. Authentication is simply proving your identity to a system, but in cybersecurity we always think in terms of CIA: confidentiality, integrity and availability. Confidentiality means your credentials, like your password, are private. Integrity means no one can fake their way past the login screen. And availability means the system works reliably, even at 2 am when you're trying to reset your password before a deadline, and for my students, their homework assignments. We'll roll the sample. Think about online banking. Confidentiality ensures no one else can see your credentials. Integrity ensures a hacker can bypass the login screen with a fake cookie. Availability ensures you can check your balance on payday without getting locked out.

And to make authentication strong, we use the following factors. Something that you know, like the password for your Netflix account. Something that you have: your bank might text you a code to prove you have your phone. Something that you are: Face ID or a fingerprint scan on your iPhone. Somewhere you are: your employer may only let you log in from your office VPN. Something that you do: your smartwatch might know the way you walk is unique. When companies combine these factors, they are creating layered security.

Passwords are the oldest form of authentication and still the most common. Let's talk length first. Longer is stronger. Think of password cracking like trying every combination on a bike lock. The more characters you add, the more combinations a hacker has to try. Real breach story: in 2012, LinkedIn suffered a data breach that exposed millions of passwords.

Many were things like 123456 or LinkedIn. Attackers guessed them instantly. Modern guidelines from NIST actually say we should stop forcing people to change passwords every 60 days unless there's evidence of compromise. Why? Because humans are predictable. People would just pick something like Summer2023, then Fall2023. Hackers guess these patterns. Instead, the focus is on using long passphrases. Imagine "Purple Dungeon eats pizza at noon." That's 27 characters to remember plus the exclamation point. Very hard to brute force. And never reuse passwords. When one website gets hacked, attackers try the same email and password combo everywhere. That's called credential stuffing, and they do that, right. If Netflix gets hacked, whatever username and password that you have, they're going to try it on Amazon, they're going to try it on Hulu, they're going to try it on, you know, all your stuff: Hotmail, Gmail.

So, password managers. Here's the problem: no one can remember 200 unique passwords. That's where password managers come in. Think of them as your digital keychain. They generate and store strong passwords for each site. You unlock the keychain with one master password. So yes, your master password needs to be very strong.

Real-world example: let's say you use Bitwarden. You log into your vault with your master password and maybe a code from your phone. The vault decrypts locally on your device. Even Bitwarden's servers can't see your passwords, because they're encrypted end-to-end. Security tip: choose a reputable manager with zero-knowledge encryption. Turn on MFA for your password manager account. Back up your vault, because losing your master password usually means you're locked out permanently.

And here's the kicker: a password manager can also protect you from phishing. If you land on a fake PayPal site, the manager won't autofill because the domain doesn't match. Multi-factor authentication. Let's say you have a strong password. Can attackers still get in? Yes, if they trick you with phishing or if the site gets hacked. That's why multi-factor authentication is so powerful. It adds another wall. We'll roll the example.

Remember the 2020 Twitter hack? Attackers called employees pretending to be IT and tricked them into giving up credentials. Accounts of high-profile users, Elon Musk, Barack Obama, were taken over. Twitter now enforces MFA for many internal tools. MFA options include hardware tokens like RSA SecurID fobs, apps like Google Authenticator that generate time-based codes, push notifications that let you tap approve on your phone, and biometrics combined with a PIN. MFA can stop 99% of automated account attacks, according to Microsoft.

If you haven't enabled it on your email and bank accounts, do it today. Don't just pause this and then go and do that, right? Handle your business, guys. And I always like to say, I always tell my students, you know, something that you are, something that you have, you know, has been around for a long time. It's been around for years. Think about it: when you take money out of a bank, right, you need your card, which is something that you know, and you need your PIN, something that you have. So you know that's been around for a long time. You know, we just haven't taken advantage of it, or that much advantage of it, until now. Plus, as I was telling one of my classes, you know, it takes a long time for people to get used to things, right? You know, it's now that we're doing multi-factor authentication that sends a code to your phone. Right, I love that, but it's taken a long time for people to get used to that, right, because, again, you know, they want to make things convenient for everybody on the commercial side, on the customer side, and that usually means giving up security. But I think people are getting used to it now. So now that's becoming a thing, where you know you log into something and then a code gets sent to your phone, which I absolutely love. I mean, can you get hacked? Yes, but what are the chances of you getting hacked? Right, that's the thing. It's lower than just having password123 on your account, right?

Biometrics. Biometrics uses your body as the password, and they're everywhere. Your phone might scan your face. Disney theme parks use fingerprint readers to match guests' tickets. Airports use facial recognition to speed boarding. But biometrics are imperfect. Systems can reject you, that's called false rejection, or worse, accept someone who isn't you, which is a false acceptance. Real story: researchers have shown that cheap 3D-printed masks can bypass some facial recognition systems.

That's why most secure systems combine biometrics with something else, like a PIN. And, unlike passwords, you can't change your fingerprints. If it gets stolen from a database, yes, that's happening, you just can't pick a new one. That's why protecting biometric data is critical, and you know, it's a whole new thing that we need to be a little bit more security conscious about.

Right, there's a video on YouTube, if you could look it up. If you look up Jimmy Kimmel, social engineering, you know, those people, they try to get people's passwords and people freely give it to them. They ask questions, and next thing you know they've given up their password. It's an amazing video. I show it in all my classes. There's actually two videos of that, where they walk over to people and they ask them their password. At first they initially say no, but eventually they give them the password, which is absolutely insane. Yeah, it's crazy. You should watch it. Look it up. It's on YouTube. All right, let's wrap it up.

Today, we explored authentication: passwords, password managers, MFA and biometrics, all the ways we prove who we are online. So here's your homework: pick one account that doesn't have MFA enabled. Turn it on today. Download a password manager and generate strong, unique passwords. Experiment with passphrases instead of random gibberish. They're easier to remember and just as strong.

All right, welcome back to Technology Tap. I'm Professor J Rod. If you joined us last time, we explored how we prove who we are: authentication, passwords, multi-factor authentication and biometrics. But proving who you are is just one step. Once the system knows it's you, it faces the next big question: what are you allowed to do? This is where access control comes in. Today, we'll explore the major access control models: discretionary, mandatory, role-based and attribute-based. We'll talk about the principle of least privilege, account provisioning and deprovisioning, account restrictions and privileged access management. And, of course, I'll share real-world examples, from insider threats to IT horror stories, to help make these concepts stick. All right, let's start with access control models.

Once you authenticate, the system uses access control to determine which files, systems or actions you can access. Think of it like a bouncer at a club. You show your ID at the club. That's authentication. But the bouncer still checks if you're on the VIP list or just a general guest. Right, that'll be authorization. Discretionary access control, or DAC. DAC is owner-controlled. If you create a file, you decide who gets read, write or execute permission. So here's an example: imagine Alice creates a Google Doc and shares it with Bob, giving him edit rights. Bob can then share it with Charlie if he wants. That flexibility is great, but also risky. Malware or compromised accounts can spread access quickly in a DAC system.

Mandatory access control, or MAC. MAC is stricter. Access is based on security levels and system-enforced policies. Users can't just decide to share data. Example: in the military, a document labeled Secret can only be opened by someone with Secret clearance or higher. You can't just give a friend access. The system enforces it. MAC is used in government and defense environments where leakage of information can be catastrophic.

Next we go to role-based access control, or RBAC. RBAC assigns permissions to roles, not individual users. Example: when a new HR employee joins, IT assigns them the HR role. That role gives them access to payroll data automatically. No need to configure access manually every time somebody joins or leaves. This is scalable, easy to manage and great for organizations with well-defined job functions. Attribute-based access control, or ABAC.

ABAC is even more dynamic. It grants access based on attributes like user department, device trust level, location, time of day and risk score. Here's an example: imagine a finance analyst can access the quarterly budget report, but only from a company-issued laptop on the corporate VPN during business hours. Try to log in from a personal tablet at 2 am from a foreign country? Access denied. ABAC powers modern zero-day models, zero-trust models: never trust, always verify. And then we have rule-based, or "rule-BAC". This model uses preset rules. For example, deny all logins after 6 pm, block connections from outside the US, or allow access only if antivirus is up to date. You've probably experienced this if your VPN locks you out until you install the latest security patches.

Next we're going to move to the principle of least privilege, which says users should have the minimum access needed to do their job. Nothing more, nothing less. Case study: in 2013, Edward Snowden had broad access to NSA data, far more than he needed for his role as a contractor. That access allowed him to leak classified documents. This is why modern systems implement just-in-time access, giving admin rights only temporarily. Practical steps: review permissions regularly, remove stale accounts and use privileged access management tools to grant temporary elevation.

Next, user provisioning and deprovisioning. Provisioning is the process of creating, configuring and maintaining user accounts. For example, onboarding: when Sarah is hired in marketing, HR triggers an automatic workflow. An Active Directory account is created, email, Slack and VPN access are granted, and a welcome packet reminds her of the security policies. Though I would not give somebody who just started VPN access as soon as they start, unless they're working from home. Right, but deprovisioning is just as critical. When Sarah leaves the company, her account must be disabled immediately. Yes, at the minimum, right. Maximum is deleting the account. The minimum is disabling it immediately. Horror story: a 2021 report found that 25% of former employees at some companies still had access to cloud files, which is incredibly unbelievable. That's an insider threat waiting to happen. Imagine a disgruntled ex-employee downloading sensitive data after they leave. It happens more often than you think.

Next, let's talk about account attributes and access policy. Every account has attributes like username, security ID, role, department, access history. Access control systems use these attributes to apply policies. For example, users in the finance user group get access to budget files. Group Policy Objects apply restrictions like disabling USB drives, and conditional access may block logins from risky IP addresses. This is why logging in from a new country sometimes triggers an email alert or MFA prompt.

The system noticed something unusual. You get this sometimes: if you always log in in New York City to your Gmail account, every day, all day, seven days a week, 365, and then one day you go to LA and you log in, not on your computer but on somebody else's computer, it might trigger something. It might say, hey, you never logged in in LA from this PC before, let's make sure it's you. Especially if it's in another country, right? If it's like in the Philippines, not, you know, making fun of my Philippine people or anything, but you know, somewhere that you've never gone, it's going to trigger that. Account restrictions.

To further reduce risk, companies use location-based and time-based controls. Location example: a hospital may block all logins from outside the US to protect patient data. Time example: contractors may only be able to log in during business hours, and the system may detect impossible travel: logging in from New York and then Tokyo five minutes later. That's a flag and it's suspicious because it's impossible. These restrictions help reduce the attack surface. If you work for a bank, right, banks are not going to let you be there until like 8 o'clock, 9 o'clock at night. After, I think it's 7 pm.

Most banks will lock you out automatically and you can't log in. I think you have to wait till 8 am. If you work in the branch, you've got to wait till 8 am to log in. Maybe 7, 7:30. But like, you can't go in there at 6 in the morning and start doing work. They won't. The computers won't turn off.

Privileged access management, or PAM. PAM is all about controlling administrator and superuser accounts. In 2017, the NotPetya attack: malware stole domain admin credentials from infected machines and spread rapidly across networks. Organizations that used PAM tools were able to limit the blast radius by rotating admin credentials and requiring MFA. Key PAM practices: zero standing privileges. No one keeps permanent admin rights; they get them temporarily when needed. Credentials: admin passwords expire quickly and rotate automatically. Password vaulting: privileged credentials are stored securely and admins check them out like a library book. This approach drastically reduces insider threat risk and limits damage from account compromise.

Now on to the questions. Now that we've gone through these topics, I'm going to ask you four questions and I'm going to give you time to think about it, and then you're going to answer the question. Let's see if we can get four out of four. All right. Which access control model is owner-controlled and commonly used in personal or commercial systems? A, MAC; B, DAC; C, RBAC; D, ABAC. I'll read it again: which access control model is owner-controlled and commonly used in personal or commercial systems? A, MAC; B, DAC; C, RBAC; D, ABAC. The answer is B, DAC, Discretionary Access Control. The resource owner decides permissions. MAC is system-enforced. RBAC uses roles and ABAC uses attributes. So the answer is B.

Next, question number two. The principle of least privilege helps organizations by: A, giving users admin access for efficiency. B, assigning only the permissions necessary for a task. C, allowing employees to share accounts freely. D, removing the need for authentication entirely. I'm going to read it again: the principle of least privilege helps organizations by: A, giving users admin access for efficiency. B, assigning only the permissions necessary for tasks. C, allowing employees to share accounts freely. And D, removing the need for authentication entirely. So I'll give you five seconds to think about it. See what the answer is. Five, four, three, two, one. And the answer is B, assigning only the permissions necessary for the task. The principle of least privilege minimizes risk by restricting access to just what's needed. Giving admin rights, A, or sharing accounts, C, increases the risk, while removing authentication undermines security entirely, right? So then, why even have people logging in, if you're going to do that? All right.

Question three: which access control model is policy-based, dynamic and context-aware, often used in cloud and zero-trust environments? A, DAC; B, RBAC; C, ABAC; D, MAC. I'll do it again: which access control model is policy-based, dynamic and context-aware, often used in cloud and zero-trust environments? A, DAC; B, RBAC; C, ABAC; or D, MAC. I'll give you five seconds to think about it. Five, four, three, two, one. All right, the answer is C, ABAC. Attribute-based access control considers attributes like user role, device, location and time, right. DAC is owner-based, RBAC is role-based and less flexible, and MAC is rigid and policy-enforced. Hope you got that right. Now, last one. Let's go four for four, hopefully, right. We got three of them right and this will be number four. All right.

What is the main purpose of PAM, Privileged Access Management? A, to remove the need for user provisioning. B, to store encryption keys for end users. C, to secure, monitor and limit accounts with elevated rights. And D, to replace MFA for all accounts. I'll read it again: what is the main purpose of Privileged Access Management? A, to remove the need for user provisioning. B, to store encryption keys for end users. C, to secure, monitor and limit accounts with elevated rights. And D, to replace MFA for all accounts. I'll give you five seconds to think about that. Five, four, three, two, one. And the answer is C, to secure, monitor and limit accounts with elevated rights.

PAM protects powerful accounts like domain admins or root by limiting their use, requiring just-in-time elevation and monitoring activity. A is more like provisioning; it's separate. Encryption keys, B, are unrelated, and PAM doesn't replace MFA, it just complements it. All right, that was pretty good. Hopefully we got four out of four right, which I'm sure we did, right?

We've got a lot of smart listeners out there, especially my listeners in Georgia and my listeners in Texas, and I think I have a listener in Athens, Greece, that likes to listen to my podcast. So shout out to you guys for listening. I appreciate it. All right, let's wrap it up. Today we saw how systems decide what you can access after logging in. We covered DAC, MAC, RBAC, ABAC and least privilege, account restrictions, PAM and provisioning. Here's your action list. Audit your own accounts: do you have access to things you no longer need? Turn on conditional access or time-based restrictions where possible. If you're in IT, start exploring PAM tools like CyberArk or BeyondTrust. Just remember: authentication gets you in the door, but authorization determines what rooms you can enter. I'm Professor J Rod, and until next time, keep tapping into technology.
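The episode's account-restriction segment describes impossible travel (a login from New York and then from Tokyo five minutes later) as the signal that should trigger a flag. The following is an added example, not code from the episode or from any vendor: it reads a few constructed login records, sorts each user's successful logins by time, and flags any consecutive pair whose implied ground speed exceeds a threshold. The log format, the city-coordinate table standing in for an IP geolocation lookup, and the `MAX_SPEED_KMH` value are all constructed assumptions.

```python
"""Impossible-travel detection over constructed login events (added example).

The log lines, the GEO table that stands in for IP geolocation, and the
speed threshold are assumptions for illustration, not data from any real system.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed geolocation table; a real pipeline would resolve the source IP.
GEO = {
    "New York": (40.7128, -74.0060),
    "Los Angeles": (34.0522, -118.2437),
    "Tokyo": (35.6762, 139.6503),
}

# Constructed sample log, one event per line: timestamp,user,result,city
SAMPLE_LOG = """\
2024-03-12T09:00:00Z,alice,success,New York
2024-03-12T09:30:00Z,alice,success,New York
2024-03-12T09:35:00Z,alice,success,Tokyo
2024-03-12T08:00:00Z,bob,success,New York
2024-03-12T14:00:00Z,bob,success,Los Angeles
2024-03-12T08:05:00Z,carol,failure,Tokyo
2024-03-12T08:06:00Z,carol,success,New York
"""

MAX_SPEED_KMH = 1000.0  # assumption: faster than any commercial flight


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, city = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "result": result,
            "city": city,
        })
    return events


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return alerts as (user, from_city, to_city, km, minutes, km_per_hour)
    for consecutive successful logins that imply a speed above the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":   # a failed attempt proves no presence
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["time"])
        for prev, cur in zip(logins, logins[1:]):
            if prev["city"] == cur["city"]:
                continue
            km = haversine_km(GEO[prev["city"]], GEO[cur["city"]])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, prev["city"], cur["city"],
                               round(km), round(hours * 60), round(speed)))
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print("impossible travel:", alert)
```

With the sample above, alice's New York to Tokyo jump is flagged while bob's New York to Los Angeles trip over six hours (roughly 650 km/h) is not, and carol's failed attempt from Tokyo is ignored because a failed login does not establish where the account holder actually was.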