Tutorial / Cram Notes
Authentication is a critical component in the security process, ensuring that users are who they claim to be. In the context of the SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam, authentication refers to the process by which an individual’s identity is verified before they are allowed access to systems, applications, or data.
Methods of Authentication
There are several methods of authentication, typically categorized into three main types, often referred to as authentication factors:
- Something You Know: This factor includes passwords, PINs, and patterns. It’s the most common form of authentication. Users provide their password or PIN, which must match what the authentication server has stored for that user (in a well-designed system a salted hash of the secret, never the secret itself).
- Something You Have: This includes tokens, smart cards, and mobile phone authentication apps. These devices generate a code that changes at regular intervals or can be used to prove possession of a particular device.
- Something You Are: Also known as biometrics, this factor includes fingerprint scans, facial recognition, iris scans, and voice recognition. These physical or behavioral traits are unique to each user and are becoming more common in various authentication systems.
Exam Objective Examples
Let’s look at examples relative to the SC-900 exam objectives:
- Password Authentication: Users enter their username and password to access their Microsoft 365 applications.
- Two-Factor Authentication (2FA): To access the Azure portal, a user might need to enter a password (something they know) and then approve a notification on their smartphone (something they have).
- Biometric Authentication: A user can access a Windows 10 device using Windows Hello, which includes facial recognition or fingerprint scanning (something they are).
- Multi-Factor Authentication (MFA): MFA requires two or more of the above-mentioned authentication factors, providing an additional layer of security. For example, a user signs into their Microsoft 365 account with their password and then must enter a code provided by an authenticator app on their phone.
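The two factors used in the MFA example above (a password, then a code from an authenticator app) can be checked in a few dozen lines. The following is an added example, not code from the original notes or from Microsoft: it verifies a password against a salted PBKDF2 hash (something you know) and a time-based one-time password as defined in RFC 6238 (something you have). The user, password and sign-in times are constructed; the shared secret is the RFC 6238 reference secret, so the codes it produces can be checked against the published test vectors.

```python
"""Added example: a minimal two-factor sign-in check.

Factor 1 ("something you know"): a password verified against a salted PBKDF2 hash.
Factor 2 ("something you have"): a time-based one-time password (TOTP, RFC 6238)
that an authenticator app derives from a shared secret and the current time.
All users, passwords and times below are constructed for the example.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256
TOTP_STEP = 30                # seconds per TOTP time step
TOTP_WINDOW = 1               # accept codes one step either side to absorb clock skew

# RFC 6238 reference secret, as raw bytes and as the base32 string an
# authenticator app is enrolled with (typically delivered via a QR code).
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_authenticator_secret(b32: str) -> bytes:
    """Authenticator apps exchange the shared secret as (often unpadded) base32."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). The server stores these, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238) is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // TOTP_STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is not valid.

    A counter at or below last_counter is refused even when the code is right:
    each one-time code may be used once, which defeats replay of a captured code.
    """
    current = unix_time // TOTP_STEP
    for counter in range(current - TOTP_WINDOW, current + TOTP_WINDOW + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def enroll_user(username: str, password: str, totp_secret: bytes) -> dict:
    """Constructed user record as the authentication server would keep it."""
    salt, pw_hash = hash_password(password)
    return {"user": username, "salt": salt, "pw_hash": pw_hash,
            "totp_secret": totp_secret, "last_counter": -1}


def mfa_sign_in(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. Report only that sign-in failed, not which factor did."""
    password_ok = verify_password(password, record["salt"], record["pw_hash"])
    counter = verify_totp(record["totp_secret"], code, unix_time, record["last_counter"])
    if not (password_ok and counter is not None):
        return False
    record["last_counter"] = counter   # consume the code so it cannot be replayed
    return True


if __name__ == "__main__":
    alice = enroll_user("alice", "correct horse battery staple",
                        decode_authenticator_secret(RFC_SECRET_B32))
    now = 59   # RFC 6238 test time; the app would display 287082 for this secret
    print(mfa_sign_in(alice, "correct horse battery staple", totp(RFC_SECRET, now), now))  # True
    print(mfa_sign_in(alice, "correct horse battery staple", totp(RFC_SECRET, now), now))  # False
```

Two details matter more than the arithmetic: the comparison of codes and hashes is constant-time, and a code is tied to the time step it was consumed in, so a second submission of the same code (the second call in the usage above) is refused even though it is still inside the skew window.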
Comparison of Authentication Methods
| Authentication Factor | Example | Security Level | User Convenience |
|---|---|---|---|
| Something You Know | Password | Low to Moderate | High |
| Something You Have | Auth App OTP | Moderate to High | Moderate |
| Something You Are | Biometrics | High | High |
| Multi-Factor (2 or more factors) | Password + Auth App OTP | Very High | Moderate to Low |
Azure Active Directory and Authentication
Authentication in Microsoft systems is often managed using Azure Active Directory (Azure AD). Azure AD supports several authentication methods, including password-based authentication, certificate-based authentication, Azure AD Multi-Factor Authentication, and federated authentication using external identity providers.
Federated authentication involves using a third-party identity provider to authenticate before access is granted to Microsoft applications and services. When using federated authentication, the actual verification process takes place outside of Azure AD, and the third-party service confirms to Azure AD that the user’s identity has been verified.
This system is beneficial when organizations prefer to use a single set of credentials within their own identity provider to access both on-premises and cloud-based applications. Examples of federated authentication include the use of Active Directory Federation Services (AD FS) or third-party identity providers such as Okta or Google G Suite.
Importance of Authentication in Security
The SC-900 exam tests knowledge in several areas of Microsoft security, and understanding how authentication contributes to the overall security posture is crucial. Whether it’s basic password security, implementing MFA, or setting up federated services, authentication is a fundamental element in protecting and securing data in any organizational environment.
Practice Test with Explanation
True or False: Authentication is the process of ensuring that content is not altered during transmission.
- A) True
- B) False
Answer: B) False
Explanation: Authentication is the process of verifying the identity of a user or device. Ensuring content is not altered during transmission is a matter of integrity, not authentication.
Which of the following factors are commonly used in multi-factor authentication (MFA)?
- A) Something you know
- B) Something you have
- C) Something you are
- D) All of the above
Answer: D) All of the above
Explanation: Multi-factor authentication combines two or more independent credentials: what the user knows (password), what the user has (security token), and what the user is (biometric verification).
True or False: Biometric verification is considered a weak form of authentication because it is easily replicated.
- A) True
- B) False
Answer: B) False
Explanation: Biometric verification is considered a strong form of authentication because it uses unique physical characteristics that are difficult to replicate.
True or False: Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials.
- A) True
- B) False
Answer: A) True
Explanation: Single sign-on enables users to log in once and gain access to various systems without being required to log in again at each of them.
Which of these is NOT a typical form of authentication?
- A) Passwords
- B) Usernames
- C) Encryption keys
- D) Security questions
Answer: B) Usernames
Explanation: Usernames are generally used to identify a user, not authenticate them. It is typically the password or another factor that is used to authenticate that identity.
True or False: Knowledge-based authentication is an example of “something you have.”
- A) True
- B) False
Answer: B) False
Explanation: Knowledge-based authentication is considered “something you know,” such as a password or an answer to a security question.
Which authentication method relies on a physical object possessed by the user?
- A) Token authentication
- B) Biometric authentication
- C) Password authentication
- D) Cognitive authentication
Answer: A) Token authentication
Explanation: Token authentication involves something the user has, such as a security token or a smart card.
Which of the following is NOT an advantage of using multifactor authentication?
- A) It provides an additional layer of security
- B) It can fully eliminate the need for passwords
- C) It reduces the risk of compromised credentials
- D) It makes unauthorized access more difficult
Answer: B) It can fully eliminate the need for passwords
Explanation: While multifactor authentication enhances security, it does not always eliminate the need for passwords; it is often used in conjunction with them.
True or False: Credential stuffing is a type of attack that is mitigated by implementing strong authentication methods.
- A) True
- B) False
Answer: A) True
Explanation: Credential stuffing, where stolen account credentials are used to gain unauthorized access to user accounts, can be mitigated by using strong, multifactor authentication methods.
In the context of Azure Active Directory, what does Conditional Access refer to?
- A) It controls access to resources based on the user’s role within the organization
- B) It grants access to all users by default
- C) It denies access to all users by default
- D) It controls access to resources based on the state or condition of a user’s identity
Answer: D) It controls access to resources based on the state or condition of a user’s identity
Explanation: Conditional Access is a capability in Azure Active Directory that enables you to enforce controls on the access to apps in your environment based on specific conditions or criteria.
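To make the "conditions or criteria" concrete, here is an added example (not from the original notes and not Azure AD’s actual engine) of how a Conditional Access style decision is reached: each policy has a set of conditions and a grant control; every policy whose conditions all match the sign-in is in scope; if any in-scope policy blocks, the sign-in is blocked, otherwise the user must satisfy all grant controls the in-scope policies require. The policies, the trusted network range, the users and the risk levels are constructed, and the model omits conditions the real service has (device platform, device state, session controls).

```python
"""Added example: a simplified model of a Conditional Access decision.

Policies, network ranges, users and groups are constructed for illustration;
this is not the Azure AD implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set, Tuple

RISK_LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed "named location" marked as trusted (RFC 5737 documentation range).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    app: str
    ip: str
    client: str   # "modern" (can perform MFA) or "legacy" (basic auth, cannot)
    risk: str     # "none" | "low" | "medium" | "high"


@dataclass(frozen=True)
class Policy:
    name: str
    grant: str                               # "block" | "require_mfa" | "require_compliant_device"
    users: Optional[FrozenSet[str]] = None   # user or group names; None = all users
    apps: Optional[FrozenSet[str]] = None    # None = all cloud apps
    untrusted_location_only: bool = False    # apply only outside trusted named locations
    legacy_clients_only: bool = False        # apply only to legacy authentication clients
    min_risk: Optional[str] = None           # apply only at this sign-in risk or above


def is_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def policy_applies(policy: Policy, s: SignIn) -> bool:
    """A policy is in scope only when every configured condition matches the sign-in."""
    if policy.users is not None and not (policy.users & (s.groups | {s.user})):
        return False
    if policy.apps is not None and s.app not in policy.apps:
        return False
    if policy.untrusted_location_only and is_trusted_location(s.ip):
        return False
    if policy.legacy_clients_only and s.client != "legacy":
        return False
    if policy.min_risk is not None and RISK_LEVEL[s.risk] < RISK_LEVEL[policy.min_risk]:
        return False
    return True


def evaluate(policies: Iterable[Policy], s: SignIn) -> Tuple[str, Set[str]]:
    """Return ("block", names of blocking policies) or ("grant", required controls).

    Block always wins over grant; otherwise the controls of all in-scope
    policies accumulate, so a user may have to satisfy several at once.
    """
    applying = [p for p in policies if policy_applies(p, s)]
    blocking = {p.name for p in applying if p.grant == "block"}
    if blocking:
        return "block", blocking
    return "grant", {p.grant for p in applying}


# Constructed policy set resembling common baseline policies.
POLICIES = [
    Policy("Block legacy authentication", grant="block", legacy_clients_only=True),
    Policy("Block high-risk sign-ins", grant="block", min_risk="high"),
    Policy("Require MFA for administrators", grant="require_mfa",
           users=frozenset({"Global Administrators"})),
    Policy("Require MFA outside trusted networks", grant="require_mfa",
           untrusted_location_only=True),
    Policy("Require compliant device for Exchange Online", grant="require_compliant_device",
           apps=frozenset({"Exchange Online"})),
]


if __name__ == "__main__":
    bob_from_home = SignIn("bob", frozenset({"Staff"}), "Exchange Online",
                           "198.51.100.7", "modern", "low")
    print(evaluate(POLICIES, bob_from_home))   # ('grant', {'require_mfa', 'require_compliant_device'})
    bob_legacy = SignIn("bob", frozenset({"Staff"}), "Exchange Online",
                        "203.0.113.20", "legacy", "none")
    print(evaluate(POLICIES, bob_legacy))      # ('block', {'Block legacy authentication'})
```

The usage shows the two properties worth remembering for the exam: the same user gets different outcomes depending on the state of the sign-in (location, client, risk), not just on who they are, and a block from one policy is not softened by a grant from another.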
True or False: Password expiration policies are a good practice to ensure password-based authentication remains secure.
- A) True
- B) False
Answer: B) False
Explanation: While password expiration policies were once standard practice, recent guidance suggests they may encourage poor password practices, such as creating simpler passwords or incrementally changing them. Instead, having strong, unique passwords coupled with multifactor authentication is now recommended.
Interview Questions
What is the difference between authentication and authorization?
Authentication is the process of verifying a user’s identity while authorization is the process of verifying if an authenticated user has access to a resource.
What is multi-factor authentication?
Multi-factor authentication is a security process in which a user provides two or more authentication factors to verify their identity.
What are the types of authentication factors?
The types of authentication factors are something you know, something you have, and something you are.
What is passwordless authentication?
Passwordless authentication is a method of authentication that does not require a password for a user to access a resource.
What are the benefits of passwordless authentication?
The benefits of passwordless authentication include increased security, reduced risk of credential theft, and improved user experience.
What is Azure AD authentication?
Azure AD authentication is a cloud-based authentication service that enables users to authenticate with applications, devices, and services.
What is Active Directory authentication?
Active Directory authentication is an on-premises authentication service that enables users to authenticate with applications, devices, and services.
What are the types of Azure AD authentication?
The types of Azure AD authentication include password-based authentication, federated authentication, and managed identity authentication.
What are the benefits of using Azure AD authentication?
The benefits of using Azure AD authentication include centralized identity management, single sign-on, and improved security.
What are the different types of federated authentication?
The different types of federated authentication include Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
What is hybrid authentication?
Hybrid authentication is a combination of on-premises authentication and cloud-based authentication.
What is Windows Hello for Business?
Windows Hello for Business is a biometric authentication service that uses facial recognition, fingerprint, and iris recognition to authenticate users.
What is a smart card?
A smart card is a small electronic device that contains authentication data and can be used to verify a user’s identity.
What is an identity provider?
An identity provider is a service that provides authentication and authorization services to applications and services.
What is Active Directory Federation Services (ADFS)?
Active Directory Federation Services (ADFS) is a service that enables users to use their on-premises Active Directory credentials to authenticate with cloud-based services.
Authentication is the process of verifying the identity of a user, device, or other entity in a computer system.
I appreciated the detailed explanation on authentication methods in this blog post.
Could someone explain the difference between authentication and authorization?
Passwords are the most common form of authentication. What are some alternatives?
In the context of SC-900, understanding Azure AD authentication is key.
Thanks for this informative post!
MFA is increasingly popular, but does it actually increase security?
Is biometric authentication secure? What are its risks?