Authentication Management – SY0-601 CompTIA Security+ : 3.8

As a security professional, you’ll have many options for managing your passwords. In this video, you’ll learn about password keys, password vaults, trusted platform modules, hardware security modules, and knowledge-based authentication.


One type of hardware-based authentication might be something like a password key. This is a physical device that you would plug into a USB port, and the system would use it as part of the authentication process. This would prevent someone else from logging into your account, even if they had your username and password. They would not be able to complete that authentication because they do not have this physical password key to plug into their system.

And like most things associated with the authentication process, we wouldn’t simply use this single form of authentication. We would still want to use some other types of authentication along with this. So we might use a username, a password, perhaps use this password key, and then maybe also use a personal identification number that’s associated with this password key. That way, someone couldn’t steal your key and gain access to the system. They would still need that additional authentication factor to gain access.

One thing you don’t want to do is to use exactly the same username and password for all of the different systems that you might authenticate with. Unfortunately, it’s difficult to remember a different password for every single system. In those particular cases, you might want to use a password vault. This is a password manager that allows you to store all of your passwords in one central secure area. And then you would be able to set different passwords for every single location you logged into.

The core database of this password manager would all be encrypted data. So even if somebody gained access to your password vault, they still would not be able to see any of the passwords that you use. There are often cloud synchronization options available with the software so that you could set up passwords, encrypt them on your local machine, and that encrypted information would be shared in the cloud. This would allow you to access those passwords from wherever you happened to be. And the passwords themselves would all be stored safely in the cloud.

With so many breaches occurring on so many different sites, it’s now very easy for an attacker to be able to gather usernames and passwords. If you’re able to change the password on every single site that you access, having access to one single site’s authentication would not allow someone access to your account on a different site. And of course, there are options for these password vaults to use for not only personal use but to use in a corporate environment as well so that administration would have access to all of the passwords you would use for business purposes.
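The three paragraphs above describe how a password vault works: one encrypted database unlocked by a master password, a unique random password per site, and ciphertext that is safe to sync because it reveals nothing without the master password. The block below is an added example written for this page, not code from the course or from any real password manager. To stay standard-library only, it uses PBKDF2 for the master key and a SHA-256 counter-mode keystream with an HMAC tag (encrypt-then-MAC) as a stand-in for the vetted AEAD (such as AES-GCM) a real vault would use; the iteration count and layout are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Constructed example of a password vault's encrypted database.
# Stand-in cipher: SHA-256 counter-mode keystream + HMAC-SHA256 tag. It is
# built from the standard library so the example runs anywhere; a real vault
# would use a vetted AEAD such as AES-GCM instead.

KDF_ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password: str, entries: dict) -> bytes:
    """Encrypt the site->password map; returns salt || nonce || ciphertext || tag."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag first, then decrypt. Wrong password or tampering -> ValueError."""
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault tampered with")
    stream = _keystream(enc_key, nonce, len(body))
    return json.loads(bytes(a ^ b for a, b in zip(body, stream)))


def generate_password(length: int = 20) -> str:
    """A distinct random password for each site, so one breach exposes one site."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample entries: one unique password per site.
    entries = {"mail.example": generate_password(), "bank.example": generate_password()}
    blob = seal("correct horse battery staple", entries)
    print(f"vault is {len(blob)} bytes; plaintext visible in blob: "
          f"{any(p.encode() in blob for p in entries.values())}")
    print(open_vault("correct horse battery staple", entries and blob) == entries)
```

The tag is checked before anything is decrypted, so a synced copy that an attacker has modified, or a guess at the master password, is rejected without leaking partial plaintext; the per-site passwords from `generate_password` mean a dump from one site's breach cannot be replayed at another.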

If you’re using any advanced cryptography on your system, especially if you’re doing full-disk encryption, then you’re probably using a Trusted Platform Module or TPM. This is a feature that’s either built into the motherboard you’re using, or it might be a module that you can add to the motherboard. It provides additional secure cryptographic functions, such as random number generation and key generation, performed inside the Trusted Platform Module.

These TPMs often have keys that are burned into the TPM that can’t be changed. That means if you do see this key in use, you know exactly what TPM it’s associated with. We can also securely store keys on this TPM. And that storage is protected from any type of brute-force attack.

If you’re managing a large number of servers that are using encryption, then you need some way to centralize the management of all of these different keys. One way to do that is to use a Hardware Security Module or HSM. This is usually a server like the one we see here. But it usually has specialized hardware inside that allows it to perform cryptographic functions very, very quickly. This means this HSM can be used for centralized storage of all of our encryption and decryption keys.

And we also have accelerators inside of this device that can offload the encryption and decryption process from our servers and instead perform that function inside of this specialized hardware. It’s common to see these HSMs used in very large environments. And because of that, we’re going to need redundancy for these keys as well. So we might have multiple HSMs. And each one of those may have redundant power supplies to maintain the uptime and availability of all of our HSMs.

During the authentication process, you may find that you’re asked for some very specific information that only you might know. This is called Knowledge-Based Authentication or KBA. You may find two different kinds of KBA. One is a static KBA. And the other is a dynamic KBA. Static KBA is some type of secret that we’ve previously configured in our system. This is usually used to change a password or recover an account on a system. You might be asked a question that was previously configured when you originally made the account. For example, you may be asked what the make and model of your first car is. And you would have to answer that correctly in order to perform that account reset.

A dynamic KBA might be used for a similar purpose. But the question that’s being posed to you is not a question that you previously configured in the system. This uses an identity verification service, and it may pull information from public records or from private information in order to pose a question to you. For example, it might ask you what the street number was when you lived at a particular address. Only you should be able to answer that question, and you would typically have to answer within a short period of time in order to be allowed to perform this reset.