Page 973 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

                  In contrast, if the message containing the numeric code is sent to
                  an email address or a phone using Voice over Internet Protocol
                  (VoIP), it isn’t possible to uniquely identify the device receiving the
                  message. SP 800-63B recommends against using a device if it isn’t
                  possible to prove possession of the device, such as when the code is
                  sent as an email or using VoIP.

                  SP 800-63B has noted some risks with sending codes using the
                  Short Message Service (SMS). SMS messages can sometimes be
                  intercepted, and they can also be sent to VoIP devices.
                  As a better alternative, SP 800-63B recommends the use of push
                  notifications. A push notification first establishes an authenticated
                  protected channel. Once the channel is established, it sends the
                  notification to the receiving device.




               Biometrics

               Another common authentication and identification technique is the
               use of biometrics. Biometric factors fall into the Type 3, something
               you are, authentication category.

               Biometric factors can be used as an identifying or authentication
               technique, or both. Using a biometric factor instead of a username or
               account ID as an identification factor requires a one-to-many search of
               the offered biometric pattern against a stored database of enrolled and
               authorized patterns. Capturing a single image of a person and
               searching a database of many people looking for a match is an example
               of a one-to-many search. As an identification technique, biometric
               factors are used in physical access controls.

               Using a biometric factor as an authentication technique requires a
               one-to-one match of the offered biometric pattern against a stored
               pattern for the offered subject identity. In other words, the user claims
               an identity, and the biometric factor is checked to see if the person
               matches the claimed identity. As an authentication technique,
               biometric factors are used in logical access controls.
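
The one-to-many search and the one-to-one match described above can be contrasted in code. This is an added Python example, not taken from the study guide; the enrolled feature vectors, the Euclidean distance metric, and the match threshold are all constructed assumptions.

```python
import math

# Constructed enrollment database: subject ID -> stored template (feature vector).
ENROLLED = {
    "alice": (0.12, 0.80, 0.33, 0.57),
    "bob":   (0.90, 0.15, 0.62, 0.08),
    "carol": (0.45, 0.47, 0.91, 0.30),
}
THRESHOLD = 0.10  # assumed maximum distance that still counts as a match

# Constructed samples: a fresh capture from alice, and an unenrolled person.
ALICE_SAMPLE = (0.13, 0.79, 0.35, 0.55)
STRANGER_SAMPLE = (0.50, 0.50, 0.50, 0.50)


def verify(claimed_id, sample, db=ENROLLED, threshold=THRESHOLD):
    """Authentication: one-to-one match against the claimed identity only."""
    template = db.get(claimed_id)
    if template is None:  # an identity that was never enrolled is rejected
        return False
    return math.dist(sample, template) <= threshold


def identify(sample, db=ENROLLED, threshold=THRESHOLD):
    """Identification: one-to-many search; returns (best ID or None, comparisons)."""
    best_id, best_dist, comparisons = None, float("inf"), 0
    for subject_id, template in db.items():
        comparisons += 1
        d = math.dist(sample, template)
        if d < best_dist:
            best_id, best_dist = subject_id, d
    # The closest template is accepted only if it is within the threshold;
    # otherwise the subject is treated as not enrolled.
    return (best_id if best_dist <= threshold else None), comparisons


if __name__ == "__main__":
    # No identity is claimed: every enrolled template is searched.
    print("identify(alice sample):   ", identify(ALICE_SAMPLE))
    print("identify(stranger sample):", identify(STRANGER_SAMPLE))
    # An identity is claimed: only that subject's template is compared.
    print("verify('alice', alice sample):", verify("alice", ALICE_SAMPLE))
    print("verify('bob', alice sample):  ", verify("bob", ALICE_SAMPLE))
    print("verify('dave', alice sample): ", verify("dave", ALICE_SAMPLE))
```

The identification path performs one comparison per enrolled subject, so every added enrollee is another chance for a false match, while the authentication path compares against a single stored pattern.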

               Biometric characteristics are often defined as either physiological or
               behavioral. Physiological biometric methods include fingerprints, face