Unit 2: Computing Security Concepts and Problems 2 2.1 Computing Security Concepts and Problems 2 ...

mac2022-06-30  24

>> Another important cybersecurity model is the AAA or triple A model, which doesn't have anything to do with the American Automobile Association.

The first A refers to authentication, which is the process of proving you are who you say you are.

When you claim you are someone, that's called identification.


When you prove it, that's authentication.


If I drove from Rochester to Canada and told the border patrol, "I'm Jonathan S. Wiseman, let me into Canada," I would get some strange looks at the very least.

Authentication requires proof in one of three possible forms: something you know, like a password; something you have, like a key fob; something you are -- biometrics.

When you combine more than one of these categories, that's called multifactor authentication, and that really is the future of authentication.

Multifactor authentication makes it really hard to authenticate as someone else -- impersonating them.

Because if a hacker steals your password, he'd also have to possess a small key fob with a code that rotates in parallel with code on the server you're logging into.

Or he'd need your iris, retina, or hand geometry.


Using two passwords is not multifactor authentication because they both fall under the same "something you know" category.

It's like putting two locks on your door at home that could be opened with the same key.


There was a belief at some point that biometrics would simply replace passwords.


But especially with all the data breaches in recent years, it's very clear that while you can change your password, you simply cannot change your biometrics.

If your biometrics are stolen, then what?


You also lose anonymity when using credentials that are directly tied to you.


Your profile can easily be constructed, tied to all your actions, linking together everything you do and everywhere you go in cyberspace.

Not that sharing credentials is necessarily a good thing, but if you temporarily had to, for instance, in an emergency situation where biometrics were the only option, then what would you do?

What happens when you grow a beard and the biometric authentication fails?


False positives and false negatives are legitimate issues and could restrict or even allow access in error.

These are the most compelling arguments for a combination of authentication methods known as 2FA or two-factor authentication.

Many companies like Google, LinkedIn, and banks have recently enabled their sites for this 2FA system.

Sending codes to your phone through SMS, short message service -- text messages -- you use these codes that are texted to your phone in addition to a password to access an account.

NIST, the National Institute of Standards and Technology, subsequently denounced two-factor authentication through text messages.

They stated that 2FA with SMS should be deprecated immediately due to the fact that SMS messages can be intercepted or redirected.

NIST recommended other options like Google Authenticator or even certain USB dongles.

However, Google, Twitter, Facebook, and tons of other major websites are still using text messages for two-factor authentication today.

NIST's demand at least to this point has been completely ignored by both companies and their users.


Reposted from: https://www.cnblogs.com/sec875/articles/10299666.html
