[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbV_iDzIsuadgDFIYm_T9nGA3Fwo0rXz_K5YLLDwkQLQ":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":7,"wordCount":8,"readTime":9,"title":10,"nbDownloads":11,"excerpt":7,"lang":12,"url":13,"intro":14,"featured":4,"state":15,"author":16,"authorId":17,"datePublication":21,"dateCreation":22,"dateUpdate":23,"mainCategory":24,"categories":44,"metaDatas":50,"imageUrl":51,"imageThumbUrls":52,"id":60},false,"Strong authentication (generally based on a single factor) is authentication based on a **cryptographic mechanism** whose **parameters and security are considered to be robust** (the secret element is generally a cryptographic key).\r\n\r\nAuthentication protocols that can be considered strong are often based on **challenge-response protocols**.\r\n\r\nThe message sent by the prover to authenticate himself depends on both a **secret key** and a **variable challenge** sent by the verifier.\r\n\r\nWhen a prover wishes to prove his identity to a verifier, the latter sends him a challenge (a random value, for example) and the prover must send back a **response calculated from this specific challenge** (a signature of this challenge, for example).\r\n\r\nIn order to be considered strong, authentication must be based on a **cryptographic protocol** which is able to **resist certain attacks**, such as:\r\n\r\n- **eavesdropping**, in which an attacker passively listens on the communication channel between the prover and the verifier;\r\n- **replay attacks**, in which an attacker recovers authentication information (such as a password or its hash) and replays it in order to usurp the target's identity;\r\n- **man-in-the-middle attacks**, in which an attacker intercepts and modifies communications between the prover and the verifier during authentication without being detected;\r\n- **forgery** (the non-forgeability property): if an attacker observes several authentication exchanges with a prover, he must not be able to usurp the prover's identity in a new authentication exchange.\r\n\r\nExamples of **strong authentication based on a possession factor** include:\r\n\r\n- **certificate-based authentication** (with the certificate stored on a smart card, for example);\r\n- the **FIDO2 and FIDO U2F protocols**;\r\n- **OTP** (One-Time Password) protocols such as **HOTP** (HMAC-based OTP [32]), **TOTP** (Time-based OTP [34]) or **OCRA** (OATH Challenge-Response Algorithm [33]).\r\n\r\nIn each of these cases, the prover proves his identity to the verifier by **indirectly demonstrating possession of a cryptographic key which must remain secret**.\r\n\r\nExamples of strong authentication based on a **knowledge factor** include:\r\n\r\n- the Kerberos protocol [27];\r\n- PAKE (Password-Authenticated Key Agreement) protocols such as SPAKE2 [3] or OPAQUE [20].\r\n\r\n> Dastra helps you comply with the GDPR, [**request a demo to find out more**](https://www.dastra.eu/en/contacts/demo).",
"\u003Cp>Strong authentication (generally based on a single factor) is authentication based on a \u003Cstrong>cryptographic mechanism\u003C/strong> whose \u003Cstrong>parameters and security are considered to be robust\u003C/strong> (the secret element is generally a cryptographic key).\u003C/p>\r\n\u003Cp>Authentication protocols that can be considered strong are often based on \u003Cstrong>challenge-response protocols\u003C/strong>.\u003C/p>\r\n\u003Cp>The message sent by the prover to authenticate himself depends on both a \u003Cstrong>secret key\u003C/strong> and a \u003Cstrong>variable challenge\u003C/strong> sent by the verifier.\u003C/p>\r\n\u003Cp>When a prover wishes to prove his identity to a verifier, the latter sends him a challenge (a random value, for example) and the prover must send back a \u003Cstrong>response calculated from this specific challenge\u003C/strong> (a signature of this challenge, for example).\u003C/p>\r\n\u003Cp>In order to be considered strong, authentication must be based on a \u003Cstrong>cryptographic protocol\u003C/strong> which is able to \u003Cstrong>resist certain attacks\u003C/strong>, such as:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cstrong>eavesdropping\u003C/strong>, in which an attacker passively listens on the communication channel between the prover and the verifier;\u003C/li>\r\n\u003Cli>\u003Cstrong>replay attacks\u003C/strong>, in which an attacker recovers authentication information (such as a password or its hash) and replays it in order to usurp the target's identity;\u003C/li>\r\n\u003Cli>\u003Cstrong>man-in-the-middle attacks\u003C/strong>, in which an attacker intercepts and modifies communications between the prover and the verifier during authentication without being detected;\u003C/li>\r\n\u003Cli>\u003Cstrong>forgery\u003C/strong> (the non-forgeability property): if an attacker observes several authentication exchanges with a prover, he must not be able to usurp the prover's identity in a new authentication exchange.\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>Examples of \u003Cstrong>strong authentication based on a possession factor\u003C/strong> include:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cstrong>certificate-based authentication\u003C/strong> (with the certificate stored on a smart card, for example);\u003C/li>\r\n\u003Cli>the \u003Cstrong>FIDO2 and FIDO U2F protocols\u003C/strong>;\u003C/li>\r\n\u003Cli>\u003Cstrong>OTP\u003C/strong> (One-Time Password) protocols such as \u003Cstrong>HOTP\u003C/strong> (HMAC-based OTP [32]), \u003Cstrong>TOTP\u003C/strong> (Time-based OTP [34]) or \u003Cstrong>OCRA\u003C/strong> (OATH Challenge-Response Algorithm [33]).\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>In each of these cases, the prover proves his identity to the verifier by \u003Cstrong>indirectly demonstrating possession of a cryptographic key which must remain secret\u003C/strong>.\u003C/p>\r\n\u003Cp>Examples of strong authentication based on a \u003Cstrong>knowledge factor\u003C/strong> include:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>the Kerberos protocol [27];\u003C/li>\r\n\u003Cli>PAKE (Password-Authenticated Key Agreement) protocols such as SPAKE2 [3] or OPAQUE [20].\u003C/li>\r\n\u003C/ul>\r\n\u003Cblockquote>\r\n\u003Cp>Dastra helps you comply with the GDPR, \u003Ca href=\"https://www.dastra.eu/en/contacts/demo\">\u003Cstrong>request a demo to find out more\u003C/strong>\u003C/a>.\u003C/p>\r\n\u003C/blockquote>\r\n",null,357,2,"Strong authentication",0,"en","strong-authentication","Definition of strong authentication in information systems security","Published",{"id":17,"displayName":18,"avatarUrl":19,"bio":7,"blogUrl":7,"color":7,"userId":17,"creationDate":20},38,"Paul-Emmanuel Bidault","https://static.dastra.eu/tenant-27/avatar/38/paul-emmanuel-bidault-150.jpg","2019-12-03T19:09:28","2023-12-26T13:49:33.624","2023-12-26T14:49:32.841876","2023-12-26T14:55:01.4240254",{"id":25,"name":26,"description":27,"url":28,"color":29,"parentId":7,"count":7,"imageUrl":30,"parent":7,"order":11,"translations":31},21,"Glossary","Definition of every word used by Dastra","glossary","#643bb0","https://static.dastra.eu/tag/b308b9d3-37af-4e92-8354-ab8adec1740a/documentation-1000.png",[32,36,40],{"lang":33,"name":34,"description":35},"fr","Glossaire","La définition de tous les termes utilisés dans Dastra",{"lang":37,"name":38,"description":39},"es","Glosario","La definición de todos los términos utilizados en Dastra",{"lang":41,"name":42,"description":43},"de","Glossar","Die Definition aller in Dastra verwendeten 
Begriffe",[45],{"id":25,"name":26,"description":27,"url":28,"color":29,"parentId":7,"count":7,"imageUrl":30,"parent":7,"order":11,"translations":46},[47,48,49],{"lang":33,"name":34,"description":35},{"lang":37,"name":38,"description":39},{"lang":41,"name":42,"description":43},[],"https://static.dastra.eu/content/041b3add-6075-40f3-9e68-2db30c8cd39a/strong-authentication-original.png",[53,54,55,56,57,58,59],"https://static.dastra.eu/content/041b3add-6075-40f3-9e68-2db30c8cd39a/strong-authentication-1000.webp","https://static.dastra.eu/content/041b3add-6075-40f3-9e68-2db30c8cd39a/strong-authentication.webp","https://static.dastra.eu/content/041b3add-6075-40f3-9e68-2db30c8cd39a/strong-authentication-1500.webp","https://static.dastra.eu/content/041b3add-6075-40f3-9e68-2db30c8cd39a/strong-authentication-800.webp","https://static.dastra.eu/content/041b3add-6075-40f3-9e68-2db30c8cd39a/strong-authentication-600.webp","https://static.dastra.eu/content/041b3add-6075-40f3-9e68-2db30c8cd39a/strong-authentication-300.webp","https://static.dastra.eu/content/041b3add-6075-40f3-9e68-2db30c8cd39a/strong-authentication-100.webp",56299]