= digital authentication =
Establish confidence in the identity of a user (or process) in an electronic system.

== requirements ==
* Identify system users, processes, etc.
* Authenticate the identity of those users, processes, etc.

Derived requirements from this:
* use multi-factor authentication
* be replay resistant
* prevent reuse of identifiers for a defined period
* disable an identifier after a defined period of inactivity
* enforce a minimum complexity for passwords
* prohibit password reuse for a specified number of generations
* store and transmit only cryptographically protected passwords
* obscure feedback from authentication
** i.e. return the same generic failure for a wrong password and for a nonexistent user; don't say "wrong password" or "user does not exist", since the difference tells an attacker which identifiers exist

== means of authentication ==
* password/PIN
** the identifier that goes with the password must be unique
** Vulns
*** dictionary attack (try a wordlist against a stored or captured hash)
*** popular password (try a few common passwords against many users)
*** password guessing against one user
*** social engineering the password out of the user
* physical token (e.g. smart card)
* static biometrics (e.g. fingerprint, face)
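The following is an added example, not code from the original notes, showing what the password-related derived requirements above look like in one small credential store: salted, iterated hashing so only a cryptographically protected value is stored; minimum length and a popular-password denylist; no reuse for a number of generations; lockout after repeated guesses against one user; disabling after inactivity; and a single generic failure message whatever the cause. It also includes the attacker's side of the "dictionary" vuln, an offline guess loop against a leaked salt/digest pair, to show that the salt and work factor are what make that attack expensive. All policy constants, the denylist, and the usernames/passwords are assumptions chosen for the example; PBKDF2 is used because it is in the standard library, not because the notes mandate it.

```python
import hashlib
import hmac
import os
import time

# Policy constants: assumed values for this example, not taken from the notes.
ITERATIONS = 100_000          # PBKDF2-HMAC-SHA256 work factor; raise in production
MIN_LEN = 12                  # minimum password length
HISTORY = 5                   # generations (current + previous) that may not be reused
MAX_FAILURES = 5              # failed guesses before the account is locked
LOCKOUT_SECS = 15 * 60        # lockout duration, throttles guessing against one user
INACTIVITY_SECS = 90 * 86400  # disable an identifier unused for this long
GENERIC_FAILURE = "authentication failed"  # same text for every failure cause

# Constructed denylist standing in for a real breached/popular-password list.
POPULAR = {"password", "123456", "qwerty", "letmein", "welcome1",
           "correcthorsebatterystaple"}


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: only this value is ever stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_policy(password: str, history: list) -> None:
    """Minimum complexity, denylist, and no reuse within the last HISTORY generations."""
    if len(password) < MIN_LEN:
        raise ValueError("password shorter than %d characters" % MIN_LEN)
    if password.lower() in POPULAR:
        raise ValueError("password is on the popular-password denylist")
    for salt, digest in history[-HISTORY:]:
        if hmac.compare_digest(derive(password, salt), digest):
            raise ValueError("password reused within the last %d generations" % HISTORY)


class CredentialStore:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so lockout and inactivity can be exercised offline
        self.users = {}

    def register(self, username: str, password: str) -> None:
        if username in self.users:
            raise ValueError("identifier must be unique")
        check_policy(password, [])
        salt = os.urandom(16)
        self.users[username] = {
            "history": [(salt, derive(password, salt))],  # newest entry last
            "failures": 0, "locked_until": 0.0,
            "last_seen": self.clock(), "disabled": False,
        }

    def change_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        check_policy(new_password, user["history"])
        salt = os.urandom(16)
        user["history"].append((salt, derive(new_password, salt)))
        del user["history"][:-HISTORY]  # keep only the last HISTORY generations

    def verify(self, username: str, password: str) -> tuple:
        """Returns (ok, message); the message never says *why* a login failed."""
        now = self.clock()
        user = self.users.get(username)
        if user is None:
            derive(password, b"\x00" * 16)  # spend the same time as a real check
            return False, GENERIC_FAILURE
        if now - user["last_seen"] > INACTIVITY_SECS:
            user["disabled"] = True
        if user["disabled"] or now < user["locked_until"]:
            derive(password, b"\x00" * 16)
            return False, GENERIC_FAILURE
        salt, digest = user["history"][-1]
        if hmac.compare_digest(derive(password, salt), digest):
            user["failures"] = 0
            user["last_seen"] = now
            return True, "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCKOUT_SECS
        return False, GENERIC_FAILURE


def offline_dictionary_attack(stored_entry: tuple, wordlist):
    """Attacker's view of a leaked (salt, digest) pair: each candidate costs one
    full PBKDF2 run, and the per-user salt rules out precomputed tables."""
    salt, digest = stored_entry
    for candidate in wordlist:
        if hmac.compare_digest(derive(candidate, salt), digest):
            return candidate
    return None
```

The clock is injected so the lockout and inactivity paths can be tested without waiting; in production leave the default. Note that the policy errors from `check_policy` are meant for the password-change screen, where the user is already authenticated, while `verify` deliberately collapses every failure (unknown user, wrong password, locked, disabled) into the same string.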