Further Reading: Authentication
Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order; you do not need to read everything before Chapter 17.
Suggested order
- Read the NIST SP 800-63B sections on authenticators and AAL to anchor the assurance model and the modern password guidance (this chapter's spine).
- Skim the OWASP Authentication Cheat Sheet and Password Storage Cheat Sheet for the concrete engineering do's and don'ts.
- Browse the FIDO Alliance explainer on passkeys and WebAuthn to see phishing resistance from the standards body that defines it.
- Keep a Security+ or CISSP reference nearby for the factor/biometric/MFA terminology as you study.
Standards & primary documents (Tier 1)
- NIST, SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management. 📋🏗️📜 The authoritative source for authenticator assurance levels (AAL1–3), modern password guidance (length over complexity, no forced periodic expiration, screen breached passwords), and the requirement that AAL3 be phishing-resistant. The single most important reading for this chapter.
- NIST, SP 800-63 (suite overview). 📋📜 Context for how authentication (63B) fits with identity proofing (63A) and federation (63C) — the last of which sets up Chapter 18.
- W3C, Web Authentication (WebAuthn) specification. 🏗️ The browser API behind passkeys and security keys; read the registration/authentication ceremony to see the origin-bound challenge-response in full.
- FIDO Alliance, passkeys and FIDO2/CTAP resources (fidoalliance.org). 🏗️📜 The standards body's own explainers on how phishing-resistant, public-key authentication works and how passkeys sync vs. bind to hardware. Clear, vendor-neutral, and current.
- OWASP, Authentication Cheat Sheet and Password Storage Cheat Sheet (cheatsheetseries.owasp.org). 🏗️🛡️ The practical engineering companion to this chapter: exactly how to hash (Argon2id/bcrypt/scrypt parameters), how to handle lockout and MFA, and the anti-patterns to avoid in code review.
- OWASP, Credential Stuffing Prevention Cheat Sheet. 🛡️🏗️ The defender's playbook for the §16.6 attack: breach-password screening, bot defense, rate-limiting, and step-up MFA — the Case Study 2 control stack, sourced.
- PCI-DSS v4.0 (PCI Security Standards Council). 📋📜 The MFA requirements for cardholder-data and administrative access that Meridian maps to in Case Study 1 — and the floor it goes beyond.
- CISA, guidance on phishing-resistant MFA and MFA for everyone. 📋🛡️ Government advisories making the operational case for FIDO2/WebAuthn over phishable factors, with the threat context (push fatigue, SIM swap, AITM) that drives the recommendation.
Reports & evidence (Tier 1 / Tier 2)
- Verizon, Data Breach Investigations Report (DBIR) (annual). 🛡️📋 Year after year, stolen and weak credentials and phishing dominate breach causes — the empirical case that authentication is the most attacked control. (Tier 1 for the report; cite the specific year's figures, not from memory.)
- Industry reporting on the 2022 MFA-fatigue breaches of large technology firms. 🛡️ Real-world demonstrations that push bombing defeats humans, not crypto — the motivation for number matching and for moving crown-jewel access to phishing-resistant MFA. (Tier 2: read well-sourced accounts; specifics vary by retelling.)
- Reporting on SIM-swap account-takeover cases. 🛡️📋 Concrete illustrations of why "possession of a phone number" is weaker than it looks (§16.3). (Tier 2.)
Books (Tier 1)
- Anderson, R., Security Engineering (3rd ed.). 🏗️ The chapters on passwords, authentication, and biometrics are a deep, opinionated survey of how these systems fail in the real world — including the human factors this chapter emphasizes.
- Chapple, M., & Seidl, D., CompTIA Security+ Study Guide. 📜 Exam-aligned coverage of factors, MFA, biometrics (FAR/FRR/CER), and federated identity at the depth Security+ tests.
- Harris, S., & Maymí, F., CISSP All-in-One Exam Guide. 📜📋 The Identity and Access Management domain treats AAL, authentication models, and biometric error rates at the breadth CISSP expects.
Tools to explore (in your own lab / accounts only)
- A reputable breach-check service exposing a range/k-anonymity API (e.g., a have-I-been-pwned-style service). 🛡️🏗️ The real-world version of authn.py's breached_prefix — see how only a hash prefix is sent so the password is never revealed. Use it on your own accounts to understand the privacy model.
- A FIDO2 hardware security key or your device's platform passkey support. 🏗️ Enroll one on a personal account (only) and feel the absence of a code to type — the §16.4 property an attacker cannot exploit.
- A password manager. 🏗️🛡️ The practical enabler of long, unique, random passwords per site, which kills the password reuse that powers credential stuffing.
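To see the privacy model of the range/k-anonymity check concretely, here is an added example (not code from the chapter's authn.py and not any service's own code): a simulated range endpoint over a small constructed breached-password corpus, and the client-side check that a breached_prefix-style function performs. The names fake_range_endpoint, breached_count and is_acceptable, and the corpus contents, are assumptions made for this example.

```python
import hashlib
from typing import Callable

PREFIX_LEN = 5  # the range API takes only the first 5 hex chars of the SHA-1

# Constructed breached-password corpus standing in for the service's dataset
# (made-up entries and counts for this example, not real breach data).
_CONSTRUCTED_BREACHED = {"password123": 1_200_000, "letmein": 350_000, "Spring2024!": 42}

# Server-side index the way a range endpoint stores it: prefix -> [(suffix, count)].
# SHA-1 is the lookup key of this protocol only; password *storage* still uses
# Argon2id/bcrypt/scrypt as the OWASP Password Storage Cheat Sheet describes.
_INDEX: dict[str, list[tuple[str, int]]] = {}
for _pw, _n in _CONSTRUCTED_BREACHED.items():
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _INDEX.setdefault(_h[:PREFIX_LEN], []).append((_h[PREFIX_LEN:], _n))

SEEN_PREFIXES: list[str] = []  # everything the simulated server ever receives


def fake_range_endpoint(prefix: str) -> str:
    """Simulated /range/{prefix} handler: it only ever learns 5 hex characters."""
    assert len(prefix) == PREFIX_LEN and all(c in "0123456789ABCDEF" for c in prefix)
    SEEN_PREFIXES.append(prefix)
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in _INDEX.get(prefix, []))


def breached_count(password: str,
                   fetch_range: Callable[[str], str] = fake_range_endpoint) -> int:
    """Client side of the k-anonymity check: hash locally, send the prefix,
    and compare the returned suffixes locally. The full hash never leaves here."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # no suffix matched: not in the breached set


def is_acceptable(password: str, min_length: int = 8) -> bool:
    """Registration policy in the spirit of SP 800-63B: a length floor plus
    breach screening, with no complexity rules or forced expiration."""
    return len(password) >= min_length and breached_count(password) == 0


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        verdict = "ok" if is_acceptable(pw) else "rejected"
        print(f"{pw!r}: seen in {breached_count(pw)} breaches -> {verdict}")
```

Swap fake_range_endpoint for an HTTP call to a real range API and the client logic is unchanged; SEEN_PREFIXES shows that the server side observed nothing but 5-character prefixes.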
⚖️ Authorization & Ethics reminder: Several resources describe credential attacks (stuffing, spraying, SIM swap, AITM) in operational detail. Study them to defend — to build the detections and controls in §16.6. Apply any technique only to systems and accounts you own or are explicitly authorized to test (Chapter 39). Biometric data in particular is sensitive and often legally regulated; handle it as if it were irrevocable, because it is.