CertiGuide to Security+  9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)       9  1.2  Authentication

1.2.6  Multi-Factor 1 1.2.8  Biometrics

(Also refer to 4.3)

Mutual authentication involves both parties authenticating themselves to each other. It’s a two-way transaction. IE, the server authenticates itself to the client and the client authenticates itself to the server. As described in section 1.2.1, Kerberos can be configured to use mutual authentication. Another option is for a client and a server to trust a third party, such as a certificate authority, which can authenticate each party to the other.

Why bother to do this? Shouldn’t the client trust their organization’s server? MAYBE. But most likely, the answer to, “Shouldn’t the client trust that arbitrary e-commerce site they reached via a web link?” is PROBABLY NOT. The client may want to verify that it is connecting to the real server it requested, rather than an impostor run by a malicious user. If you’re connecting to an e-commerce web site, and about to provide your personal information and credit card number, you might want to make sure that the server really is the one you think it is. Malicious users have perpetrated more than one web scam by duping users into entering credit card information into a fake copy, run by the scammer, of a well-known e-commerce site.

1.2.6  Multi-Factor 1 1.2.8  Biometrics