1. Security Password Policy
A Security Password Policy defines a set of rules that govern how passwords should be created, managed, and used to ensure the protection of sensitive data and systems. The goal of such policies is to minimize the risk of password-related security breaches by enforcing strong, unique, and regularly updated passwords. This section covers the essential elements of a security password policy and its importance in maintaining organizational security.
1.1 Importance of a Security Password Policy
Inadequate password management can lead to unauthorized access, data breaches, and system compromise. A robust password policy provides clear guidelines to ensure that users create and maintain secure passwords, reducing the risk of account compromise and protecting sensitive information.
- Prevents Unauthorized Access: Weak passwords can be easily guessed or cracked, granting attackers access to sensitive data and systems.
- Mitigates Security Risks: Strong, unique passwords reduce the likelihood of brute-force, dictionary, and credential-stuffing attacks. They do nothing against phishing, which captures the password regardless of its strength; that gap is what the MFA and certificate sections below address.
- Compliance with Regulations: Some standards set explicit password requirements (e.g., PCI DSS Requirement 8); others, such as GDPR and HIPAA, require "appropriate" technical safeguards, for which a documented password policy is a baseline expectation of auditors.
1.2 Key Components of a Security Password Policy
A strong password policy typically includes the following elements:
1.2.1 Password Complexity
To ensure that passwords are hard to guess or crack, a password policy should enforce complexity requirements. This includes:
- Minimum Length: Passwords should be at least 12-16 characters long.
- Character Variety: Policies commonly require a mix of uppercase letters, lowercase letters, numbers, and special characters. Note that NIST SP 800-63B recommends against mandatory composition rules, because they push users toward predictable substitutions ("P@ssw0rd1!"); it favors length plus screening against lists of known-breached passwords.
- Avoidance of Common Patterns: Users should avoid predictable patterns (e.g., "password123") or personal information (e.g., names, birthdates).
1.2.2 Password Expiration and Rotation
Expiration policies aim to limit how long a compromised password stays usable. Forced periodic rotation was long considered best practice, but NIST SP 800-63B now recommends against it: users respond with predictable increments (Winter2023 becomes Winter2024), and an attacker who has the password typically uses it within hours, not months. Current guidance:
- Expiration Period: Require a change when compromise is known or suspected rather than on a fixed schedule. Where a regulation or contract still mandates expiration, 60-90 days is the typical period.
- Password History: Users should not reuse their previous passwords to prevent recycling weak or compromised passwords.
1.2.3 Secure Password Storage
Passwords should be stored securely to prevent them from being exposed in the event of a data breach. Common practices include:
- Hashing: Passwords must be hashed with a slow, memory-hard or iterated algorithm designed for passwords (Argon2id, scrypt, bcrypt, or PBKDF2 with a high iteration count) before storage. Fast general-purpose hashes such as MD5 or a single SHA-256 are unsuitable because attackers can test billions of guesses per second against them.
- Salting: A unique random salt must be combined with each password before hashing. This defeats precomputed (rainbow table) attacks and ensures two users with the same password get different hashes. Modern password hashing functions generate and embed the salt automatically; it must never be a fixed or per-site constant.
- Encryption: For additional security, password databases may be encrypted to prevent unauthorized access.
1.2.4 Password Recovery and Reset
Secure recovery and reset mechanisms should be in place to prevent unauthorized users from gaining access through password resets. Guidelines include:
- Multi-factor Authentication (MFA): Password resets should require verification through a factor the user already registered, such as an OTP to an enrolled device or a hardware key. Security questions are a second knowledge factor, not a second factor; their answers are often guessable or public, and NIST SP 800-63B no longer permits them as an authenticator.
- Temporary Passwords: If a temporary password is issued during recovery, it should be time-limited and require immediate change after login.
1.3 Password Policy Enforcement
For a password policy to be effective, it must be enforced consistently across the organization. Methods for enforcement include:
- Automated Password Checks: Systems should automatically enforce complexity, length, and reuse policies during password creation and updates.
- User Training: Employees should be trained on the importance of password security and the organization's specific password policies.
- Regular Audits: Regular password audits ensure that the policy is being followed and that any weak or compromised passwords are flagged.
2. Security Password Policy Elements - Management
Effective management of passwords is critical to ensuring the security and integrity of systems. Password management encompasses the processes and technologies used to create, store, update, and enforce password policies within an organization. Proper management reduces the risk of breaches caused by weak or compromised passwords and ensures compliance with security standards.
2.1 Password Creation
Password creation is the first line of defense against unauthorized access. Organizations must enforce policies that ensure users create strong, secure passwords. This includes:
- Complexity Requirements: Enforcing the use of upper and lowercase letters, numbers, and special characters.
- Prohibited Patterns: Blocking common patterns, easily guessable information (e.g., "password123"), and dictionary words.
- Password Length: Requiring passwords to be long enough to resist brute-force attacks (e.g., 12-16 characters).
2.2 Password Storage and Protection
Storing passwords securely is crucial to prevent their exposure in case of a breach. Best practices for password storage include:
- Hashing: Passwords should be hashed using a strong algorithm (e.g., bcrypt, Argon2) to prevent attackers from retrieving plaintext passwords.
- Salting: A unique salt should be added to each password before hashing to mitigate precomputed attacks such as rainbow tables.
- Encryption: Encrypting password storage databases adds an additional layer of security, making it harder for attackers to access hashed passwords.
- Access Control: Limiting access to password databases and ensuring only authorized personnel can manage or view password data.
2.3 Password Rotation and Expiration
Rotation limits how long a compromised password remains usable. Because forced periodic changes produce predictable passwords (see 1.2.2), current guidance favors event-driven rotation. Key management practices include:
- Password Expiration: Requiring a change on evidence of compromise, and enforcing a fixed validity period (e.g., 60-90 days) only where a regulation or contract mandates it.
- Password History: Enforcing a policy that prevents users from reusing their previous passwords, reducing the risk of credential reuse.
- Forced Updates: Prompting users to update their passwords after a security breach or suspected compromise.
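The storage and history practices in 2.2 and 2.3, as an added example that is not part of the original page: a salted hash record, constant-time verification, and a password-history check that works without ever keeping plaintexts. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, scrypt or Argon2id (whose Python bindings are third-party packages); the iteration count, the record format and the sample passwords are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

# Assumptions of this example: PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt/Argon2id,
# and the iteration count follows the OWASP 2023 recommendation for that algorithm.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (salt and hash in base64)."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest does not short-circuit on the first differing byte, so timing
    # does not reveal how much of the hash an attacker has matched.
    return hmac.compare_digest(candidate, expected)


def is_reused(new_password: str, history: list) -> bool:
    """Password-history check. Plaintexts are never kept, so the candidate must be
    re-hashed against every stored record (one PBKDF2 run per history entry)."""
    return any(verify_password(new_password, old) for old in history)


def demo() -> dict:
    """Constructed sample values; a low iteration count keeps the demo fast."""
    history = [hash_password("Winter2023!", iterations=10_000),
               hash_password("Winter2024!", iterations=10_000)]
    current = hash_password("correct-horse-battery", iterations=10_000)
    return {
        "login_ok": verify_password("correct-horse-battery", current),
        "wrong_password_rejected": not verify_password("Correct-horse-battery", current),
        "reuse_blocked": is_reused("Winter2024!", history),
        "fresh_password_allowed": not is_reused("Spring2025!", history),
        # Same password hashed twice gives different records because of the salt.
        "salts_differ": hash_password("x", 1_000) != hash_password("x", 1_000),
    }


if __name__ == "__main__":
    print(demo())
```

The record carries its own algorithm name and iteration count so the cost can be raised later: on a successful login the verifier can re-hash the password with the new parameters and replace the record, migrating users without a forced reset.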
2.4 Password Recovery and Reset
A secure password recovery process is essential to prevent unauthorized access through password resets. The following practices should be implemented:
- Multi-factor Authentication (MFA): Password recovery should require the user to prove possession of an enrolled factor (e.g., an OTP to a registered device or a hardware key). Security questions are knowledge-based, easily researched, and should not be relied on.
- Temporary Passwords: If a temporary password is issued during recovery, it should expire after a short period and force the user to create a new, secure password on first use.
- Secure Communication: Reset links and temporary passwords should be single-use, short-lived (minutes to an hour), generated from a cryptographically random token, and sent over TLS to the address or device registered before the reset was requested, never to one supplied in the reset request itself.
2.5 User Education and Training
Proper password management requires users to be aware of the organization's security policies. Regular training and guidelines should be provided to ensure compliance:
- Security Awareness Training: Educating users on the importance of strong passwords and password hygiene.
- Password Creation Best Practices: Providing clear instructions on how to create secure passwords that comply with organizational policies.
- Avoiding Common Mistakes: Training users to avoid practices like password sharing, writing down passwords, or using the same password across multiple accounts.
3. Password Complexity
Password complexity is a crucial aspect of security that ensures passwords are resistant to guessing, brute-force attacks, and other forms of unauthorized access. Implementing complex passwords increases the time and effort required for attackers to crack them. This section explores the elements of password complexity, why they are important, and how they are enforced.
3.1 Length
The length of a password significantly influences its strength. Longer passwords exponentially increase the number of possible combinations, making brute-force attacks more difficult.
- Recommended Length: A minimum of 12-16 characters is generally advised.
- Exponential Growth of Complexity: Each additional character multiplies the number of possible passwords by the size of the character set, so strength grows exponentially with length.
- Example: With the 95 printable ASCII characters, an 8-character password has 95^8 ≈ 6.6 × 10^15 possibilities, while a 16-character password has 95^16 ≈ 4.4 × 10^31. These figures assume every character is chosen uniformly at random; human-chosen passwords contain far less entropy than their length suggests, which is why cracking tools try dictionary words and patterns before exhaustive search.
3.2 Character Variety
Using a mix of character types (uppercase, lowercase, numbers, special symbols) adds complexity and makes it harder for attackers to guess passwords.
- Uppercase and Lowercase Letters: Distinguishing between 'A' and 'a' increases possible combinations.
- Numbers: Adding digits (0-9) expands the character set, increasing complexity.
- Special Characters: Symbols such as @, #, $, %, etc., further broaden the character set, making passwords more resistant to brute-force attacks.
Character variety only helps when the characters are genuinely unpredictable. Composition rules alone do not defeat dictionary attacks: cracking tools apply "mangling rules" that capitalize a word, append digits, and swap in symbols, so "Password123!" satisfies a four-class policy and is still among the first guesses tried. Screening candidate passwords against lists of known-breached passwords is the more effective control.
3.3 Avoidance of Predictable Patterns
Many users create passwords based on common patterns, such as using birthdays, names, or sequences (e.g., "12345" or "qwerty"). Such patterns are easy to guess and should be avoided.
- Common Patterns: Attackers often use lists of common words, phrases, and patterns in dictionary attacks.
- Best Practices: Passwords should avoid dictionary words, keyboard patterns, and personal information (like names or dates).
- Example: Avoid simple substitutions like "P@ssw0rd" (a common variation of "password"); cracking tools undo these substitutions automatically, so the variant is no stronger than the original word.
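An added example (not code from the original page) of the screening described in 1.2.1, 2.1 and 3.3: the checker undoes common substitutions before consulting a blocklist, so "P@ssw0rd1!" is caught as "password", and it also flags sequential runs, keyboard walks and passwords containing the username. The breached-password set and the keyboard rows are constructed for the example; a production system checks against a full breach corpus.

```python
import re

MIN_LENGTH = 12

# Constructed stand-in for a breached-password corpus (real ones hold hundreds of millions
# of entries; production systems query them via a k-anonymity API rather than a local set).
BREACHED = {"password", "password123", "qwerty123", "letmein", "iloveyou", "admin123", "welcome"}

# Substitutions that cracking rule sets undo automatically; each symbol/digit maps to its letter.
LEET = str.maketrans("@4$5!1|03+7", "aassiiloett")

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def normalize(password: str) -> str:
    """Reduce a password to the word an attacker's rules would start from:
    lower-case, drop trailing digits/symbols, undo substitutions. 'P@ssw0rd1!' -> 'password'."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)


def has_sequence(s: str, run: int = 4) -> bool:
    """True if `s` contains `run` consecutive ascending or descending characters (abcd, 4321)."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_keyboard_walk(s: str, run: int = 4) -> bool:
    """True if `s` contains `run` adjacent keys from one keyboard row, in either direction (qwer, lkjh)."""
    s = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in BREACHED or normalize(password) in BREACHED:
        problems.append("matches a breached/common password once substitutions are undone")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if has_sequence(password):
        problems.append("contains a sequential run (e.g. 1234, abcd)")
    if has_keyboard_walk(password):
        problems.append("contains a keyboard walk (e.g. qwer, asdf)")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Qwerty!Summer2025", "alice2024abcd", "correct-horse-battery-staple"]:
        print("%-30s %s" % (candidate, check_password(candidate, username="alice") or "OK"))
```

Returning the full list of violations, rather than stopping at the first, lets the user interface explain every reason at once; the checker deliberately has no rule about character classes, following the NIST guidance discussed above.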
3.4 Prohibition of Password Reuse
Using the same password across multiple sites or reusing old passwords significantly increases the risk of compromise, especially in credential stuffing attacks (where attackers use leaked passwords from one site to access other accounts).
- Password History: Many systems enforce a password history policy to prevent users from reusing old passwords.
- Credential Stuffing: Attackers leverage databases of compromised passwords to attempt login on other platforms.
3.5 Use of Passphrases
Passphrases, or long sequences of random or unrelated words, are increasingly recommended as a way to meet complexity requirements while being easier to remember.
- Length and Randomness: A passphrase such as "PurpleHorseBatteryStaple" is long and memorable, but its strength comes from the words being chosen at random from a large list, not from being unusual-looking. Words the user picks, and well-known examples such as this one, appear in attackers' word lists.
- Entropy: Entropy measures how unpredictable a password is, in bits. A passphrase of k words chosen uniformly from a list of N words has k × log2(N) bits; five words from the 7,776-word Diceware list give about 64.6 bits, comparable to a 10-character fully random printable-ASCII password (10 × log2(95) ≈ 65.7 bits).
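The arithmetic from 3.1 and 3.5 in code, as an added example that is not part of the original page: keyspace and entropy for character passwords and word passphrases, a CSPRNG-based passphrase generator, and an expected crack-time estimate. The 16-word list is a constructed stand-in (only 4 bits per word); a real generator uses a published list such as the 7,776-word EFF/Diceware list, and the 10^10 guesses-per-second rate is an assumption standing in for an offline attack on a fast hash.

```python
import math
import secrets

# Constructed 16-word list for the example (4 bits per word). Real generators use a
# published list such as the 7,776-word EFF/Diceware list (12.9 bits per word).
WORDS = ["anchor", "bridge", "copper", "dune", "ember", "falcon", "glacier", "harbor",
         "island", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "prairie"]
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 7776


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random choice, in bits: length * log2(alphabet_size).
    Only valid when every symbol is chosen at random; human-chosen passwords have far less."""
    return length * math.log2(alphabet_size)


def generate_passphrase(word_count: int, words=WORDS, separator: str = "-") -> str:
    """Choose words with the CSPRNG behind `secrets`; `random.choice` is predictable and must not be used."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a password of the given entropy: half the keyspace at the given rate."""
    return 2 ** bits / 2 / guesses_per_second


def summary() -> dict:
    """The worked numbers from 3.1 and 3.5; 1e10 guesses/s is an assumed offline rate against a fast hash."""
    return {
        "ascii_8_keyspace": keyspace(PRINTABLE_ASCII, 8),       # 95^8  = 6634204312890625
        "ascii_16_keyspace": keyspace(PRINTABLE_ASCII, 16),     # 95^16 ≈ 4.4e31
        "ascii_8_bits": round(entropy_bits(PRINTABLE_ASCII, 8), 1),      # 52.6
        "ascii_16_bits": round(entropy_bits(PRINTABLE_ASCII, 16), 1),    # 105.1
        "diceware_5_bits": round(entropy_bits(DICEWARE_WORDS, 5), 1),    # 64.6
        "ascii_8_crack_days_at_1e10": crack_time_seconds(entropy_bits(PRINTABLE_ASCII, 8), 1e10) / 86400,
        "example_passphrase": generate_passphrase(5),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print("%-28s %s" % (key, value))
```

The crack-time figure is the reason storage matters as much as policy: the same 52.6-bit password that falls in under four days against a fast hash at 10^10 guesses per second survives for centuries against a password hash tuned to a few thousand guesses per second.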
3.6 Enforcement of Complexity
Organizations enforce password complexity through various technical means:
- Password Policies: Systems can require certain minimum complexity standards (length, variety, avoidance of reuse).
- Password Generators: Some systems offer password generators to ensure complexity without relying on user choices.
- Password Managers: Encourage users to store complex passwords securely in password managers, reducing the need to memorize them.
4. Password Alternatives - Multifactor Authentication (MFA)
Multifactor Authentication (MFA) enhances security by requiring multiple forms of verification before granting access to a system. By adding layers of security, it minimizes the risk of unauthorized access, even if a password is compromised. This section provides a detailed look into the components and benefits of MFA.
4.1 What is Multifactor Authentication (MFA)?
MFA is a security method that requires users to provide two or more verification factors to authenticate their identity. The idea is to combine something the user knows (password), something they have (device), and something they are (biometrics).
- Something You Know: Typically a password or PIN.
- Something You Have: A physical object, such as a smartphone or hardware token.
- Something You Are: Biometric data, such as fingerprints or facial recognition.
4.2 Factors of Authentication
Multifactor authentication relies on using at least two of the following categories of authentication factors:
4.2.1 Knowledge Factor (Something You Know)
This is typically a password or PIN known by the user. Passwords alone are vulnerable to guessing, theft, and phishing; MFA ensures that a password is only one part of the authentication process.
- Mitigation: If an attacker guesses or obtains the password, they still cannot access the system without the second factor.
4.2.2 Possession Factor (Something You Have)
This factor relies on something the user physically possesses. This could be a smartphone for receiving one-time passwords (OTPs), security tokens, or smart cards.
- One-Time Password (OTP): A temporary code sent via SMS, email, or generated by an app (e.g., Google Authenticator, Authy) that must be entered along with the password.
- Hardware Tokens: Dedicated devices, like RSA SecurID tokens, that generate time-based or event-based OTPs.
- Smart Cards: Cards with a tamper-resistant chip holding a private key and certificate; the chip signs an authentication challenge so the key never leaves the card (see section 5). Typically unlocked with a PIN, combining possession and knowledge.
- Security Keys (FIDO U2F / FIDO2): Physical keys (e.g., YubiKey) that users plug into a USB port or tap against an NFC reader. The key signs a challenge bound to the website's origin, which is what makes them phishing-resistant.
4.2.3 Inherence Factor (Something You Are)
This factor uses biometrics to verify a user's identity. Biometric matching is probabilistic (see section 6), and in most deployments (phone unlock, Windows Hello, FIDO authenticators) the match happens on the user's device and unlocks a locally stored cryptographic key; the biometric itself is never sent to the server.
- Fingerprints: Scanning a fingerprint to unlock a device or gain access to a system.
- Facial Recognition: Verifying identity using face recognition technology (e.g., Apple's Face ID).
- Retina/Iris Scans: Using eye scans to authenticate a user, typically used in high-security environments.
- Voice Recognition: Systems that identify users based on their voice patterns.
4.3 MFA Methods
Various MFA methods are used depending on the security requirements and user convenience. Some common methods include:
4.3.1 SMS and Email-based OTP
One of the most commonly used MFA methods, this sends a temporary OTP to the user’s phone via SMS or to their email. The OTP is time-sensitive and must be entered to complete authentication.
- Pros: Easy to implement and widely used.
- Cons: Vulnerable to SIM-swapping, SS7 interception, and email account takeover. Like every OTP, the code can also be phished in real time: a fake login page simply forwards it to the real site. NIST SP 800-63B classifies SMS OTP as "restricted".
4.3.2 Authentication Apps
Apps like Google Authenticator, Microsoft Authenticator, and Authy generate time-based one-time passwords (TOTP) that users must enter alongside their password.
- Pros: The shared secret stays on the device, so TOTP is immune to SIM-swapping and SMS interception. The code can still be phished and relayed in real time, so it is not phishing-resistant.
- Cons: Requires users to have access to their phone at all times.
4.3.3 Push Notifications
Push-based MFA sends a notification to the user's device, asking them to approve or deny the authentication attempt. This is widely used by platforms like Google and Microsoft.
- Pros: Convenient and quick for the user.
- Cons: Device must have an internet connection, and users can approve a fraudulent request by mistake or out of fatigue when an attacker who holds the password triggers prompts repeatedly ("MFA fatigue" or "prompt bombing"). Number matching, where the user must type a code shown on the login screen into the app, is the standard mitigation.
4.3.4 Security Keys (FIDO U2F)
Universal 2nd Factor (U2F) devices, such as YubiKey, provide hardware-based authentication; FIDO2/WebAuthn is the successor standard and also supports passwordless login. The user plugs the key into a USB port or taps it on an NFC reader and touches it to authenticate.
- Pros: Phishing-resistant by design. The key signs a challenge that includes the origin the browser is actually talking to, so an assertion obtained by a look-alike site is rejected by the real one, and the private key never leaves the hardware.
- Cons: Requires the user to carry the physical key, and a backup key should be registered in case it is lost.
4.3.5 Biometrics
Biometric authentication uses unique physical characteristics (e.g., fingerprints, facial recognition) to validate identity. It's becoming more common in modern devices.
- Pros: High security and convenient; users do not need to remember anything.
- Cons: Privacy concerns and the trade-off between false accepts and false rejects (see section 6.4). Biometrics normally verify the user to their own device rather than to a remote service.
4.4 Benefits of Multifactor Authentication
- Increased Security: MFA significantly reduces the risk of unauthorized access by requiring multiple forms of authentication.
- Protection Against Phishing: Even if a password is compromised via phishing, the attacker still needs the second factor. Only origin-bound factors (FIDO2/WebAuthn security keys, passkeys) stop real-time phishing that relays OTPs or push approvals.
- Reduced Reliance on Passwords: By requiring multiple factors, the risk of weak or reused passwords is mitigated.
- Compliance: PCI DSS requires MFA for all access to the cardholder data environment, and regulators and cyber-insurers increasingly expect it wherever GDPR or HIPAA data is handled, even though those laws only require "appropriate" safeguards.
4.5 Challenges and Considerations
- User Experience: Adding more authentication steps can sometimes inconvenience users. Balancing security and usability is important.
- Device Dependency: MFA methods often rely on physical devices (e.g., smartphones, security tokens), which can be lost or stolen.
- Implementation Cost: Setting up and maintaining MFA systems can incur costs, especially for organizations with large user bases.
- Backup Methods: Organizations need fallback mechanisms (e.g., one-time backup codes, a second registered key) for users who lose their factor. The fallback must be as strong as the factor it replaces; a help-desk reset based on a name and birthdate undoes the MFA.
5. Password Alternatives - Certificates
Certificates offer a strong alternative to traditional password-based authentication by using cryptographic keys to verify identity. This approach is part of Public Key Infrastructure (PKI), where certificates authenticate both users and devices. Certificates eliminate the need for users to remember passwords and provide a higher level of security for sensitive environments.
5.1 What is Certificate-based Authentication?
Certificate-based authentication relies on digital certificates to verify a user's or device's identity. These certificates are electronic documents that include a public key and the identity of the certificate holder, issued by a trusted Certificate Authority (CA).
- Public Key Infrastructure (PKI): PKI provides the framework for managing digital certificates and public-key encryption.
- Private and Public Keys: Each user or device has a private key (kept secret) and a public key (shared with others). The certificate contains the public key and identity information.
- Digital Signatures: Two signatures are involved. The CA signs the certificate, which proves the binding between the public key and the identity; the holder signs a fresh challenge with the private key during authentication, which proves possession of that key.
5.2 How Certificates Work
Certificates use a combination of public-key cryptography and digital signatures to establish trust between users and systems. Here’s how the process works:
- Step 1: Issuance of Certificate: A user or device generates a key pair and keeps the private key secret, ideally in a TPM, smart card, or HSM. It sends the public key and its identity to the Certificate Authority (CA), which validates the identity and issues a certificate signed with the CA's key.
- Step 2: Authentication Process: The relying system checks that the certificate is within its validity period, that its signature verifies under the trusted CA's public key, and that it has not been revoked. It then sends a fresh random challenge (nonce); the user or device signs it with the private key, and the system verifies the signature with the public key in the certificate. A fresh nonce each time prevents a captured response from being replayed.
- Step 3: Key Exchange and Encryption: Data encrypted with a party's public key can only be decrypted with that party's private key. In modern TLS the certificate's key is used for authentication only; session keys come from an ephemeral Diffie-Hellman exchange, so a later compromise of the private key does not expose recorded traffic (forward secrecy).
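Steps 1 and 2 above as an added example (not code from the original page): a self-signed CA, a user certificate issued by it, verification of the CA's signature over the certificate, and a nonce challenge-response proving possession of the private key. It requires the third-party `cryptography` package (pip install cryptography); the CA and user names, validity periods and the choice of ECDSA on P-256 are assumptions of this example, and revocation checking is left out.

```python
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc

def _name(common_name: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])

def make_ca(common_name: str = "Example Internal CA"):
    """Step 1a: the CA's key pair and self-signed root certificate (names are example assumptions)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def new_user_key():
    """Generated on the user's device or token; the private half never leaves it."""
    return ec.generate_private_key(ec.SECP256R1())

def issue_user_cert(ca_key, ca_cert, user_public_key, common_name: str):
    """Step 1b: the CA binds the user's public key to an identity and signs the result."""
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(ca_cert.subject)
            .public_key(user_public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))

def cert_issued_by(cert, ca_cert) -> bool:
    """Step 2a: the CA's signature over the certificate body must verify under the CA's public key."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def prove_possession(user_key, nonce: bytes) -> bytes:
    """Client side of step 2b: sign the server's fresh nonce with the private key."""
    return user_key.sign(nonce, ec.ECDSA(hashes.SHA256()))

def verify_possession(cert, nonce: bytes, signature: bytes) -> bool:
    """Server side of step 2b: the signature must verify under the public key in the certificate."""
    try:
        cert.public_key().verify(signature, nonce, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False

def _validity(cert):
    # cryptography >= 42 has timezone-aware *_utc properties; older releases only naive ones.
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)

def authenticate(cert, ca_cert, user_key) -> bool:
    """Full flow: validity period, chain to the trusted CA, then proof of possession.
    Revocation checking via CRL/OCSP (section 5.3) is omitted here."""
    not_before, not_after = _validity(cert)
    if not (not_before <= datetime.datetime.now(UTC) <= not_after):
        return False
    if not cert_issued_by(cert, ca_cert):
        return False
    nonce = os.urandom(32)  # fresh per attempt so a recorded response cannot be replayed
    return verify_possession(cert, nonce, prove_possession(user_key, nonce))

def demo() -> dict:
    ca_key, ca_cert = make_ca()
    alice_key = new_user_key()
    alice_cert = issue_user_cert(ca_key, ca_cert, alice_key.public_key(), "alice@example.com")
    rogue_key, rogue_ca = make_ca("Rogue CA")
    rogue_cert = issue_user_cert(rogue_key, rogue_ca, alice_key.public_key(), "alice@example.com")
    return {
        "alice_authenticates": authenticate(alice_cert, ca_cert, alice_key),
        "cert_without_private_key_fails": not authenticate(alice_cert, ca_cert, new_user_key()),
        "untrusted_ca_fails": not authenticate(rogue_cert, ca_cert, alice_key),
    }
```

The two failure cases in `demo()` are the ones that matter operationally: a stolen certificate is useless without the private key, and a certificate asserting the right name but signed by a CA the verifier does not trust is rejected before any challenge is sent.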
5.3 Components of Certificate-based Authentication
Several key components are involved in certificate-based authentication:
5.3.1 Certificate Authority (CA)
The CA is a trusted entity that issues digital certificates. It validates the identity of the certificate holder and signs the certificate to verify authenticity. Public CAs such as Let's Encrypt, DigiCert, and GlobalSign issue server certificates; user and device certificates for authentication are usually issued by an organization's own private CA, whose root is distributed to the systems that must trust it.
- Issuance: The CA validates and issues certificates to users or devices.
- Revocation: CAs can revoke certificates if they are compromised or no longer valid, adding an additional layer of security.
5.3.2 Digital Certificates
A digital certificate is an electronic document that contains:
- Public Key: The user's or device's public key, used to verify signatures made with the corresponding private key (and, for some key types, to encrypt data to the holder).
- Identity Information: Details such as the name of the certificate holder, organization, and validity period.
- CA Signature: A digital signature from the CA that verifies the authenticity of the certificate.
5.3.3 Certificate Revocation List (CRL)
A CRL is a signed list published by the CA containing the serial numbers of all revoked certificates. Systems download it and check it during authentication. CRLs are published periodically, so a revocation may not take effect until the next publication, and a client that cannot fetch the CRL must decide whether to fail open or fail closed.
5.3.4 Online Certificate Status Protocol (OCSP)
OCSP is an alternative to CRLs, providing near-real-time certificate status checks. Instead of downloading a complete list, the system queries the CA's OCSP responder for the status of a single certificate. The query reveals which certificates a client is using, and clients often "soft-fail" when the responder is unreachable; OCSP stapling, where the server delivers a recent signed response along with its certificate, addresses both issues.
5.4 Types of Certificates
Different types of digital certificates are used depending on the context:
- User Certificates: Used to authenticate individual users in an organization or network. These certificates are issued to verify the identity of the user during login and communication.
- Device Certificates: Used to authenticate devices (such as routers, servers, or IoT devices) within a network, ensuring secure communication between trusted devices.
- Server Certificates (SSL/TLS): Used for websites to secure communications between web browsers and servers through SSL/TLS encryption (e.g., HTTPS).
- Email Certificates: Secure email communications using digital signatures and encryption to verify the sender's identity and encrypt the email contents (e.g., S/MIME).
5.5 Benefits of Certificate-based Authentication
- High Security: Authentication is a public-key signature over a fresh challenge, so there is nothing to guess, no shared secret on the server to steal, and no credential that a phishing site can capture and reuse.
- No Passwords: Eliminates the need for users to remember complex passwords, reducing password fatigue and the risk of weak or reused passwords.
- Non-repudiation: Because a signature can only be produced with the private key, the holder cannot plausibly deny an action such as signing a document, provided the key is held exclusively by that person (e.g., in a smart card) and was never shared or exported.
- Scalability: Certificates can be scaled to authenticate millions of users or devices, making them suitable for large organizations or networks with IoT devices.
- Automation: Systems like ACME (used by Let's Encrypt) allow for automatic certificate issuance and renewal, simplifying certificate management for administrators.
5.6 Challenges of Certificate-based Authentication
- Initial Setup: Implementing a PKI infrastructure requires expertise and resources, including setting up CAs and managing certificates.
- Certificate Management: Managing the lifecycle of certificates (issuance, renewal, revocation) can be complex, especially in large-scale environments.
- Compromised Private Keys: If a user's private key is compromised, their identity can be impersonated until the certificate is revoked and the revocation propagates. Keeping keys in hardware (TPM, smart card, HSM) so they cannot be exported limits this risk, and a tested revocation process must be in place.
- Device Dependency: The user must always have access to their private key, whether stored on a device or a hardware security module (HSM).
- Cost: Depending on the CA and level of security required, certificate issuance and management can be expensive, especially for commercial solutions.
5.7 Use Cases of Certificate-based Authentication
- Secure Web Browsing (SSL/TLS): Ensures encrypted communication between web browsers and servers, preventing eavesdropping or tampering with web traffic.
- VPN Access: Many VPN services use certificates for authenticating users and devices, ensuring secure remote access.
- IoT Devices: Certificates are used to authenticate devices in the Internet of Things (IoT), ensuring that only trusted devices can communicate on a network.
- Email Security (S/MIME): Digital certificates authenticate the sender of an email and encrypt the contents, ensuring secure and verified communication.
- Enterprise Networks: Organizations use certificate-based authentication to securely authenticate users and devices within internal networks, especially in industries that require high security (e.g., finance, healthcare).
6. Password Alternatives - Biometrics
Biometric authentication is an increasingly popular alternative to traditional passwords. It relies on unique physical or behavioral traits to verify identity, offering a convenient and, when deployed well, strong solution for authentication. Its security depends on liveness detection against presentation attacks (photos, silicone fingerprints, recordings) and on keeping templates on the user's device. This section explores biometric authentication, its types, benefits, challenges, and real-world applications.
6.1 What is Biometric Authentication?
Biometric authentication uses the unique characteristics of an individual to verify their identity. These characteristics can be physical (e.g., fingerprints, facial features) or behavioral (e.g., typing patterns). Because biometric data is unique to each person, it provides a strong form of authentication.
- Physical Biometrics: Uses physical traits such as fingerprints, iris patterns, or facial structure.
- Behavioral Biometrics: Involves behavioral traits such as voice patterns, typing rhythm, or walking gait.
6.2 Types of Biometrics
Various types of biometric data can be used for authentication. Each has its strengths and is suited for different use cases.
6.2.1 Fingerprint Recognition
Fingerprint recognition is one of the most widely used forms of biometric authentication. It scans the unique ridge patterns on a person’s fingertip and matches them against a stored template.
- Accuracy: Fingerprint matching is accurate, but prints are left on surfaces and have been lifted and replicated in silicone or gelatin; sensors therefore need liveness detection to resist such presentation attacks.
- Speed: Fast and easy to use, often employed in smartphones, laptops, and secure access systems.
- Challenges: Fingerprints can be affected by injuries, skin conditions, or dirt, which may interfere with recognition.
6.2.2 Facial Recognition
Facial recognition systems analyze the unique geometry of a person’s face, such as the distance between the eyes, nose, and mouth, to authenticate identity.
- Convenience: Facial recognition is often hands-free and convenient for users, making it popular in smartphones (e.g., Apple Face ID).
- Accuracy: Modern systems are highly accurate but can be influenced by lighting conditions or changes in appearance (e.g., glasses, facial hair).
- Privacy Concerns: Since faces can be scanned from a distance, facial recognition raises concerns about privacy and surveillance.
6.2.3 Iris and Retina Scanning
Iris and retina scanning use the unique patterns in a person’s eye for authentication. Iris scans focus on the colored ring around the pupil, while retina scans analyze the blood vessel patterns in the back of the eye.
- High Security: Iris and retina patterns are highly unique and stable over a person’s life, providing extremely secure authentication.
- Use Cases: Often used in high-security environments such as government agencies and airports.
- Challenges: Requires specialized equipment and may be less convenient for users compared to other biometrics.
6.2.4 Voice Recognition
Voice recognition systems authenticate users by analyzing the unique characteristics of their speech, such as pitch, tone, and cadence.
- Non-intrusive: Users can be authenticated simply by speaking, making it convenient for certain applications (e.g., call centers).
- Challenges: Voice recognition can be affected by background noise, illness (e.g., a cold), or voice recordings, which could lead to spoofing attempts.
6.2.5 Behavioral Biometrics
Behavioral biometrics authenticate users based on their behavior rather than physical characteristics. Examples include typing rhythm, mouse movements, and gait recognition (how a person walks).
- Continuous Authentication: Behavioral biometrics can be used for continuous monitoring, ensuring that the authenticated user is still the one interacting with the system.
- Challenges: Behavioral patterns can change over time or be influenced by environmental factors (e.g., stress, injury).
6.3 Benefits of Biometric Authentication
- Security: Biometric traits are hard to share and cannot be forgotten, but they are not secret: faces are photographed and fingerprints are left on surfaces. Biometric security therefore rests on liveness detection and on the template never leaving a secure element on the device.
- Convenience: Users do not need to remember complex passwords or carry tokens. Authentication is often quick and seamless.
- Non-repudiation: Since biometrics are tied directly to the individual, it is harder for users to deny their actions (e.g., logging into a system), though a match is probabilistic and a false accept remains possible.
- Reduced Risk of Phishing: A biometric verified locally on the device produces nothing that a phishing site can collect and replay, unlike a password or OTP.
- Efficient for Large-Scale Use: Biometric authentication can be scaled to large populations, making it ideal for airports, border control, and other high-traffic environments.
6.4 Challenges of Biometric Authentication
- Privacy Concerns: Since biometric data is personal and permanent, there are significant privacy concerns around how the data is stored, managed, and shared. Breaches of biometric data cannot be "reset" like passwords.
- False Accepts and False Rejects: Matching is a similarity score against a threshold, so a system either lets an impostor in (false accept) or locks out the real user (false reject). Tightening the threshold lowers the false acceptance rate (FAR) and raises the false rejection rate (FRR); the operating point is a deliberate trade-off.
- Data Security: Storing biometric data securely is critical. If compromised, biometric data cannot be changed, unlike passwords or tokens.
- Environmental Factors: Biometrics can be affected by external factors such as lighting (for facial recognition), background noise (for voice recognition), or injuries (for fingerprint recognition).
- Cost of Implementation: Deploying biometric systems can be expensive, especially in environments where high accuracy and specialized hardware (e.g., iris scanners) are required.
6.5 How Biometric Authentication Works
Biometric authentication typically follows a process involving enrollment, storage, and matching.
- Enrollment: During the enrollment phase, the user’s biometric data is captured and stored as a reference template. This template is stored securely for future comparisons.
- Storage: The biometric template is stored locally (ideally in a secure element such as a TPM or phone secure enclave) or, less desirably, in a centralized database. Templates cannot be protected with password-style hashing, because two captures of the same person never match bit for bit and a hash would only ever match an exact replay; they must be encrypted at rest, access-controlled, and compared on the device that holds them.
- Matching: When the user attempts to authenticate, their live biometric data is captured and compared to the stored template. If the two match, the user is granted access.
When matching happens on the device, the biometric itself is never transmitted; the device merely unlocks a local cryptographic key or credential that is then used to authenticate, so there is no biometric data to intercept or replay. Centralized matching, by contrast, transmits templates or raw samples and must protect them in transit and at rest.
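An added example, not from the original page, of the matching step in 6.5 and the false accept/false reject trade-off from 6.4. Templates are constructed random bit strings (in the style of an iris code), a later capture of the same person is simulated by flipping a fraction of the bits, and verification is a Hamming-distance threshold. The 10% flip rate and the 0.32 threshold are assumptions chosen for illustration; the last function shows why a stored hash of a template could never match a real second capture.

```python
import hashlib
import random

TEMPLATE_BITS = 2048
THRESHOLD = 0.32   # assumption for this example: fraction of differing bits above which samples are "different people"


def capture(rng: random.Random, bits: int = TEMPLATE_BITS) -> bytes:
    """Constructed stand-in for a sensor reading: a random bit string (a new person each call)."""
    return bytes(rng.getrandbits(8) for _ in range(bits // 8))


def resample(template: bytes, rng: random.Random, flip_rate: float) -> bytes:
    """A later capture of the same person: the template with a fraction of bits flipped by
    sensor noise, lighting, dirt or injury. A perfect bit-for-bit repeat never happens in practice."""
    out = bytearray(template)
    for i in range(len(out) * 8):
        if rng.random() < flip_rate:
            out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


def hamming_distance(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length templates (0.0 identical, ~0.5 unrelated)."""
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (len(a) * 8)


def matches(enrolled: bytes, live: bytes, threshold: float = THRESHOLD) -> bool:
    """The verification decision: accept if the live sample is close enough to the enrolled template."""
    return hamming_distance(enrolled, live) <= threshold


def error_rates(threshold: float, trials: int = 200, flip_rate: float = 0.10, seed: int = 7) -> tuple:
    """Estimate (FRR, FAR) at a threshold on constructed data: FRR = genuine pairs rejected,
    FAR = impostor pairs accepted. Lowering the threshold trades FAR for FRR."""
    rng = random.Random(seed)
    false_rejects = false_accepts = 0
    for _ in range(trials):
        enrolled = capture(rng)
        if not matches(enrolled, resample(enrolled, rng, flip_rate), threshold):
            false_rejects += 1
        if matches(enrolled, capture(rng), threshold):   # an unrelated person presents
            false_accepts += 1
    return false_rejects / trials, false_accepts / trials


def hashing_does_not_work(seed: int = 1) -> bool:
    """Why templates cannot be stored as password-style hashes: two genuine captures match under
    the threshold yet never hash to the same value, so a stored hash would only ever match a
    bit-exact replay. Templates must be encrypted at rest and compared in the clear, on-device."""
    rng = random.Random(seed)
    enrolled = capture(rng)
    live = resample(enrolled, rng, 0.10)
    same_digest = hashlib.sha256(enrolled).digest() == hashlib.sha256(live).digest()
    return matches(enrolled, live) and not same_digest


if __name__ == "__main__":
    for t in (0.05, 0.32, 0.60):
        print("threshold %.2f  FRR=%.2f  FAR=%.2f" % ((t,) + error_rates(t)))
    print("hash of template useless:", hashing_does_not_work())
```

With random 2048-bit templates the genuine and impostor distance distributions are far apart (around 0.10 and 0.50), so a threshold of 0.32 gives zero errors of either kind in the simulation; real sensors produce much more overlap, which is why published FAR/FRR figures are never both zero and why the threshold is chosen per deployment.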
6.6 Use Cases of Biometrics
Biometric authentication is used in various industries and applications, offering enhanced security and convenience:
- Smartphones and Laptops: Many devices now use fingerprint or facial recognition for unlocking and secure access (e.g., Apple Face ID, Windows Hello).
- Border Control and Airports: Biometric systems like e-passports and facial recognition streamline identity verification at border checkpoints, enhancing security and reducing wait times.
- Banking and Finance: Financial institutions increasingly use biometrics (e.g., voice recognition, fingerprint) to secure mobile banking apps and prevent fraud.
- Healthcare: Biometrics are used to securely manage patient data and verify healthcare professionals' access to sensitive medical records.
- Government Agencies: High-security environments such as defense or law enforcement agencies use biometrics for access control and identity verification.
6.7 Privacy and Ethical Considerations
Biometric authentication raises significant concerns around privacy and ethics:
- Surveillance Risks: Facial recognition and other biometrics can be used for mass surveillance, raising concerns about government overreach and loss of anonymity.
- Data Breaches: If biometric data is compromised, it cannot be easily changed, leading to lifelong security risks for affected individuals.
- Informed Consent: Organizations must ensure that users provide informed consent when enrolling in biometric systems, especially in environments where biometrics are mandatory.
- Bias and Discrimination: Biometric systems can sometimes exhibit bias, leading to inaccurate authentication for certain demographic groups (e.g., facial recognition systems failing to correctly identify people with darker skin tones).