Understanding Authentication and Methods

Authentication is the process of verifying the identity of users or entities attempting to access a system, application, or resource. It ensures that only authorized users are granted access to sensitive information and functionality. Authentication typically involves presenting credentials, such as a username and password, to a system and validating those credentials against stored records to confirm the user's identity.

Authentication Methods:

  • Passwords: Users authenticate themselves by entering a unique combination of characters known only to them. While passwords are widely used, they are susceptible to brute-force attacks, phishing, and password reuse.

  • Biometrics: Biometric authentication relies on unique physical characteristics, such as fingerprints, iris patterns, or facial features, to verify a user's identity. Biometrics offer strong security but may raise privacy concerns and require specialized hardware.

  • Multi-Factor Authentication (MFA): MFA combines two or more authentication factors to enhance security.

    • Something you are: Refers to a physical characteristic of the user, for example biometrics such as a fingerprint, retina scan, or voice recognition.

    • Something you have: Refers to an object or data the user physically carries, for example a smart card.

    • Something you know: Refers to a secret the user memorizes and can recall when needed, for example a password or PIN.

    • Somewhere you are: Refers to the user's location, for example geolocation derived from an IP address.

    • Something you do: Refers to authentication that proves the user's identity by observing their actions, for example keystroke dynamics.

  • Single Sign-On (SSO): SSO allows users to access multiple applications or systems with a single set of credentials. Users authenticate once, and subsequent access to other resources is granted without requiring additional authentication. SSO improves user experience but may increase the risk of credential compromise.

  • OAuth and OpenID Connect: OAuth and OpenID Connect are protocols used for delegated authorization and authentication. OAuth allows applications to access resources on behalf of users, while OpenID Connect, which is built on top of OAuth 2.0, adds an authentication layer that lets users sign in through third-party identity providers (e.g., Google, Facebook).

Understanding Authorization and Policies

Authorization determines what actions or resources users can access after successful authentication. It ensures that authenticated users are granted appropriate privileges based on their roles, responsibilities, and permissions. Authorization controls access to sensitive data, functionalities, and resources to prevent unauthorized actions and maintain data confidentiality, integrity, and availability.

Authorization Policies:

Authorization policies define the rules and conditions that govern access to resources and functionalities within an application or system. These policies specify who (users or groups) has access to what (resources or actions) under which circumstances. Here are some common types of authorization policies:

  • Role-Based Access Control (RBAC): RBAC assigns permissions to users based on their roles within an organization. Users are assigned roles, and each role is granted specific privileges or permissions.

  • Attribute-Based Access Control (ABAC): ABAC evaluates attributes (e.g., user attributes, resource properties, environmental conditions) to make access control decisions. Policies are defined based on user roles, location, access time, device type, and data classification. ABAC offers fine-grained access control and flexibility in defining access policies.

  • Rule-Based Access Control (RBAC, not to be confused with role-based access control above): Rule-based access control uses rules or conditions to determine access rights dynamically. Access decisions are based on predefined rules that evaluate user attributes, resource properties, and contextual information. This allows for more granular access control and supports dynamic access management based on changing conditions.

  • Hierarchical Access Control: Hierarchical access control establishes access rights based on the organizational hierarchy or relationship between users and resources. Users inherit access permissions from higher-level entities (e.g., organizational units, departments, managers) in the hierarchy. Hierarchical access control simplifies access management in large organizations with complex structures.

  • Mandatory Access Control (MAC): MAC uses labels to determine access for users and data. Administrators assign labels to both users and files. Labels often reflect the classification level of the data and the clearance granted to an individual. When the labels match, the system grants the user access to the file.

  • Discretionary Access Control (DAC): Under DAC every file or folder has an owner, and the owner has complete control over who may access the object.
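To make the policy types above concrete, here is an added example (not code from the original article) that evaluates one access request against a role-based, a mandatory (label), an attribute/rule-based and a discretionary check side by side, denying by default and reporting which policy refused. The role table, label levels, subjects and resources are constructed sample data; real systems usually apply one or two of these models, not all four at once.

```python
from dataclasses import dataclass, field

# Constructed sample data for illustration only.
ROLE_PERMS = {                      # RBAC: role -> permitted actions
    "analyst": {"report:read"},
    "admin": {"report:read", "report:write", "user:manage"},
}
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # MAC labels


@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)
    clearance: str = "public"       # MAC label held by the user
    location: str = "office"        # ABAC environmental attribute
    device_managed: bool = False    # ABAC device attribute


@dataclass
class Resource:
    name: str
    owner: str                      # DAC: owner controls access
    classification: str = "public"  # MAC label on the data
    acl: dict = field(default_factory=dict)  # DAC: user -> actions granted by owner


def rbac_allows(subj, action):
    return any(action in ROLE_PERMS.get(r, set()) for r in subj.roles)


def mac_allows(subj, res):
    # Clearance must be at least the data's classification level.
    return LEVELS[subj.clearance] >= LEVELS[res.classification]


def abac_allows(subj, res, hour):
    # Rule: confidential or higher data only from the office, on a managed device, 08:00-18:00.
    if LEVELS[res.classification] < LEVELS["confidential"]:
        return True
    return subj.location == "office" and subj.device_managed and 8 <= hour < 18


def dac_allows(subj, res, action):
    return subj.name == res.owner or action in res.acl.get(subj.name, set())


def authorize(subj, res, action, hour):
    """Deny by default: every applicable policy must agree. Returns (decision, per-policy results)."""
    checks = {"rbac": rbac_allows(subj, action), "mac": mac_allows(subj, res),
              "abac": abac_allows(subj, res, hour), "dac": dac_allows(subj, res, action)}
    return all(checks.values()), checks
```

Logging the per-policy dictionary alongside each denial is what makes a later access review or incident investigation able to say why a request was refused.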