Authentication and Access Control

Explain Introduction.

Explain AAA: Authentication, Authorization, and Accounting.

Explain Authentication Factors.

Explain Something You Know: Passwords.

Every secure computing system ultimately depends on one foundational question: who are you, and what are you allowed to do?

Authentication and access control are the mechanisms that answer these questions, forming the first line of defense against unauthorized use of systems, data, and resources.

Understanding authentication and access control is not merely a technical exercise.

Every secure computing system ultimately depends on one foundational question: who are you, and what are you allowed to do?

Authentication and access control are the mechanisms that answer these questions, forming the first line of defense against unauthorized use of systems, data, and resources.

Understanding authentication and access control is not merely a technical exercise.

It is a study in how trust is established and enforced between humans and machines, and increasingly between machines and other machines.

Security professionals commonly refer to the "AAA" framework when discussing identity and access: Authentication is the process of verifying that an entity is who it claims to be.

A user presenting a username and password, a server presenting a TLS certificate, or a mobile app presenting a cryptographic token — all of these are acts of authentication.

Authorization is what happens after authentication: determining what an authenticated entity is permitted to do.

Even after you prove you are Alice, the system must decide: can Alice read this file?

Authentication is built around three classical categories of evidence, often called factors :

Authentication Factors connects to risk, controls, and evidence.

Authentication Factors connects to risk, controls, and evidence.

Passwords remain the most prevalent authentication mechanism despite their well-documented weaknesses.

A strong password policy includes length requirements (minimum 12–16 characters), complexity, and prohibition of common or previously breached passwords.

However, the storage of passwords is arguably more important than their complexity.

Password Hashing Passwords should never be stored in plaintext.

Possession-based authentication relies on a physical or digital artifact that the legitimate user holds: One-Time Passwords (OTP) An OTP is a password valid for only a single…

TOTP (Time-based OTP, defined in RFC 6238) generates a 6–8 digit code by computing HMAC-SHA1 of a shared secret combined with the current Unix timestamp divided into 30-second…

Authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator implement TOTP.

HOTP (HMAC-based OTP) is similar but counter-based rather than time-based.

Also called the False Match Rate (FMR).

- False Rejection Rate (FRR) : The probability that the system denies access to a legitimate user.

Also called the False Non-Match Rate (FNMR).

There is an inherent tradeoff: tightening the acceptance threshold decreases FAR but increases FRR, and vice versa.

Multi-factor authentication requires the user to present evidence from two or more distinct factor categories (know, have, are).

The rationale is straightforward: compromising multiple independent factors simultaneously is significantly harder than compromising any single factor.

A password may be phished; a hardware token requires physical possession.

A fingerprint may be spoofed; a PIN must still be known.

Once the number is transferred, any SMS OTPs sent to that number are intercepted by the attacker.

SIM swapping has been used in high-profile cryptocurrency thefts worth millions of dollars.

SS7 Attacks : The Signaling System No.

7 (SS7) protocol, which routes SMS messages globally, has known vulnerabilities that allow skilled adversaries (typically nation-state actors or sophisticated criminals) to…

Passwordless authentication eliminates the shared secret (password) entirely, replacing it with cryptographic mechanisms.

FIDO2 passkeys are the leading passwordless standard: a passkey is a FIDO2 credential stored on a device (or in a password manager/cloud keychain) that authenticates using local…

Passkeys are now supported by Apple, Google, and Microsoft, and are increasingly accepted by major websites.

The security advantages of passwordless authentication are substantial: there is no password to phish, crack, stuff, or breach.

Managing separate credentials for hundreds of applications is impractical.

Single Sign-On (SSO) allows a user to authenticate once with a trusted identity provider (IdP) and then access multiple service providers (SPs) or relying parties without…

Federation extends SSO across organizational boundaries.

Security Assertion Markup Language (SAML) 2.0 is an XML-based standard for exchanging authentication and authorization data between an IdP and an SP.

User attempts to access an SP (e.g., Salesforce).

SP redirects the user to their IdP (e.g., Okta, Azure AD) with a SAML Request.

IdP authenticates the user (prompting for credentials and MFA).

OAuth 2.0 is an authorization framework (not an authentication protocol) that allows a third-party application to obtain limited access to a user's resources on a service…

The key OAuth 2.0 roles are: - Resource Owner : The user who owns the data.

- Client : The application requesting access.

- Authorization Server : Issues access tokens after authenticating the user and obtaining consent.

OpenID Connect is an authentication layer built on top of OAuth 2.0.

While OAuth 2.0 only addresses authorization (what resources can be accessed), OIDC adds an ID Token — a signed JWT (JSON Web Token) that contains claims about the authenticated…

OIDC is now the dominant protocol for web and mobile authentication, used by "Sign in with Google," "Sign in with Apple," and enterprise SSO systems.

Kerberos is a network authentication protocol developed at MIT, now central to Microsoft Active Directory.

It uses symmetric-key cryptography and a trusted third party — the Key Distribution Center (KDC) — to authenticate clients and servers without transmitting passwords over the…

The KDC comprises two services: the Authentication Server (AS) and the Ticket-Granting Server (TGS).

Upon login, the user receives a Ticket-Granting Ticket (TGT); subsequent access to services uses this TGT to request service-specific tickets.

The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing and managing directory information — essentially a structured database of network objects: users,…

Microsoft Active Directory (AD) is the most widely deployed LDAP-based directory service, forming the identity backbone of most enterprise Windows environments.

AD organizes objects in a hierarchical structure of forests , domains , and organizational units (OUs).

Group Policy Objects (GPOs) allow administrators to enforce security configurations across all domain-joined machines.

Once identity is established, access control policies determine what that identity can do.

Several formal models guide implementation: Discretionary Access Control (DAC) : Resource owners control access to their own resources.

The classic Unix file permission model (owner/group/other, read/write/execute) is DAC.

It is flexible but relies on users making correct access decisions — mistakes propagate easily.

The principle of least privilege states that every user, process, and system component should have the minimum permissions necessary to perform its intended function — and no more.

This limits the blast radius of a compromise: a low-privilege account that is hijacked can cause far less damage than an administrator account.

Need-to-know is a related concept: even users with the appropriate clearance or role should only access specific information they need for a specific task.

These principles work together to reduce insider threat risk and limit the movement of external attackers through a network.

Failure to deprovision accounts promptly is a common vulnerability — orphaned accounts are a significant risk.

Privileged Access Management (PAM) is a specialized discipline focused on controlling and auditing access by privileged accounts — system administrators, database administrators,…

Identity and Access Management (IAM) connects to risk, controls, and evidence.

Credential Stuffing exploits the widespread reuse of passwords.

Attackers obtain large lists of username/password pairs from previous data breaches (billions of credentials are available on criminal forums) and systematically test them against…

Because many users reuse passwords across sites, a credential set from a gaming site breach may work on banking or email accounts.

Defenses include MFA, breach-detection feeds (checking user credentials against known breach databases), and rate limiting.

Every secure computing system ultimately depends on one foundational question: who are you, and what are you allowed to do?

Authentication and access control are the mechanisms that answer these questions, forming the first line of defense against unauthorized use of systems, data, and resources.

Understanding authentication and access control is not merely a technical exercise.

It is a study in how trust is established and enforced between humans and machines, and increasingly between machines and other machines.

Introduction

AAA: Authentication, Authorization, and Accounting

Authentication Factors

Something You Know: Passwords

Where Introduction applies.

Where AAA: Authentication, Authorization, and Accounting applies.

How the difference changes the security decision.

Identify the asset or process at risk.

Choose a preventive, detective, or corrective control.

Explain what evidence would prove the control is working.

Define one core concept in plain language.

Compare two controls or threats from the week.

Apply one idea to a campus or business system.

Evaluate why a solution might fail in practice.

Collect evidence, not just screenshots.

Explain what the artifact proves.

Connect the proof back to risk and control selection.

Authentication and Access Control

Security is a decision process, not just a tool list.

Use the reading to justify practical choices.