CompTIA® Security+ Exam Notes : Compare And Contrast Identity And Access Management Concepts

4. Identity and Access Management

4.1 Compare and contrast identity and access management concepts

The five factors of authentication are given below:

1. Something you know, such as a username and password

2. Something you have, such as a smart card, PIV, or a token

3. Something you are, using biometrics, such as fingerprint or retina scan

4. Somewhere you are, such as your location using geolocation.

5. Something you do, such as gestures on a touch screen

However, only the first three are widely recognized factors of authentication. "Somewhere you are" and "something you do" are not widely recognized. For example, if you use "somewhere you are" as authentication, someone else may come to your position (geographically speaking) at a later time and claim access to the resource. Similarly, the repeatability of hand gestures is questionable, and it may make it impossible to identify the user with certainty. Some experts doubt that factors 4 and 5 can be used as factors of authentication at all, because one of the requirements of an authentication factor is that it can be used as a stand-alone method of authentication.

Authentication Types:

Mutual authentication: Here both the server and client computers authenticate each other. This type of authentication is more secure than one-way authentication, where only the client is authenticated.

Multifactor authentication: Here two or more authentication methods are used for granting access to a resource. Usually, it combines a password with a biometric authentication.

MFA combines two or more independent credentials (factors). The five broadly known independent credentials are:

1. What the user knows (password)

2. What the user has (security token)

3. What the user is (biometric verification)

4. Where the user is

5. What the user is doing

The goal of MFA is to create a layered defense and make it more difficult for an intruder to access a target such as a physical location, computing device, network or database.

Note that authentication methods using two or more variables in the same factor still constitute single-factor authentication. For example, a password and a PIN are both in the "something you know" category, so they can only provide single-factor authentication even when they are used together.

Biometric authentication: Biometric authentication uses measurable physical attributes of a human being, such as a signature or fingerprint.

CHAP: It is an authentication type that uses a three-way handshake. The passwords are transmitted in encrypted form, ensuring security. Compare this with PAP, which transmits passwords in clear text.
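The three-way handshake described above, as an added example (not code from the original notes): the authenticator sends an identifier and a random challenge, the peer answers with MD5(identifier || secret || challenge) as specified in RFC 1994, and the authenticator recomputes the hash to verify. The shared secret and the identifier value are constructed for illustration; the example also shows why a captured response cannot be replayed against a fresh challenge.

```python
import hashlib
import hmac
import os

# Constructed shared secret, agreed out of band between peer and authenticator.
SHARED_SECRET = b"correct horse battery staple"


def authenticator_challenge():
    """Step 1: the authenticator sends an 8-bit identifier and a random challenge."""
    identifier = 1  # constructed; in PPP this increments per challenge
    return identifier, os.urandom(16)


def chap_digest(identifier, secret, challenge):
    """CHAP response value: MD5 over identifier, secret and challenge (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def peer_response(identifier, challenge, secret):
    """Step 2: the peer proves knowledge of the secret without sending it."""
    return chap_digest(identifier, secret, challenge)


def authenticator_verify(identifier, challenge, response, secret):
    """Step 3: recompute the expected digest and compare in constant time."""
    expected = chap_digest(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_handshake(peer_secret, authenticator_secret):
    """Run one full handshake; True only if both sides hold the same secret."""
    ident, chal = authenticator_challenge()
    resp = peer_response(ident, chal, peer_secret)
    return authenticator_verify(ident, chal, resp, authenticator_secret)


def replay_is_accepted():
    """A response captured from one handshake, presented to a later one.
    Because each challenge is fresh, the old response does not verify."""
    ident, old_chal = authenticator_challenge()
    captured = peer_response(ident, old_chal, SHARED_SECRET)
    _, new_chal = authenticator_challenge()
    return authenticator_verify(ident, new_chal, captured, SHARED_SECRET)
```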

Four important aspects of security are authentication, authorization, integrity, and non-repudiation.

  • Authentication refers to identifying a user or a system. For example, when you log on to an FTP server, it authenticates you after verifying the user name and password.
  • Authorization refers to the right to access data. For example, after accessing a remote FTP server, you may be allowed to transfer files only to your home folder but not to other folders.
  • Integrity ensures that the data is not compromised. A simple integrity checker is parity. By ensuring that the parity of a transmitted message is correct, you can accept the message. For complex systems, where confidential information is involved, encryption is used for verifying the integrity of a transmitted message.
  • Non-repudiation ensures that the sender, as well as the receiver, cannot deny having sent or received a message. For example, you receive an email from your prospective employer. With an unsigned email, it might happen that your employer later denies having sent any such email. Non-repudiation ensures that neither the sender nor the receiver can deny the transmission or the reception of a message, respectively. It likewise ensures that the sender of a message or contract cannot deny having sent the message or signed the contract at a later date. This is done by means of a digital signature.

Single sign-on: Single sign-on enables one to use all the eligible services with one sign-in.

1. SSO is used for authenticating a user across multiple platforms without having to login each time.

2. Security Assertion Markup Language (SAML) is an XML-based data format used for SSO in web browsers.

3. Normally, SSO provides authentication only. Using SSO, an authenticated user will be able to move from one website to another trusted website without having to sign-on again.

4. SAML provides SSO for web-based applications.

5. SAML is used to exchange authentication and authorization information between different parties.

Client Authentication: A client authenticating itself to a server, and that server authenticating itself to the client, in such a way that both parties are assured of the other's identity is known as mutual or two-way authentication.

Always try to download and apply the latest patches and service packs (if any) directly from the manufacturer's website. Downloading from unreliable sources may compromise system security.

Message Authentication Codes (MACs): MACs, also called "keyed hashes", are used to verify the authenticity of a message. Let us say Jane (the sender of a message) and Mike (the recipient) share a secret key. Jane uses the message and the key to compute the MAC, and sends the MAC along with the message. When Mike receives the message, he computes the MAC and then checks whether his MAC matches Jane's. If it does, he knows the message is from Jane and that nobody has changed it since she sent it.
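The Jane-and-Mike exchange above, as an added example (not code from the original notes), using HMAC-SHA256 from the Python standard library. The key and message bytes are constructed for illustration; the example shows the two failure cases a receiver must catch, a modified message and a MAC computed under a different key.

```python
import hashlib
import hmac

# Constructed secret shared by sender (Jane) and recipient (Mike).
SHARED_KEY = b"jane-and-mike-shared-secret"


def compute_mac(key, message):
    """Keyed hash over the message. HMAC is used rather than a bare
    hash(key || message) because HMAC is not subject to length-extension."""
    return hmac.new(key, message, hashlib.sha256).digest()


def sender_package(key, message):
    """Jane sends the message together with its MAC."""
    return message, compute_mac(key, message)


def receiver_verify(key, message, received_mac):
    """Mike recomputes the MAC and compares in constant time, so that timing
    differences do not leak how many leading bytes of the MAC were correct."""
    return hmac.compare_digest(compute_mac(key, message), received_mac)


def demo():
    """Returns (authentic accepted, tampered rejected, wrong-key rejected)."""
    message, mac = sender_package(SHARED_KEY, b"Transfer 100 to account 42")
    authentic = receiver_verify(SHARED_KEY, message, mac)
    # Attacker in the middle alters the amount but cannot recompute the MAC.
    tampered = receiver_verify(SHARED_KEY, b"Transfer 900 to account 42", mac)
    # A MAC made under some other key is not accepted either.
    wrong_key = receiver_verify(b"some-other-key", message, mac)
    return authentic, tampered, wrong_key
```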
