Identification and authentication in the CISSP
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
In this article, we will look at two of the three powerful access control strategies namely identification authentication and authorization.
Let’s first look at the very basic meaning of all three access control strategies, and then we will look at the methods for Identification and authorization and how they relate to the CISSP certification exam.
Identification and the CISSP
Identification is the starting point for all access control as without proper identification it will not be possible to grant resources to any identity. The main objective of identification is to bind a user to appropriate controls based on the identity.
Authentication and the CISSP
Authentication is the process of verifying the identity of a user. During the authentication process, the user provides some way of proving their identity to assert that the user is who they are claiming to be. The information provided by the user to authenticate is a secret known to the user only. Once authenticated, trust is established between user and system.
Authorization and the CISSP
Authorization is the final step in the process, and it allocates appropriate controls, privileges based on the identity in the system. This is where in big organizations users are divided into roles and groups to manage access, privileges smoothly. So, authorization is the process of defining what resources a user needs and type of access to those resources.
Identification and authentication methods
Let’s look into the most common Identification and Authentication Methods:
- User Id: It is the most standard form of identification and is used most often by organizations as a mode of identification to distinguish a user amongst others. Whenever user supplies user id during identification process, the user is telling the system that it wants to be recognized by that user id and after that the process of authenticating the user, granting appropriate resources to user starts.
- MAC address: All computers have a 48-bit number assigned called a media access control (MAC) address to identify themselves uniquely. Earlier MAC address was embedded into the hardware of the device and could not be changed by the end user. Thus, it was a safe Identifier but nowadays most of the network devices have the MAC installed into the software and thus can be changed by the user. So, it is not considered now to be that unique and secure identification
- IP address: MAC address helps in identifying the physical location of a computer whereas an IP address would help in identifying the logical location of a system. It is allocated to all systems using the TCP/IP network protocol. IP addresses are a range of pool of IP address and thus can be subdivided to form subnets. Different systems in different subnets can have the same IP address, but it must be unique in the device’s same subnet. It can be easily changed by the user, so it is also not a strong identifier.
- Personal Identification Number(PIN): PIN is given to the user to identify whether the user has the right to perform any action on an identity. It is most coming seen in banking transactions and is the second form of user identification.
- Identification Badges: Identification can not only be logical but can also be physical. Thus organizations must have some badges to identify their employees since the badge is supposed to hold the username with their photo. It is made to deter any possible activity that can arouse from a non-employee at the very entry point within an organization. Sounds an efficient identification method but it is most often not properly used by the employees and security guards also make mistakes while comparing a person to that in the badge photo.
- Email Address: In recent years a new form of identification known as an email address has started to serve also as a unique identifier. However, they are unique only by convention and should not be used as a trusted factor only as an email address can be easily spoofed and organizations must use other authentication controls to tie an email address to a user.
As we have seen above, there are some important things that organizations must ensure before creating identities. For instance, identities should be short and should not reveal too much information about the user. Identities should be unique and must be used with multiple additional security controls to verify the identity. Some IDs should be made so that they cannot be changed, such as username root.
Now let’s look at authentication mechanisms.
As mentioned above, authentication is when the user provides a credential to the system to prove the identity. Authentication factors can be of the following types:
- Something you know: A secret or a PIN
- Something you have: Smart card or token
- Something you are: Facial Recognition, Biometrics
Single-factor authentication uses one of the types mentioned above as their authentication mechanism for example use of a password which is covered something users know.
Since single-factor authentication can be defeated, multi-factor authentication is used.Multi-factor authentication covers combination or all from above three mentioned. For example, nowadays banking systems use 2-factor authentication for transactions in the form of username-password (something the user knows) and grid information printed on the debit card back side (something the user has).
Organizations must also be aware of the cons of these using together, for example, using biometrics as a form of authentication, it totally depends on the acceptance rate set under the policy.
Types of failure
There are two types of failures under biometrics identification:
- False Acceptance: False recognition by accepting an imposter as a legitimate user.
- False Rejection: Rejecting an authorized and legitimate user access to the system/premises.
There are various types of biometrics recognition ways like fingerprint recognition, signature dynamics, vascular patterns, retina scanning, hand geometry, iris recognition, voice recognition, facial image, etc.