Identification and authentication in the CISSP
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
In this article, we will look at two of the three powerful access control strategies namely identification authentication and authorization.
Let’s first look at the very basic meaning of all three access control strategies, and then we will look at the methods for Identification and authorization and how they relate to the CISSP certification exam.
Earn your CISSP, guaranteed!
Identification and the CISSP
Identification is the starting point for all access control as without proper identification it will not be possible to grant resources to any identity. The main objective of identification is to bind a user to appropriate controls based on the identity.
Authentication and the CISSP
Authentication is the process of verifying the identity of a user. During the authentication process, the user provides some way of proving their identity to assert that the user is who they are claiming to be. The information provided by the user to authenticate is a secret known to the user only. Once authenticated, trust is established between user and system.
Authorization and the CISSP
Authorization is the final step in the process, and it allocates appropriate controls, privileges based on the identity in the system. This is where in big organizations users are divided into roles and groups to manage access, privileges smoothly. So, authorization is the process of defining what resources a user needs and type of access to those resources.
Identification and authentication methods
Let’s look into the most common Identification and Authentication Methods:
- User Id: It is the most standard form of identification and is used most often by organizations as a mode of identification to distinguish a user amongst others. Whenever user supplies user id during identification process, the user is telling the system that it wants to be recognized by that user id and after that the process of authenticating the user, granting appropriate resources to user starts.
- MAC address: All computers have a 48-bit number assigned called a media access control (MAC) address to identify themselves uniquely. Earlier MAC address was embedded into the hardware of the device and could not be changed by the end user. Thus, it was a safe Identifier but nowadays most of the network devices have the MAC installed into the software and thus can be changed by the user. So, it is not considered now to be that unique and secure identification
- IP address: MAC address helps in identifying the physical location of a computer whereas an IP address would help in identifying the logical location of a system. It is allocated to all systems using the TCP/IP network protocol. IP addresses are a range of pool of IP address and thus can be subdivided to form subnets. Different systems in different subnets can have the same IP address, but it must be unique in the device’s same subnet. It can be easily changed by the user, so it is also not a strong identifier.
- Personal Identification Number(PIN): PIN is given to the user to identify whether the user has the right to perform any action on an identity. It is most coming seen in banking transactions and is the second form of user identification.
- Identification Badges: Identification can not only be logical but can also be physical. Thus organizations must have some badges to identify their employees since the badge is supposed to hold the username with their photo. It is made to deter any possible activity that can arouse from a non-employee at the very entry point within an organization. Sounds an efficient identification method but it is most often not properly used by the employees and security guards also make mistakes while comparing a person to that in the badge photo.
- Email Address: In recent years a new form of identification known as an email address has started to serve also as a unique identifier. However, they are unique only by convention and should not be used as a trusted factor only as an email address can be easily spoofed and organizations must use other authentication controls to tie an email address to a user.
As we have seen above, there are some important things that organizations must ensure before creating identities. For instance, identities should be short and should not reveal too much information about the user. Identities should be unique and must be used with multiple additional security controls to verify the identity. Some IDs should be made so that they cannot be changed, such as username root.
Authentication mechanisms
Now let’s look at authentication mechanisms.
As mentioned above, authentication is when the user provides a credential to the system to prove the identity. Authentication factors can be of the following types:
- Something you know: A secret or a PIN
- Something you have: Smart card or token
- Something you are: Facial Recognition, Biometrics
Single-factor authentication uses one of the types mentioned above as their authentication mechanism for example use of a password which is covered something users know.
Since single-factor authentication can be defeated, multi-factor authentication is used.Multi-factor authentication covers combination or all from above three mentioned. For example, nowadays banking systems use 2-factor authentication for transactions in the form of username-password (something the user knows) and grid information printed on the debit card back side (something the user has).
Organizations must also be aware of the cons of these using together, for example, using biometrics as a form of authentication, it totally depends on the acceptance rate set under the policy.
Types of failure
There are two types of failures under biometrics identification:
Earn your CISSP, guaranteed!
- False Acceptance: False recognition by accepting an imposter as a legitimate user.
- False Rejection: Rejecting an authorized and legitimate user access to the system/premises.
There are various types of biometrics recognition ways like fingerprint recognition, signature dynamics, vascular patterns, retina scanning, hand geometry, iris recognition, voice recognition, facial image, etc.
- Exam Pass Guarantee
- Live expert CISSP instruction
- CISSP exam voucher
In this Series
- Identification and authentication in the CISSP
- CISSP certification - The ultimate guide [updated 2021]
- The CISSP domains and CBK: An overview
- CISSP certification salary: A comprehensive 2024 salary guide
- Definition & types of access control models & methods (updated 2023)
- CISSP domain 4: Communications and network security — What you need to know for the exam [2022 update]
- CISSP domain 5: Identity and access management — What you need to know for the exam [Updated 2022]
- CISSP domain 7: Security operations — What you need to know for the exam [Updated 2022]
- CISSP domain 6: Security assessment and testing — What you need to know for the exam [Updated 2022]
- CISSP domain 8 overview: Software development security — What you need to know for the exam [Updated 2022]
- CISSP and DoD 8570/8140: What you need to know [Updated 2022]
- Top 10 CISSP interview questions [Updated 2022]
- CISSP domain 1: Security and risk management — What you need to know for the exam
- The ISC2 code of ethics: A binding requirement for certification
- The CISSP experience waiver [updated 2022]
- Earning CPE credits to maintain the CISSP
- Renewal requirements for the CISSP [updated 2022]
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- CISSP job outlook [updated 2022]
- CISSP resources: Books, practice exams and other study tools [updated 2022]
- CISSP exam questions: 5 drag & drop and hotspot questions
- Risk management concepts and the CISSP (Part 2) [Updated 2022]
- What is the CISSP-ISSAP? Information Systems Security Architecture Professional [updated 2021]
- Average ISSEP Salary in 2021
- Average ISSMP Salary [updated 2021]
- CISSP domain 3: Security engineering CISSP - What you need to know for the exam [2022 update]
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring [updated 2021]
- What is the CISSP-ISSEP? Information Systems Security Engineering Professional [updated 2021]
- Information and asset classification in the CISSP exam
- CISSP domain 2: Asset security - What you need to know for the Exam [updated 2021]
- 8 tips for CISSP exam success [updated 2021]
- Risk management concepts and the CISSP (part 1) [updated 2021]
- Average ISSAP Salary in 2021
- What is the CISSP-ISSMP? Information Security System Management Professional [updated 2021]
- CISSP concentrations (ISSAP, ISSMP & ISSEP) [updated 2021]
- Due care vs. due diligence and the CISSP
- CISSP prep: Security policies, standards, procedures and guidelines
- Vulnerability and patch management in the CISSP exam
- Data security controls and the CISSP exam
- Logging and monitoring: What you need to know for the CISSP
- Data and system ownership in the CISSP exam
- CISSP Prep: Mitigating access control attacks
- CISSP Domain 5 Refresh: Identity and Access Management
- Identity Governance and Administration (IGA) in IT Infrastructure of Today
- CISSP CAT Exam Deep Dive: Study Tips from InfoSec Institute Alum Joe Wauson
- CISSP: Incident management
- CISSP: Business continuity planning and exercises
- CISSP: Perimeter defenses
- CISSP: Secure communication channels
- Environmental controls and the CISSP
- CISSP: Disaster recovery processes and plans
