2.0 Architecture and Design

2.4 Summarize authentication and authorization design concepts

Last edited 709 days ago by Makiel [Muh-Keel].
Identities are one of the most important security layers in modern organizations, which means a well-designed identity and access management (IAM) architecture and implementation is critical to how organizations work.

The Concept of Identity

Identities are claimed through an authentication process that proves that the identity belongs to the user who is claiming it. That user is then authorized to perform actions based on the rights and privileges associated with their user account.

Identity

Identities are the sets of claims made about a subject. Subjects are typically people, applications, devices, or organizations, but the most common application of identity is to individuals.
Identities are typically linked to attributes (information about the subject), including details like name, age, location, or job title, or physical attributes like hair and eye color or height.

Attributes vs Traits

Attributes are changeable information about the subject (location, job title, address).
Traits are inherited, non-changeable information about the subject (height, eye color, or place of birth).

Ways to Claim an Identity

Usernames: the most commonly used means of claiming an identity. It is important to remember that usernames are associated with an identity and are not an authentication factor themselves.
Certificates: can be stored on a system or paired with a storage device or security token.
Tokens: a physical device that may generate a code, plug in via USB, or connect via Bluetooth or other means to present a certificate or other information.
SSH keys: cryptographic representations of identity that replace a username and password.
Smartcards: use an embedded chip. Both contactless and physical chip reader-capable cards as well as hybrid cards are broadly deployed, and cryptographic smartcards often have the ability to generate key pairs on the card itself.

Authentication and Authorization

When a subject wants to claim an identity, they need to prove that the identity is theirs. That means they need to authenticate.
Authentication technologies such as authentication protocols, servers, and standards all serve to ensure that the subject is who they claim to be, that the authentication process remains safe and secure, and that capabilities like single sign-on (SSO) work.
Authentication verifies who you are; Authorization verifies what you have access to based on who you are.

Authentication and Authorization Technologies

A broad range of authentication and authorization technologies are in current use. The most common ones are described below.

Extensible Authentication Protocol (EAP)

EAP is an authentication framework used on encrypted networks to provide a secure way to send identifying information for network authentication.
Many different implementations exist that use the EAP framework, including vendor-specific and open methods like EAP-TLS, LEAP, and EAP-TTLS.
Each of these methods carries EAP messages using its own messaging standard.

Challenge Handshake Authentication Protocol (CHAP)

CHAP is an authentication protocol designed to provide more security than protocols like PAP, which you will read about later in this section.
CHAP uses an encrypted challenge and a three-way handshake to send credentials.
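To make the three-way handshake concrete, here is an added simulation (not code from the original notes) of CHAP with MD5 as RFC 1994 defines it, beside a PAP Authenticate-Request for contrast. The shared secret and the "alice"/"hunter2" credentials are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample secret for the simulation; not a real credential.
SHARED_SECRET = b"correct horse battery staple"


def pap_authenticate_request(peer_id: bytes, password: bytes, identifier: int = 1) -> bytes:
    """PAP Authenticate-Request (RFC 1334): the password travels as plain bytes."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack(">BBH", 1, identifier, 4 + len(body)) + body


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge).

    Only this digest crosses the link; the secret itself is never transmitted.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the three-way handshake: Challenge, Response, Success/Failure."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._identifier = 0
        self._challenge = b""

    def challenge(self) -> tuple:
        """Step 1: issue a fresh random challenge; a new value every time defeats replay."""
        self._identifier = (self._identifier + 1) % 256
        self._challenge = os.urandom(16)
        return self._identifier, self._challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the expected digest and compare in constant time."""
        expected = chap_response(identifier, self._secret, self._challenge)
        return identifier == self._identifier and hmac.compare_digest(expected, response)


def chap_handshake(server: ChapAuthenticator, client_secret: bytes) -> bool:
    """Run one handshake for a client holding client_secret; True if accepted."""
    ident, chal = server.challenge()                   # 1. Challenge
    resp = chap_response(ident, client_secret, chal)  # 2. Response
    return server.verify(ident, resp)                  # 3. Success or Failure


def replayed_response_is_rejected(server: ChapAuthenticator, client_secret: bytes) -> bool:
    """A response captured from one exchange fails against the next challenge."""
    ident, chal = server.challenge()
    captured = chap_response(ident, client_secret, chal)
    server.challenge()                                 # authenticator moves on to a new challenge
    return not server.verify(ident, captured)
```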

Password Authentication Protocol (PAP)

PAP is a password-centric authentication protocol that was commonly used with the Point-to-Point Protocol (PPP) to authenticate users.
Although PAP still appears in the Security+ exam outline, you are not likely to use PAP in modern implementations because it has been supplanted by CHAP and EAP implementations.
PAP sends unencrypted passwords, making it unsuitable for use in most modern networks.

RADIUS (Remote Authentication Dial-In User Service)

RADIUS is one of the most common authentication, authorization, and accounting (AAA) systems for network devices, wireless networks, and other services.
RADIUS can operate via TCP or UDP and operates in a client-server model. RADIUS sends passwords that are obfuscated by a shared secret and MD5 hash, meaning that its password security is not very strong.
RADIUS traffic between the RADIUS network access server and the RADIUS server is typically encrypted using IPSec tunnels or other protections to protect the traffic.
In an AAA (Authentication, Authorization, and Accounting) system, users must first authenticate, typically with a username and password.
The system then allows them to perform the actions they are authorized to perform by policies or permission settings.
Accounting tracks resource utilization like time, bandwidth, or CPU utilization.
AAA is a security framework that controls access to computer resources, enforces policies, and audits usage. AAA and its combined processes play a major role in network management and cybersecurity by screening users and keeping track of their activity while they are connected.
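The "obfuscated by a shared secret and MD5 hash" remark above refers to how RADIUS hides the User-Password attribute. The following is an added implementation of that scheme as RFC 2865 section 5.2 specifies it (not code from the notes); the secret, password and authenticator values used are constructed samples. The keystream depends only on the shared secret and the cleartext Request Authenticator, which is why the notes recommend IPsec around the link.

```python
import hashlib
import os


def new_request_authenticator() -> bytes:
    """The 16 random bytes a client places in each Access-Request (sent in the clear)."""
    return os.urandom(16)


def _blocks16(data: bytes):
    for i in range(0, len(data), 16):
        yield data[i:i + 16]


def hide_user_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Encode the User-Password attribute as RFC 2865 section 5.2 describes.

    The password is NUL-padded to a multiple of 16 bytes and XORed block by block with
    b_i = MD5(shared_secret || c_(i-1)), where c_0 is the Request Authenticator.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for block in _blocks16(padded):
        keystream = hashlib.md5(shared_secret + prev).digest()
        cipher_block = bytes(p ^ k for p, k in zip(block, keystream))
        hidden += cipher_block
        prev = cipher_block
    return bytes(hidden)


def recover_user_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does to check the password it received.

    Nothing here depends on the user's password: the shared secret and the cleartext
    authenticator are the only inputs, which is why this counts as obfuscation rather
    than strong encryption.
    """
    recovered = bytearray()
    prev = authenticator
    for cipher_block in _blocks16(hidden):
        keystream = hashlib.md5(shared_secret + prev).digest()
        recovered += bytes(c ^ k for c, k in zip(cipher_block, keystream))
        prev = cipher_block
    return bytes(recovered).rstrip(b"\x00")   # drop the NUL padding added when hiding
```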

TACACS+ (Terminal Access Controller Access Control System Plus)

TACACS+ is a Cisco-designed extension to TACACS, the Terminal Access Controller Access Control System. TACACS+ uses TCP traffic to provide authentication, authorization, and accounting services.
It provides full-packet encryption as well as granular command controls, allowing individual commands to be secured as needed.

Kerberos

Kerberos is designed to operate on untrusted networks and uses encryption to shield its authentication traffic.
Kerberos users are composed of three main elements: the primary, which is typically the username; the instance, which helps to differentiate similar primaries; and realms, which consist of groups of users.
Realms are typically separated by trust boundaries and have distinct Kerberos key distribution centers (KDCs).
Kerberos Authentication Process

When a client wants to use Kerberos to access a service, the client requests an authentication ticket, or ticket-granting ticket (TGT).
An authentication server checks the client's credentials and responds with the TGT, which is encrypted using the ticket-granting service's (TGS) secret key.
When the client wants to use a service, the client sends the TGT to the TGS (which is usually also the KDC) and includes the name of the resource it wants to use.
The TGS sends back a valid session key for the service, and the client presents the key to the service to access it.

Internet-based systems often rely on a number of core technologies to accomplish authentication and authorization. These include the following.

SAML (Security Assertion Markup Language)

Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization information.
SAML is often used between identity providers and service providers for web-based applications.
Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials.
Identity Providers will request resources from Service Providers.

OpenID

OpenID is an open standard for decentralized authentication. OpenID identity providers can be leveraged for third-party sites using established identities.
A common example of this is the “Log in with Google” functionality that many websites provide, but Google is not the only example of a major OpenID identity provider.
Microsoft, Amazon, and many other organizations are OpenID identity providers (IdPs).
Relying parties (RPs) redirect authentication requests to the IdP and then receive a response containing an assertion that the user is who they claim to be, based on successful authentication; the user is then logged in using the OpenID for that user.

OAuth

OAuth is an open standard for authorization used by many websites.
OAuth provides a method for users to determine what information to provide to third-party applications and sites without sharing credentials.

Facebook Connect

Facebook Connect is a service that allows Facebook users to log into other websites with their Facebook profile, without having to create separate accounts there.

Single Sign-On

Single Sign-On (SSO) systems allow a user to log in with a single identity and then use multiple systems or services without reauthenticating.
SSO requires a trade-off in the number of identity-based security boundaries that are in place, meaning many organizations implement single sign-on for many systems but may require additional authentication steps or the use of a separate privileged account for high-security environments.
Single sign-on is commonly implemented using LDAP and Kerberos such as in Windows domains and Linux infrastructures, or via a SAML implementation for web applications and federated services.

Federation

Federation allows single sign-on (SSO) without passwords: the federation server knows the username for a person in each application and presents that application with a token that says, "this person is domain\johndoe or johndoe@example.com".
Instead of maintaining your own database of usernames and passwords, you can use authentication information that is already held at a different site. This is called federation, and it is a way to allow someone to authenticate to your network using credentials that are stored with a third party.
No password is required for the user to log in to each system. Because of the trust between the two systems, the target application accepts this token and authenticates the user.

Directory Services

Directory Services are used in networks to provide information about systems, users, and other information about an organization.
They are normally used to make organizational directories for email and other contact information available and to authenticate users.
Directory Services contain a significant amount of organizational data and are used to support a range of services like directory-based authentication, so it’s imperative they’re well-protected.
Directory services like the Lightweight Directory Access Protocol (LDAP) are commonly deployed as part of an identity management infrastructure and offer hierarchically organized information about the organization.
Lightweight Directory Access Protocol (LDAP) is a protocol that helps users find data about organizations, persons, and more.
LDAP has two main goals: to store data in the LDAP directory and to authenticate users who access the directory.
LDAP uses port 389.

Attestation

Attestation is the act of proving that the hardware a user is connecting with is really the hardware we're expecting.
It makes sure the hardware trying to access your network resources is the same hardware that was originally set up to authenticate to your network.
This is easy when one computer is being verified, but it quickly becomes unmanageable when verifying 100+ devices.
We need an automated process to confirm that the hardware connecting to our network is hardware that's trusted.
Remote Attestation is when a device provides a report to the verification server to authenticate its hardware.
This attestation report is usually encrypted and digitally signed using keys that are located on the Trusted Platform Module (TPM) of that remote device.
By going through this attestation process, we can be assured that the device on the other end of the communications path is one that is trusted and is allowed access to our network.

Authentication Methods

Proving the validity of the identity you claim is the core of the authentication process.

MFA (Multifactor Authentication)

MFA is a layered approach to securing your online accounts and the data they contain. When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access.
Using MFA protects your account more than using a username and password alone.
Adversaries will need to compromise every factor, not just the password, to gain unauthorized access to your resources. With each new MFA step you add, the likelihood of a successful breach of your organization through unauthorized account access decreases.
There are three main types of MFA factors:
Something you know.
Passwords, PINs, or the answer to a security question.
Something you have.
A smartcard, USB or Bluetooth token, or another object that is in your possession, like the Titan security key.
Something you are.
Relies on a physical characteristic of the person who is authenticating. Fingerprints, retina scans, voice prints, and even your typing speed and patterns are all options for this type of factor.
Attributes extend the three main factor types:
Somewhere you are, sometimes called a location factor, is based on your current location. GPS, network location, and other data can be used to ensure that only users who are in the location they should be can authenticate.
Something you can do, which is used in Windows 10's Picture Password feature or gesture passwords on Android phones. This is a type of knowledge factor that requires a different form of interaction.
Something you exhibit, which could be a behavior pattern or similar characteristic. These are typically a form of the "something you are" factors, like typing speed or similar patterns.
Someone you know, which can include trust relationships with others.

One-Time Password

A common implementation of a second factor is the use of One-Time Passwords. One-time passwords are an important way to combat password theft and other password-based attacks. As its name implies, a one-time password is usable only once.
An attacker who obtains a one-time password cannot continue using it, which means that brute-force attacks are constantly chasing a changing target.
There are two primary models for generation of one-time passwords:

Time-based One-Time Passwords (TOTPs)

Applications such as Google Authenticator and Duo Mobile generate TOTPs.
TOTP uses an algorithm to derive a one-time password using the current time of day as part of the code-generation process.
TOTPs typically expire after 30, 60, 120 or 240 seconds.

Authentication Applications

The code generated is valid for a set period of time and then moves on to the next time-based code, meaning that even if a code is compromised it will be valid for only a relatively short period of time.

HOTP (HMAC-Based One-Time Password)

Each time the HOTP is requested and validated, the moving factor is incremented based on a counter. The code that’s generated is valid until you actively request another one and it’s validated by the authentication server.
Each time you press the button and generate a new passcode, the old passcode becomes invalid and is replaced by the newly generated one.

SMS (Short Message Service)

When a user attempts to authenticate, an SMS message is sent to their phone, and they then input that code as an additional factor for the authentication process.
SMS messages may still be accessible to attackers via VoIP or other systems.

OTP Attacks

TOTP passwords can be stolen by either tricking a user into providing them, gaining access to a device like a phone where they are generated, or otherwise having near real-time access to them.
One-time passwords sent via SMS can be redirected using a cloned SIM, or if the phone is part of a VoIP network, by compromising the VoIP system or account and redirecting the SMS factor.

Push Notifications

Push Notifications are messages sent to a user to inform them of an event, in this case an authentication attempt. Once the user responds to the prompt with the requested validation, typically by pressing a specific button, the authentication can proceed.
Phone Push Notification issues:
Lower speed, which can cause issues with login timeouts.
The potential for hijacking of calls via a variety of means.
Additional costs for the implementing organization due to phone call costs.

Phone Call

With a phone call factor, an automated system calls you and reads the code aloud. Instead of an app that provides the pseudo-random number, an automated process calls you and tells you the pseudo-random number.
You pick up the phone, the automated message says, "Your code is 1-6-2-5-1-7," and you type that in along with your username and password to complete the authentication process.
The disadvantages of receiving phone calls for authentication are very similar to the disadvantages of receiving an SMS or text message.

Static Codes

Although one-time passwords that are dynamically generated as they are needed are more common, at times there is a need for a one-time password that does not require a device or connectivity.
Static codes are also algorithmically generated like other one-time passwords but are pre-generated and often printed or stored in a secure location.
They are risky because the paper they are printed on could be stolen, or, if they are stored electronically, the file they are stored in could be lost or accessed.
Personal Identification Numbers (PIN) codes are an example.

Smart Card Authentication

A Smart Card is a physical device, usually a plastic card with a microprocessor, that can provide personal authentication using certificates stored on the card. Personal authentication means that you can use smart cards in the same way as user passwords.
Authentication based on smart cards is an alternative to passwords. You can store user credentials on a smart card in the form of a private key and a certificate, and special software and hardware is used to access them.
A certificate is an electronic document used to identify an individual, a server, a company, or another entity.

Biometrics

Biometric factors are an example of the “something you are” factor, and they rely on the unique physiology of the user to validate their identity.

Fingerprints

Fingerprint scanning checks the unique patterns of ridges and valleys on your fingertips using optical, ultrasonic, or capacitive scanners.
Fingerprint scanning has been broadly deployed within both Windows, using fingerprint scanners on laptops, and with Android and Apple devices that use fingerprint readers.

Retina Scanning

Retina scanning uses the unique patterns of blood vessels in the retina to tell users apart.

Iris Recognition

Iris recognition systems use pattern recognition and infrared imaging to uniquely identify an individual's eyes.
Iris recognition can be accomplished from farther away than retina scans, making it preferable in many circumstances.

Facial Recognition

Facial recognition techniques match specific features to an original image in a database.
Facial recognition is widely used in Apple iPhone for FaceID, making it a broadly deployed biometric technology.

Voice Recognition

Voice recognition uses the patterns, rhythms, and sounds of a user's voice itself to recognize the user.

Vein Recognition

Vein recognition uses scanners that can see the pattern of veins, often in a user's finger.
Vein scanners do not need to touch the user, unlike fingerprint scanners, making them less likely to be influenced by things like dirt or skin conditions.

Gait Analysis

Gait analysis measures how a person walks to identify them.

Biometric technologies are assessed on four major measurements

False Rejection Rate (FRR)

Type I errors are measured as the False Rejection Rate (FRR).
A false rejection means that a legitimate biometric measure was presented and the system rejected it.

False Acceptance Rate (FAR)

Type II errors, or false acceptance errors, are measured as the False Acceptance Rate (FAR).
These occur when a biometric factor is presented and is accepted when it shouldn't be.

Relative Operating Characteristic (ROC)

The Relative Operating Characteristic (ROC) compares the FRR against the FAR of a system, typically as a graph.
For most systems, as you decrease the likelihood of false rejection, you will increase the rate of false acceptance, and determining where the accuracy of a system should be set to minimize false acceptance and prevent false rejection is an important element in the configuration of biometric systems.

Crossover Error Rate

The place on the ROC chart where FAR and FRR cross over is called the Crossover Error Rate (CER).
The crossover error rate describes the overall accuracy of a system.
As the sensitivity of a biometric system increases, FRRs will rise and FARs will drop. Conversely, as the sensitivity is lowered, FRRs will drop and FARs will rise.
The CER is the point where the two measurements are equal, which is where the biometric system is considered most accurate.
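To show how FRR, FAR, the ROC curve and the CER relate, here is an added example (not from the notes) that sweeps a match threshold over constructed genuine and impostor similarity scores from a hypothetical matcher; raising the threshold corresponds to the "more sensitive" setting described above. All score values are made up for illustration.

```python
from typing import Iterable, List, Sequence, Tuple

# Constructed similarity scores (0-100) from a hypothetical matcher; higher means "more alike".
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]    # enrolled users matched against themselves
IMPOSTOR = [15, 22, 28, 35, 41, 47, 52, 58, 63, 71]   # other people matched against an enrolled user


def frr(genuine: Sequence[float], threshold: float) -> float:
    """Type I error rate: legitimate presentations rejected because their score fell below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor: Sequence[float], threshold: float) -> float:
    """Type II error rate: impostor presentations accepted because their score reached the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def roc_curve(genuine: Sequence[float], impostor: Sequence[float],
              thresholds: Iterable[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) points: the curve the notes describe as a graph of FRR against FAR."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover_error_rate(genuine: Sequence[float], impostor: Sequence[float],
                         thresholds: Iterable[float]) -> Tuple[float, float]:
    """Threshold where FAR and FRR are closest to equal, and the error rate there (the CER)."""
    t, a, r = min(roc_curve(genuine, impostor, thresholds), key=lambda p: abs(p[1] - p[2]))
    return t, (a + r) / 2
```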

Cloud vs On-Premises Requirements

There are a number of different ways to provide the authentication process. Some are in the cloud, and some are on-premises.
Cloud-based authentication often involves a third party managing the platform: the service is provided by a cloud service provider, and we simply use that service as part of the authentication process.
Cloud-based authentication is usually a centralized platform in the cloud that can be accessed from anywhere in the world.
It often includes API integration so that applications can access it and authenticate against the same centralized database.
An on-premises (on-prem) authentication system is one in our local data center. It requires our own internal staff to monitor and configure everything associated with the authentication system.
If there are users outside our network that still need to authenticate through our internal system, we need to make sure processes are in place for them to do so.