Identity and access management (IAM)
IAM is the process of creating, managing, authenticating, authorizing, reviewing, and removing identities and their access to systems, applications, data, and services.
Example: An organization creates an employee account, assigns job-based access, reviews the permissions, and disables the account when the employee leaves.
Memory trick: IAM = manage identities from start to finish.
Trick question tip: If the question mentions accounts, identities, authentication, permissions, provisioning, or deprovisioning, think IAM.
Identification, authentication, authorization, and accounting
Identification is claiming an identity, authentication proves it, authorization determines allowed actions, and accounting records activity.
Example: A username identifies, a security key authenticates, a role authorizes file access, and logs record the actions.
Memory trick: Claim, prove, permit, record.
Trick question tip: Username means identification; credentials mean authentication; rights mean authorization; logs mean accounting.
Supplicant, authenticator, and authentication server
The supplicant or claimant requests access, the authenticator controls access to the network or service, and the authentication server validates the credentials.
Example: A laptop presents credentials through a network device, which sends them to a central server for verification.
Memory trick: Supplicant asks, authenticator passes, server checks.
Trick question tip: The device presenting credentials is the supplicant; the system verifying them is the authentication server.
Credential
A credential is evidence used to prove an identity, such as a password, certificate, smart card, security key, token, or biometric template.
Example: A user presents a password and a hardware key to prove control of an account.
Memory trick: Credential = login proof.
Trick question tip: A username identifies an account but is not usually the secret credential.
Authentication factors
Authentication factors include something you know, something you have, something you are, somewhere you are, and something you do.
Example: A password is knowledge, a security key is possession, a fingerprint is inherence, a location is somewhere you are, and typing rhythm is behavior.
Memory trick: Know, have, are, where, do.
Trick question tip: Multifactor authentication requires different factor categories, not merely two credentials.
Something you know
Something you know is a knowledge factor based on memorized information, such as a password, passphrase, or PIN.
Example: A user enters a passphrase known only to the account holder.
Memory trick: Know = secret in your head.
Trick question tip: A password plus a PIN is still one factor category and is not true MFA.
Password versus passphrase versus device PIN
A password is a memorized secret, a passphrase is a longer multiword secret, and a modern device PIN is often locally tied to one specific device.
Example: A device PIN unlocks a local cryptographic credential, while an account password may work across several devices.
Memory trick: Phrase is longer; PIN is often device-local.
Trick question tip: If the clue says valid only on one device, choose device PIN rather than a reusable account password.
Modern password guidance
Modern password guidance favors sufficient length, memorable passphrases, screening against compromised passwords, and changing passwords when compromise is suspected rather than forcing frequent arbitrary changes.
Example: A company permits long passphrases and blocks known breached passwords instead of requiring predictable monthly changes.
Memory trick: Long and unique beats short and constantly changed.
Trick question tip: Frequent forced rotation, password hints, and overly rigid complexity rules may cause weaker user behavior.
Password length and complexity
Password length measures the number of characters, while complexity rules require different character types. Length generally increases the search space more reliably than predictable substitutions.
Example: A long unique passphrase is harder to guess than a short password with one added symbol.
Memory trick: Length adds space; complexity adds variety.
Trick question tip: When choosing between a longer passphrase and a short complex password, the longer unique option is often stronger.
Password history and minimum password age
Password history blocks reuse of previous passwords, and minimum password age prevents users from rapidly changing passwords until an old favorite becomes allowed again.
Example: The system remembers previous passwords and prevents several immediate password changes.
Memory trick: History remembers; minimum age stops cycling.
Trick question tip: Rapidly changing passwords to defeat history is password cycling.
Password aging versus expiration
Password aging may require a change after authentication, while password expiration can prevent use of the old password until it is reset through an approved process.
Example: One policy allows a final login and forces a change; another blocks login entirely.
Memory trick: Aging means change it; expiration means it no longer works.
Trick question tip: Read whether the user can still authenticate before being forced to change the password.
System-enforced versus soft password policy
A system-enforced policy technically applies rules such as length, history, or lockout, while a soft policy relies on instructions and user behavior.
Example: A system can block a short password but may only train users not to reuse a work password on personal services.
Memory trick: Hard rule blocks; soft rule teaches.
Trick question tip: If the organization cannot technically enforce behavior outside its systems, the control is policy and training.
Password manager
A password manager generates and stores strong unique credentials in an encrypted vault protected by a strong master credential and preferably MFA.
Example: The user remembers one strong master passphrase while the manager stores a different random password for each account.
Memory trick: One protected vault, many unique passwords.
Trick question tip: Password managers reduce reuse but create concentration risk if the master credential or vault is compromised.
Password manager risks and protections
Password-manager risks include a weak master password, compromised endpoint or provider, malicious extensions, and autofill on a spoofed site. Protections include MFA, site matching, updates, and a strong unique master passphrase.
Example: The manager verifies the saved service identity before offering to fill credentials.
Memory trick: Protect the vault and verify the destination.
Trick question tip: Autofill is helpful but should occur only when the site identity matches the saved entry.
Password attack lockout controls
Account lockout thresholds, observation windows, and lockout duration limit repeated authentication attempts but must balance security against denial-of-service and help-desk impact.
Example: An account is temporarily locked after several failed attempts within a defined time window.
Memory trick: Threshold counts, window watches, duration locks.
Trick question tip: An overly aggressive lockout policy can let an attacker deliberately lock legitimate users out.
Something you have
Something you have is a possession factor such as a smart card, hardware security key, phone, key fob, or hardware OTP token.
Example: A user must physically possess a security key to complete authentication.
Memory trick: Have = object you possess.
Trick question tip: A code delivered through a compromised channel may be weaker than a cryptographic hardware possession factor.
Something you are
Something you are is an inherence factor based on a physiological or behavioral biometric characteristic.
Example: Fingerprint, face, iris, voice pattern, gait, or typing rhythm can support authentication.
Memory trick: Are = body or behavior.
Trick question tip: Fingerprint and face are physiological; gait and typing rhythm are behavioral.
Biometric template and enrollment
Biometric enrollment creates a stored mathematical template that later scans are compared against; the original body characteristic should not be stored as a simple reusable image.
Example: A fingerprint scan is converted into a reference template for future matching.
Memory trick: Enroll once, compare later.
Trick question tip: Biometric systems compare a live sample with a stored template.
Biometric false acceptance and false rejection
False acceptance occurs when an unauthorized person is accepted, while false rejection occurs when an authorized person is denied. The crossover error rate is where the two rates are equal.
Example: Tightening sensitivity may reduce false acceptance but increase false rejection.
Memory trick: FAR lets the wrong person in; FRR keeps the right person out.
Trick question tip: Security prioritizes a low FAR, while usability is harmed by a high FRR.
Somewhere you are
Somewhere you are uses physical or logical location as an authentication or access signal, including geolocation, IP address, network segment, VLAN, wireless network, or physical port.
Example: A login from an unexpected country triggers additional verification.
Memory trick: Where = location signal.
Trick question tip: Location is often a contextual signal rather than a strong standalone authenticator.
Impossible travel
Impossible travel is a risk signal generated when the same identity appears in distant locations within a period too short for legitimate travel.
Example: An account authenticates from two far-apart regions only minutes apart.
Memory trick: Too far, too fast.
Trick question tip: Impossible travel commonly triggers denial, step-up authentication, or investigation.
Continuous and adaptive authentication
Continuous authentication reevaluates identity and risk during a session, while adaptive authentication changes requirements based on context such as device health, behavior, location, or sensitivity.
Example: A session requires additional proof when the user attempts a sensitive action from an unusual device.
Memory trick: Keep checking and adapt to risk.
Trick question tip: Additional proof prompted by increased risk is step-up authentication.
Single-factor, two-factor, and multifactor authentication
Single-factor uses one factor category, 2FA uses exactly two different categories, and MFA uses two or more different categories.
Example: A smart card plus PIN is 2FA and MFA; a password plus PIN is not MFA because both are knowledge factors.
Memory trick: Different factor families matter.
Trick question tip: Count categories, not the number of prompts or pieces of information.
MFA fatigue and push-bombing
MFA fatigue attacks repeatedly send approval requests until a user accepts one through annoyance, confusion, or social engineering.
Example: A user receives many unexpected login prompts and eventually approves one.
Memory trick: Repeated pushes pressure the user.
Trick question tip: Number matching, user education, rate limiting, and phishing-resistant authentication reduce push-bombing risk.
One-time password (OTP)
An OTP is a temporary authentication code intended for one use. TOTP derives codes from time, while HOTP advances using a counter; both rely on a shared secret.
Example: An authenticator app displays a code that changes at regular intervals.
Memory trick: TOTP = time; HOTP = counter.
Trick question tip: A stolen shared secret can let an attacker generate valid OTPs.
Hardware token versus software token
A hardware token generates or stores authentication proof in a dedicated physical device, while a software token runs in an app or is delivered through a communication channel.
Example: A key fob displays a code, while an authenticator app generates one on a phone.
Memory trick: Hard token is a device; soft token is software.
Trick question tip: Dedicated hardware generally offers stronger isolation than a token stored on a general-purpose endpoint.
SMS and email OTP weaknesses
SMS and email codes can be intercepted through account takeover, message forwarding, number transfer fraud, or compromised devices, so they are weaker than phishing-resistant cryptographic authenticators.
Example: An attacker takes control of a phone number and receives the victim's authentication code.
Memory trick: A delivered code can be redirected.
Trick question tip: SMS is better than password-only authentication but is not the strongest MFA option.
Smart card
A smart card is a possession factor that can securely store a certificate and private key and is commonly activated with a PIN.
Example: The user inserts or taps a card and enters a PIN to authenticate.
Memory trick: Card you have plus PIN you know.
Trick question tip: Smart card plus PIN is multifactor because the categories are possession and knowledge.
Static token, replay, and cloning
A static token presents the same value repeatedly, making it vulnerable to capture, replay, or cloning. Dynamic cryptographic tokens reduce this risk.
Example: An attacker copies a fixed access-card value and presents it later.
Memory trick: Same code can be copied and replayed.
Trick question tip: A captured valid credential used again is a replay attack; duplicating the credential is cloning.
Certificate-based authentication
Certificate-based authentication proves possession of a private key associated with a trusted digital certificate; the verifier checks the signature with the public key.
Example: A smart card signs an authentication challenge using its protected private key.
Memory trick: Private key signs; public key verifies.
Trick question tip: Certificate authentication is strong but requires PKI issuance, renewal, protection, and revocation.
FIDO and phishing-resistant authentication
FIDO authentication uses public-key cryptography so a private key remains on the authenticator and a unique public key is registered with each service.
Example: A hardware security key signs a challenge only for the legitimate registered service.
Memory trick: Private key stays; service-specific public key verifies.
Trick question tip: FIDO resists phishing because credentials are bound to the legitimate relying party and no reusable password is sent.
U2F, FIDO2, and WebAuthn
U2F was designed mainly as a second factor, while FIDO2 combines WebAuthn and authenticator protocols to support strong MFA and passwordless authentication.
Example: A browser uses WebAuthn to request a signed challenge from a platform or roaming authenticator.
Memory trick: U2F adds a factor; FIDO2 can replace the password.
Trick question tip: WebAuthn is the web-facing standard used by browsers and relying parties.
Platform versus roaming authenticator
A platform authenticator is built into a device, while a roaming authenticator is portable and can be used across devices.
Example: A laptop biometric sensor is platform-based; a portable security key is roaming.
Memory trick: Platform stays; roaming travels.
Trick question tip: Built-in TPM-backed or biometric login points to platform authentication; USB or NFC security key points to roaming.
Passwordless authentication
Passwordless authentication uses a cryptographic authenticator, biometric, or possession factor without sending or validating a reusable password.
Example: A device verifies the user locally and signs a server challenge with a private key.
Memory trick: No shared password to steal.
Trick question tip: Passwordless does not mean no authentication; it means authentication without a reusable password.
Attestation and root of trust
Attestation provides signed evidence about an authenticator or device, while a hardware root of trust protects the keys and measurements used to create that evidence.
Example: A service verifies that authentication came from an approved hardware model.
Memory trick: Root protects; attestation proves.
Trick question tip: Attestation validates the authenticator or device, not the user's identity by itself.
Access control model
An access control model defines how permissions are assigned and enforced. Common models include DAC, MAC, RBAC, ABAC, and rule-based access control.
Example: An organization chooses roles for most business access and attributes for sensitive contextual decisions.
Memory trick: Model = method used to decide access.
Trick question tip: Owner means DAC, labels mean MAC, job role means RBAC, attributes mean ABAC, and system conditions mean rule-based.
Discretionary access control (DAC)
DAC allows the resource owner to decide who receives access and which permissions are granted.
Example: A file owner shares a document with selected coworkers using an ACL.
Memory trick: DAC = decided by the owner.
Trick question tip: DAC is flexible but can lead to oversharing and inconsistent permissions.
Mandatory access control (MAC)
MAC uses centrally enforced classification labels, clearance levels, compartments, and need-to-know rules that users cannot freely change.
Example: A user with the required clearance accesses labeled information only when authorized for the relevant compartment.
Memory trick: MAC = mandatory labels and clearance.
Trick question tip: Classified, secret, top secret, clearance, and strict central policy point to MAC.
Bell-LaPadula confidentiality rules
Bell-LaPadula protects confidentiality using no read up and no write down, allowing authorized users to read at or below their level and write at or above it.
Example: A user cleared for a confidential level cannot read more highly classified data or write confidential data into a lower public level.
Memory trick: Read down, write up.
Trick question tip: Bell-LaPadula focuses on confidentiality, not integrity.
Role-based access control (RBAC)
RBAC assigns permissions to job roles or security groups and then assigns users or service accounts to those roles.
Example: A new employee receives approved accounting permissions by joining the accounting role.
Memory trick: RBAC = role decides access.
Trick question tip: Job function, department, role, group membership, and scalable administration point to RBAC.
Attribute-based access control (ABAC)
ABAC evaluates attributes of the subject, resource, action, device, and environment to make fine-grained contextual decisions.
Example: A manager can view sensitive data only from a compliant device during approved hours in an allowed location.
Memory trick: ABAC = access based on attributes.
Trick question tip: Multiple conditions such as location, device health, time, and data classification point to ABAC.
Rule-based and conditional access
Rule-based access applies predefined conditions, while conditional access evaluates signals such as user risk, device health, location, application, and requested action to allow, block, or require more proof.
Example: A risky login is allowed only after phishing-resistant MFA.
Memory trick: Rules decide; risk can step access up or down.
Trick question tip: Do not confuse rule-based access with RBAC: rule-based uses conditions, while RBAC uses job roles.
Least privilege
Least privilege grants only the minimum permissions needed for a task and only for the necessary time.
Example: An administrator uses a standard account for daily work and elevates privileges only for an approved maintenance action.
Memory trick: Minimum power, minimum time.
Trick question tip: Least privilege reduces the impact of compromised accounts and user mistakes.
Separation of duties and M-of-N control
Separation of duties divides a sensitive process among multiple people, and M-of-N control requires a defined number of authorized participants to approve an action.
Example: Two of three designated administrators must approve a critical key-recovery operation.
Memory trick: No one person controls the whole risky process.
Trick question tip: Dual control, split knowledge, and multiple approvals point to separation of duties or M-of-N.
Effective permissions
Effective permissions are the final rights a subject receives after direct assignments, group or role memberships, inheritance, and deny rules are evaluated.
Example: A user receives access through one group but is blocked by a more specific deny rule.
Memory trick: Effective = what actually applies in the end.
Trick question tip: The apparent permission on one group may not equal the user's final effective access.
Authorization creep
Authorization creep occurs when users accumulate unneeded permissions through transfers, temporary projects, direct assignments, or group memberships that are not removed.
Example: An employee changes departments but keeps access from the previous role.
Memory trick: Old permissions follow the user.
Trick question tip: Periodic access reviews, recertification, and removal of obsolete group membership mitigate authorization creep.
User Account Control and sudo
User Account Control and sudo allow temporary privilege elevation instead of requiring constant use of a privileged account.
Example: A standard user confirms or authenticates before performing an administrative task.
Memory trick: Elevate for the task, then return to normal.
Trick question tip: Temporary elevation supports least privilege but does not eliminate the need to protect administrator credentials.
Provisioning
Provisioning creates an identity, verifies it as required, issues credentials and assets, assigns roles and permissions, and provides security training.
Example: A new employee receives an account, MFA token, approved device, and job-based access.
Memory trick: Provisioning = securely set the user up.
Trick question tip: Identity proofing occurs before credentials and access are issued.
Identity proofing
Identity proofing verifies that a person is who they claim to be before an identity is enrolled or credentials are issued.
Example: An organization validates approved documents and employment information before creating an account.
Memory trick: Prove the person before provisioning the account.
Trick question tip: Identity proofing establishes the real-world identity; authentication later proves control of the enrolled account.
Deprovisioning and offboarding
Deprovisioning promptly removes or disables accounts, sessions, tokens, keys, devices, group memberships, and application access when they are no longer needed.
Example: A departing contractor's account is disabled immediately and deleted after retention requirements are satisfied.
Memory trick: Offboarding closes every door.
Trick question tip: Disable first when records or data must be retained; immediate deletion may remove evidence or ownership information.
Joiner, mover, and leaver lifecycle
Joiner, mover, and leaver processes manage access when a person enters the organization, changes roles, or leaves.
Example: A transferred employee loses old permissions and receives only those required for the new role.
Memory trick: Join, change, leave.
Trick question tip: The mover stage is a major source of permission creep if old access is not removed.
Account types
Common account types include standard user, privileged or administrator, service, shared, guest, emergency, and contractor accounts, each requiring appropriate restrictions and monitoring.
Example: A service account runs an application and should not be used for normal interactive login.
Memory trick: Different account purpose, different control.
Trick question tip: Service and shared privileged accounts need especially strong ownership, rotation, monitoring, and restrictions.
Service account
A service account is used by an application, process, or automated task and should receive only required permissions, have a documented owner, and use managed credentials when possible.
Example: A database service runs under a noninteractive account limited to required resources.
Memory trick: Service account works for software, not a person.
Trick question tip: Disable interactive login and avoid unmanaged static passwords for service accounts.
Account restrictions
Account restrictions limit where, when, how, and for how long an identity can authenticate or use privileges.
Example: A contractor can sign in only during approved hours from managed devices and loses access after the contract end date.
Memory trick: Restrict place, time, device, and duration.
Trick question tip: Time-of-day, geolocation, network segment, device compliance, and expiration are common restriction signals.
Privileged access management (PAM)
PAM discovers, controls, protects, monitors, and audits privileged accounts, credentials, sessions, and elevation requests.
Example: An administrator checks out a credential from a vault for an approved task while the session is recorded.
Memory trick: PAM guards powerful access.
Trick question tip: Vaulting, credential rotation, session recording, approval workflows, and administrator checkout point to PAM.
Privileged account protections
Privileged accounts should use separate administrator identities, phishing-resistant MFA, designated secure workstations, restricted login locations, strong monitoring, and no routine web or email use.
Example: An administrator performs sensitive work only from a hardened administrative workstation.
Memory trick: Powerful account, tightly controlled environment.
Trick question tip: Do not use one privileged account for ordinary daily tasks.
Standing privilege versus just-in-time access
Standing privilege remains continuously available, while just-in-time access grants temporary elevation only when approved and removes it afterward. Zero standing privilege aims to eliminate permanent privileged access.
Example: An engineer receives administrator rights for a thirty-minute maintenance window.
Memory trick: JIT = privilege only when needed.
Trick question tip: Temporary elevation, expiring group membership, and ephemeral credentials point to JIT or zero standing privilege.
Password vaulting and brokering
Vaulting stores privileged credentials securely, while brokering allows a user to access a target without revealing the actual password.
Example: PAM opens an administrative session and rotates the secret after use without showing it to the administrator.
Memory trick: Vault stores; broker connects.
Trick question tip: If the administrator never sees the credential, the PAM system is brokering access.
Directory service
A directory service centrally stores and organizes identities, devices, groups, applications, and attributes so they can be searched and used for authentication and authorization.
Example: An enterprise directory stores user accounts, department attributes, and security-group memberships.
Memory trick: Directory = searchable identity database.
Trick question tip: Central identity objects, schema, attributes, and hierarchical naming point to a directory service.
LDAP
LDAP is a protocol used to query and modify directory services organized as objects with attributes and distinguished names.
Example: An application looks up a user and group membership in an enterprise directory.
Memory trick: LDAP = directory access protocol.
Trick question tip: LDAP is a protocol, while the directory is the data service it accesses.
Distinguished name and relative distinguished name
A distinguished name uniquely identifies an object through its full directory path, while a relative distinguished name identifies the object within its immediate parent container.
Example: The full path contains a common name, organizational units, and domain components.
Memory trick: DN = full path; RDN = local name.
Trick question tip: Common name, organizational unit, organization, country, and domain component are directory naming attributes.
Active Directory and Group Policy
Active Directory is a centralized identity and directory service, and Group Policy applies configurations and security settings to users and computers based on sites, domains, and organizational units.
Example: A policy linked to an organizational unit applies security settings to all computers inside it.
Memory trick: Directory stores identities; Group Policy applies settings.
Trick question tip: Organizational units group objects for administration and policy; they are not the same as security groups.
Local versus network authentication
Local authentication validates credentials using information stored on the device, while network authentication relies on a central directory or authentication authority.
Example: A standalone account is checked locally, while an enterprise account is verified by a domain service.
Memory trick: Local checks here; network checks centrally.
Trick question tip: Central authentication improves consistency but creates dependence on network and directory availability.
Windows local and domain authentication
Windows local accounts are validated through local security components and credential storage, while domain accounts commonly use a domain controller and Kerberos, with NTLM retained for some compatibility cases.
Example: A domain-connected workstation obtains authentication tickets from a central domain service.
Memory trick: Local account checks the device; domain account checks the domain.
Trick question tip: Kerberos is preferred for modern domain authentication; NTLM is older and less desirable.
Linux authentication and PAM modules
Linux can authenticate local accounts using protected password hashes or use Pluggable Authentication Modules to connect applications with methods such as directory, smart-card, and network authentication.
Example: A remote shell service uses a PAM configuration to validate a directory account.
Memory trick: Linux PAM plugs authentication methods into applications.
Trick question tip: Do not confuse Linux PAM modules with privileged access management; the acronym is shared.
SSH key authentication
SSH key authentication uses a public and private key pair to authenticate remote access without sending a reusable password.
Example: The server stores the authorized public key while the client proves possession of the protected private key.
Memory trick: Server has public; user protects private.
Trick question tip: Protect private keys with permissions, encryption, rotation, and removal when access ends.
RADIUS, TACACS+, and Diameter
RADIUS commonly provides centralized authentication, authorization, and accounting for network access; TACACS+ separates AAA functions and encrypts more of the exchange; Diameter is a modern successor used in some carrier and mobile environments.
Example: Network devices send administrator authentication requests to a central AAA server.
Memory trick: RADIUS for network access; TACACS+ for device administration.
Trick question tip: TACACS+ commonly uses TCP and encrypts the full payload, while RADIUS commonly uses UDP and historically protects mainly the password field.
IEEE 802.1X
IEEE 802.1X provides port-based network access control using a supplicant, an authenticator such as a switch or access point, and an authentication server.
Example: A laptop must authenticate before a switch port allows normal network traffic.
Memory trick: 802.1X authenticates before network access.
Trick question tip: Supplicant, switch or access point, and RADIUS server strongly indicate 802.1X.
EAP
Extensible Authentication Protocol is a framework that supports multiple authentication methods, often inside 802.1X or remote-access solutions.
Example: An organization selects a certificate-based EAP method for enterprise wireless authentication.
Memory trick: EAP carries the authentication method.
Trick question tip: EAP is a framework, not one single credential type.
Single sign-on (SSO)
SSO lets a user authenticate once and access multiple trusted applications without repeatedly entering credentials.
Example: An employee signs in to the organization and then opens several approved business applications.
Memory trick: Sign in once, use many services.
Trick question tip: SSO improves usability but increases the impact of a compromised central identity or active session.
Kerberos
Kerberos is a ticket-based network authentication protocol that uses a trusted Key Distribution Center, timestamps, and symmetric cryptography to provide SSO and mutual authentication.
Example: A domain user obtains a ticket-granting ticket and then requests service tickets for applications.
Memory trick: Kerberos = tickets from a trusted center.
Trick question tip: Ticket-granting ticket, service ticket, KDC, timestamp, and mutual authentication point to Kerberos.
Kerberos KDC, AS, and TGS
The Key Distribution Center contains the Authentication Service, which issues a ticket-granting ticket, and the Ticket Granting Service, which exchanges that TGT for service tickets.
Example: The user first authenticates to the AS and later presents the TGT to the TGS for application access.
Memory trick: AS gives TGT; TGS gives service ticket.
Trick question tip: The client cannot normally read the encrypted TGT; it forwards it to the TGS.
Kerberos service ticket and mutual authentication
A Kerberos service ticket, encrypted with the target service's long-term key, contains the client's identity, authorization data, and a session key; the service uses it to authenticate the user and, when mutual authentication is requested, proves its own identity by returning data encrypted under that session key.
Example: The application decrypts the service ticket and validates a timestamped authenticator.
Memory trick: Service ticket opens one service.
Trick question tip: Kerberos uses timestamps to reduce replay attacks, so synchronized clocks are important.
Kerberos limitations
Kerberos depends on the availability and security of the KDC and accurate time synchronization; compromise of central ticket services or excessive clock drift can disrupt authentication.
Example: Multiple domain controllers provide redundancy for central authentication.
Memory trick: Protect the ticket office and keep clocks aligned.
Trick question tip: KDC outage is a central dependency, while backup KDCs or domain controllers improve availability.
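Added simulation (not from the original deck) of the three Kerberos exchanges covered by the last four cards, in Python with standard-library modules only. A toy SHA-256 keystream with an HMAC tag stands in for real Kerberos encryption types and must not be used as a cipher elsewhere; the principal names, keys, ten-hour ticket lifetime and 300-second skew window are assumed values. It shows the client opening only its part of the AS reply and never the TGT, the TGS checking the TGT and the authenticator, the service checking ticket expiry, the authenticator timestamp and a replay cache, the AP reply that gives mutual authentication, and the failures caused by a wrong password or a client clock fifteen minutes off.

```python
import hashlib, hmac, json, os, secrets, time

SKEW = 300  # assumed 5-minute clock-skew window, the common Kerberos default


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy SHA-256 counter-mode keystream standing in for a real etype such as AES; not for production use
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: without `key` it can be neither read nor altered."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def _stale(ts: float) -> bool:
    return abs(time.time() - ts) > SKEW


class KDC:
    """Key Distribution Center: the AS issues TGTs, the TGS trades a TGT for service tickets."""

    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys              # user and service principal keys
        self.krbtgt = secrets.token_bytes(32)   # TGS key; never leaves the KDC

    def as_exchange(self, user: str, preauth: bytes):
        # Encrypted-timestamp pre-authentication: a wrong password fails the MAC, a bad clock fails the skew check
        if _stale(unseal(self.keys[user], preauth)["ts"]):
            raise ValueError("AS: client clock outside skew window")
        sk = secrets.token_bytes(32).hex()
        tgt = seal(self.krbtgt, {"user": user, "key": sk, "exp": time.time() + 36000})
        return seal(self.keys[user], {"key": sk}), tgt   # client can open the first part, not the TGT

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        t = unseal(self.krbtgt, tgt)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if time.time() > t["exp"] or auth["user"] != t["user"] or _stale(auth["ts"]):
            raise ValueError("TGS: expired TGT or bad authenticator")
        sk = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "key": sk, "exp": time.time() + 36000})
        return seal(bytes.fromhex(t["key"]), {"key": sk}), ticket


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()   # replay cache of authenticators

    def ap_exchange(self, ticket: bytes, authenticator: bytes):
        t = unseal(self.key, ticket)                        # only this service can open its own ticket
        sk = bytes.fromhex(t["key"])
        auth = unseal(sk, authenticator)
        if time.time() > t["exp"] or auth["user"] != t["user"] or _stale(auth["ts"]):
            raise ValueError("AP: expired ticket or stale authenticator")
        if authenticator in self.seen:
            raise ValueError("AP: replayed authenticator")
        self.seen.add(authenticator)
        # AP-REP: echoing the timestamp under the session key proves the service holds its key (mutual auth)
        return t["user"], seal(sk, {"ts": auth["ts"]})


def client_flow(kdc: KDC, svc: Service, user: str, user_key: bytes, clock_offset: float = 0.0):
    def now() -> float:
        return time.time() + clock_offset
    enc, tgt = kdc.as_exchange(user, seal(user_key, {"ts": now()}))
    tgs_sk = bytes.fromhex(unseal(user_key, enc)["key"])
    enc, ticket = kdc.tgs_exchange(tgt, seal(tgs_sk, {"user": user, "ts": now()}), svc.name)
    svc_sk = bytes.fromhex(unseal(tgs_sk, enc)["key"])
    ts = now()
    authenticator = seal(svc_sk, {"user": user, "ts": ts})
    who, ap_rep = svc.ap_exchange(ticket, authenticator)
    if unseal(svc_sk, ap_rep)["ts"] != ts:
        raise ValueError("service failed mutual authentication")
    return who, tgt, ticket, authenticator


def demo() -> dict:
    alice_key = hashlib.sha256(b"alice-password").digest()     # constructed sample principals
    fs_key = secrets.token_bytes(32)
    kdc, fs = KDC({"alice": alice_key, "fileserver": fs_key}), Service("fileserver", fs_key)
    who, tgt, ticket, authenticator = client_flow(kdc, fs, "alice", alice_key)
    results = {"user": who}
    for name, attempt in [
        ("client_reads_tgt", lambda: unseal(alice_key, tgt)),
        ("replayed_authenticator", lambda: fs.ap_exchange(ticket, authenticator)),
        ("clock_off_by_900s", lambda: client_flow(kdc, fs, "alice", alice_key, clock_offset=900)),
        ("wrong_password", lambda: client_flow(kdc, fs, "alice", hashlib.sha256(b"guess").digest())),
    ]:
        try:
            attempt()
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results
```

The replay cache is what the timestamp alone cannot provide: within the skew window an authenticator is still fresh, so a service must also remember the ones it has already accepted.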
Federation
Federation establishes trust between separate identity domains so one organization can accept authentication performed by another without creating and managing a full local credential for every external user.
Example: A partner employee uses the partner identity provider to access an approved hosted application.
Memory trick: Separate organizations trust identities across a boundary.
Trick question tip: Federation reduces duplicate account management but requires compatible standards and a trusted relationship.
Identity provider, service provider, and relying party
The identity provider authenticates the principal and issues signed identity information; the service provider or relying party validates it and decides what access to grant.
Example: A hosted application redirects a user to an identity provider and accepts the returned signed assertion.
Memory trick: IdP proves; SP relies and permits.
Trick question tip: Authentication occurs at the IdP, while authorization to the application occurs at the SP.
Claims-based identity
Claims-based identity represents information about a principal as signed claims such as identifier, role, department, or authentication status.
Example: An identity provider sends a signed role claim that a service uses to map permissions.
Memory trick: Claim = signed statement about the identity.
Trick question tip: The relying party must validate the issuer, signature, audience, conditions, and expiration before trusting claims.
SAML
Security Assertion Markup Language is an XML-based federation standard commonly used for browser-based enterprise SSO between an identity provider and a service provider.
Example: A user authenticates to the IdP and presents a signed SAML response to a hosted business application.
Memory trick: SAML = enterprise SSO assertions in XML.
Trick question tip: Browser SSO, XML assertion, IdP, and service provider point to SAML.
SAML assertion contents
A SAML assertion can include the subject, issuer, audience, validity conditions, authentication statement, and attribute statements, protected by a digital signature.
Example: The service checks that the assertion was issued by a trusted IdP and intended for that specific application.
Memory trick: Who, from whom, for whom, until when, and with what attributes.
Trick question tip: Audience restriction prevents an assertion intended for one service from being accepted by another.
OAuth
OAuth is a delegated authorization framework that lets a user authorize a client application to access selected resources without giving the client the user's password.
Example: A user permits one application to read limited data from another service through an access token.
Memory trick: OAuth = authorize an app, not prove the user by itself.
Trick question tip: OAuth is primarily authorization, not authentication.
OAuth roles and flow
The resource owner grants permission, the client requests authorization, the authorization server issues an access token, and the resource server validates that token before providing the protected resource.
Example: A user approves limited access and the client receives a scoped, expiring token.
Memory trick: Owner approves, server issues, resource validates.
Trick question tip: Redirect URIs, client identifiers, scopes, grant types, and access tokens point to OAuth.
Access token, scope, and refresh token
An access token grants limited access according to its scope and lifetime, while a refresh token can request a new access token without repeating the full authorization flow.
Example: A client receives permission to read data but not modify it, and the token expires after a limited period.
Memory trick: Scope says what; expiration says how long; refresh gets another.
Trick question tip: Refresh tokens are longer-lived and therefore require stronger protection, such as secure storage, rotation on each use, and revocation when abuse is detected.
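Added example (not part of the original deck): a minimal in-memory authorization server and resource server in Python, illustrating the roles, flow, scopes and token lifetimes in the three cards above. The client identifier, redirect URI, scope names, lifetimes and timestamps are constructed values, and time is passed in explicitly so that expiry is reproducible. It shows an exact redirect URI match, single-use authorization codes bound to the client and redirect URI, a scoped access token that the resource server checks through an introspection lookup, access-token expiry, and refresh token rotation in which a reused refresh token is rejected.

```python
import secrets

ACCESS_TTL = 600            # assumed: 10-minute access tokens
REFRESH_TTL = 30 * 86400    # assumed: 30-day refresh tokens
CODE_TTL = 60               # authorization codes are single-use and short-lived


class AuthorizationServer:
    def __init__(self):
        self.clients, self.codes, self.access, self.refresh = {}, {}, {}, {}

    def register_client(self, client_id: str, redirect_uri: str, scopes: set):
        self.clients[client_id] = {"redirect_uri": redirect_uri, "scopes": scopes}

    def authorize(self, client_id: str, redirect_uri: str, requested: str, user: str, now: int) -> str:
        """Resource owner approves; returns a one-time code bound to client, redirect URI and granted scope."""
        client = self.clients[client_id]
        if redirect_uri != client["redirect_uri"]:              # exact match, never a prefix match
            raise PermissionError("invalid_request")
        granted = set(requested.split()) & client["scopes"]      # never more than the client is allowed
        if not granted:
            raise PermissionError("invalid_scope")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "scope": granted, "exp": now + CODE_TTL}
        return code

    def token(self, grant_type: str, client_id: str, now: int, **params) -> dict:
        if grant_type == "authorization_code":
            rec = self.codes.pop(params.get("code"), None)             # pop: a code can never be replayed
            ok = rec is not None and rec["redirect_uri"] == params.get("redirect_uri")
        elif grant_type == "refresh_token":
            rec = self.refresh.pop(params.get("refresh_token"), None)  # rotation: the old refresh token dies
            ok = rec is not None
        else:
            raise PermissionError("unsupported_grant_type")
        if not ok or rec["client_id"] != client_id or rec["exp"] <= now:
            raise PermissionError("invalid_grant")
        return self._issue(client_id, rec["user"], rec["scope"], now)

    def _issue(self, client_id: str, user: str, scope: set, now: int) -> dict:
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = {"client_id": client_id, "user": user, "scope": scope, "exp": now + ACCESS_TTL}
        self.refresh[rt] = {"client_id": client_id, "user": user, "scope": scope, "exp": now + REFRESH_TTL}
        return {"access_token": at, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": rt, "scope": " ".join(sorted(scope))}

    def introspect(self, token: str, now: int) -> dict:
        """RFC 7662-style lookup the resource server uses to validate an opaque token."""
        rec = self.access.get(token)
        if rec is None or rec["exp"] <= now:
            return {"active": False}
        return {"active": True, "sub": rec["user"], "scope": rec["scope"], "client_id": rec["client_id"]}


class ResourceServer:
    REQUIRED = {"GET": "calendar.read", "POST": "calendar.write"}   # scope each operation needs

    def __init__(self, auth_server: AuthorizationServer):
        self.auth = auth_server

    def handle(self, method: str, bearer: str, now: int) -> tuple:
        info = self.auth.introspect(bearer, now)
        if not info["active"]:
            return 401, "invalid_token"
        if self.REQUIRED[method] not in info["scope"]:
            return 403, "insufficient_scope"
        return 200, f"{method} calendar of {info['sub']}"


def demo() -> dict:
    t0 = 1_700_000_000                                          # constructed clock
    az = AuthorizationServer()
    az.register_client("cal-app", "https://cal.example/cb", {"calendar.read", "calendar.write"})
    rs = ResourceServer(az)
    uri = "https://cal.example/cb"
    code = az.authorize("cal-app", uri, "calendar.read", "alice", t0)   # read-only grant
    tok = az.token("authorization_code", "cal-app", t0 + 1, code=code, redirect_uri=uri)
    out = {"read": rs.handle("GET", tok["access_token"], t0 + 2)[0],
           "write": rs.handle("POST", tok["access_token"], t0 + 2)[0],
           "after_expiry": rs.handle("GET", tok["access_token"], t0 + 1 + ACCESS_TTL)[0]}
    try:
        az.token("authorization_code", "cal-app", t0 + 3, code=code, redirect_uri=uri)
        out["code_reuse"] = "issued"
    except PermissionError as exc:
        out["code_reuse"] = str(exc)
    renewed = az.token("refresh_token", "cal-app", t0 + 1 + ACCESS_TTL, refresh_token=tok["refresh_token"])
    out["after_refresh"] = rs.handle("GET", renewed["access_token"], t0 + 2 + ACCESS_TTL)[0]
    try:
        az.token("refresh_token", "cal-app", t0 + 2 + ACCESS_TTL, refresh_token=tok["refresh_token"])
        out["refresh_reuse"] = "issued"
    except PermissionError as exc:
        out["refresh_reuse"] = str(exc)
    return out
```

Rotation is what turns a stolen refresh token into a detectable event: once the legitimate client has used it, the attacker's copy fails with invalid_grant, and a production server would revoke the whole grant at that point rather than silently denying one request.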
OpenID Connect
OpenID Connect adds an identity layer to OAuth so a client can authenticate the user and receive identity information through an ID token.
Example: A hosted application uses an identity provider for sign-in and receives a signed identity token.
Memory trick: OAuth authorizes; OpenID Connect authenticates on top of OAuth.
Trick question tip: If the scenario asks for federated login using OAuth-style flows, look for OpenID Connect.
JSON Web Token (JWT)
A JWT is a compact token with three base64url-encoded sections: a header, a payload of claims, and a signature. It can carry identity or authorization claims and must be validated before use.
Example: An application verifies the token signature, issuer, audience, and expiration before accepting its role claim.
Memory trick: JWT = compact signed claims.
Trick question tip: Base64 encoding is not encryption; JWT contents may be readable even when the signature protects integrity.
SAML versus OAuth versus OpenID Connect
SAML commonly provides XML-based enterprise browser SSO, OAuth delegates authorization to resources, and OpenID Connect adds user authentication and identity claims to OAuth.
Example: A workforce application uses SAML SSO, a client receives OAuth API access, and a consumer application uses OpenID Connect for sign-in.
Memory trick: SAML signs in enterprises; OAuth authorizes apps; OIDC identifies users.
Trick question tip: Do not choose OAuth alone when the primary requirement is authenticating the user.
Legacy authentication risk
Legacy authentication methods may lack MFA support, modern cryptographic protections, contextual policies, or strong resistance to replay and credential theft.
Example: An older application accepts reusable credentials without modern conditional-access checks.
Memory trick: Old login methods miss modern defenses.
Trick question tip: Disabling legacy protocols and requiring modern authentication reduces password-spraying and bypass risk.
Authentication versus authorization failure
Authentication failure means identity proof was rejected, while authorization failure means the identity was accepted but lacks permission for the requested resource or action.
Example: An incorrect security key fails authentication; a valid employee denied access to payroll data fails authorization.
Memory trick: Cannot prove who you are versus not allowed to do that.
Trick question tip: Successful login followed by access denied is an authorization issue.
Zero Trust and identity
Zero Trust treats identity, device posture, context, and resource sensitivity as continuous access signals and does not grant broad trust merely because a user is inside a network.
Example: A verified employee must still use a compliant device and receive only least-privilege access to the requested application.
Memory trick: Verify explicitly, limit access, keep checking.
Trick question tip: Never trust automatically, continuous verification, conditional access, and least privilege point to Zero Trust.