Chapter 3 discusses Authentication and Access Control, detailing the processes of verifying user identities and granting permissions to access resources. It outlines various authentication methods, including single-factor, two-factor, and multi-factor authentication, as well as access control models like Mandatory Access Control and Role-Based Access Control. The chapter emphasizes the importance of these security measures in protecting sensitive information and managing user access effectively.


Chapter-3:

Authentication and Access Control

12/14/2024 1
Outline

▪ Authentication

▪ Authorization

▪ Authentication factors

▪ Authentication techniques

▪ Access control elements

▪ Access control models

Authentication
▪ Authentication is the process of verifying an identity: confirming that an
  entity is who or what it claims to be.

▪ It is used by both server and client.

▪ The server authenticates a client when someone wants to access information,
  because the server needs to know who is accessing that information.

▪ The client authenticates the server when it wants to be sure that it is
  talking to the server the other side claims to be (for example, by checking
  the server's TLS certificate).
Authentication…
▪ Authentication by the server is done mostly using a username and password.

▪ The server can also authenticate users with cards, retina scans, voice
  recognition, and fingerprints.

▪ Authentication does not decide what a person may do: which tasks a process
  may perform, or which files the person may view, read, or update. That is
  the job of authorization.

▪ Authentication only establishes who the person or system actually is.
Authentication…

Authentication Factors:

▪ Depending on the required security level and the type of application,
  authentication combines a different number of factors:

▪ Single-Factor Authentication

▪ Two-Factor Authentication

▪ Multi-Factor Authentication
Authentication…
1. Single-Factor Authentication

▪ Single-factor authentication is the simplest form of authentication.

▪ It relies on one piece of evidence, typically a username and password, to
  allow a user to access a system.

▪ If that single secret is guessed, phished, or leaked, the account is fully
  compromised; there is no second line of defense.
Authentication…
2. Two-factor Authentication

▪ As the name says, it has two levels of security; hence it needs two-step
  verification to authenticate a user.

▪ Besides the username and password, it requires a second piece of evidence
  from a different category than the password. Security questions (first
  school name, a favourite destination) are another "something the user
  knows", so they add a second step but not a second factor.

▪ Commonly the second factor is possession-based: the system sends an OTP or
  a unique link to the user's registered phone number or email address, or
  the user reads a code from an authenticator app or hardware token.
Authentication…
3. Multi-factor Authentication

▪ This is the most secure and advanced level of authentication.

▪ It requires two or more pieces of evidence from different and independent
  categories (something the user knows, possesses, or is).

▪ This type of authentication is usually used in financial organizations,
  banks, and law enforcement agencies.

▪ It greatly reduces the risk of exposure to third parties or attackers,
  because compromising a single factor (for example, a phished password) is
  not enough to take over the account.
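As an added example (not part of the original slides), the Python code below implements the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate as a possession factor, together with the server-side check. The secret, user and time values are constructed for the demo. Two details the slides leave implicit are shown: the tolerance for clock drift between client and server, and the rule that a code, once accepted, must never be accepted again, so that a code an eavesdropper captured is useless.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time-step (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (client side)."""
    return hotp(secret, at // step)


class TotpSecondFactor:
    """Server-side state for one enrolled user: the shared secret plus the last
    time-step at which a code was accepted, so a code an eavesdropper captured
    cannot be replayed while it is still inside the drift window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1

    def verify(self, submitted: str, at: int, window: int = 1) -> bool:
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        step = at // STEP
        # Accept the current step and +/- `window` steps of clock drift,
        # but never a step at or before the last accepted one.
        for candidate in range(step - window, step + window + 1):
            if candidate <= self.last_accepted_step:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_accepted_step = candidate
                return True
        return False


def enrol(secret_b32: str) -> TotpSecondFactor:
    """Authenticator apps exchange the secret as base32 (e.g. in an otpauth URI)."""
    return TotpSecondFactor(base64.b32decode(secret_b32))


if __name__ == "__main__":
    # Constructed demo secret, not a real credential.
    factor = enrol("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(factor.secret, now)                  # what the user's app displays
    print("first use :", factor.verify(code, now))   # True
    print("replay    :", factor.verify(code, now))   # False: already consumed
```

The password check that precedes this second factor is separate; the server should only consult the TOTP after the first factor has succeeded, and should rate-limit attempts, since a six-digit code is brute-forceable without a limit.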
Authentication…
Famous Authentication techniques

1. Password-based authentication

▪ It is the simplest form of authentication.

▪ The user supplies the password that belongs to a particular username.

▪ If the submitted username and password match the credentials stored in the
  system's database (in practice a salted hash of the password, never the
  password itself), the user is successfully authenticated.
Authentication…
Famous Authentication techniques…

2. Passwordless authentication

▪ In this technique the user does not need a password; instead, an OTP
  (one-time password) or a login link is sent to the user's registered phone
  number or email address.

▪ It is therefore also called OTP-based authentication.
Authentication…
Famous Authentication techniques…

3. 2FA/MFA

▪ 2FA/MFA (two-factor / multi-factor authentication) is the higher level of
  authentication.

▪ In addition to the password it requires a further factor from an independent
  category, such as a one-time code from an authenticator app, a PIN entered
  on a registered device, or a hardware token. Security questions are another
  "something you know" and do not add an independent factor.
Authentication…
Famous Authentication techniques…

4. Single Sign-on

▪ Single Sign-on (SSO) is a way to enable access to multiple applications with
  a single set of credentials.

▪ The user signs in once to a central identity provider and is then signed in
  automatically to all other web apps that trust the same centralized
  directory.

▪ Because one session now unlocks many applications, the SSO account itself
  should be protected with a strong second factor.
Authentication…
Famous Authentication techniques…

5. Social Authentication

▪ Social authentication does not require a separate registration; instead, it
  verifies the user with the existing credentials of a social network the user
  already has an account with.

▪ Also known as social login: it allows login using social media accounts.
Authentication…

• An authentication process consists of two steps:

  • Identification step: presenting an identifier to the security system.
    (Identifiers should be assigned carefully, because authenticated
    identities are the basis for other security services, such as the access
    control service.)
  • Verification step: presenting or generating authentication information
    that corroborates the binding between the entity and the identifier.

• Identification is the means by which a user provides a claimed identity to
  the system; user authentication is the means of establishing the validity
  of the claim.

Electronic user authentication

• It is the process of establishing confidence in user identities that are
  presented electronically to an information system. [NIST SP 800-63-2]

• Four general means of authenticating a user's identity:

  • Something the individual knows, e.g. password, PIN, answers to questions
  • Something the individual possesses, e.g. key cards, smart cards, physical keys
  • Something the individual is (static biometrics), e.g. fingerprint, retina, face
  • Something the individual does (dynamic biometrics), e.g. voice, handwriting

Password-based authentication

• Widely used line of defense against intruders.

• Virtually all multiuser systems, network-based servers, Web-based e-commerce
  sites, and other similar services require that a user provide not only a
  name or identifier (ID) but also a password.
• The password serves to authenticate the ID of the individual logging on to
  the system. In turn, the ID provides security in the following ways:
  • Determining whether the user is authorized to gain access to a system
  • Determining the privileges accorded to the user
  • Used in discretionary access control (the ID names the owner and the
    other users listed in an object's permissions)

Password-based authentication
• Vulnerability of passwords

Attack                                 | Attack strategy                                          | Countermeasure
---------------------------------------|----------------------------------------------------------|--------------------------------------------------
Offline dictionary attack              | Bypass access control to the system's password file,     | Prevent unauthorized access to the file, IDS
                                       | then test guesses against the hashes offline             |
Specific account attack                | Submit multiple password guesses against one account     | Account lockout
Popular password attack                | Try popular passwords against many IDs                   | Inhibit common passwords, detect IP scanning
Password guessing against single user  | Use knowledge of the user and of the system's            | Training, password policies
                                       | password policies                                        |
Workstation hijacking                  | Use an unattended logged-in workstation                  | Automatic logout when inactive, IDS
Exploiting user mistakes               | Stored preconfigured passwords, social engineering       | Training, IDS, additional authentication
Exploiting multiple password use       | Different devices/services sharing the same password     | Policies (no password reuse)
Electronic monitoring                  | Eavesdropping during the password exchange               | Strong encryption of the exchange

Password-based authentication

▪ Password cracking of user-chosen passwords: developing and trying a
  dictionary of possible passwords, plus brute force; password generation
  algorithms; studying the structure of leaked passwords (e.g. RockYou2024).

▪ Password file access control: deny access to it; protection policies.
  Storing only salted, slow-to-compute hashes limits the damage if the file
  does leak.

▪ Password selection strategies: e.g. a larger password universe, 8 randomly
  selected printable characters; avoid passwords that are memorable but
  guessable.
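The following Python code is an added example, not taken from the slides, that serves both the password-based authentication technique above and the password-cracking and password-file points on this slide. It shows how a host stores a password as a salted, iterated hash (PBKDF2-HMAC-SHA256) and verifies a login against it, and how an offline dictionary attack against a stolen record proceeds. The wordlist and passwords are constructed for the demo, and the iteration counts are illustrative; production systems should use a substantially higher work factor.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Demo work factor. Production PBKDF2-HMAC-SHA256 should use several hundred
# thousand iterations (or a memory-hard KDF such as Argon2/scrypt). The value
# is stored inside the record so it can be raised later without breaking
# existing accounts.
ITERATIONS = 200_000


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Produce the string the host stores instead of the password:
    algorithm $ iterations $ per-user random salt $ derived key (hex)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> bool:
    """Re-derive the key with the stored salt and iteration count and compare
    in constant time, so timing does not reveal how many bytes matched."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def offline_dictionary_attack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with a stolen password file: no rate limit, no
    lockout, just hash every candidate and compare. The per-user salt forces
    this work to be repeated for every account (no precomputed tables), and
    the iteration count makes every single guess expensive."""
    for candidate in wordlist:
        if verify(record, candidate):
            return candidate
    return None


# Constructed mini wordlist standing in for a leaked-password corpus.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1",
            "admin123", "iloveyou", "summer2024"]


if __name__ == "__main__":
    weak = make_record("letmein", iterations=20_000)
    strong = make_record("kQ7#vb2Lp9!z", iterations=20_000)
    print("weak   ->", offline_dictionary_attack(weak, WORDLIST))    # letmein
    print("strong ->", offline_dictionary_attack(strong, WORDLIST))  # None
    # Same password for two users gives two different records because each
    # gets its own salt, so a rainbow table is useless against the file.
    print(make_record("letmein") != make_record("letmein"))           # True
```

Note that the attack and the legitimate login call the same `verify`: nothing in the hashing distinguishes a guess from a real login, which is why the defences on the slide are access control on the file, a high work factor, and a password universe large enough that a wordlist does not contain it.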
Token-based authentication
▪ Tokens are objects that a user possesses for the purpose of user authentication.
▪ Cards commonly used as tokens include electronic ID cards, which can serve
  for user authentication or as a substitute for government-issued IDs.

Biometric authentication
▪ Authentication based on an individual's unique physical characteristics; e.g.
  fingerprints, hand geometry, facial characteristics, and retinal and iris
  patterns; voice print, signature.
Remote authentication

▪ More complex than local authentication; it takes place over the Internet, a
  network, or a communications link.
▪ Raises additional security threats, such as an eavesdropper capturing a
  password, or an adversary replaying an authentication sequence that has
  been observed.
▪ Counter threats: challenge-response protocols (e.g. Kerberos). The host
  sends a fresh random challenge; the client returns a value computed from the
  challenge and its secret, so the password never crosses the link and a
  captured response is useless for a later session.
▪ This scheme defends against several forms of attack (e.g. eavesdropping and
  replay). The host stores not the password but a hash code of the password.
▪ Example protocols: password protocol, token protocol, biometric protocol.
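Added example (not from the slides): a minimal nonce-based challenge-response exchange in Python with both sides' messages, showing why a captured response cannot be replayed and why the host never needs the password itself. Usernames, passwords and the choice of SHA-256/HMAC are constructed for the demo; this is a simplified illustration of the password-protocol variant described above, not Kerberos.

```python
import hashlib
import hmac
import os


class Host:
    """Server side of a challenge-response login. It stores only a per-user
    salt and a hash of the password, and issues a fresh random nonce for
    every attempt."""

    def __init__(self):
        self.users = {}     # username -> (salt, password_hash)
        self.pending = {}   # username -> nonce awaiting a response

    @staticmethod
    def pw_hash(salt: bytes, password: str) -> bytes:
        # Demo only: SHA-256 is fast. A real deployment should use a slow KDF
        # here. Note that the stored hash is itself "password-equivalent" for
        # this protocol, which is why the password file must be protected.
        return hashlib.sha256(salt + password.encode()).digest()

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self.pw_hash(salt, password))

    def challenge(self, user: str):
        """Step 1: host -> client: (nonce, salt). The salt lets the client
        recompute the same hash the host stores; the nonce makes this attempt
        unique."""
        if user not in self.users:
            return None
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce, self.users[user][0]

    def verify(self, user: str, response: bytes) -> bool:
        """Step 3: recompute f(nonce, h(P)) and compare in constant time.
        The nonce is consumed whatever the outcome, so the same response can
        never be accepted twice."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        expected = hmac.new(self.users[user][1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes, salt: bytes) -> bytes:
    """Step 2: client -> host. Only the HMAC crosses the link; the password
    (and even its hash) stays on the client."""
    return hmac.new(Host.pw_hash(salt, password), nonce, hashlib.sha256).digest()


def login(host: Host, user: str, password: str) -> bool:
    """Run the full exchange for one attempt."""
    chal = host.challenge(user)
    if chal is None:
        return False
    nonce, salt = chal
    return host.verify(user, client_response(password, nonce, salt))


def replay_attack(host: Host, user: str, captured: bytes) -> bool:
    """An eavesdropper re-sends a response captured from an earlier session.
    The host now has a different nonce outstanding, so the HMAC cannot match."""
    host.challenge(user)
    return host.verify(user, captured)


if __name__ == "__main__":
    h = Host()
    h.enrol("alice", "correct horse battery staple")
    nonce, salt = h.challenge("alice")
    resp = client_response("correct horse battery staple", nonce, salt)
    print("genuine:", h.verify("alice", resp))          # True
    print("replay :", replay_attack(h, "alice", resp))  # False
    print("wrong  :", login(h, "alice", "wrong pw"))    # False
```

The nonce must be unpredictable and never reused; if the host reused a challenge, the attacker's captured response would become valid again, which is exactly the replay this scheme is meant to stop.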
Security issues on user authentication
Principal attacks on user authentication, broken down by type of authenticator
(table not reproduced in this extraction).
Authorization
▪ Authorization is the process of granting an authenticated entity permission
  to do something.

▪ It is the way to check whether the user has permission to use a resource or not.

▪ It defines what data and information a given user can access.

▪ Authorization usually works together with authentication, so that the system
  knows who is accessing the information before deciding what they may do.

▪ Authorization is not always necessary: information that is intentionally
  public on the Internet can be accessed without it.
Authentication vs Authorization

Authentication                                              | Authorization
------------------------------------------------------------|------------------------------------------------------------
Process of verifying a user's identity in order to grant    | Process of giving permission to access resources.
access to a system.                                         |
The user or client (and, for mutual authentication, the     | It is verified whether the user is allowed, according to
server) is verified.                                        | the defined policies and rules.
Usually performed before authorization.                     | Usually done once the user is successfully authenticated.
Requires the user's login details, such as user name &      | Requires the user's privileges or security level.
password, etc.                                              |
Identity information is carried in an ID token.             | Permission information is carried in an access token.
Example: entering login details is necessary for employees  | Example: after employees successfully authenticate
to authenticate themselves to access the organizational     | themselves, they can access and work on certain functions
emails or software.                                         | only as per their roles and profiles.
Authentication credentials can be partially changed by the  | Authorization permissions cannot be changed by the user;
user as required (e.g. a password change).                  | they are granted by the owner/manager of the system, who
                                                            | alone can change them.
Access Control
▪ Access Control is the prevention of unauthorized use of a resource
  (including the prevention of use of a resource in an unauthorized manner).

▪ It is the central element of computer security.

▪ Used for boundary protection.

▪ Access control permits users and groups:

  ▪ to authenticate to the system
  ▪ to be assigned access rights to certain resources in the system, i.e. to
    be authorized
Access Control Elements
▪ Subject: an entity that can access objects
  ▪ typically a process acting on behalf of a user or application
  ▪ subjects are often grouped into 3 classes: owner, group, world

▪ Object: an access-controlled resource
  ▪ e.g. files, directories, records, programs etc.
  ▪ number and type depend on the environment

▪ Access right: the way in which a subject may access an object
  ▪ e.g. read, write, execute, delete, create, search
Access Control Categories

▪ There are two basic categories of access control:

▪ Physical access control limits access to campuses, buildings, rooms and
  physical IT assets.

▪ Logical access control limits connections to computer networks, system
  files and data.
Access Control…
▪ To secure a facility, organizations use electronic access control systems
  that rely on user credentials, access card readers, auditing and reports
  to track employee access to restricted business locations and proprietary
  areas, such as data centers.

▪ Some of these systems incorporate access control panels to restrict entry
  to rooms and buildings, as well as alarms and lockdown capabilities, to
  prevent unauthorized access or operations.
Why is Access Control Important

▪ The goal of access control is to minimize the security risk of unauthorized
  access to physical and logical systems.

▪ Access control is a fundamental component of security compliance programs;
  it ensures that security technology and access control policies are in
  place to protect confidential information, such as customer data.

▪ Most organizations have infrastructure and procedures that limit access to
  networks, computer systems, applications, files and sensitive data, such as
  personally identifiable information and intellectual property.
Why is Access Control Important…

▪ Access control systems are complex and can be challenging to manage in
  dynamic IT environments that involve on-premises systems and cloud
  services.

▪ After high-profile breaches, technology vendors have shifted away from
  single sign-on systems to unified access management, which offers access
  controls for on-premises and cloud environments.
How Access Control Works

▪ Access controls identify an individual or entity, verify that the person or
  application is who or what it claims to be, and authorize the access level
  and set of actions associated with that username or IP address.
▪ Directory services and protocols, including Lightweight Directory Access
  Protocol (LDAP) and Security Assertion Markup Language (SAML), provide
  access controls for authenticating and authorizing users and entities and
  enabling them to connect to computer resources, such as distributed
  applications and web servers.
▪ Organizations use different access control models depending on their
  compliance requirements and the security levels of the IT they are trying
  to protect.
Access Control Models

▪ The main models of access control are the following:

✓ Mandatory access control (MAC).

✓ Discretionary access control (DAC).

✓ Role-based access control (RBAC).

✓ Rule-based access control (RuBAC).

✓ Attribute-based access control (ABAC).
Access Control Models…
1. Mandatory Access Control

▪ In MAC the operating system decides access from security labels: every
  object carries a classification and every subject a clearance, both
  assigned by a central authority.

▪ A user cannot change these labels or pass access on to someone else; the
  policy is enforced on every access regardless of who owns the object.

▪ It is very secure because the rules and restrictions are imposed by the
  administrator (or the security policy) and are strictly followed.

▪ MAC settings and policy management are established centrally and are
  limited to system administrators.
Access Control Models…
Attributes of MAC

▪ Tighter security, because only the administrator can set or alter the
  controls; users cannot weaken them by mistake.

▪ The operating system labels subjects and objects and enforces the policy on
  every access, including data arriving from applications.

▪ Maintenance is harder, because only the administrator can change labels and
  policy.

▪ Ex: SELinux and AppArmor on Linux, and Windows Mandatory Integrity Control
  (integrity levels), are examples of MAC.
Access Control Models…
2. Discretionary Access Control (DAC)

▪ DAC is identity-based access control.

▪ DAC decisions are based on the identity of the requesting subject (the
  authenticated user and the groups it belongs to).

▪ DAC is discretionary because the owner of an object can pass access rights
  to other users at his or her own discretion.

▪ In simple words, the owner determines the access privileges.
Access Control Models…
Attributes of DAC

▪ Users can transfer ownership of their objects to another user.

▪ The owner determines what type of access other users have.

▪ Access can be restricted after several failed authorization attempts.

▪ Unauthorized users are kept blind to object characteristics such as file
  size, directory path, and file name.

▪ Ex: Unix/Linux file permissions (owner, group and other with read/write/
  execute bits, set by the file's owner) are an example of DAC.
Access Control Models…
3. Role-based access control (RBAC)

▪ This is a widely used access control mechanism that restricts access to
  computer resources based on individuals or groups with defined business
  functions.

▪ Ex: executive level, engineer level 1, etc., rather than the identities of
  individual users.

▪ The role-based security model relies on a complex structure of role
  assignments, role authorizations and role permissions developed using role
  engineering to regulate employee access to systems.
Access Control Models…
4. Rule-based access control

▪ This is a security model in which the system administrator defines the
  rules that govern access to resource objects.

▪ These rules are often based on conditions, such as time of day or
  location.

▪ It is not uncommon to use some form of both rule-based access control and
  RBAC to enforce access policies and procedures.
Access Control Models…
5. Attribute-based access control

▪ This is a methodology that manages access rights by evaluating a set of
  rules, policies and relationships using the attributes of users, systems
  and environmental conditions (i.e. based on attributes of the user, the
  resource and the environment).
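As an added example that is not part of the slides, the Python code below models the access control elements from the earlier slide (subject, object, access right) and evaluates requests under the MAC, DAC, RBAC, rule-based and ABAC models described on the preceding slides, so the differences between them can be seen on the same request. The security levels, roles, departments and the business-hours rule are constructed policy for the demo; the MAC rules are the Bell-LaPadula "no read up / no write down" rules.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# MAC: ordered security labels; subjects carry a clearance, objects a classification.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# RBAC: permissions attach to roles, and users get roles, never direct rights.
ROLE_PERMS = {"engineer": {"read"}, "lead": {"read", "write"}, "auditor": {"read"}}


@dataclass
class Subject:
    name: str
    clearance: str = "unclassified"
    roles: Set[str] = field(default_factory=set)
    department: str = ""


@dataclass
class Obj:
    name: str
    owner: str
    classification: str = "unclassified"
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # DAC: user -> rights
    department: str = ""


def mac_allows(s: Subject, o: Obj, right: str) -> bool:
    """Bell-LaPadula rules enforced by the system, not by the owner:
    read only if clearance >= classification (no read up),
    write only if clearance <= classification (no write down)."""
    cs, co = LEVELS[s.clearance], LEVELS[o.classification]
    return {"read": cs >= co, "write": cs <= co}.get(right, False)


def dac_allows(s: Subject, o: Obj, right: str) -> bool:
    """The owner has full discretion over the object; others need an ACL entry."""
    return s.name == o.owner or right in o.acl.get(s.name, set())


def dac_grant(granter: Subject, o: Obj, grantee: str, right: str) -> None:
    """The discretionary part: only the owner may hand out rights."""
    if granter.name != o.owner:
        raise PermissionError(f"{granter.name} does not own {o.name}")
    o.acl.setdefault(grantee, set()).add(right)


def rbac_allows(s: Subject, right: str) -> bool:
    """Decided from the subject's roles alone, not from its identity."""
    return any(right in ROLE_PERMS.get(r, set()) for r in s.roles)


def abac_allows(s: Subject, o: Obj, right: str, env: dict) -> bool:
    """Attributes of subject, object and environment are evaluated together.
    Constructed policy: same department, and writes only during business
    hours (a rule-based, time-of-day condition)."""
    if s.department != o.department:
        return False
    if right == "write" and not 9 <= env.get("hour", -1) < 17:
        return False
    return True


def allowed(s: Subject, o: Obj, right: str, env: dict) -> bool:
    """Layered deployment: the mandatory policy can never be overridden by an
    owner's ACL, so MAC and DAC must both allow; the application on top then
    applies its RBAC and ABAC policy."""
    return (mac_allows(s, o, right) and dac_allows(s, o, right)
            and rbac_allows(s, right) and abac_allows(s, o, right, env))


if __name__ == "__main__":
    alice = Subject("alice", "secret", {"lead"}, "eng")
    bob = Subject("bob", "confidential", {"engineer"}, "eng")
    design = Obj("design.doc", owner="alice", classification="confidential", department="eng")
    office_hours = {"hour": 10}
    print(allowed(bob, design, "read", office_hours))     # False: no ACL entry yet
    dac_grant(alice, design, "bob", "read")
    print(allowed(bob, design, "read", office_hours))     # True
    print(allowed(alice, design, "write", office_hours))  # False: secret subject, no write down
```

The last line illustrates the difference between the models in one request: alice owns the document (DAC says yes), her role permits writing (RBAC says yes), the ABAC policy is satisfied, and yet the mandatory policy forbids a secret-cleared subject from writing into a confidential object, and the owner cannot override that.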
Implementing Access Control
▪ Access control is integrated into an organization's IT environment.

▪ It can involve identity management and access management systems.

▪ These systems provide access control software, a user database and
  management tools for access control policies, auditing and enforcement.

▪ When a user is added to an access management system, system administrators
  use an automated provisioning system to set up permissions based on access
  control frameworks, job responsibilities and workflows.
Implementing Access Control…
▪ The best practice of least privilege restricts access to only resources
that employees require to perform their immediate job functions.

Challenges of Access Control…
▪ Many of the challenges of access control arise from the highly distributed
  nature of modern IT.

▪ It is difficult to keep track of constantly evolving assets because they
  are spread out both physically and logically.
Challenges of Access Control…
▪ Specific examples of challenges include the following:
▪ Dynamically managing distributed IT environments;

▪ Password fatigue (also called identity chaos);

▪ Compliance visibility through consistent reporting;

▪ Centralizing user directories and avoiding application-specific
  classification; and

▪ Data governance and visibility through consistent reporting.
Access Control Software

▪ Many types of access control software and technology exist, and multiple
  components are often used together as part of a larger identity and access
  management (IAM) strategy.

▪ Software tools may be deployed on premises, in the cloud or both.

▪ They may focus primarily on a company's internal access management or
  outwardly on access management for customers.
Access Control Software…
▪ Types of access management software tools include the following:
▪ Reporting and monitoring applications (e.g. Nagios)
▪ Password management tools (e.g. NordPass)

▪ Provisioning tools (e.g. Microsoft Entra ID)

▪ Identity repositories (e.g. an LDAP directory)
▪ Security policy enforcement tools (e.g. AWS Firewall Manager)
▪ Microsoft Active Directory is one example of software that includes most of
  the tools listed above in a single offering.
Thank You
