Security+ Flashcards: Identity and Access Management, MFA, SSO, Directory Services

Understand the core principles of cryptography and the importance of identity and access management. This section covers symmetric and asymmetric encryption, as well as multi-factor authentication strategies.

Nortren

What is multi-factor authentication and what are its factors?

Multi-factor authentication, or MFA, requires users to present at least two different types of evidence to verify their identity. The three factor categories are: something you know, such as a password or PIN; something you have, such as a smart card, hardware token, or phone with an authenticator app; and something you are, such as a fingerprint, face scan, or iris pattern. True MFA uses factors from different categories. Two passwords are not MFA because both are something you know. A password plus a push notification to a registered phone is MFA.

What is the difference between RADIUS and TACACS+ for authentication?

Remote Authentication Dial-In User Service, or RADIUS, and Terminal Access Controller Access Control System Plus, or TACACS+, are both protocols for centralized authentication, authorization, and accounting. RADIUS combines authentication and authorization into a single process and encrypts only the password in transit, using UDP ports 1812 and 1813. TACACS+ separates authentication, authorization, and accounting into independent processes and encrypts the entire packet body, using TCP port 49.

What is LDAP and how is it used in access management?

Lightweight Directory Access Protocol, or LDAP, is a protocol for accessing and managing directory services that store user accounts, groups, and organizational information in a hierarchical structure. Active Directory from Microsoft is the most common LDAP-based directory. LDAP enables centralized authentication where applications verify credentials against a single directory rather than maintaining separate user databases. It operates on TCP port 389 for unencrypted connections and port 636 for LDAPS, which adds TLS encryption.

What is federation and how does it enable cross-organization authentication?

Federation is an identity management model where multiple organizations agree to trust each other's authentication, allowing users to access resources across organizational boundaries using their home credentials. A user authenticated by their employer can access a partner organization's application without creating a separate account. Federation relies on protocols like Security Assertion Markup Language, or SAML, OpenID Connect, and OAuth. The identity provider authenticates the user and issues assertions that the service provider trusts.

What is the difference between SAML, OAuth, and OpenID Connect?

Security Assertion Markup Language, or SAML, is an XML-based framework for exchanging authentication and authorization data between an identity provider and a service provider, primarily used for enterprise single sign-on. OAuth 2.0 is an authorization framework that grants third-party applications limited access to user resources without sharing passwords, using access tokens. OpenID Connect, or OIDC, is an identity layer built on top of OAuth 2.0 that adds authentication, providing user identity information through ID tokens.

What is role-based access control and how does it simplify management?

Role-based access control, or RBAC, assigns permissions to defined roles rather than to individual users, then assigns users to roles matching their job functions. For example, the "accountant" role receives access to financial systems, and all accountants are assigned this role. When an employee changes positions, administrators simply change their role assignment rather than modifying individual permissions.

What are privileged access management best practices?

Privileged access management protects administrative and root-level accounts that have elevated system access. Best practices include using separate accounts for administrative and daily tasks, implementing just-in-time access that grants privileges only when needed and revokes them after, requiring multi-factor authentication for all privileged access, logging and monitoring all privileged sessions, rotating privileged credentials regularly, storing privileged passwords in a password vault, implementing the principle of least privilege, and conducting regular access reviews.