“IAAAA” … Five elements of AAA Service

We have been hearing of AAA services for many years but Have you ever thought a AAA implementation is IAAAA Implementation. Let’s dig into this

  • Identification:
    • Subject professes with an Identity.
    • Identity Your name; username; Swiping a Card; waving a proximity device; speaking a phrase; positioning your face, hand, or finger for a camera or scanning device; ID number; employee number; SSN, etc.
    • e.g., “I am mrcissp” or “I am Gaurav”
  • Authentication:
    • Prove your Claimed Identity.
    • “Prove you are mrcissp.” – Should always be done with single or Multi-factor Authentication!
    • Something you know – Type 1 Authentication (passwords, passphrase, PIN, etc.)
    • Something you have – Type 2 Authentication (ID, Passport, Smart Card, Token, cookie on PC, etc.)
    • Something you are – Type 3 Authentication (and Biometrics) (Fingerprint, Iris Scan, Facial geometry, etc.)
    • Somewhere you are – Type 4 Authentication (IP/MAC Address).
    • Something you do – Type 5 Authentication (Signature, Pattern unlock).
  • Authorization
    • What are you allowed to do and access – We use Access Control models, what and how we implement depends on the organization and goals. e.g., ACLs
  • Auditing
    • Tracking Subject Action – i.e., what is Subject doing. Something like “Monitoring”
  • Accountability
    • Prove who/what a given action was performed by (non-repudiation).

Case Study: Multi-factor Authentication

Let’s assume a scenario where an Organization wants to use Multi-factor Authentication. As a Risk Consulting adviser; your Job is to find the Best suitable method.
In such a case, we need to focus on two aspects

  1. Something you know i.e. PIN, Password
  2. Something you have i.e. Token
  3. Something you are i.e. Fingerprints & Bio-metrics

So, for Multi-factor authentication – we must ensure two different categories rather than same, i.e., if we select PIN & Password -> Both of them belongs to “Something you know” & if We select PIN and Bio-metrics; it is an intersection of two categories “something you know” & “Something you are”.

Hence, the latter is better.

Advertisements

3 thoughts

    1. Thank you for your highlights Piyush. You are absolutely correct. Token is something you have. Ideally I should have split this statement “Something you know i.e. PIN, Password, Token” into two statements for Integrity reason. It should be Split such that “Something you know i.e. PIN, Password” & Something you have “Token”. However, If you look notes above; same is mentioned. Thank you once again for rectifying the typo.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.