We have been hearing about AAA services for many years, but have you ever considered that an AAA implementation is really an IAAAA implementation (Identification, Authentication, Authorization, Auditing, Accountability)? Let's dig into this.
- Subject professes an identity.
  - Identity: your name; username; swiping a card; waving a proximity device; speaking a phrase; positioning your face, hand, or finger for a camera or scanning device; ID number; employee number; SSN, etc.
  - e.g., "I am mrcissp" or "I am Gaurav"
- Prove your claimed identity.
  - "Prove you are mrcissp." – This should always be done with single- or multi-factor authentication!
  - Something you know – Type 1 Authentication (passwords, passphrase, PIN, etc.)
  - Something you have – Type 2 Authentication (ID, passport, smart card, token, cookie on PC, etc.)
  - Something you are – Type 3 Authentication (biometrics: fingerprint, iris scan, facial geometry, etc.)
  - Somewhere you are – Type 4 Authentication (IP/MAC address).
  - Something you do – Type 5 Authentication (signature, pattern unlock).
- What you are allowed to do and access – we use access control models; what we implement and how depends on the organization and its goals, e.g., ACLs.
- Tracking subject actions – i.e., what the subject is doing; something like "monitoring".
- Prove who or what performed a given action (non-repudiation).
Case Study: Multi-factor Authentication
Let's assume a scenario where an organization wants to use multi-factor authentication. As a risk consulting adviser, your job is to find the most suitable method.
In such a case, we need to choose two of the following aspects:
- Something you know, i.e., PIN, password
- Something you have, i.e., token
- Something you are, i.e., fingerprints and biometrics
So, for multi-factor authentication we must ensure two different categories rather than the same one: if we select PIN and password, both of them belong to "something you know", whereas if we select PIN and biometrics, the choice spans two categories, "something you know" and "something you are".
Hence, the latter is better.
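The category check from the case study, as an added example that is not part of the original post: each chosen mechanism is mapped to one of the five factor types listed above, and a selection only counts as multi-factor when at least two distinct categories are present (the mechanism-to-category table is a constructed example, not an exhaustive list).

```python
from enum import Enum


class FactorType(Enum):
    """The five authentication factor categories (Type 1 to Type 5)."""
    KNOW = 1    # Type 1: something you know (password, PIN, passphrase)
    HAVE = 2    # Type 2: something you have (token, smart card, passport)
    ARE = 3     # Type 3: something you are (fingerprint, iris, face)
    WHERE = 4   # Type 4: somewhere you are (IP/MAC address)
    DO = 5      # Type 5: something you do (signature, pattern unlock)


# Constructed lookup of concrete mechanisms to their factor category.
MECHANISM_CATEGORY = {
    "password": FactorType.KNOW,
    "pin": FactorType.KNOW,
    "passphrase": FactorType.KNOW,
    "token": FactorType.HAVE,
    "smart_card": FactorType.HAVE,
    "fingerprint": FactorType.ARE,
    "iris_scan": FactorType.ARE,
    "ip_address": FactorType.WHERE,
    "pattern_unlock": FactorType.DO,
}


def categories_of(mechanisms):
    """Return the set of distinct factor categories the chosen mechanisms cover.
    An unknown mechanism name raises KeyError instead of silently counting as a factor."""
    return {MECHANISM_CATEGORY[m] for m in mechanisms}


def is_multi_factor(mechanisms):
    """True only when at least two *different* categories are present.
    PIN + password is two steps from one category, so it is not multi-factor."""
    return len(categories_of(mechanisms)) >= 2


def evaluate(mechanisms):
    """Return (is_mfa, distinct category count, sorted category names) for a report."""
    cats = categories_of(mechanisms)
    return (len(cats) >= 2, len(cats), sorted(c.name for c in cats))


if __name__ == "__main__":
    for choice in (["pin", "password"], ["pin", "fingerprint"], ["password", "token", "ip_address"]):
        ok, n, names = evaluate(choice)
        print(f"{choice}: {'MFA' if ok else 'NOT MFA'} ({n} categories: {names})")
```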