Domain 1 · 1.2 Fundamental Security Concepts

1.2.3 Authentication, Authorization, Accounting (AAA)

17 min

AAA is the classic identity and access model — Authentication, Authorization, and Accounting — answering "Who are you?", "What can you do?", and "What did you do?"

The three steps always run in order: identity is proven first, privileges are granted second, and activity is logged third.

Authentication — prove your identity Authentication verifies that you are who you claim to be, using one or more factor *types*: - Something you know → password, PIN, passphrase - Something you have → smart card, hardware token, mobile authenticator, security key - Something you are → fingerprint, iris, face, voice (biometrics) - Somewhere you are → GPS or network-based location - Something you do → typing rhythm, gait, behavioral biometrics

Multifactor Authentication (MFA) combines at least *two different factor types*: - ✅ Password + fingerprint, or password + smart card - ❌ Password + PIN (both "something you know"), or password + security question

People authenticate with Kerberos, LDAP, Active Directory, biometrics, and FIDO2 keys. Systems and services authenticate with mTLS, API keys, OAuth tokens, and certificates.

Authorization — what may you do? Authorization happens *after* authentication and decides which resources and actions are permitted. - DAC (Discretionary) → the resource owner sets permissions. Common in Windows file systems. - MAC (Mandatory) → access is enforced by classification labels (Top Secret, Secret, Confidential). Used by military and government. - RBAC (Role-Based) → permissions follow a job role (Doctor, Nurse, IT Admin, Finance). - ABAC (Attribute-Based) → dynamic policies evaluate attributes like location, time, device, and risk. Example: *allow only from a managed laptop, on the corporate network, between 08:00 and 17:00.*

Accounting — what did you do? Accounting records user and system activity for later review. - Used for → audit logs, SIEM correlation, compliance, incident response, and forensics. - Example → an admin deletes a database at 14:32; accounting captures who, when, the source IP, and the exact command.

Quick recall - Confidentiality → Who can read it? → Encryption, ACLs, MFA - Integrity → Was it changed? → Hashing, digital signatures - Availability → Is it reachable? → Backups, failover, RAID - Non-repudiation → Can they deny it? → Digital signatures, PKI - Authentication → Who are you? → Password, biometrics, MFA - Authorization → What may you do? → RBAC, ABAC, permissions - Accounting → What did you do? → Logs, audit trails, SIEM - Remember the order: identity → privileges → logging.