Security+: authentication, authorization, and access control (SY0-401) [DECOMMISSIONED ARTICLE]

December 21, 2017 by

NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.

In the realm of information security, authentication, authorization, and access control are the three most important considerations that every system security architect needs always to give the highest priority. The authentication of a user involves the verification of the provided credentials against those present in the database; authorization is the process by which a system determines whether the user possesses substantial enough privileges to access the requested resources or not, and access control is the process by which access to those resources is restricted to a selected number of users. In this article, various authentication, authorization, and access control techniques that have to be studied by potential aspirants of the CompTIA’s security+ exam will be explored.


In information security terms, identification can be defined as the process via which an automated system/server/application can recognize a user. There are many ways to carry out automated user identification; the simplest way is via a username. Over the years, in order to tackle the exponentially increasing number of cyberattacks, various new identification methods have been researched and finally implemented. One modern way to identify a user is using biometric identification, which involves the use of hand geometry or earlobe geometry or the retina and iris patterns or voice waves or DNA or signatures to perform the identification of a user concretely, reducing the chances of counterfeits. Another way to identify a user can be via identity cards; in this case, access will only be provided to people that can present officially designed/printed ID cards.


A rigorous authentication system needs to be in place if a system architect expects to set up an infrastructure that is immune to cyberattacks. In the criminally advanced world of today, single factor authentication can’t be trusted to ward off unwanted intrusion and that makes the presence of a multi-factor authentication model a necessity more than a luxury. Multi-factor authentication (MFA) involves granting access to a requesting user only after receiving different evidences (at-least 2) of the legitimacy and authenticity of a user. Most of the time, at least two of the following factors are assessed: possession (something owned by the user), inherence (something they are), and knowledge (something they know about). An example of two-factor authentication can be a system requesting a user to enter a security code (sent to their mobile phones) after successfully matching the entered login credentials. Time-based one-time password (TBOT) algorithm is an algorithm that is used for computing a common (shared) secret key, a password (to be used once), and the current time. It’s used in a variety of multi-factor authentication systems. HMAC-based one-time (HBOT) password algorithm is another algorithm that can be used in this regard (more information can be retrieved here).

Single sign on (SSO) is an access control property of various independent (but related) systems. Via SSO, a user can log in with a single username and password and gain access to a multitude of connected systems (without needing to enter separate usernames and passwords). SSO authentication provides a unified (centralized) login system that has become a necessity in the world of today.

Some of the most important benefits of SSO can be:

  • Risk mitigation for third-party website access because no usernames or passwords leave the realm of the website).
  • Reduction of password fatigue by eradicating the need for users to remember multiple passwords.
  • Eventual reduction in in IT support costs because of fewer help desk calls about forgotten passwords.

Implicit deny is another authentication scheme in which every entity that hasn’t been provided specific permission to access a resource is considered as suspicious and, as the name indicates, is denied access. For example, a firewall configured to let traffic from only a few IP addresses through while blocking all the rest.

Transitive Trust

Transitive trust authentication is a technique via which a user/entity that has already undergone authentication by one communication network to be able to access resources in another communication network without having to undergo authentication a second time. Even though this technique is very effective, it has to be used with extra care to ensure that there is no sabotage of access. If more information is desired, it can be retrieved here.

Implementing access control is an uphill task but it requires the undivided attention of a security architect because, if you never let any unwanted request through, your system will never be at risk. A rigorous access control system uses sophisticated authentication, authorization, and accounting techniques to mitigate the risks of cyberattacks. Maintaining and periodically updating access control lists (ACLs) serves the purpose supremely; any further information regarding access control can be retrieved here.


Authorization of users within a system is also a process that needs to be rigorously implemented. In essence, authorization involves verification carried out by a system to figure out whether a requesting user is permitted to access to view or edit a resource or not. There are many techniques to implement authorization; one of the frequently used methods is the principle of least privilege (POLP). According to POLP, access should be limited to the lowest level that will not inhibit functioning in any way. For instance, when applied to employees, the principle ensures that people get the least amount of rights that they can possess and still get their jobs done. This helps in reducing the possibility of security breaches by eradicating unneeded privileges that can eventually result in resources getting compromised and networks getting exploited.

Having access control lists is another way to ensure authorization in a system. An ACL consists of access control entities and their specifically allowed, audited, and denied rights. There are two types of ACLs: discretionary access control lists and system access control lists. The former identifies the users that that are allowed or denied resource access, while the latter allows system administrators to log the access requests for particular resources.

Mandatory access control is a type of access control via which the system can limit the ability of an entity to access or perform an action on a resource. With this technique, whenever an entity requests access to a resource, a rule of authorization gets triggered, making the application examine the request parameters and determining whether the access is to be provided or not. Other ways to authorize users are rule-based authorization, where access is granted depending on a set of rules defined by the security enforcer and role-based authorization, where access is granted based on the entity’s role within an organization or system.

Final Word

This article has explored the importance of authentication, authorization, and access control in the realms of cybersecurity and the security+ exam. Passing the exam can be a dream for many cybersecurity professionals, but it can only be done if every aspect of the syllabus has been prepared for substantially. The INFOSEC institute’s dedicated boot-camp has helped many aspirants in acing the exam in the past and can still be attended to gain maximum preparatory advantage over fellow candidates.