1. Authentication & Authorization Models

Authentication and authorization form the foundation of modern access control systems. Although these concepts are often discussed together, they serve fundamentally different purposes within a security architecture. Authentication asks, “Who are you?”, whereas authorization follows with, “What are you allowed to do?”. In high-security environments, enterprise networks, cloud ecosystems, IoT frameworks, and mobile infrastructures, both must work in coordinated layers to prevent unauthorized access, privilege abuse, and account compromise.

Understanding these models is essential for designing resilient identity systems that balance usability, scalability, and risk reduction.

NIST Special Publication 800-63, commonly known as the Digital Identity Guidelines, standardizes how identity proofing, authenticator strength, and federation should be architected in modern systems.

The recommendations emphasize assurance levels, multifactor authentication (MFA), credential lifecycle management, and secure federation. Combined with practical security literature such as Applied Cryptography (Schneier) and application-focused references like The Web Application Hacker’s Handbook, practitioners gain insight into both defensive principles and common pitfalls.

Foundations of Identity and Access Control

Authentication and authorization exist within broader access control frameworks. These frameworks determine how identities are established, governed, and revoked. They also define how systems evaluate trust. Three key components structure any identity and access ecosystem:

Identification

This is the initial step where a subject declares its identity, e.g., entering a username, scanning an ID badge, or presenting a certificate. Identification itself does not prove legitimacy; it simply tells the system which identity is attempting access.

Authentication

Authentication mechanisms verify the legitimacy of the declared identity. Authentication factors fall into three classical categories:

  • Something you know (passwords, passphrases, PINs)
  • Something you have (smart cards, hardware tokens, cryptographic keys)
  • Something you are (biometrics: fingerprints, facial recognition)

NIST SP 800-63 describes authenticator assurance levels (AAL1–AAL3), which define the required strength and security of authentication mechanisms based on risk.

Authorization

After authentication succeeds, authorization determines which resources the user can access. Authorization is typically governed by policies, roles, attributes, and contextual conditions. The classic authorization models (RBAC, ABAC, and MAC) structure how permissions are evaluated.

Modern Authentication Mechanisms

Password-Based Authentication

Passwords remain the most ubiquitous authentication method. Despite their simplicity, they also represent the weakest link when poorly managed. Best practices (long, unique passwords, hashing using modern algorithms, password managers, and MFA pairing) help reduce risks. Schneier famously described passwords as “security’s last line of defense,” and even today, modern systems must treat them carefully with proper hashing, key stretching, and rate limiting.

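The hashing, key stretching, and rate limiting mentioned above, as an added example (not code from the page or from NIST): a salted PBKDF2-HMAC-SHA256 record with a constant-time compare, the unsalted MD5 pattern it replaces, and a per-account lockout that is checked before any hashing work is done. The iteration count, lockout thresholds, and the dummy credential used for unknown accounts are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Work factor chosen so the example runs quickly (an assumption of this
# example; production deployments tune iterations to their hardware).
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str) -> str:
    """Salted, key-stretched hash stored as a self-describing record, so the
    iteration count can be raised later without invalidating old records."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=KEY_LEN)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, key_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        return False
    expected = bytes.fromhex(key_hex)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations),
                              dklen=len(expected))
    # Constant-time comparison: no early exit that leaks how many bytes matched.
    return hmac.compare_digest(key, expected)


def legacy_md5_hash(password: str) -> str:
    """The outdated pattern: unsalted MD5. Equal passwords produce equal
    digests and offline guessing is cheap."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Verified for unknown accounts so response time does not reveal whether an
# account exists (constructed dummy credential).
DUMMY_RECORD = hash_password("dummy-password-never-used")


class LoginRateLimiter:
    """Per-account failure counter with a lockout window. In-memory for the
    example; a real service keeps this in shared storage. The clock is
    injectable so the lockout can be tested without sleeping."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 300,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}  # account -> (count, time of first failure)

    def allowed(self, account: str) -> bool:
        count, since = self._failures.get(account, (0, 0.0))
        if count < self.max_failures:
            return True
        if self.clock() - since >= self.lockout_seconds:
            del self._failures[account]  # window elapsed, reset
            return True
        return False

    def record_failure(self, account: str) -> None:
        count, since = self._failures.get(account, (0, self.clock()))
        self._failures[account] = (count + 1, since)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def login(account: str, password: str, store: dict,
          limiter: LoginRateLimiter) -> str:
    """Returns 'locked', 'ok' or 'denied'. The lockout is checked before any
    hashing so a locked account costs the server nothing."""
    if not limiter.allowed(account):
        return "locked"
    record = store.get(account)
    ok = verify_password(password, record if record is not None else DUMMY_RECORD)
    if record is not None and ok:
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "denied"
```

The record format carries its own parameters, which is what makes a later iteration-count increase a routine migration rather than a forced password reset.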

Multifactor Authentication (MFA)

MFA significantly strengthens security by requiring multiple independent factors. Common MFA examples include:

  • TOTP apps (e.g., authenticator apps generating time-based codes)
  • Hardware security keys (FIDO2/U2F)
  • SMS codes (least secure but still common)
  • Biometric checks (device-level or server-verified)

NIST 800-63 strongly discourages SMS as a sole second factor due to interception risks but acknowledges its continued presence in legacy systems.

Certificate-Based Authentication

X.509 certificates enable strong cryptographic authentication. Devices or users present certificates signed by a trusted certificate authority (CA). This method is widely used for:

  • VPN connections
  • Wireless authentication (e.g., WPA2-Enterprise)
  • Server authentication via TLS

NIST SP 800-153, which focuses on wireless security, emphasizes certificate-based authentication for enterprise WLANs to mitigate credential theft and rogue AP threats.

Federated Authentication

Federation allows identity to be verified by a trusted third party. Common protocols:

  • SAML (enterprise Single Sign-On)
  • OAuth 2.0 (delegated authorization)
  • OpenID Connect (authentication built on top of OAuth 2.0)

Federation reduces password sprawl and improves identity lifecycle control, especially in multi-cloud and hybrid work environments.

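The relying-party side of OpenID Connect, as an added example rather than code from the page or from any identity provider: the checks an application must perform on an ID token before trusting it. The token is minted inline with an HMAC (HS256, which OIDC permits when the client secret is the key; RS256 with the provider's published keys is the more common deployment and needs a JWT library). The issuer URL, client id, secret, and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Stand-in for the identity provider (constructed for this example).
    `alg` is exposed so a test can mint an unsigned 'alg: none' token."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode("utf-8")) + "." +
                     _b64url_encode(json.dumps(claims).encode("utf-8")))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    pass


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: float = None) -> dict:
    """Relying-party checks on an ID token. Every check is fail-closed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # 1. Pin the algorithm. Letting the token choose is what enables the
    #    'alg: none' and key-confusion classes of bypass.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    # 2. Signature over header.payload, compared in constant time.
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    # 3. Issuer and audience: a genuine token from another provider, or one
    #    issued to a different client, is still not valid for this application.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise TokenError("wrong audience")
    # 4. Lifetime.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("expired")
    # 5. Nonce binds the token to the login attempt that requested it.
    if expected_nonce is None or claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    return claims


def check(token, secret, issuer, client_id, nonce, now) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        validate_id_token(token, secret, issuer, client_id, nonce, now)
        return "ok"
    except TokenError as exc:
        return str(exc)
```

The order matters: algorithm and signature are settled before any claim is read, so an unsigned or foreign-signed payload never influences a decision.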

Biometric Authentication

Biometrics are increasingly used across mobile, desktop, and IoT systems. Proper implementation requires careful handling of:

  • Template protection
  • Privacy concerns
  • False acceptance/false rejection rates
  • Spoofing resistance

The MASTG (Mobile App Security Testing Guide) highlights the importance of using secure device-level biometric APIs rather than storing biometric templates in application memory.

Authorization Models: From Legacy to Modern Approaches

Discretionary Access Control (DAC)

DAC places control in the hands of resource owners. Unix file permissions (user/group/other) are a classic example. While flexible, DAC can lead to inconsistent policies and accidental exposure.

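The Unix permission check as a worked example (added here, not code from the page): which of the user/group/other triads applies to a caller, why only that triad decides, and how a single "other" read bit turns into the accidental exposure the text warns about. The parser handles the nine rwx characters that ls -l prints; setuid, setgid and sticky bits are left out of this example.

```python
R, W, X = 4, 2, 1   # permission bits within one rwx triad


def parse_symbolic(perm: str) -> int:
    """'rw-r-----' (the nine permission characters ls -l prints) -> 0o640.
    Setuid/setgid/sticky characters are not handled in this example."""
    if len(perm) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for i, ch in enumerate(perm):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError("unexpected character %r" % ch)
    return mode


def unix_access(mode: int, owner_uid: int, owner_gid: int,
                uid: int, groups: set, want: int) -> bool:
    """Classic DAC check. Exactly one triad applies: the owner's if the
    caller owns the file, else the group's if the caller is in the file's
    group, else other. The chosen triad decides alone, so an owner whose
    own triad lacks a bit is refused even if 'other' would grant it."""
    if uid == owner_uid:
        triad = (mode >> 6) & 0o7
    elif owner_gid in groups:
        triad = (mode >> 3) & 0o7
    else:
        triad = mode & 0o7
    return triad & want == want


def world_readable(mode: int) -> bool:
    """The accidental-exposure case: any 'other' read bit means every local
    account can read the file, whatever the owner intended."""
    return bool(mode & R)
```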

Mandatory Access Control (MAC)

MAC enforces system-wide policies regardless of user preference. Used in military, government, and high-assurance environments, MAC assigns security labels (e.g., Top Secret, Secret, Confidential) and restricts information flow. SELinux and AppArmor are modern OS-level implementations.

Role-Based Access Control (RBAC)

RBAC assigns permissions to roles, and roles to users. This vastly simplifies privilege management in large organizations. Variants include:

  • Hierarchical RBAC
  • Constrained RBAC
  • Task-based RBAC

RBAC is dominant in enterprise identity management systems, cloud IAM (e.g., Azure AD roles), and privileged access management platforms.

Attribute-Based Access Control (ABAC)

ABAC uses policies evaluated through attributes:

  • User attributes (department, clearance)
  • Resource attributes (classification level)
  • Environment attributes (time of day, location)
  • Action attributes (read, modify, delete)

ABAC is highly expressive and suitable for dynamic environments, zero trust architectures, and microservices.

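The two model sections above (hierarchical RBAC and attribute-based rules) in one added example, not code from the page or from any IAM product: roles expand through a parent hierarchy, and an ABAC policy evaluates user, resource, environment and action attributes with deny-overrides and default deny. The roles, permissions, departments, clearance levels and the 09:00-18:00 change window are constructed for the example.

```python
from dataclasses import dataclass

# ---- RBAC: permissions attach to roles, roles to users, roles may inherit ----
ROLE_PARENTS = {            # hierarchical RBAC: role -> roles it inherits from
    "employee": [],
    "auditor": ["employee"],
    "admin": ["auditor"],
}
ROLE_PERMISSIONS = {        # role -> set of (resource type, action)
    "employee": {("ticket", "read")},
    "auditor": {("audit_log", "read")},
    "admin": {("ticket", "delete"), ("user", "delete")},
}


def effective_roles(assigned) -> set:
    """Expand directly assigned roles through the hierarchy."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_PARENTS.get(role, []))
    return seen


def rbac_permits(assigned, resource_type: str, action: str) -> bool:
    return any((resource_type, action) in ROLE_PERMISSIONS.get(r, set())
               for r in effective_roles(assigned))


# ---- ABAC: rules over subject, resource, action and environment attributes ----
@dataclass
class Request:
    subject: dict     # e.g. department, clearance, roles
    resource: dict    # e.g. type, owner_dept, classification
    action: str       # read, modify, delete
    env: dict         # e.g. hour (local time)


def _needs_clearance(q):        # resource attribute vs. subject attribute
    return (q.resource.get("classification") == "secret"
            and q.subject.get("clearance") != "secret")


def _outside_change_window(q):  # environment attribute: writes only 09:00-18:00
    return (q.action in ("modify", "delete")
            and not (9 <= q.env.get("hour", -1) < 18))


def _same_department(q):        # subject attribute matched to resource attribute
    dept = q.resource.get("owner_dept")
    return (dept is not None and dept == q.subject.get("department")
            and q.action in ("read", "modify"))


def _role_grants(q):            # RBAC folded in as one more permit rule
    return rbac_permits(q.subject.get("roles", []),
                        q.resource.get("type"), q.action)


# (effect, predicate). Deny overrides permit; nothing matching is a deny.
POLICY = [
    ("deny", _needs_clearance),
    ("deny", _outside_change_window),
    ("permit", _same_department),
    ("permit", _role_grants),
]


def decide(q: Request) -> str:
    matched = {effect for effect, rule in POLICY if rule(q)}
    if "deny" in matched:
        return "deny"
    return "permit" if "permit" in matched else "deny"
```

Deny-overrides with default deny is the combination most policy engines default to, and it is what keeps a forgotten rule from silently widening access.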

Policy-Based Access Control (PBAC)

PBAC extends ABAC with structured policy engines such as:

  • XACML
  • OPA (Open Policy Agent)

These enable centralized, machine-readable policies that can be enforced across distributed systems.

Privilege Management and Governance

Principle of Least Privilege (PoLP)

Users and processes should have only the minimum permissions required to perform their tasks. PoLP reduces lateral movement risk, limits blast radius, and lowers exploitation potential.

Privileged Access Management (PAM)

PAM solutions provide tight control over high-privilege accounts, such as administrators and system operators. Capabilities include:

  • Session recording
  • Credential vaulting
  • Just-in-time access
  • Approval workflows

Segregation of Duties (SoD)

SoD ensures no single user can perform sensitive actions end-to-end, reducing the risk of fraud or accidental misuse.

Contextual and Adaptive Access Control

Risk-Based Authentication (RBA)

RBA enhances security by adjusting authentication requirements dynamically based on observed behavior. Factors include:

  • Device reputation
  • Geolocation anomalies
  • IP behavior patterns
  • Unusual time-of-access

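A risk-based authentication decision over the four signals listed above, as an added example (not code from the page or from any RBA product): each signal contributes a weight, and the total decides whether the password alone suffices, MFA is required, or the attempt is blocked. The account baseline, the IP failure counters, the weights and the thresholds are all constructed assumptions for the example.

```python
# Constructed baseline for one account (an assumption of this example).
PROFILE = {
    "devices": {"laptop-01", "phone-07"},
    "countries": {"DE"},
    "usual_hours": range(7, 20),                      # local login hours
    "failed_attempts_by_ip": {"198.51.100.9": 12},    # constructed counters
}

# Weights are illustrative; a real engine tunes them from observed data.
WEIGHTS = {
    "unknown device": 30,
    "geolocation anomaly": 40,
    "unusual time of access": 15,
    "source ip with recent failures": 35,
}


def risk_score(login: dict, profile: dict) -> tuple:
    """Return (score, reasons) for a login attempt described by a dict with
    device_id, country, hour and ip."""
    reasons = []
    if login["device_id"] not in profile["devices"]:
        reasons.append("unknown device")
    if login["country"] not in profile["countries"]:
        reasons.append("geolocation anomaly")
    if login["hour"] not in profile["usual_hours"]:
        reasons.append("unusual time of access")
    if profile["failed_attempts_by_ip"].get(login["ip"], 0) >= 5:
        reasons.append("source ip with recent failures")
    return sum(WEIGHTS[r] for r in reasons), reasons


def required_authentication(score: int) -> str:
    """Map the score to what the user must complete. Thresholds are
    assumptions for the example."""
    if score < 30:
        return "password"
    if score < 70:
        return "password+mfa"
    return "block"


def evaluate(login: dict, profile: dict = PROFILE) -> dict:
    """Decision record: the reasons are what an analyst sees in the log."""
    score, reasons = risk_score(login, profile)
    return {"score": score, "reasons": reasons,
            "required": required_authentication(score)}
```

Keeping the reasons alongside the score is deliberate: a step-up that cannot be explained is hard to tune and hard to investigate.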

Zero Trust Access Control

Zero trust principles assume that no user or device is inherently trusted, even inside the network. Identity becomes the first perimeter. Key principles:

  • Verify explicitly
  • Enforce least privilege
  • Assume breach

Zero trust architectures integrate continuous authentication, network segmentation, and contextual authorization checks.

Access Control in Wireless and Mobile Environments

Wireless Security Considerations (NIST SP 800-153)

Wireless networks require strong protections due to risks like eavesdropping, rogue access points, and credential interception. Recommended practices:

  • Use WPA3-Enterprise with certificate-based authentication
  • Avoid pre-shared keys for large environments
  • Implement wireless intrusion detection and monitoring

Mobile Authentication Challenges

Mobile devices present unique constraints such as limited hardware resources, enhanced privacy expectations, and frequent network roaming. MASTG outlines key requirements:

  • Use platform-provided secure biometric APIs
  • Protect authentication tokens using secure storage (Android Keystore, iOS Secure Enclave)
  • Avoid insecure local authentication logic

Cryptography’s Role in Authentication and Authorization

Authentication relies deeply on cryptographic primitives:

  • Hashing (password storage)
  • HMAC (TOTP generation)
  • Digital signatures (certificate authentication)
  • Public key cryptography (SSH, TLS)


Schneier’s Applied Cryptography emphasizes the importance of using well-vetted algorithms and avoiding custom cryptography.

Pitfalls in Authentication & Authorization Systems

Even robust models can fail if misconfigured. Typical mistakes include:

  • Using outdated hashing algorithms (e.g., SHA-1, MD5)
  • Improper MFA implementation (e.g., bypasses via fallback methods)
  • Over-privileged accounts
  • Hardcoded API keys
  • Missing access revocation workflows
  • Authorization enforced only client-side (as often exposed in web/mobile pentesting literature)

Authentication and authorization are pillars of secure system design. The evolution from simple password checks toward adaptive, cryptographically-backed, context-aware identity systems reflects the modern threat landscape’s complexity. As organizations transition into cloud, mobile, and zero trust ecosystems, a deep understanding of access control models is essential. By mastering these foundations, supported by authoritative references such as NIST SP 800-63, SP 800-153, Schneier’s cryptographic analysis, and application security best practices, security practitioners can design identity architectures that are both resilient and adaptable to emerging challenges.