Identity and Access Management

Identity and Access Management (IAM) controls who can access what resources and under what conditions. It is one of the most important security domains — a compromised identity is the most common entry point for attackers.

---

Core Concepts

Concept	Definition
Identity	Who you are (user, service, device)
Authentication (AuthN)	Proving your identity
Authorisation (AuthZ)	What you are allowed to do
Accounting	Logging what you did

These three concepts — Authentication, Authorisation, and Accounting — form the AAA framework used throughout security.

---

Authentication Factors

Authentication verifies identity using one or more factors:

Factor	Category	Example
Password	Something you know	Passphrase, PIN
Security token	Something you have	Hardware key (YubiKey), authenticator app
Biometric	Something you are	Fingerprint, face recognition, iris scan
Location	Somewhere you are	GPS, IP-based geolocation
Behaviour	Something you do	Typing patterns, mouse movements

---

Multi-Factor Authentication (MFA)

MFA requires two or more authentication factors from different categories:

Factor 1: Password (something you know)
    +
Factor 2: Authenticator app TOTP code (something you have)
    =
Strong authentication

MFA Methods

Method	Security Level	User Experience
SMS OTP	Low (vulnerable to SIM swapping)	Easy
Email OTP	Low (email may be compromised)	Easy
TOTP (authenticator app)	Medium	Good
Push notification	Medium	Good
FIDO2 / WebAuthn	High (phishing-resistant)	Good
Hardware security key	Highest (phishing-resistant)	Requires physical device

Tip: SMS-based MFA is better than no MFA, but FIDO2/WebAuthn and hardware security keys are the gold standard because they are phishing-resistant.

---

Authentication Protocols

OAuth 2.0

OAuth 2.0 is an authorisation framework (not authentication) that grants limited access to resources:

User ──▶ Client App ──▶ Authorisation Server ──▶ Resource Server
                              │
                         Access Token

Grant types:

• Authorisation Code — most common for web apps
• Client Credentials — machine-to-machine
• Device Code — for devices without a browser (smart TVs, CLI tools)

OpenID Connect (OIDC)

OIDC adds an authentication layer on top of OAuth 2.0:

• Returns an ID Token (JWT) with user identity claims
• Used for single sign-on (SSO)
• Providers: Google, Microsoft, Okta, Auth0

SAML 2.0

Security Assertion Markup Language — an older SSO standard:

• XML-based
• Used primarily in enterprise environments
• Exchanges assertions between Identity Provider (IdP) and Service Provider (SP)

Kerberos

Network authentication protocol used in Windows Active Directory: