Domain 4 · SY0-701

Identity & Access

Authentication factors, MFA, SSO, Zero Trust, PAM, access control models, and directory services. Weight: ~16% of exam.

Authentication Factors & MFA
Something you know · have · are · somewhere · do

Authentication proves you are who you claim to be. The exam categorizes auth into five factor types — know each category and its examples cold (National Institute of Standards and Technology [NIST], 2017; CompTIA, 2023).

Knowledge (Something You Know): password, PIN, security questions, passphrase
Possession (Something You Have): smart card, hardware token (YubiKey), OTP app (Google Authenticator), badge
Inherence (Something You Are): fingerprint, retina scan, facial recognition, voice print, vein pattern
Location (Somewhere You Are): IP geolocation, GPS coordinates, country restriction, network zone check
Behavior (Something You Do): typing cadence, signature dynamics, mouse movement patterns

MFA requires at least two factors from different categories (NIST, 2017). Password + PIN is NOT MFA (both are "something you know"). Password + OTP app is MFA. Behavioral factors such as typing cadence and signature dynamics represent an emerging category of continuous authentication (Stallings & Brown, 2018).

Related terms: TOTP · HOTP · Push Notification · Hardware Token · Biometric
Exam Trap
Password + security question = NOT MFA. Both are knowledge factors. MFA requires different factor categories. Common wrong-answer trap on the exam.
SSO & Federation
SAML · OAuth 2.0 · OpenID Connect · Kerberos · SSO flow

Single Sign-On (SSO) lets users authenticate once and access multiple systems without re-entering credentials (NIST, 2017). The key is understanding which protocol does what.

Protocol | Purpose | Used For | Exam Clue
SAML 2.0 | Authentication + authorization assertions (XML) | Enterprise SSO, cross-domain federation | "XML tokens" or "federated identity"
OAuth 2.0 | Authorization delegation (not authentication) | "Login with Google" — grants access without sharing the password | "Delegate access" — NOT authentication by itself
OIDC | Identity layer on top of OAuth 2.0 | Authentication via JWT ID token | "OAuth + identity" — adds the who
Kerberos | Ticket-based auth in Active Directory | Internal Windows/AD environments | "TGT / TGS tickets" or "KDC"
SSO flow: User → Identity Provider (IdP) → Token / Assertion → Service Provider (SP)

Federation: different organizations trust the same IdP. User logs in with Company A credentials to access Company B's app (OASIS, 2005). The OAuth 2.0 framework enables authorization delegation without credential sharing (Hardt, 2012), while OpenID Connect adds an identity layer using JSON Web Tokens (Jones et al., 2015). Kerberos provides ticket-based mutual authentication in Active Directory environments (Neuman et al., 2005).

Key Distinction
OAuth = authorization (what you can do). OIDC = OAuth + authentication (who you are). SAML = enterprise federation with XML. These three are exam favorites.
Zero Trust Architecture
Never trust, always verify · Microsegmentation · Least privilege

Zero Trust rejects the concept of a trusted internal network. Every access request is authenticated, authorized, and continuously validated — regardless of source (Rose et al., 2020). Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (Rose et al., 2020).

Never Trust, Always Verify
No implicit trust based on network location. Being inside the corporate LAN grants no automatic access (Rose et al., 2020).
Least Privilege Access
Users and systems receive only the minimum access needed for their task. No standing elevated permissions (Joint Task Force, 2020).
Microsegmentation
Network divided into small zones. Lateral movement is blocked — compromise of one zone doesn't mean access to others (Rose et al., 2020).
Continuous Validation
Authentication isn't one-time. Device posture, user behavior, and session context are checked continuously.
Assume Breach
Design as if attackers are already inside. Focus on containment, detection, and minimizing blast radius.
Aspect | Traditional Perimeter | Zero Trust
Trust model | Trust inside network | Trust no one by default
Lateral movement | Possible once inside | Blocked by microsegmentation
Auth frequency | One-time at login | Continuous re-validation
Remote work | VPN extends perimeter | Identity-based, device posture-aware
Memory Hook
Zero trust = Zap the perimeter, Zone everything, Zero assumptions. Key terms: microsegmentation, least privilege, assume breach, continuous validation.
PAM — Privileged Access Management
Just-in-time · Password vaulting · Session recording · Least privilege

PAM controls, monitors, and audits access for privileged accounts (admins, root, service accounts). These accounts are high-value targets — PAM reduces the attack surface around them (Joint Task Force, 2020; CyberArk, 2023). Just-in-time provisioning eliminates standing privileges by granting elevated rights only when needed and for a limited time (CompTIA, 2023).

PAM Feature | What It Does | Why It Matters
Password Vaulting | Stores and rotates privileged credentials centrally | No one knows the actual password — vault grants access on demand
Just-in-Time (JIT) Access | Grants elevated rights only when needed, for a limited time | Eliminates standing privileges — access expires automatically
Session Recording | Records and logs every privileged session | Provides forensic audit trail; deters insider abuse
Multi-Factor Auth | Requires MFA for privileged account access | Stolen password alone cannot elevate access
Least Privilege Enforcement | Grants only the permissions required for the task | Limits blast radius if account is compromised
Related terms: CyberArk · BeyondTrust · HashiCorp Vault · Service Accounts · Root Accounts
Exam Clue
If the question mentions admin accounts, root access, or credential rotation → think PAM. If it mentions temporary elevated access → think Just-in-Time provisioning.
Access Control Models
DAC · MAC · RBAC · ABAC · Rule-Based

Access control models define who decides what a subject can access. This is one of the highest-tested IAM topics — know every model's distinguishing characteristic (Stallings & Brown, 2018; CompTIA, 2023).

DAC (Discretionary Access Control): owner decides who gets access. File owner sets permissions (e.g., Windows NTFS, Linux chmod). Most flexible — least secure. User can share their own files freely (Stallings & Brown, 2018).
MAC (Mandatory Access Control): system enforces based on labels. OS assigns sensitivity labels (Top Secret, Secret, Unclassified). Users cannot override. Used in government/military. SELinux is a MAC implementation (Bell & LaPadula, 1973; Joint Task Force, 2020).
RBAC (Role-Based Access Control): access assigned to roles, not individuals. User assigned to role (Admin, HR, Sales). Role has permissions. Most common enterprise model. Easy to manage at scale — change role, change access (Ferraiolo et al., 2001).
ABAC (Attribute-Based Access Control): access based on multiple attributes. Evaluates user attributes (dept, clearance, time, device) dynamically. Most flexible and granular — "HR managers on corporate devices during business hours." Used in Zero Trust environments (Hu et al., 2014; Rose et al., 2020).
Rule-Based Access Control: access based on predefined rules. Access granted based on conditions (time of day, IP range). Firewall ACLs are a common example. Often confused with RBAC — Rule-Based uses conditions, RBAC uses roles.
Quick Recall
Discretionary = Decide yourself (owner). Mandatory = Military labels. Role-Based = Role gets access. Attribute = Anything goes (most granular). "DMRA" — Department of Military Role Attributes.
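An added example (not from the study module) that decides one request two ways: RBAC, where the role set alone answers, and ABAC, using the module's "HR managers on corporate devices during business hours" rule as a predicate over subject, resource and environment attributes. The role names, attribute names and the sample request are constructed.

```python
from datetime import datetime

# RBAC: permissions hang off roles; the subject's role set is the only input.
ROLE_PERMS = {
    "hr_manager": {"payroll:read", "payroll:write"},
    "hr_staff": {"payroll:read"},
    "sales": set(),
}


def rbac_allows(roles: set, action: str) -> bool:
    return any(action in ROLE_PERMS.get(r, set()) for r in roles)


# ABAC: a policy is a predicate over subject, resource and environment attributes.
def hr_payroll_policy(subject: dict, resource: dict, env: dict) -> bool:
    when = env["time"]
    return (
        resource.get("type") == "payroll"
        and subject.get("dept") == "HR"
        and subject.get("title") == "manager"
        and env.get("device_managed") is True              # corporate device
        and when.weekday() < 5 and 9 <= when.hour < 17     # business hours
    )


POLICIES = [hr_payroll_policy]


def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    """Default deny: allow only when some policy explicitly permits."""
    return any(policy(subject, resource, env) for policy in POLICIES)


def decide_sample() -> dict:
    """Constructed request: the same HR manager and payroll record, two contexts."""
    alice = {"dept": "HR", "title": "manager", "roles": {"hr_manager"}}
    payroll = {"type": "payroll", "id": "2024-Q1"}
    weekend_byod = {"device_managed": False, "time": datetime(2024, 3, 2, 2, 0)}   # Sat 02:00
    office_hours = {"device_managed": True, "time": datetime(2024, 3, 4, 10, 30)}  # Mon 10:30
    return {
        "rbac": rbac_allows(alice["roles"], "payroll:write"),           # True: role alone suffices
        "abac_weekend_byod": abac_allows(alice, payroll, weekend_byod),  # False: context fails
        "abac_office_hours": abac_allows(alice, payroll, office_hours),  # True: all attributes hold
    }


if __name__ == "__main__":
    print(decide_sample())
```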
Directory Services
LDAP · Active Directory · Kerberos · RADIUS · TACACS+

Directory services store and manage user identities and access policies. The exam expects you to match protocols to use cases and key ports (CompTIA, 2023; Stallings & Brown, 2018).

LDAP (Port 389 / 636): Lightweight Directory Access Protocol. Query and modify directory entries (users, groups, OUs). Port 389 (plain), 636 (LDAPS — encrypted) (Sermersheim, 2006).
Active Directory (Windows Enterprise): Microsoft's directory service using LDAP + Kerberos + DNS. Organizes objects in Domains → Trees → Forests. The standard enterprise identity store (Microsoft, 2025).
Kerberos (Port 88 · TGT / TGS): Ticket-based auth protocol. User gets Ticket-Granting Ticket (TGT) from KDC, exchanges it for service tickets. Mutual auth — both sides verify identity. Port 88 (Neuman et al., 2005).
RADIUS (UDP 1812/1813): Remote Authentication Dial-In User Service. Centralized AAA (Authentication, Authorization, Accounting) for network access. Used for VPN, Wi-Fi, dial-up. UDP 1812/1813 (Joint Task Force, 2020; CompTIA, 2023).
TACACS+ (TCP 49 · Cisco AAA): Cisco's AAA protocol. Separates Authentication, Authorization, and Accounting into independent processes. TCP 49. More granular command-level authorization than RADIUS.
802.1X (NAC · EAPOL): Port-based NAC (Network Access Control). Authenticates devices before granting network access. Uses EAP over LAN (EAPOL). Supplicant → Authenticator → Auth Server (RADIUS).
RADIUS vs TACACS+
RADIUS: UDP, combines AuthN + AuthZ, used for network access (VPN, Wi-Fi). TACACS+: TCP, separates all three AAA, used for device administration (Cisco routers/switches). This distinction is a guaranteed exam topic.
References
  1. Bell, D. E., & LaPadula, L. J. (1973). Secure computer systems: Mathematical foundations (MITRE Technical Report 2547, Vol. I). The MITRE Corporation. http://www-personal.umich.edu/~cja/LPS12b/refs/belllapadula1.pdf
  2. CompTIA. (2023). CompTIA Security+ SY0-701 certification exam objectives (Version 5.0). CompTIA, Inc. https://assets.ctfassets.net/82ripq7fjls2/6TYWUym0Nudqa8nGEnegjG/0f9b974d3b1837fe85ab8e6553f4d623/CompTIA-Security-Plus-SY0-701-Exam-Objectives.pdf
  3. CyberArk. (2023). CyberArk 2023 identity security threat landscape report. CyberArk Software Ltd. https://www.cyberark.com/resources/ebooks/cyberark-2023-identity-security-threat-landscape-report
  4. Ferraiolo, D. F., Sandhu, R., Gavrila, S., Kuhn, D. R., & Chandramouli, R. (2001). Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security, 4(3), 224–274. https://doi.org/10.1145/501978.501980
  5. Hardt, D. (Ed.). (2012). The OAuth 2.0 authorization framework (RFC 6749). Internet Engineering Task Force. https://www.rfc-editor.org/rfc/rfc6749
  6. Hu, V. C., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., & Scarfone, K. (2014). Guide to attribute based access control (ABAC) definition and considerations (NIST Special Publication 800-162). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-162
  7. Joint Task Force. (2020). Security and privacy controls for information systems and organizations (NIST Special Publication 800-53 Rev. 5). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-53r5
  8. Jones, M., Bradley, J., & Sakimura, N. (2015). JSON web token (JWT) (RFC 7519). Internet Engineering Task Force. https://www.rfc-editor.org/rfc/rfc7519
  9. Microsoft. (2025). Active Directory Domain Services overview. Microsoft Learn. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
  10. National Institute of Standards and Technology. (2017). Digital identity guidelines (NIST Special Publication 800-63-3). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-63-3
  11. Neuman, C., Yu, T., Hartman, S., & Raeburn, K. (2005). The Kerberos network authentication service (V5) (RFC 4120). Internet Engineering Task Force. https://www.rfc-editor.org/rfc/rfc4120
  12. OASIS. (2005). Assertions and protocols for the OASIS security assertion markup language (SAML) V2.0 (Document ID saml-core-2.0-os). OASIS Security Services Technical Committee. https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
  13. Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero trust architecture (NIST Special Publication 800-207). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-207
  14. Sermersheim, J. (Ed.). (2006). Lightweight directory access protocol (LDAP): The protocol (RFC 4511). Internet Engineering Task Force. https://www.rfc-editor.org/rfc/rfc4511
  15. Stallings, W., & Brown, L. (2018). Computer security: Principles and practice (4th ed.). Pearson Education. https://www.pearson.com/en-us/subject-catalog/p/computer-security-principles-and-practice/P200000003452