Multi-Factor Authentication (39.2.9)
As we’ve touched upon earlier, multi-factor authentication requires at least two methods of verification drawn from different categories: something you know, such as a password; something you have, such as a security key fob or a registered phone; and something you are, such as a fingerprint. A password combined with a security question is not multi-factor authentication, because both are something you know.
Multi-factor authentication reduces the incidence of online identity theft because a password that has been guessed, phished, or exposed in a breach is no longer enough on its own to give a cybercriminal access to the user’s account.
For example, an online banking website might require a password and a one-time PIN that is sent to the user’s smartphone. The first factor is the password (something the user knows); the second is the temporary PIN, because presenting it demonstrates access to the phone registered to the account (something the user has). Note that a PIN delivered by SMS is the weakest form of this factor: it can be redirected by a SIM-swap attack, and a user can be tricked into relaying it to a phishing site. A code generated by an authenticator app, or a hardware security key, is stronger.
Withdrawing cash from an ATM is another simple example of multi-factor authentication: the user must have the bank card (something they have) and know the PIN (something they know) before the ATM will dispense cash.
Note that two-factor authentication (2FA) is the specific case of multi-factor authentication that uses exactly two factors, but the two terms are often used interchangeably.
Authorization
Authorization controls what a user can and cannot do on the network after successful authentication. Once a user has proved their identity, the system checks which network resources the user may access and what they may do with those resources.
When to Implement Authorization
Authorization uses a set of attributes that describe the user’s access to the network, to answer the question, “What read, copy, edit, create, and delete privileges does this user have for each resource they can access?” It can also specify the days and times at which a user may access those resources.
The system compares these attributes with the information held in the authentication database, determines the set of restrictions that apply to that user, and delivers it to the local device to which the user is connected.
Authorization is automatic and does not require users to perform additional steps after authentication. System administrators configure the network so that authorization is applied immediately after the user authenticates.
How to Implement Authorization
Defining authorization rules is the first step in controlling access. An authorization policy establishes these rules, and two common ways to structure it are by group membership and by authority level.
A group membership policy grants access based on a user’s membership in a specific group. All employees of an organization may have a swipe card that opens the main entrance, for example, while only senior-level employees and IT team members have cards that also open the server room.
An authority-level policy defines access permissions based on an employee’s position within the organization; a manager might be able to approve a request that a junior employee can only submit. Whichever model is used, the policy should deny by default and grant only the permissions a role actually needs, so that a compromised account or card exposes as little as possible.
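The Python example below is added to show what the preceding paragraphs look like as an evaluable policy; it is not code from the original course material. It encodes the swipe-card example as group-membership rules and a payroll database as authority-level rules with the day-and-time restriction mentioned earlier, and answers the "what privileges does this user have with each resource" question with a default-deny check. The users, groups, resources and authority scale are all constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    level: int  # authority level on a constructed scale: 1 = staff, 2 = senior, 3 = executive


@dataclass(frozen=True)
class Rule:
    """One grant. A request is allowed if any rule matches; there is no way to express a
    deny, so the policy is default-deny and adding a rule can only widen access."""
    resource: str
    actions: FrozenSet[str]
    any_of_groups: FrozenSet[str] = frozenset()     # empty means no group requirement
    min_level: int = 0                              # authority-level requirement
    hours: Tuple[int, int] = (0, 24)                # permitted local hours [start, end)
    weekdays: FrozenSet[int] = frozenset(range(7))  # Monday = 0


OFFICE_DAYS = frozenset(range(5))

POLICY = (
    # Group-membership rules: every employee's card opens the entrance,
    # only IT and senior staff reach the server room.
    Rule("building-entrance", frozenset({"enter"}), any_of_groups=frozenset({"employees"})),
    Rule("server-room", frozenset({"enter"}), any_of_groups=frozenset({"it", "senior"})),
    # Authority-level rules with a day/time restriction: HR may read payroll data
    # during office hours, but changing it requires senior authority as well.
    Rule("payroll-db", frozenset({"read", "copy"}), any_of_groups=frozenset({"hr"}),
         hours=(8, 18), weekdays=OFFICE_DAYS),
    Rule("payroll-db", frozenset({"edit", "create", "delete"}), any_of_groups=frozenset({"hr"}),
         min_level=2, hours=(8, 18), weekdays=OFFICE_DAYS),
)


def is_authorized(user: User, resource: str, action: str, when: datetime) -> bool:
    """True only if some rule grants this exact action, for this user's groups and level,
    at this day and hour. Anything not explicitly granted is denied."""
    for rule in POLICY:
        if rule.resource != resource or action not in rule.actions:
            continue
        if rule.any_of_groups and user.groups.isdisjoint(rule.any_of_groups):
            continue
        if user.level < rule.min_level:
            continue
        if when.weekday() not in rule.weekdays:
            continue
        if not (rule.hours[0] <= when.hour < rule.hours[1]):
            continue
        return True
    return False


def permissions(user: User, resource: str, when: datetime) -> Set[str]:
    """The set of restrictions delivered to the device: which actions this user may take now."""
    actions: Set[str] = set()
    for rule in POLICY:
        if rule.resource == resource:
            actions.update(a for a in rule.actions if is_authorized(user, resource, a, when))
    return actions


# Constructed users and points in time (12 March 2024 is a Tuesday, 16 March a Saturday).
ALICE = User("alice", frozenset({"employees", "hr"}), level=1)
BOB = User("bob", frozenset({"employees", "hr", "senior"}), level=2)
CAROL = User("carol", frozenset({"employees", "it"}), level=1)
TUESDAY_10AM = datetime(2024, 3, 12, 10, 0)
TUESDAY_8PM = datetime(2024, 3, 12, 20, 0)
SATURDAY_10AM = datetime(2024, 3, 16, 10, 0)

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user.name, "server-room:", is_authorized(user, "server-room", "enter", TUESDAY_10AM),
              "payroll now:", sorted(permissions(user, "payroll-db", TUESDAY_10AM)))
```

Because every check falls through to `return False`, a request for a resource that no rule mentions, or an action a rule does not list, is refused without any special casing; that is the property to test for first when reviewing an authorization layer.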
Accounting
Accounting traces an action back to a person or process. It collects this information and reports the usage data, which the organization can use for purposes such as auditing or billing. The collected data might include when a user logged in, whether the login succeeded or failed, and which network resources the user accessed. This allows an organization to reconstruct actions, errors, and mistakes during an audit or investigation.
Implementing accounting involves technologies, policies, procedures, and education. Log files provide detailed information based on the parameters chosen. For example, an organization may review the log for login failures and successes: a run of login failures can indicate that an attacker is trying to break into an account, and login successes tell the organization which users are using which resources and when. Logs are only trustworthy as evidence if they are written to a location the monitored users cannot alter and if the clocks of the systems producing them are synchronized.
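The Python example below is added to show the kind of review the previous paragraph describes, run over a small constructed log; it is not code from the original course material, and the key=value line format is invented for the demo rather than taken from any real product. It reconstructs who logged in from where, counts failures per user and source, flags sources that reach a failure threshold, highlights the pattern investigators care about most (a success immediately following a burst of failures from the same source), and records which resources each user then touched.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log in a simple key=value format (not any real product's format).
# bob's entry shows a burst of failures followed by a success from the same source.
SAMPLE_LOG = """\
2024-03-12T08:01:10Z auth user=alice src=10.0.0.5 result=success
2024-03-12T08:01:52Z access user=alice resource=fileserver action=read
2024-03-12T08:02:30Z auth user=carol src=10.0.0.7 result=failure
2024-03-12T08:02:41Z auth user=carol src=10.0.0.7 result=success
2024-03-12T08:03:00Z auth user=bob src=203.0.113.9 result=failure
2024-03-12T08:03:04Z auth user=bob src=203.0.113.9 result=failure
2024-03-12T08:03:09Z auth user=bob src=203.0.113.9 result=failure
2024-03-12T08:03:13Z auth user=bob src=203.0.113.9 result=failure
2024-03-12T08:03:18Z auth user=bob src=203.0.113.9 result=failure
2024-03-12T08:03:22Z auth user=bob src=203.0.113.9 result=failure
2024-03-12T08:03:30Z auth user=bob src=203.0.113.9 result=success
2024-03-12T08:04:02Z access user=bob resource=payroll-db action=copy
this line is corrupted and must be skipped
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<event>auth|access) (?P<fields>.+)$")


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a record, or None if it does not match the expected shape."""
    m = LINE.match(line)
    if not m:
        return None
    record = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "event": m["event"]}
    for field in m["fields"].split():
        key, _, value = field.partition("=")
        record[key] = value
    return record


def analyze(text: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Summarise authentication and access events for review."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    resources: Dict[str, set] = defaultdict(set)
    success_after_failures: List[str] = []
    for record in filter(None, map(parse_line, text.splitlines())):
        if record["event"] == "auth":
            key = (record.get("user", "?"), record.get("src", "?"))
            if record.get("result") == "failure":
                failures[key].append(record["ts"])
            else:
                # A success preceded by `threshold` failures within `window` from the same
                # source is the signature of a guessing attack that eventually worked.
                recent = [t for t in failures.get(key, []) if record["ts"] - t <= window]
                if len(recent) >= threshold:
                    success_after_failures.append(
                        f"{key[0]} from {key[1]} succeeded at {record['ts']:%H:%M:%S} "
                        f"after {len(recent)} failures within {window}"
                    )
        elif record["event"] == "access":
            resources[record.get("user", "?")].add(record.get("resource", "?"))
    return {
        "failure_counts": {key: len(ts) for key, ts in failures.items()},
        "suspicious_sources": [key for key, ts in failures.items() if len(ts) >= threshold],
        "success_after_failures": success_after_failures,
        "resources_by_user": {user: sorted(rs) for user, rs in resources.items()},
    }


SAMPLE_REPORT = analyze(SAMPLE_LOG)

if __name__ == "__main__":
    for section, value in SAMPLE_REPORT.items():
        print(f"{section}: {value}")
```

Note that carol's single failure followed by a success is reported as a count but not as an alert: one mistyped password is ordinary user behaviour, and the threshold and window are what separate it from bob's pattern. Tune both to the environment before acting on the output.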
The organization’s policies and procedures spell out which actions are to be recorded and how the log files are generated, reviewed, protected, and stored.
Data retention, media disposal, and compliance requirements are all part of accounting. Many laws require organizations to implement measures to secure different types of data, and they guide the organization on the right way to handle, store, and dispose of that data. User education and awareness of the organization’s policies, procedures, and applicable laws also contribute to accounting.