Authentication and Access Control
Authentication verifies who a party is, and access control decides what that party may do; together they are the gatekeepers that enforce security policy in every multi-user system.
Definition
Authentication is the process of establishing confidence in a claimed identity, while access control is the enforcement of rules determining which authenticated subjects may perform which operations on which resources.
Scope
This topic covers identity verification (passwords, multi-factor authentication, biometrics, cryptographic credentials, single sign-on) and the models and mechanisms for authorization (access-control lists, capabilities, role-based and attribute-based access control, the principle of least privilege). It addresses federated identity and protocols such as OAuth and SAML. It excludes the cryptographic primitives underlying credentials and the network-layer controls treated under network security.
Core questions
- How can a system reliably verify that a party is who it claims to be?
- What are the trade-offs among knowledge, possession, and inherence authentication factors?
- How do access-control models (DAC, MAC, RBAC, ABAC) express and enforce policy?
- How is the principle of least privilege applied in practice?
- How is identity federated across organizations via single sign-on?
Key concepts
- authentication factors
- multi-factor authentication
- passwords and credential storage
- biometrics
- access-control lists and capabilities
- role-based access control (RBAC)
- attribute-based access control (ABAC)
- least privilege
- single sign-on and federated identity
Key theories
- Authentication factors and multi-factor authentication
- Identity is verified by something you know (password), have (token or phone), or are (biometric); combining independent factors greatly raises the bar against credential theft, since compromising one factor is insufficient.
- Access-control models and least privilege
- Authorization is structured through models — discretionary and mandatory access control, role-based (RBAC) and attribute-based (ABAC) — that, guided by least privilege, grant each subject only the rights it needs, limiting the damage of compromise.
Mechanisms
Authentication mechanisms verify a factor: comparing a salted password hash, validating a one-time code or hardware-token signature, or matching a biometric template. Cryptographic authentication (public-key certificates, FIDO2/WebAuthn) proves possession of a private key without sending a secret. Authorization then consults a policy: access-control lists attach permissions to resources, capabilities attach them to subjects, and RBAC/ABAC compute decisions from roles or attributes. Federated identity protocols (OAuth, OIDC, SAML) let one provider vouch for a user to many services.
Practical relevance
Authentication and access control are where most real attacks succeed or fail: stolen or phishable passwords cause the majority of breaches, which is why multi-factor authentication and phishing-resistant passkeys (WebAuthn) are now strongly recommended. RBAC governs permissions in enterprises and cloud platforms, and single sign-on (Google, Microsoft logins) shapes everyday user experience and its security risks.
Evidence & guidelines
NIST SP 800-63 (Digital Identity Guidelines) defines authentication assurance levels and modern password guidance (favoring length and breach-checking over forced complexity). RBAC is standardized as INCITS 359, and FIDO2/WebAuthn provides phishing-resistant authentication. OAuth 2.0 (RFC 6749) and OpenID Connect standardize federated authorization and authentication.
History
Access control dates to early time-sharing systems, with Lampson's access-control matrix and the Bell-LaPadula mandatory model formalizing it in the 1970s. Role-based access control was formalized by Sandhu and colleagues in 1996 and became the enterprise standard. Authentication evolved from passwords through hardware tokens and one-time passwords to today's multi-factor and phishing-resistant passkeys, while federated identity (SAML, then OAuth/OIDC) enabled web-scale single sign-on.
Key figures
- Ravi Sandhu
- Ross Anderson
- Jerome Saltzer
- Butler Lampson
- Roger Needham
Related topics
Seminal works
- anderson2020
- sandhu1996
- saltzer1975
Frequently asked questions
- Why is multi-factor authentication so strongly recommended?
- Passwords alone are routinely stolen through phishing, reuse, and database breaches. Requiring a second, independent factor (a device or biometric) means a stolen password is not enough to log in, blocking the large majority of account-takeover attacks.
- What is the difference between RBAC and ABAC?
- Role-based access control grants permissions through roles assigned to users, which is simple to administer. Attribute-based access control makes decisions from attributes of the user, resource, and context (such as time or location), giving finer-grained, dynamic policies at the cost of more complexity.
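The RBAC versus ABAC contrast in this answer, and the least-privilege point under Key theories, as an added Python example that is not part of the original page and follows no particular product's API. The RBAC side routes every permission through a role, so a user's effective rights are exactly the union of its roles and nothing else; the ABAC side evaluates rules over subject, resource and environment attributes with deny-overrides combining and a default deny. The role names, attribute names, rules and sample users are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (action, resource)
Attrs = Dict[str, object]


class RBAC:
    """Role-based access control: user -> roles -> permissions.

    Users never hold permissions directly, so 'what can this role do?' and
    'who holds this role?' are the only two questions an access review needs.
    """

    def __init__(self) -> None:
        self.role_permissions: Dict[str, Set[Permission]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def grant(self, role: str, action: str, resource: str) -> None:
        self.role_permissions.setdefault(role, set()).add((action, resource))

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def effective_permissions(self, user: str) -> Set[Permission]:
        # Least privilege made checkable: the union of the user's roles is the whole story.
        return set().union(*(self.role_permissions[r] for r in self.user_roles.get(user, set())))

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        return (action, resource) in self.effective_permissions(user)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    applies: Callable[[Attrs, str, Attrs, Attrs], bool]  # (subject, action, resource, env)


class ABAC:
    """Attribute-based access control with deny-overrides and default deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, subject: Attrs, action: str, resource: Attrs, env: Attrs) -> Tuple[bool, str]:
        """Return (allowed, name of the rule that decided it)."""
        permits: List[str] = []
        for rule in self.rules:
            if rule.applies(subject, action, resource, env):
                if rule.effect == "deny":
                    return False, rule.name  # any applicable deny wins
                permits.append(rule.name)
        if permits:
            return True, permits[0]
        return False, "default-deny"  # nothing matched: least privilege says no


def build_rbac() -> RBAC:
    """Constructed sample: an auditor role that can only read the ledger."""
    rbac = RBAC()
    rbac.grant("auditor", "read", "ledger")
    rbac.grant("accountant", "read", "ledger")
    rbac.grant("accountant", "write", "ledger")
    rbac.assign("alice", "auditor")
    rbac.assign("dave", "accountant")
    return rbac


def build_abac() -> ABAC:
    """Constructed sample policy over department, ownership and time of day."""
    return ABAC([
        Rule("same-department-read", "permit",
             lambda s, a, r, e: a == "read" and s.get("department") == r.get("department")),
        Rule("owner-write", "permit",
             lambda s, a, r, e: a == "write" and s.get("id") == r.get("owner")),
        Rule("no-writes-after-hours", "deny",
             lambda s, a, r, e: a == "write" and not (8 <= int(e.get("hour", 0)) < 18)),
    ])


if __name__ == "__main__":
    rbac = build_rbac()
    print("alice read ledger:", rbac.is_allowed("alice", "read", "ledger"))
    print("alice write ledger:", rbac.is_allowed("alice", "write", "ledger"))
    abac = build_abac()
    carol = {"id": "carol", "department": "finance"}
    report = {"type": "report", "department": "finance", "owner": "carol"}
    print("carol write at 22:00:", abac.decide(carol, "write", report, {"hour": 22}))
```

The same request ("carol writes her own report") is decided differently by the two models: RBAC would need a role per combination of department and ownership to express it, while the ABAC rule reads those facts from attributes at decision time, which is the finer granularity the answer describes, bought with a policy that is harder to audit than a role list.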