UNIT 4
Authentication and Access Control
There is a growing demand for different types of user authentication technologies for both online and physical systems. The motivation to authenticate users ranges from access control to business development purposes such as adding e-commerce elements.
►   Organizations need to understand that passwords are not
    the only way to authenticate users. There is a wide variety
    of authentication technologies and an even greater range
    of activities that require authentication methods.
What Is User Authentication?
 Authentication is the process of identifying users that
 request access to a system, network, or device. Access
 control often determines user identity according to
 credentials like username and password. Other
 authentication technologies like biometrics and
 authentication apps are also used to authenticate user
 identity.
Why Is User Authentication Important?
►   User authentication is a crucial security mechanism used in digital systems to verify the identity of users before granting access to sensitive data, applications, or networks. It ensures that only authorized individuals can access specific resources, reducing the risk of cyber threats and unauthorized actions.
1. Prevents Unauthorized Access
2. Protects Sensitive Data
3. Enhances Cybersecurity
4. Prevents Identity Theft and Fraud
5. Ensures Compliance with Regulations
 Common Authentication Types
1. Password-based authentication: Password-based authentication is the most
commonly used method to verify user identity. It requires users to enter a
password, typically a combination of letters, numbers, and special characters.
However, this method has several weaknesses, including vulnerability to phishing
attacks, brute-force hacking, and poor password hygiene. Many users reuse
passwords across multiple accounts or create weak passwords for convenience,
making it easier for attackers to gain unauthorized access.
For example, in an organization, employees use passwords to log into their work
emails, databases, and internal systems. If an employee sets a weak password like
"Company123" and a hacker guesses it using brute-force methods, they can
access sensitive company information. Additionally, if employees fall victim to
phishing emails that trick them into revealing their credentials, the entire system
can be compromised. To enhance security, organizations should implement
multi-factor authentication (MFA), enforce strong password policies, and educate
employees on safe password practices.
2. Multi-Factor Authentication: Multi-Factor Authentication (MFA) enhances
   security by requiring users to verify their identity through multiple
   independent factors, such as a password combined with a fingerprint or
   a one-time code sent to their phone. This additional layer of security
   makes it harder for attackers to gain unauthorized access, even if they
   obtain a user's password. Organizations widely adopt MFA to protect
   sensitive data and prevent breaches.
►   For example, a financial organization may require employees to log into
    their internal systems using both a password and a one-time passcode
    (OTP) sent to their registered mobile number. Even if a hacker steals an
    employee’s password through phishing, they would still need access to
    the employee’s phone to complete the authentication. However, MFA
    also has challenges—if an employee loses their phone or SIM card, they
    may be locked out of their accounts, causing delays in their work. To
    mitigate such risks, organizations should provide backup authentication
    options, such as security questions or backup codes.
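The password-plus-OTP login described in the password and MFA sections above, as an added example that is not part of these notes. It assumes a TOTP authenticator app (RFC 6238) as the second factor rather than an SMS code, a salted PBKDF2 hash for the password, and single-use backup codes for the lost-phone case; all names and values are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
import struct
from typing import Optional

PBKDF2_ROUNDS = 200_000

# Factor 1, something the user knows: only a salted PBKDF2 hash is ever stored.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Factor 2, something the user has: TOTP (RFC 6238) built on HOTP (RFC 4226).
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)           # 8-byte big-endian time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    # Accept the current step plus one step either side, to tolerate small clock drift.
    return any(hmac.compare_digest(totp(secret, unix_time + 30 * i), code)
               for i in range(-window, window + 1))

class Account:
    """Password + TOTP login, with single-use backup codes for the lost-phone case."""

    def __init__(self, password: str, totp_secret: Optional[bytes] = None):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret or secrets.token_bytes(20)   # shared with the user's app
        self.backup_hashes = set()                                   # hashes only, never the codes

    def issue_backup_codes(self, count: int = 5) -> list:
        codes = [secrets.token_hex(4) for _ in range(count)]
        self.backup_hashes = {hashlib.sha256(c.encode()).digest() for c in codes}
        return codes      # shown to the user once; the server keeps only the hashes

    def login(self, password: str, now: int, otp: Optional[str] = None,
              backup_code: Optional[str] = None):
        if not hmac.compare_digest(hash_password(password, self.salt), self.pw_hash):
            return False, "bad password"                 # first factor failed, stop here
        if otp is not None and verify_totp(self.totp_secret, otp, now):
            return True, "ok (password + totp)"
        if backup_code is not None:
            digest = hashlib.sha256(backup_code.encode()).digest()
            if digest in self.backup_hashes:
                self.backup_hashes.discard(digest)        # single use: burn the code
                return True, "ok (password + backup code)"
        return False, "second factor failed"
```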
3. Certificate-based Authentication:
Certificate-based authentication is a secure method that verifies the
identity of users, machines, or devices using digital certificates. These
certificates function like digital passports, containing a public key and a
digital signature issued by a trusted certification authority (CA). This
approach eliminates the need for passwords, reducing the risk of phishing
attacks and credential theft.
For example, in a corporate environment, employees accessing a
company’s internal network must present a digital certificate stored on
their device. When they attempt to log in, the server verifies the
certificate’s authenticity by checking the digital signature and ensuring it
was issued by a trusted CA. If valid, the server uses cryptography to
confirm the user’s identity before granting access. This ensures that only
authorized users and devices can connect to the organization's network,
enhancing security and preventing unauthorized access.
4. Biometric Authentication:
►    Biometric authentication is a highly secure method of verifying a user’s identity based on
    unique biological traits such as fingerprints, facial recognition, voice patterns, or eye
    scans. Unlike passwords or PINs, biometric data is nearly impossible to replicate, making it
    a powerful tool for preventing unauthorized access. This technology is widely used across
    various sectors, including government agencies, financial institutions, airports, and private
    corporations, due to its ability to provide security without adding friction to the user
    experience. Additionally, biometrics can be integrated into multi-factor authentication
    (MFA) to further strengthen security.
►   For example, in a corporate environment, fingerprint scanners can be used at office entry
    points to ensure that only authorized employees can access sensitive areas. This is more
    secure than traditional keycards, which can be lost, stolen, or duplicated. Similarly, voice
    recognition can be used in customer service centers to authenticate users before
    granting access to confidential account information. Despite its advantages, biometric
    authentication is not without challenges—factors such as poor lighting affecting facial
    recognition, fingerprint scanner inaccuracies, or voice recognition failures due to
    background noise can sometimes cause inconvenience. To mitigate these issues,
    organizations often combine biometrics with other authentication methods, such as PIN
    codes or security tokens, to ensure both security and reliability.
5. Token-based authentication:
►   Token-based authentication is a security mechanism that allows users to verify their
    identity once and receive a unique, encrypted token instead of repeatedly entering
    their credentials. This token acts as proof of authentication and can be used to access
    multiple systems or services without requiring users to log in again. Since tokens are
    time-limited and encrypted, they provide better security than traditional session-based
    authentication. This method is widely used in modern web applications, cloud services,
    and APIs.
►   For example, in an organization, employees accessing a company’s internal
    dashboard via a web application log in once using their credentials. The system then
    issues a secure token, which is stored on the user’s device. When the employee
    requests access to different parts of the system—such as project management tools or
    HR portals—the token is automatically verified, eliminating the need to re-enter
    credentials. This improves security while enhancing user convenience. However,
    token-based authentication requires proper token management, as stolen or exposed
    tokens can be misused if not properly secured or revoked after expiration.
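The dashboard scenario above in Python, as an added example that is not part of these notes. The notes describe the token as encrypted; this example assumes an HMAC-signed, time-limited token instead, because a signature is what stops the client from altering its own claims, and it adds a revocation list for stolen tokens. The key, users, roles and resources are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed; in practice kept only on the server

# resource -> roles allowed to use it (constructed to match the dashboard example)
RESOURCE_ROLES = {"projects": {"staff", "manager"}, "hr": {"hr", "manager"}}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key: bytes, user: str, roles: list, now: int, ttl: int = 900) -> str:
    """Log in once, receive <base64 claims>.<base64 HMAC tag>, valid for ttl seconds."""
    claims = {"sub": user, "roles": sorted(roles), "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(8)}        # jti: unique id, so this token can be revoked
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

class TokenVerifier:
    """Server side: signature, expiry and revocation are checked on every request."""

    def __init__(self, key: bytes):
        self.key = key
        self.revoked = set()     # jti values of tokens reported stolen or logged out

    def verify(self, token: str, now: int):
        try:
            body, tag = token.split(".")
        except ValueError:
            return None, "malformed"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None, "bad signature"          # forged, or claims edited by the client
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return None, "expired"
        if claims["jti"] in self.revoked:
            return None, "revoked"
        return claims, "ok"

    def revoke(self, token: str) -> None:
        claims, _ = self.verify(token, now=0)     # now=0: revoke even if already expired
        if claims:
            self.revoked.add(claims["jti"])

    def authorize(self, token: str, resource: str, now: int) -> bool:
        """Project tools or HR portal: the token is checked, never the password again."""
        claims, status = self.verify(token, now)
        return status == "ok" and bool(set(claims["roles"]) & RESOURCE_ROLES.get(resource, set()))
```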
ACCESS CONTROL MODEL
►    An Access Control Model is a framework that defines how users are granted or
     restricted access to resources based on policies, rules, roles, or attributes. It ensures
     that only authorized users can perform specific actions on a system.
Access control models are used to:
1. Enhance Security – Prevent unauthorized access to sensitive data and systems.
2. Protect Confidentiality & Integrity – Ensure data is accessed only by authorized individuals.
3. Regulate User Permissions – Assign permissions based on roles, rules, or attributes.
4. Meet Compliance Requirements – Enforce security policies in organizations (e.g., GDPR, HIPAA).
5. Reduce Insider Threats – Limit access based on necessity (Principle of Least Privilege).
This is the access control process:
►   identifying a person doing a specific job
►   authenticating them by looking at their identification
►   granting a person only the key to the door or computer that they need access to, and nothing more
In information security, one would look at this as:
►   granting an individual permission to get onto a network via a username and password
►   allowing them access to files, computers, or other hardware or software they need
►   ensuring they have the right level of permission to do their job
So, how does one grant the right level of permission to an individual so that they can perform their duties? This is where access control models come into the picture.
The Types of Access Control Models
1. Mandatory Access Control (MAC)
2. Role-Based Access Control (RBAC)
3. Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
By implementing an RBAC model, security teams can ensure that all team members are restricted to predefined areas with little need for administrative monitoring. For example, management teams will be granted access to most entry points and databases, specialist workers will have access to relevant resources, and low-level employees will be restricted to communal areas and low-risk environments.
This means a member of the IT department can use their credentials to access communal areas and role-specific locations such as server rooms, while office staff may only be able to access the main entrance of the building, meeting rooms, and the office space itself. This system allows admins to manage the credentials of large workforces without individually assessing each staff member.
Advantages and Disadvantages
RBAC systems can provide:
►   Reliable security — With permissions granted on a need-to-know basis, admins can be assured that staff are only able to access locations and resources essential to their roles.
►   Simple management — Configuring and adjusting permissions can be reduced to a small number of roles, requiring fewer administrative resources to manage large workforces.
►   Easily issued credentials — When new employees are hired, or existing staff are promoted, relevant credentials can be issued immediately without needing to create new profiles.
►   Company-wide consistency — Organizations that operate across multiple sites can ensure that the same role carries identical permissions across the business.
Some potential drawbacks to the use of RBAC systems include:
►   Inflexibility — As role-based permissions are designed to address large numbers of staff with one policy, credentials cannot be customized to fit individual or dynamic use cases.
►   Requires organizational structure — For RBAC models to be effective, there must be a clearly defined hierarchy, which isn't always present in start-ups and scaling businesses.
Best practices
Before implementing a role-based access control model, organizations should consider:
•   Existing access profiles — Draw up a plan of all building access points and rank required
    security levels from lowest to highest. Compare this with a list of employees with access to
    high-security areas and ensure that all high-risk locations are linked to an authorized role.
•   Create access profiles — Identify which areas and permissions will be required for
    employees in each role to perform their duties.
•   Publish roles and permissions — Ensure that all employees understand issued permissions
    by publicly posting all policies.
•   Regularly review the system — Listen to feedback from staff and record any access issues
    that can be used to revise the RBAC model over time.
Mandatory Access Control (MAC)
Mandatory Access Control (MAC) enforces strict security policies in which access permissions are centrally controlled based on security classifications (e.g., Confidential, Secret, Top Secret). Users cannot change permissions, and access is granted based on predefined security labels.
MAC models rely heavily on administrators configuring access parameters based on predetermined rules and organizational roles. This provides more security, but it is often time-consuming to implement.
Examples of MAC
•   Military & Government Systems: Classified information is assigned labels like
    "Confidential" or "Top Secret," and users can only access data within their security
    clearance level.
•   SELinux (Security-Enhanced Linux): Uses MAC to enforce security policies, restricting
    processes based on predefined rules.
Advantages and Disadvantages
Pros:
✔ High security, prevents unauthorized access.
✔ Protects sensitive data from insider threats.
✔ Ensures strict regulatory compliance (e.g., government, healthcare).
Cons:
✖ Complex to implement and manage.
✖ Limited flexibility for users and administrators.
✖ Can slow down workflows due to strict security policies.
Best practices
✔ Classify Data Properly – Define security levels (e.g., Public,
Confidential, Restricted).
✔ Use Strong Authentication – Implement Multi-Factor Authentication
(MFA).
✔ Implement Least Privilege Principle – Grant only necessary access.
✔ Regularly Audit Access Logs – Monitor and review access to detect
anomalies.
✔ Train Employees on Security Policies – Educate users on MAC and its
importance.
Discretionary Access Control (DAC)
DAC models provide users with some individual control over their data, with staff able to
grant permissions at their own discretion. This makes DAC systems incredibly flexible and
scalable. However, as credentials can be shared freely amongst staff, DAC models are
known to present some exploitable security risks.
Examples:
•   Windows & Linux File Systems: Users can set read, write, or execute permissions for files
    and folders.
•   Database Management Systems (DBMS): A user with table ownership can grant
    SELECT, INSERT, or DELETE privileges to others.
Pros and Cons
Pros:
✔ Easy to implement and manage.
✔ Flexible access control for users.
✔ Suitable for non-restrictive environments.
Cons:
✖ Higher risk of unauthorized access.
✖ Prone to privilege escalation attacks.
✖ Hard to enforce strict security policies.
Best Practices
✔ Use Strong Authentication – Prevent unauthorized access.
✔ Implement Least Privilege Principle – Grant only necessary access.
✔ Monitor and Audit Access Logs – Detect and prevent misuse.
✔ Combine with Other Controls – Use Role-Based Access Control (RBAC) for additional security.
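The three models from the RBAC, MAC and DAC sections above as decision functions in Python, as an added example that is not part of these notes. The users, rooms, files, roles, clearances and labels are all constructed for the demo; the MAC rules assume the Bell-LaPadula confidentiality model (no read up, no write down), and the DAC part shows a delegate re-sharing a file, which is the sharing risk the DAC section describes.

```python
# ---------- RBAC: permissions hang off roles, users are assigned roles ----------
ROLE_PERMS = {   # constructed to mirror the building example in the RBAC section
    "office_staff": {"main_entrance", "meeting_rooms", "office_space"},
    "it": {"main_entrance", "meeting_rooms", "office_space", "server_room"},
    "management": {"main_entrance", "meeting_rooms", "office_space", "server_room", "finance_db"},
}
USER_ROLES = {"alice": {"it"}, "bob": {"office_staff"}, "carol": {"management"}}

def rbac_allows(user: str, resource: str) -> bool:
    """A user gets exactly the union of their roles' permissions; no role means no access."""
    return any(resource in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))

# ---------- MAC: labels are assigned centrally and compared; users cannot change them ----------
LEVELS = {"Public": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
CLEARANCE = {"alice": "Secret", "bob": "Confidential"}          # subject labels
LABEL = {"budget.xlsx": "Confidential", "plans.pdf": "Top Secret", "memo.txt": "Public"}

def mac_allows(user: str, obj: str, action: str) -> bool:
    """Bell-LaPadula: read only at or below your clearance, write only at or above it."""
    subject, target = LEVELS[CLEARANCE[user]], LEVELS[LABEL[obj]]
    if action == "read":
        return subject >= target        # no read up
    if action == "write":
        return subject <= target        # no write down (prevents leaking to a lower label)
    return False

# ---------- DAC: the owner decides, and may delegate that decision ----------
class DacFile:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}   # owner starts with everything

    def grant(self, granter: str, grantee: str, perms: set) -> bool:
        if "grant" not in self.acl.get(granter, set()):
            return False                # only the owner or someone given "grant" may share
        self.acl.setdefault(grantee, set()).update(perms)
        return True

    def allows(self, user: str, action: str) -> bool:
        return action in self.acl.get(user, set())
```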
Authentication Protocols: Kerberos, RADIUS, TACACS+
►   Network authentication protocols are methods used to verify the identity of the users or devices that want to access a particular network. These protocols make sure that only authorized users and devices are granted access, while unauthorized users are kept out.
►   Authentication protocols follow a procedure that involves the exchange of credentials or cryptographic keys between the client, which can be either a user or a device, and the authentication server. The main reason for using a network authentication protocol is to make sure that only authorized users are allowed to access the server.
Let's say there is only one administrator who wants to access multiple routers. If each router uses its own local database for login, the admin would need to manually create separate user accounts on each device. This is manageable if the username and password are the same everywhere, but if each device has a different username and password, it becomes a time-consuming and tedious task.
To solve this problem, we use an Access Control Server (ACS). This server
  provides a centralized system to manage all usernames and passwords in
  one place. So, instead of storing login info on every device, the devices
  contact the ACS for authentication.
There are two common protocols used by ACS and network devices (clients)
  for this:
• RADIUS
• TACACS+
These protocols help in centralized authentication, authorization, and
accounting of users across multiple devices.
AAA
Authentication
Authentication is used to validate user identity before allowing access to network resources. It occurs when a client passes the appropriate credentials to a security server for validation. This validation is based on verifying user credentials, which can be any of the following:
1. Something the user knows.
2. Something the user possesses.
3. Something the user is.
Authorization
Authorization provides the capability to enforce policies for network resources after the user has been successfully authenticated. In other words, authorization is used to determine the actions a user, group, system, or server is allowed to perform. Attribute-value (AV) pairs – which are described in the next section – that define user rights are associated with the user to determine that user's specific rights.
Accounting
Accounting provides the means to capture resource utilization by collecting and sending
information that can be used for billing, auditing, and reporting to the security server. This
information can include user identities (who logged in), session start and stop times, the
command(s) executed, and traffic information such as bytes or packets transmitted.
RADIUS Protocol
►   The working of the RADIUS protocol is simple. When a device wants to access the network, the network access server (which is the RADIUS client) sends an Access-Request message carrying the user's credentials to the ACS server, so that they can be matched against the stored credentials. If the credentials are valid, the server replies with an Access-Accept message; if they are invalid, the client receives an Access-Reject message.
Advantages of RADIUS Protocol
Now that we have understood the working of the RADIUS protocol, let's also understand its advantages:
•   It is an open standard, so it can be used with devices from other vendors as well.
•   This protocol has better accounting support than TACACS+.
•   The RADIUS protocol provides centralized authentication and authorization.
•   RADIUS provides flexible user management.
•   The RADIUS protocol is highly scalable, which means that it can support large networks with many devices and many users.
Disadvantages of RADIUS Protocol
Now that we have looked at the advantages of using the RADIUS protocol, let's also look at some of the disadvantages we may face if we use it:
•   The RADIUS protocol uses UDP, which makes it less reliable than TACACS+.
•   In this protocol, no explicit command authorization can be implemented.
•   The RADIUS protocol only encrypts the password, which means that it cannot protect other data such as the username.
•   This protocol is vulnerable to other types of attacks, such as spoofing and dictionary attacks.
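The Access-Request / Access-Accept exchange described above in Python, as an added example that is not part of these notes. It implements the RFC 2865 User-Password hiding (MD5 of the shared secret chained with the Request Authenticator) and the Response Authenticator the client uses to check that the reply came from a server holding the secret; the shared secret, user and password are constructed for the demo. It makes the last disadvantage concrete: the username attribute is readable in the packet, only the password is hidden.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3     # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                             # attribute types (RFC 2865)

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(password), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(password[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("BB", atype, len(value) + 2) + value      # type, length, value

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(pkt: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        attrs[atype] = pkt[i + 2:i + alen]
        i += alen
    return attrs

def access_request(user: bytes, password: bytes, secret: bytes, ident: int = 7):
    """NAS side: User-Password is hidden, User-Name travels in the clear."""
    request_auth = os.urandom(16)
    attrs = attribute(USER_NAME, user) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def server_handle(pkt: bytes, secret: bytes, users: dict) -> bytes:
    """ACS side: recover the password, compare it, answer Access-Accept or Access-Reject."""
    ident, request_auth, attrs = pkt[1], pkt[4:20], parse_attributes(pkt)
    password = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(users.get(attrs[USER_NAME], b""), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")

def client_check_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: a reply forged without the shared secret fails this check."""
    expected = response_authenticator(resp[0], resp[1], request_auth, resp[20:], secret)
    return hmac.compare_digest(resp[4:20], expected)
```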
TACACS+ Protocol
TACACS+ stands for Terminal Access Controller Access-Control System Plus. It is a protocol with similarities to the RADIUS protocol: it is a security protocol that is also used in the AAA framework, and it is used to provide centralized authorization to the various types of users who need to gain access to the network.
►   Cisco developed the protocol for the AAA framework, which means that it can be used between Cisco devices and the Cisco ACS server. This protocol uses TCP as its transport protocol, on TCP port 49.
Working of TACACS+ Protocol
The client of the TACACS+ protocol is called the network access device (NAD); it is also called the network access server (NAS). The network access device contacts the TACACS+ server in order to obtain a username prompt, and it does this using the CONTINUE message.
►   After this the user simply enters a username, and the network access device contacts the protocol server again in order to obtain the password prompt. The user then enters the password, and the password is sent to the protocol's server.
Advantages of TACACS+ Protocol
Now that we have understood the basics about this protocol, let’s look at some of the advantages
  that this protocol offers:
•   It provides better control than the RADIUS protocol because it allows the network administrator to easily define what commands a user can run.
•   The entire AAA packet is encrypted, not just the password.
•   TACACS+ uses a TCP connection instead of UDP, and TCP guarantees delivery of the communication between the client and the server.
Disadvantages of TACACS+ Protocol
•   As we discussed, it is Cisco proprietary, which means that it can only be used with Cisco devices.
•   This protocol has less support for accounting as compared to RADIUS.
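The TACACS+ packet format from the "Working" section above in Python, as an added example that is not part of these notes. It builds the 12-byte header and the body obfuscation of RFC 8907 (an MD5 pseudo-pad keyed on session id, shared key, version and sequence number, XORed over the whole body) around an authentication CONTINUE body carrying the username; the session id, key and username are constructed for the demo. Compared with RADIUS, nothing in the body, username included, is readable without the key.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 1                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag; clear means the body is obfuscated
VERSION = 0xC0                      # major version 0xC, minor version 0

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5(session_id + key + version + seq_no + previous digest), chained."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))      # XOR: the same call reverses it

def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """Header in the clear (version, type, seq_no, flags, session_id, length), body obfuscated."""
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)

def parse_packet(pkt: bytes, key: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    body = pkt[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq": seq_no, "session": session_id, "body": body}

def authen_continue_body(user_msg: bytes) -> bytes:
    """RFC 8907 5.3 CONTINUE body: user_msg_len, data_len, flags, then user_msg (the username here)."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def continue_user_msg(body: bytes) -> bytes:
    user_len = struct.unpack("!H", body[:2])[0]
    return body[5:5 + user_len]
```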
Kerberos
Kerberos is a network authentication protocol that uses secret-key
  cryptography to securely verify the identity of users and services in a
  network. It avoids sending passwords over the network.
►   It is widely used in Windows Active Directory and other enterprise
    environments.
Working
1. Login
•   The user logs in and sends a request to the Authentication Server (AS).
•   The AS verifies the user and sends back a Ticket Granting Ticket (TGT).
2. Request Service Ticket
•   The user sends the TGT to the Ticket Granting Server (TGS) and asks for access to a specific service.
3. Service Ticket Issued
•   The TGS checks the TGT and issues a Service Ticket.
4. Access Service
•   The user presents the Service Ticket to the Service Server (SS).
•   If valid, access is granted.
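The four steps above run end to end in Python, as an added example that is not part of these notes. It assumes a toy encrypt-then-MAC scheme (SHA-256 keystream plus HMAC tag) standing in for the AES encryption real Kerberos uses, a single object playing both AS and TGS, and a constructed realm, user, service and passwords. It shows what the notes state: the password never leaves the client, both sides derive the same long-term key from it, and tickets are time-limited with a 5-minute clock-skew tolerance.

```python
import hashlib
import hmac
import json
import os
REALM = "EXAMPLE.COM"   # constructed realm name
SKEW = 300              # maximum clock skew accepted, in seconds (Kerberos' usual 5 minutes)

def string2key(password: str) -> bytes:
    # Client and KDC both derive the long-term key; the password itself never goes on the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM.encode(), 50_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC (SHA-256 keystream + HMAC tag) standing in for Kerberos' AES modes."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def _check(ticket: dict, auth: dict, now: int) -> None:
    # The authenticator must name the ticket's client and be fresh; the ticket must be unexpired.
    if auth["client"] != ticket["client"] or abs(auth["time"] - now) > SKEW or now > ticket["exp"]:
        raise ValueError("ticket or authenticator rejected")

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one object."""
    def __init__(self):
        self.keys = {}                      # principal name -> long-term key
        self.tgs_key = os.urandom(32)       # key under which TGTs are sealed

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = string2key(password)

    def as_exchange(self, user: str, now: int):
        # AS-REQ carries only the name; AS-REP = {session key} under the user's key, plus the TGT.
        session = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": user, "key": session.hex(), "exp": now + 8 * 3600})
        return seal(self.keys[user], {"key": session.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        t = unseal(self.tgs_key, tgt)
        skey = bytes.fromhex(t["key"])
        _check(t, unseal(skey, authenticator), now)
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service],
                      {"client": t["client"], "key": svc_session.hex(), "exp": now + 3600})
        return seal(skey, {"key": svc_session.hex()}), ticket

def client_login(kdc: KDC, user: str, password: str, service: str, now: int):
    """Steps 1 to 3 from the client's side; returns the service ticket and a fresh authenticator."""
    enc, tgt = kdc.as_exchange(user, now)
    skey = bytes.fromhex(unseal(string2key(password), enc)["key"])    # wrong password: ValueError
    enc2, ticket = kdc.tgs_exchange(tgt, seal(skey, {"client": user, "time": now}), service, now)
    svc_key = bytes.fromhex(unseal(skey, enc2)["key"])
    return ticket, seal(svc_key, {"client": user, "time": now})        # handed to the service

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """Step 4: the Service Server opens the ticket with its own key and checks the authenticator."""
    t = unseal(service_key, ticket)
    _check(t, unseal(bytes.fromhex(t["key"]), authenticator), now)
    return t["client"]
```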
Advantages of Kerberos
•   No password sent over network – reduces the risk of password theft.
•   Single Sign-On (SSO) – login once to access multiple services.
•   Strong security – based on symmetric encryption and time-based tickets.
•   Mutual authentication – both user and server verify each other.
Disadvantages of Kerberos
•   Complex setup – requires careful configuration of time, encryption keys, and
    tickets.
•   Time-sensitive – all devices must be time-synchronized (clock skew can cause
    failures).
•   Single point of failure – if the Key Distribution Center (KDC) is down, authentication
    fails.
•   Initial trust required – users and services must initially trust the KDC.