Authentication vs Authorization - Shon Harris book
In the AIO 6th edition of the Shon Harris book, page 203, the paragraph about Authorization seems to contain an error. The paragraph ends with "Access criteria are the crux of authentication"; shouldn't the word "authentication" actually be "authorization"? Or am I missing something here?
Comments
OfWolfAndMan Member Posts: 923
In the Infosec world, those words are two different things.
Authentication: Who are you, and how can you prove you're that person? (Username/Password, PKI, or other forms of authentication)
Authorization: What do you have access to as that user (i.e. customer = minimal rights, sys admin = access to remote desktop and remote server administration, network admin = access to network equipment, firewalls, load balancers)?
voodoo26 Member Posts: 56
Authentication is the validation of the identity that a user claims.
Authorization is the access rights and resources that a user is allowed to access and use.
TheFORCE Member Posts: 2,297
I understand what authorization and authentication are; my issue is with the sentence "Access criteria are the crux of authentication", where I think it should be "Access criteria are the crux of authorization" instead. Correct?
broli720 Member Posts: 394
I see where you may have issues with this. Definitely a tricky sentence.
aftereffector Member Posts: 525
I think you're right. Authorization makes more sense in that sentence.
TheFORCE Member Posts: 2,297
5502george wrote: »Access criteria can be used for both... So yes and no.
How can access criteria be used for both? In order to access something, you need to be authenticated first. Also, just because you are authenticated to something, that automatically does not give you authorization aka access permissions to every resource in a system. Besides that, the entire paragraph is about authorization but the last sentence ends with authentication. I believe that might be an error in the book.
Spin Lock Member Posts: 142
TheFORCE wrote: »"Access criteria are the crux of authentication" shouldn't the word "authentication" actually be "authorization"? Or am I missing something here?
No, you're not missing anything. I think you correctly caught a typo/error in AIO. Access criteria are exclusively related to authorization. I'm trying to think of a scenario where access criteria could be used during the authentication process, but I can't think of one, nor could I find any information that describes such a link.
Cyberscum Member Posts: 795
TheFORCE wrote: »How can access criteria be used for both? In order to access something, you need to be authenticated first. Also, just because you are authenticated to something, that automatically does not give you authorization aka access permissions to every resource in a system. Besides that, the entire paragraph is about authorization but the last sentence ends with authentication. I believe that might be an error in the book.
An NFC token can be used for access control and can also be used for authen.
Spin Lock Member Posts: 142
5502george wrote: »^Location is an access criterion and can also be used to authenticate.
Ah, yes. That makes sense. Thanks for pointing this out.
This is why I like folks posting technical questions on this forum - the discussions make you think in ways you might not have otherwise considered.
5502george Member Posts: 264
Spin Lock wrote: »Ah, yes. That makes sense. Thanks for pointing this out. This is why I like folks posting technical questions on this forum - the discussions make you think in ways you might not have otherwise considered.
I agree, but I think people studying for the test might get confused reading contradictory info. But there are always some interesting perspectives out there.
theFORCE: For the test the lines are very defined. In real life, and basically anything in IT, the lines are always blurred at best.
TheFORCE Member Posts: 2,297
Cyberscum wrote: »An NFC token can be used for access control and can also be used for authen.
Cyberscum Member Posts: 795
^^Here is something you can read, and a "real world example" of how to implement BOTH authorization and authentication with one access criterion.
http://www.atgi.com/dist/Implementing%20Smart%20Card%20Authentication%20and%20Authorization%20with%20ASP.NET.pdf
...As far as your comment, well... try learning about location-based authentication before saying it's not secure.
JDMurray Admin Posts: 13,101
Authentication is the verification of claimed identity factors, which are:
1. Something you know (e.g., password, PIN, pattern)
2. Something you have (e.g., badge, key, smartphone)
3. Something you are (e.g., biometrics)
4. Something you do (e.g., speaking, typing, handwriting, walking gait)
5. Someplace you are (e.g., logging in from a specific terminal or GPS coordinates)
Once the identification credentials are verified to be authentic, authorization assigns access privileges to the identity based on:
1. The user's preferences (Discretionary Access Control)
2. The administrator's preferences (Mandatory Access Control)
3. The user's group preferences (Role Based Access Control)
4. Other access control factors (e.g., time of day, physical location)
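The following is an added example, not code from the thread, the AIO book or any poster: a small Python service that keeps the two steps JDMurray describes separate. `authenticate` verifies a claimed identity using "something you know" (a salted PBKDF2 password hash) plus "someplace you are" (a trusted terminal), and `authorize` applies access criteria (role, time of day, network location) to the already-verified identity. It shows TheFORCE's point that a successful login does not by itself grant access to a resource, and 5502george's point that location can serve both as an authentication factor and as an access criterion. All user names, passwords, terminal names, roles and policy values are constructed sample data, and the `USERS`/`POLICY` tables are assumptions for the example.

```python
"""Added example, not code from the thread or the AIO book: a small service
that keeps authentication (verifying a claimed identity) separate from
authorization (applying access criteria to the verified identity).

Users, secrets, terminals, roles and policy values are all constructed
sample data for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset
    trusted_terminals: frozenset   # "someplace you are" authentication factor


def make_user(name: str, password: str, roles, terminals) -> User:
    salt = os.urandom(16)
    return User(name, salt, _hash_password(password, salt),
                frozenset(roles), frozenset(terminals))


# Constructed user directory (sample data only)
USERS = {
    "alice": make_user("alice", "correct horse battery staple",
                       {"sysadmin"}, {"admin-ws-01", "kiosk-7"}),
    "bob": make_user("bob", "hunter2", {"customer"}, {"kiosk-7"}),
}

# Constructed authorization policy: the access criteria for each resource
POLICY = {
    "remote_desktop": {
        "roles": {"sysadmin"},       # role-based criterion
        "hours": (8, 18),            # time-of-day criterion, 24h clock, [start, end)
        "locations": {"hq-lan"},     # network/physical location criterion
    },
    "own_account": {"roles": {"customer", "sysadmin"}, "hours": None, "locations": None},
}


def authenticate(username: str, password: str, terminal: str) -> Optional[User]:
    """Verify the claimed identity: something you know + someplace you are."""
    user = USERS.get(username)
    if user is None:
        _hash_password(password, b"\x00" * 16)  # equalise timing for unknown names
        return None
    if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        return None
    if terminal not in user.trusted_terminals:
        return None
    return user


def authorize(user: User, resource: str, hour: int, location: str) -> bool:
    """Apply the resource's access criteria to an already-authenticated user."""
    rule = POLICY.get(resource)
    if rule is None:
        return False                       # default deny for unknown resources
    if not (user.roles & rule["roles"]):
        return False
    if rule["hours"] is not None:
        start, end = rule["hours"]
        if not (start <= hour < end):
            return False
    if rule["locations"] is not None and location not in rule["locations"]:
        return False
    return True


def access(username, password, terminal, resource, hour, location) -> str:
    """Request path: authenticate first, then authorize. Returns the verdict."""
    user = authenticate(username, password, terminal)
    if user is None:
        return "unauthenticated"
    if not authorize(user, resource, hour, location):
        return "forbidden"
    return "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "admin-ws-01",
                 "remote_desktop", 10, "hq-lan"))                          # granted
    print(access("bob", "hunter2", "kiosk-7", "remote_desktop", 10, "hq-lan"))  # forbidden
```

Note that a failed location check in `authenticate` and a failed location check in `authorize` produce different verdicts: the first means the system could not confirm who is asking, the second means it knows who is asking and has decided that person may not have this resource under these conditions. Keeping the two outcomes distinct is what makes the book's access criteria a matter of authorization rather than authentication.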