Authentication vs Authorization - Shon Harris book
In the AIO 6th edition of the Shon Harris book, page 203, the paragraph about Authorization seems to contain an error. The paragraph ends with "Access criteria are the crux of authentication"; shouldn't the word "authentication" actually be "authorization"? Or am I missing something here?
Comments
Authentication: Who are you, and how can you prove you're that person? (Username/Password, PKI, or other forms of authentication)
Authorization: What do you have access to as that user (i.e. customer = minimal rights, sys admin = access to remote desktop and remote server administration, network admin = access to network equipment, firewalls, load balancers)?
Authorization is the access rights and resources that a user is allowed to access and use.
How can access criteria be used for both? In order to access something, you need to be authenticated first. Also, just because you are authenticated to something, that does not automatically give you authorization, aka access permissions, to every resource in a system. Besides that, the entire paragraph is about authorization, but the last sentence ends with authentication. I believe that might be an error in the book.
No, you're not missing anything. I think you correctly caught a typo/error in AIO. Access criteria are exclusively related to authorization. I'm trying to think of a scenario where access criteria could be used during the authentication process, but I can't think of one, nor could I find any information that describes such a link.
An NFC token can be used for access control and can also be used for authentication.
Ah, yes. That makes sense. Thanks for pointing this out.
This is why I like folks posting technical questions on this forum - the discussions make you think in ways you might not have otherwise considered.
I agree, but I think people studying for the test might get confused reading contradicting info. But there are always some interesting perspectives out there.
theFORCE: For the test the lines are very defined. In real life, and basically anything in IT, the lines are always blurred at best.
http://www.atgi.com/dist/Implementing%20Smart%20Card%20Authentication%20and%20Authorization%20with%20ASP.NET.pdf
...As far as your comment, well... try learning about location-based authentication before saying it's not secure.
1. Something you know (e.g., password, PIN, pattern)
2. Something you have (e.g., badge, key, smartphone)
3. Something you are (e.g., biometrics)
4. Something you do (e.g., speaking, typing, handwriting, walking gait)
5. Someplace you are (e.g., logging in from a specific terminal or GPS coordinates)
Once the identification credentials are verified to be authentic, authorization assigns access privileges to the identity based on:
1. The user's preferences (Discretionary Access Control)
2. The administrator's preferences (Mandatory Access Control)
3. The user's group preferences (Role Based Access Control)
4. Other access control factors (e.g., time of day, physical location)
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
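The two lists above (authentication factors, then the criteria authorization applies once identity is proven) map directly onto a two-step check. The following Python is an added example, not code from the book or from anyone in this thread: it keeps authenticate() (proves "something you know") entirely separate from authorize() (role-based permissions plus time-of-day and location criteria), so that a valid login by itself grants nothing. All users, passwords, roles, resources and rules are constructed for the illustration.

```python
"""Authentication (who are you?) kept separate from authorization
(what may you do?). Access criteria are evaluated only after identity
has been proven. Every user, password, role and rule below is constructed
sample data for this example."""
from __future__ import annotations
import hashlib
import hmac
import os
from datetime import time

# --- Authentication side: credential store --------------------------------
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, roles: set[str]) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}

USERS = {                                   # constructed accounts
    "alice": _make_user("customer-pass", {"customer"}),
    "bob":   _make_user("sysadmin-pass", {"sysadmin"}),
    "carol": _make_user("netadmin-pass", {"netadmin"}),
}

def authenticate(username: str, password: str) -> str | None:
    """Verifies 'something you know'. Returns the proven identity or None.
    Deliberately knows nothing about resources or permissions."""
    record = USERS.get(username)
    if record is None:
        # hash anyway so an unknown user takes as long as a wrong password
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return username

# --- Authorization side: access criteria ----------------------------------
# Role Based Access Control: role -> {resource: allowed actions}
ROLE_PERMISSIONS = {
    "customer": {"account": {"read"}},
    "sysadmin": {"remote_desktop": {"connect"}, "server": {"admin"}},
    "netadmin": {"firewall": {"read", "write"}, "load_balancer": {"read", "write"}},
}
# Other access control factors: time of day and physical location
WRITE_WINDOW = (time(8, 0), time(18, 0))    # config changes only in business hours
OFFICE_ONLY = {"remote_desktop"}             # must originate from an office terminal

def authorize(identity: str, resource: str, action: str,
              now: time, location: str) -> bool:
    """Decides whether an already-authenticated identity may perform
    `action` on `resource`. Being authenticated alone grants nothing."""
    record = USERS.get(identity)
    if record is None:
        return False
    role_allows = any(action in ROLE_PERMISSIONS.get(role, {}).get(resource, set())
                      for role in record["roles"])
    if not role_allows:
        return False
    if action == "write" and not (WRITE_WINDOW[0] <= now <= WRITE_WINDOW[1]):
        return False
    if resource in OFFICE_ONLY and location != "office":
        return False
    return True

def request(username: str, password: str, resource: str, action: str,
            now: time, location: str) -> str:
    """Full flow: authenticate first, then apply the access criteria."""
    identity = authenticate(username, password)
    if identity is None:
        return "denied: authentication failed"
    if not authorize(identity, resource, action, now, location):
        return "denied: not authorized"
    return "granted"

if __name__ == "__main__":
    print(request("alice", "customer-pass", "account", "read", time(10, 0), "home"))
    print(request("alice", "customer-pass", "firewall", "write", time(10, 0), "home"))
    print(request("carol", "netadmin-pass", "firewall", "write", time(22, 0), "office"))
    print(request("bob", "sysadmin-pass", "remote_desktop", "connect", time(10, 0), "home"))
```

The point of the split is visible in the last three calls: alice authenticates successfully but is still refused the firewall, carol holds the right role but is outside the write window, and bob has the right role but is not at an office terminal. The access criteria (role, time, place) never influence whether the password check passes; they only decide what the proven identity may do.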