
CompTIA Security+ Certification Study Guide

Key concepts, definitions, and exam tips organized by topic.


# Identity & Access Management – CompTIA Security+ Study Guide

## Overview

Identity and Access Management (IAM) is a foundational domain of the CompTIA Security+ exam covering how organizations verify who users are, control what they can access, and manage credentials and privileges. This guide covers authentication factors, access control models, identity management, federation protocols, and account security practices. Mastery of these concepts is essential for both the exam and real-world security operations.


---


## Authentication Concepts

### Summary

Authentication is the process of proving an identity is valid. It builds upon identification and relies on one or more factors of proof. Biometric systems introduce statistical error rates that measure accuracy, and modern authentication technologies like passkeys and OTPs have evolved to reduce reliance on static passwords.


### The Three Factors of Authentication

| Factor | Category | Examples |
|--------|----------|---------|
| Something you know | Knowledge | Password, PIN, security question |
| Something you have | Possession | Smart card, hardware token, phone |
| Something you are | Inherence | Fingerprint, retina scan, facial recognition |

> Multi-Factor Authentication (MFA) requires at least two different factor types. Using two passwords is NOT MFA — it is two-step verification within the same factor.


### Identification vs. Authentication

- Identification — Claiming an identity (e.g., typing a username)
- Authentication — Proving that claimed identity is valid (e.g., entering the correct password)
- Authorization — Determining what the authenticated user is permitted to do

> Think: Identify → Authenticate → Authorize (IAA flow)


### Biometric Error Rates

| Term | Definition | Security Implication |
|------|-----------|---------------------|
| False Acceptance Rate (FAR) | Rate at which an unauthorized user is incorrectly accepted | Lower FAR = more secure against impostors |
| False Rejection Rate (FRR) | Rate at which an authorized user is incorrectly rejected | Lower FRR = more convenient for legitimate users |
| Crossover Error Rate (CER) | Point where FAR = FRR | Lower CER = more accurate system overall |

> There is an inherent trade-off: tightening a biometric system to lower FAR will raise FRR, and vice versa. CER is the equalizing benchmark.
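The FAR/FRR trade-off can be computed directly from matcher scores. The following Python block is an added example, not part of the original guide: it uses a constructed set of similarity scores from a hypothetical biometric matcher, computes FAR and FRR for any acceptance threshold, sweeps the threshold to locate the crossover point, and tabulates how raising the threshold lowers FAR while raising FRR.

```python
"""FAR, FRR and CER from matcher scores (added example with constructed data)."""

# Constructed similarity scores (0-100) from a hypothetical biometric matcher;
# higher means a closer match to the enrolled template.
GENUINE_SCORES = [88, 91, 76, 95, 83, 69, 90, 85, 72, 94]   # authorized users
IMPOSTOR_SCORES = [41, 55, 63, 38, 71, 49, 58, 66, 44, 77]  # unauthorized users


def far(threshold, impostor_scores=IMPOSTOR_SCORES):
    """False Acceptance Rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(threshold, genuine_scores=GENUINE_SCORES):
    """False Rejection Rate: fraction of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def crossover_error_rate(thresholds=range(0, 101)):
    """Sweep thresholds and return (threshold, CER) at the point where FAR and FRR
    are closest; CER is reported as their mean at that threshold."""
    best_t, best_gap = None, None
    for t in thresholds:
        gap = abs(far(t) - frr(t))
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t, (far(best_t) + frr(best_t)) / 2


def tradeoff_table(thresholds=(50, 60, 70, 72, 80, 90)):
    """Tightening the threshold lowers FAR but raises FRR; loosening it does the reverse."""
    return [(t, far(t), frr(t)) for t in thresholds]


if __name__ == "__main__":
    for t, a, r in tradeoff_table():
        print(f"threshold={t:3d}  FAR={a:.1f}  FRR={r:.1f}")
    print("CER at threshold %d: %.2f" % crossover_error_rate())
```

With these constructed scores the two curves cross at threshold 72 (CER 0.1); at threshold 90 no impostor is accepted but 60% of genuine users are rejected, which is the trade-off the table describes.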


### One-Time Password (OTP) Types

| Type | Basis | Validity |
|------|-------|---------|
| TOTP (Time-based OTP) | Current time + shared secret | Expires after a short window (e.g., 30 seconds) |
| HOTP (HMAC-based OTP) | Counter + shared secret | Valid until it is used (counter increments on use) |


### Modern Authentication Methods

- Passkey (FIDO2/WebAuthn) — Uses public-key cryptography; the private key never leaves the user's device. Resistant to phishing and eliminates password reuse risks.
- Knowledge-Based Authentication (KBA) — Uses personal security questions. Primary weakness: answers are often discoverable via social media or social engineering.

### Key Terms

- MFA – Multi-Factor Authentication
- FIDO2 – Fast IDentity Online standard underpinning passkeys
- TOTP / HOTP – Time-based / HMAC-based One-Time Passwords
- KBA – Knowledge-Based Authentication
- FAR / FRR / CER – Biometric error rate metrics

### ⚠️ Watch Out For

- Using two knowledge factors (e.g., password + PIN) is not MFA — it's single-factor authentication with two inputs
- CER does not mean a system with equal errors is good — a lower CER number is always better
- TOTP codes expire by time; HOTP codes expire by use, not time — don't confuse them on scenario questions

---


## Access Control Models

### Summary

    Access control models define the rules by which subjects (users) are granted access to objects (resources). Each model has different administrative characteristics, flexibility, and appropriate use cases. The Security+ exam frequently tests your ability to identify the correct model from a scenario.


### The Four Core Models

| Model | Who Controls Access | Key Characteristic |
|-------|--------------------|--------------------|
| MAC (Mandatory Access Control) | OS / Security Admin | Labels & clearance levels; users cannot override |
| DAC (Discretionary Access Control) | Resource Owner | Owner decides permissions; flexible but risky |
| RBAC (Role-Based Access Control) | Admin assigns roles | Permissions tied to job roles, not individuals |
| ABAC (Attribute-Based Access Control) | Policy engine | Access based on multiple attributes (user, resource, environment) |


### Model Deep Dives

#### Mandatory Access Control (MAC)

- Access decisions enforced by the OS or security policy
- Uses security labels (e.g., Top Secret, Secret, Unclassified) and clearance levels
- Users and resource owners cannot override the system policy
- Common in government and military environments

#### Discretionary Access Control (DAC)

- The resource owner decides who gets access and what permissions they receive
- Flexible and easy to manage, but relies on users making good security decisions
- Most common in standard operating systems (Windows NTFS permissions)

#### Role-Based Access Control (RBAC)

- Permissions are assigned to roles (e.g., HR Manager, Network Admin)
- Users inherit permissions by being assigned to a role
- Greatly simplifies administration in large organizations
- Does not consider context (time of day, location, device type)

#### Attribute-Based Access Control (ABAC)

- Access granted based on a combination of attributes: user department, resource classification, time of day, location, device posture
- More granular and context-aware than RBAC
- More complex to configure and administer
- Common in cloud environments and zero trust architectures
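To make the RBAC vs. ABAC distinction concrete, the following Python block is an added example, not from the original guide: a toy policy engine that evaluates the same request under a role-to-permission map (RBAC) and under a rule that also checks department, resource classification, time of day, location and device posture (ABAC). The roles, attribute names, rules and sample users are constructed for illustration.

```python
"""RBAC vs. ABAC decisions on the same request (added example, constructed policy)."""
from datetime import time

# --- RBAC: permissions attach to roles; a user inherits them through role membership.
ROLE_PERMISSIONS = {
    "hr_manager": {"payroll:read", "payroll:write"},
    "network_admin": {"firewall:configure"},
    "employee": {"intranet:read"},
}


def rbac_allows(roles, permission):
    """RBAC asks one question: does any of the user's roles carry this permission?
    Time, location and device are invisible to it."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# --- ABAC: each rule combines subject, resource, action and environment attributes.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def rule_payroll_access(subject, resource, action, env):
    return (
        resource["type"] == "payroll"
        and action in ("read", "write")
        and subject["department"] == "HR"
        and resource["classification"] in subject["clearances"]
        and BUSINESS_HOURS[0] <= env["time"] < BUSINESS_HOURS[1]
        and env["location"] == "corporate_network"
        and env["device_compliant"]
    )


def rule_intranet_read(subject, resource, action, env):
    return resource["type"] == "intranet" and action == "read" and env["device_compliant"]


ABAC_RULES = [rule_payroll_access, rule_intranet_read]


def abac_allows(subject, resource, action, env):
    """Deny by default; any matching rule permits."""
    return any(rule(subject, resource, action, env) for rule in ABAC_RULES)


def compare(subject, resource, action, env):
    """Evaluate one request under both models; returns (rbac_decision, abac_decision)."""
    permission = f"{resource['type']}:{action}"
    return rbac_allows(subject["roles"], permission), abac_allows(subject, resource, action, env)


# Constructed subjects, resource and environments
ALICE = {"roles": ["hr_manager", "employee"], "department": "HR",
         "clearances": {"internal", "confidential"}}
BOB = {"roles": ["employee"], "department": "Engineering", "clearances": {"internal"}}
PAYROLL = {"type": "payroll", "classification": "confidential"}
OFFICE_DAYTIME = {"time": time(10, 30), "location": "corporate_network", "device_compliant": True}
CAFE_NIGHT = {"time": time(23, 15), "location": "public_wifi", "device_compliant": False}

if __name__ == "__main__":
    print("Alice, office, daytime:", compare(ALICE, PAYROLL, "read", OFFICE_DAYTIME))
    print("Alice, cafe, 23:15    :", compare(ALICE, PAYROLL, "read", CAFE_NIGHT))
    print("Bob, office, daytime  :", compare(BOB, PAYROLL, "read", OFFICE_DAYTIME))
```

The second request is the exam-style scenario: Alice holds the right role, so RBAC permits, but ABAC denies because the time, network and device posture attributes fail the rule.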

### Supporting Principles

#### Principle of Least Privilege

> Users should be granted only the minimum access required to perform their job functions.

- Limits blast radius of compromised accounts
- Limits damage from insider threats and accidents

#### Privilege Creep

- Definition: A user accumulates access rights over time beyond what their current role requires, often after role changes or transfers
- Remediation: Periodic access reviews and recertification campaigns where managers validate current access is still appropriate

### Key Terms

- MAC – Mandatory Access Control
- DAC – Discretionary Access Control
- RBAC – Role-Based Access Control
- ABAC – Attribute-Based Access Control
- Least Privilege – Minimum necessary access principle
- Privilege Creep – Accumulation of excess permissions over time
- Access Recertification – Periodic review to validate and revoke unneeded access

### ⚠️ Watch Out For

- MAC is the most restrictive model — even the resource owner cannot override it
- RBAC vs. ABAC: If a scenario involves time-of-day, location, or device type as access criteria, it is ABAC, not RBAC
- DAC is the most common in everyday OS environments but is the least secure model
- Privilege creep is a process failure, not a technical attack — it requires a process solution (recertification)

---


## Identity Management

### Summary

    Identity management encompasses the tools, processes, and policies used to create, maintain, and retire digital identities across an organization. This includes directory services, account types, onboarding procedures, and the specialized management of privileged accounts.


### Directory Services

- Directory Service (e.g., Microsoft Active Directory) — Stores and manages identity objects (users, groups, computers, devices)
- Provides centralized authentication and authorization for network resources
- Enables administrators to apply policies uniformly across the organization
- Uses LDAP (Lightweight Directory Access Protocol) for querying and modifying directory entries

### Account Types

| Account Type | Description | Key Consideration |
|-------------|-------------|-------------------|
| User Account | Assigned to a human; used for interactive login | Subject to password policies and MFA |
| Service Account | Non-interactive; used by applications/services | Should have limited privileges; often targeted by attackers |
| Administrator/Root | Elevated privileges for system management | Should be used only when necessary |
| Guest Account | Limited access for temporary users | Should be disabled when not needed |


### Identity Proofing

- Definition: Verifying a person is who they claim to be before issuing credentials
- Used during onboarding and account recovery
- Establishes initial trust in the identity lifecycle
- May involve government ID verification, in-person appearance, or video call verification

### Privileged Account Security

#### Privileged Access Workstation (PAW)

- A dedicated, hardened workstation used exclusively for administrative tasks
- Isolated from general internet browsing, email, and standard user activity
- Reduces risk of credential theft through drive-by downloads or phishing on admin accounts

#### Privileged Access Management (PAM)

- A system that controls, monitors, and audits privileged account usage
- Key feature: Credential Vaulting — stores and automatically rotates privileged passwords so administrators request access without knowing the password directly
- Provides session recording and just-in-time access capabilities
- Creates a complete audit trail of all privileged activity

### Key Terms

- Active Directory (AD) – Microsoft's directory service
- LDAP – Lightweight Directory Access Protocol
- Service Account – Non-human account used by applications
- Identity Proofing – Pre-issuance identity verification
- PAW – Privileged Access Workstation
- PAM – Privileged Access Management
- Credential Vaulting – Secure storage and rotation of privileged passwords

### ⚠️ Watch Out For

- Service accounts are a major attack target because they often have elevated privileges and weak or non-rotating passwords — PAM solutions specifically address this
- A PAW is about physical/logical isolation of admin tasks, not just using a VPN
- Identity proofing is a separate step from authentication — it happens before credentials are issued, not during login

---


## Federation & Single Sign-On (SSO)

### Summary

    Federation and SSO allow users to authenticate once and access multiple systems or partner organizations without re-authenticating. This section covers the major protocols — SAML, OAuth 2.0, OIDC, and Kerberos — and associated attack techniques. Understanding which protocol does what is critical for the exam.


### Federated Identity Management

- Allows users to authenticate with their home organization (IdP) and access partner organization resources (SP) without re-authenticating
- Based on trusted relationships and shared identity standards
- Eliminates the need for separate accounts at every partner organization

### Key Roles in Federation

| Role | Full Name | Function |
|------|-----------|---------|
| IdP | Identity Provider | Authenticates the user; issues security assertions/tokens |
| SP | Service Provider | Trusts the IdP assertion; grants access to its resources |


### Protocol Comparison

| Protocol | Purpose | Format/Transport | Key Notes |
|----------|---------|-----------------|-----------|
| SAML 2.0 | Authentication & Authorization | XML assertions over HTTP redirects | Common for enterprise/web SSO; IdP-to-SP federation |
| OAuth 2.0 | Authorization (delegated access) | JSON tokens over HTTPS | Allows apps to access resources on behalf of a user; does NOT authenticate |
| OIDC | Authentication (built on OAuth 2.0) | JWT (ID Token) | Adds identity layer to OAuth 2.0; provides user claims |
| Kerberos | Network Authentication | Symmetric-key tickets | Used in Windows AD environments; KDC issues TGTs |


### SAML Deep Dive

- SAML = Security Assertion Markup Language
- Exchanges data as XML-formatted assertions
- Typical flow: User → SP → Redirect to IdP → Authenticate → Assertion returned to SP → Access granted
- Primary use case: Enterprise SSO between web applications

### OAuth 2.0 vs. OpenID Connect (OIDC)

- OAuth 2.0 answers: "What can this app access?" (Authorization)
  - Issues an access token to access resources
  - Does NOT verify who the user is
- OIDC answers: "Who is this user?" (Authentication)
  - Adds an ID token (JWT) on top of OAuth 2.0
  - Contains user identity claims (name, email, etc.)

> Memory aid: OAuth = Access (car keys); OIDC = Identity (driver's license)


### Kerberos

- A network authentication protocol using symmetric key cryptography and tickets
- The default authentication protocol in Windows Active Directory environments
- Key components:
  - KDC (Key Distribution Center) — Central authentication server
  - AS (Authentication Server) — Issues the TGT (Ticket Granting Ticket) after initial login
  - TGS (Ticket Granting Service) — Issues service tickets using the TGT
  - Service Ticket — Presented to a specific resource server for access

#### Kerberos Authentication Flow

```
User → AS: Request TGT (with credentials)
AS → User: Issues TGT (encrypted)
User → TGS: Request Service Ticket (using TGT)
TGS → User: Issues Service Ticket
User → Resource: Presents Service Ticket → Access Granted
```


### Kerberoasting Attack

- Definition: An attacker with valid domain credentials requests Kerberos service tickets for accounts with SPNs (Service Principal Names)
- The encrypted ticket can be taken offline and cracked to recover the plaintext service account password
- Targets: Service accounts with weak passwords and registered SPNs
- Defenses: Use strong, long passwords for service accounts; use Managed Service Accounts (MSA); monitor for unusual TGS requests
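The "monitor for unusual TGS requests" defense can be made concrete. The following Python block is an added example, not part of the original guide: it runs over a constructed set of simplified records modelled loosely on Windows event 4769 ("A Kerberos service ticket was requested") and flags any account that requests tickets for many distinct services within a short window, the pattern that bulk ticket collection leaves behind, plus a second check for tickets requested with the legacy RC4 encryption type (0x17), which stands out in a domain where AES is the norm. The field names, account names, services and timestamps are my own simplification and are constructed for illustration.

```python
"""Flag burst service-ticket requests in constructed TGS events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified records modelled loosely on Windows event 4769; real
# events carry many more fields. etype 0x17 is RC4-HMAC, 0x12 is AES256-CTS.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01", "account": "jdoe", "service": "sql_svc", "etype": 0x17},
    {"time": "2024-03-01T09:00:03", "account": "jdoe", "service": "http_svc", "etype": 0x17},
    {"time": "2024-03-01T09:00:04", "account": "jdoe", "service": "backup_svc", "etype": 0x17},
    {"time": "2024-03-01T09:00:06", "account": "jdoe", "service": "sharepoint_svc", "etype": 0x17},
    {"time": "2024-03-01T09:00:08", "account": "jdoe", "service": "exchange_svc", "etype": 0x17},
    {"time": "2024-03-01T09:00:09", "account": "jdoe", "service": "ci_svc", "etype": 0x17},
    {"time": "2024-03-01T08:15:00", "account": "backup_job", "service": "sql_svc", "etype": 0x12},
    {"time": "2024-03-01T09:20:00", "account": "backup_job", "service": "backup_svc", "etype": 0x12},
    {"time": "2024-03-01T09:30:00", "account": "msmith", "service": "http_svc", "etype": 0x12},
]


def detect_ticket_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Return {account: services} for accounts that requested service tickets for
    at least `threshold` distinct services inside any `window`-long span.
    Normal users touch a handful of services over a day, not dozens in seconds."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = {}
    for account, requests in by_account.items():
        requests.sort()  # by timestamp
        for i, (start, _) in enumerate(requests):
            services = {svc for t, svc in requests[i:] if t - start <= window}
            if len(services) >= threshold:
                flagged[account] = flagged.get(account, set()) | services
    return flagged


def rc4_ticket_requesters(events):
    """Accounts that requested RC4 (etype 0x17) service tickets; in an AES-only
    domain this is worth a look on its own, and combined with a burst it is a
    strong signal."""
    return {e["account"] for e in events if e["etype"] == 0x17}


if __name__ == "__main__":
    for account, services in detect_ticket_bursts(SAMPLE_EVENTS).items():
        print(f"burst: {account} requested {len(services)} services: {sorted(services)}")
    print("RC4 requesters:", rc4_ticket_requesters(SAMPLE_EVENTS))
```

The thresholds are starting points to tune against a baseline of your own domain; scheduled jobs that legitimately talk to many services should be allow-listed rather than used to raise the threshold for everyone.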

### Key Terms

- SSO – Single Sign-On
- IdP – Identity Provider
- SP – Service Provider
- SAML – Security Assertion Markup Language
- OAuth 2.0 – Authorization framework (delegated access)
- OIDC – OpenID Connect (authentication layer on OAuth 2.0)
- JWT – JSON Web Token (used by OIDC)
- Kerberos – Ticket-based network authentication protocol
- KDC – Key Distribution Center
- TGT – Ticket Granting Ticket
- SPN – Service Principal Name
- Kerberoasting – Offline cracking attack against Kerberos service tickets

### ⚠️ Watch Out For

- OAuth 2.0 is NOT an authentication protocol — it is authorization only. If a question asks about authenticating users across systems, the answer is OIDC or SAML, not OAuth 2.0
- SAML uses XML; OIDC uses JWT — the format matters for exam questions
- In Kerberos, the AS issues the TGT, not the TGS — these two components are different parts of the KDC
- Kerberoasting does not require elevated privileges to execute — any valid domain account can request service tickets

---


## Account & Credential Management

### Summary

    Proper account and credential management policies are the operational backbone of IAM. This section covers the policies and tools used to protect credentials, prevent unauthorized access, and maintain the integrity of the account lifecycle.


### Authentication vs. Authorization (Revisited)

| Concept | Question Answered | Example |
|---------|------------------|---------|
| Authentication | Who are you? | Logging in with username + password + MFA |
| Authorization | What can you do? | Reading files but not deleting them |

> These two concepts are frequently tested together. Authentication always precedes authorization.


### Account Lockout Policies

- Purpose: Automatically disable an account after a specified number of failed login attempts
- Protects against: Brute-force attacks and password-spraying attacks
- Key settings:
  - Lockout threshold — Number of failed attempts before lockout (e.g., 5)
  - Lockout duration — How long the account remains locked
  - Observation window — Time period during which failed attempts are counted


### Password Attack Comparison

| Attack Type | Method | Target | Avoids Lockout? |
|------------|--------|--------|----------------|
| Brute Force | Tries many passwords against one account | Single account | No — triggers lockout |
| Password Spraying | Tries a few common passwords against many accounts | Many accounts | Yes — stays below lockout threshold per account |
| Credential Stuffing | Uses breached username/password pairs | Multiple accounts | Depends on
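The three lockout settings and the brute-force vs. spraying row of the table can be seen working together. The following Python block is an added example, not from the original guide: it implements a lockout policy with a threshold, duration and observation window, replays a constructed brute-force run (many guesses at one account) and a constructed spray (one guess at forty accounts) against it, and then adds the per-source detection that catches a spray precisely because the lockout does not. The credential store, account names, source addresses and guesses are all constructed.

```python
"""Account lockout policy simulation plus password-spray detection (added example)."""
from collections import defaultdict, deque
import hmac

# Constructed credential store. Plaintext only to keep the example short;
# real systems store salted password hashes.
USERS = {f"user{i:02d}": f"Pw-{i:02d}-secret" for i in range(40)}
USERS["alice"] = "correct horse battery staple"


class LockoutPolicy:
    """Lock an account after `threshold` failures within `observation_window`
    seconds, for `duration` seconds. Times are plain Unix-style seconds."""

    def __init__(self, threshold=5, duration=900, observation_window=900):
        self.threshold = threshold
        self.duration = duration
        self.observation_window = observation_window
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires
        self.audit = []                     # (time, source, account, outcome)

    def attempt(self, account, password, source, now):
        if self.locked_until.get(account, 0) > now:
            outcome = "locked"              # refused without checking the password
        elif account in USERS and hmac.compare_digest(USERS[account], password):
            self.failures.pop(account, None)
            outcome = "success"
        else:
            recent = self.failures[account]
            recent.append(now)
            while recent and now - recent[0] > self.observation_window:
                recent.popleft()            # forget failures outside the window
            if len(recent) >= self.threshold:
                self.locked_until[account] = now + self.duration
                recent.clear()
            outcome = "failed"
        self.audit.append((now, source, account, outcome))
        return outcome


def brute_force(policy, source="10.0.0.5"):
    """Many guesses against one account: the threshold trips on the 5th failure and
    even the correct password is refused while the lock is active."""
    guesses = [f"guess{i}" for i in range(8)] + ["correct horse battery staple"]
    return [policy.attempt("alice", pw, source, now=i) for i, pw in enumerate(guesses)]


def password_spray(policy, source="10.0.0.6"):
    """One common guess against every account: each account sees a single failure,
    so no lockout fires anywhere."""
    return [policy.attempt(user, "Winter2024!", source, now=100 + i)
            for i, user in enumerate(sorted(USERS))]


def spray_alert(audit, window=600, min_accounts=10):
    """What lockout alone cannot see: sources whose failed attempts touch at least
    `min_accounts` distinct accounts within `window` seconds."""
    by_source = defaultdict(list)
    for t, source, account, outcome in audit:
        if outcome != "success":
            by_source[source].append((t, account))
    alerts = set()
    for source, events in by_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {acct for t, acct in events[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                alerts.add(source)
                break
    return alerts


if __name__ == "__main__":
    policy = LockoutPolicy()
    print("brute force:", brute_force(policy))
    spray = password_spray(policy)
    print(f"spray: {spray.count('failed')} failed, locked accounts: {sorted(policy.locked_until)}")
    print("spray alert for sources:", spray_alert(policy.audit))
```

Note the side effect the lockout itself creates: once alice is locked, a single wrong guess from anyone keeps her locked out, which is why long lockout durations with low thresholds are a denial-of-service risk and why the spray detection keys on the source rather than on the account.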
