1. AAA
    1. Authentication:
      1. The process that determines whether a principal (an entity to be authenticated) is a legitimate system user.
    2. Authorization:
      1. The process that determines what an authenticated principal is privileged to do on the network.
    3. Accounting:
      1. The process of monitoring and recording (logging) a principal's use of the network.
    4. AAA also refers to a family of three protocols that provide centralized authentication, authorization, and accounting for remote and network access (for example, VPN concentrators, switches, and wireless controllers):
      1. RADIUS
      2. Diameter
      3. TACACS+
  2. Authentication Models
    1. Identity Proofing
      1. A component of Identity Management (IdM), not a synonym for it: proofing establishes who a person is before a credential is issued to them.
      2. The processes used to establish the uniqueness and validity of an individual's identity, to facilitate the provision of an entitlement or service.
      3. This process may rely upon factors such as identity documents, biographic information, biometric information, and knowledge of personally relevant information or events.
    2. Factor-Based Authentication Methods
      1. Authentication by Knowledge:
        1. Something the user knows
        2. Examples
          1. Password
          2. PIN
          3. Security Question
        3. Associated with Knowledge Factor authentication methods.
        4. Considered the weakest (least secure) factor: a secret can be guessed, phished, or reused across systems.
      2. Authentication by Ownership:
        1. Something the user owns
        2. Examples
          1. Security Token
          2. Dongle
          3. Security Card
          4. RFID Chip
        3. Associated with Possession Factor authentication methods.
      3. Authentication by Characteristic:
        1. Something the user is or does
        2. Examples
          1. Retina Scan
          2. Fingerprint
          3. Voice
          4. Written Signature
          5. Keystroke Pattern
        3. Associated with Inherence Factor authentication methods.
      4. Multifactor Authentication (MFA):
        1. An authentication model that requires two or more independent factors to verify an identity.
        2. Multifactor authentication includes at least two of the following three factors:
          1. Knowledge Factor Authentication
          2. Possession Factor Authentication
          3. Inherence Factor Authentication
        3. Two methods from the same category (for example, a password plus a security question) are two-step but not multifactor, because a single attack such as phishing or guessing defeats both.
    3. Derived (Dependent) Authentication Methods
      1. Transaction Authentication:
        1. An authentication model that compares what is known about a user (usual locations, devices, and spending pattern) with the details of the current transaction and flags discrepancies that are unlikely to be legitimate.
        2. Signals that can trigger a challenge or a denial include:
          1. Unfamiliar IP Address
          2. Large Purchases
          3. Unfamiliar Purchase History
          4. Multiple Incorrect PIN Attempts
      2. Context-Based Authentication or Context-Aware Authentication:
        1. An authentication model that balances trust against risk: policies allow or deny access to applications based on contextual information such as user role, group membership, device in use, network location (source IP address), and geographic location.
        2. Context-based authentication dynamically adapts to context changes to:
          1. Restrict access to high-risk applications that contain sensitive data to known office locations or to specific IP addresses (in the case of remote users)
          2. Limit access to applications to approved or trusted devices
          3. Require users to authenticate using 2-factor authentication (2FA) to access certain applications
      3. Out-of-Band (OOB) Authentication:
        1. An authentication model that requires a second, independent channel to confirm an authentication or a transaction.
        2. For example, a large money transfer generates a phone call, text message, email, or app notification that must be confirmed within a set time window; otherwise the transaction is denied and all current sessions are logged out.
        3. Not the same as mutual authentication, in which both parties prove their identity to each other (for example, client and server certificates in mutual TLS).
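Worked example for the transaction and context-based models above: a small policy engine that takes the request context (group membership, source address, device trust, country) and returns allow, deny, or a step-up to 2FA, plus a transaction-risk scorer that turns the listed signals (unfamiliar IP, large purchase, repeated PIN failures) into the same three outcomes. This is an added example and not code from the original notes; the office networks, application-to-group mapping, risk weights, and thresholds are constructed assumptions that a real deployment would load from its policy store.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Context:
    user: str
    groups: set
    source_ip: str
    device_trusted: bool
    country: str
    failed_pin_attempts: int = 0
    amount: float = 0.0          # transaction value, used by the transaction-risk check


# Constructed policy data (assumptions for the example).
OFFICE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
KNOWN_COUNTRIES = {"US", "DE"}
HIGH_RISK_APPS = {"payroll", "hr-records"}
APP_GROUPS = {"payroll": {"finance"}, "hr-records": {"hr"}, "wiki": {"staff", "finance", "hr"}}


def in_office(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def decide_access(ctx: Context, app: str) -> str:
    """Context-aware decision: 'allow', 'deny', or 'step-up' (require 2FA)."""
    if not ctx.groups & APP_GROUPS.get(app, set()):
        return "deny"                 # role/group membership is the first gate
    if app in HIGH_RISK_APPS:
        if not ctx.device_trusted:
            return "deny"             # sensitive data only from approved devices
        if not in_office(ctx.source_ip):
            return "step-up"          # remote access to sensitive apps requires 2FA
    if ctx.country not in KNOWN_COUNTRIES:
        return "step-up"              # unusual geography: challenge rather than block
    return "allow"


def transaction_risk(ctx: Context, known_ips: set, typical_amount: float) -> str:
    """Transaction authentication: score anomalies against the user's known profile."""
    score = 0
    if ctx.source_ip not in known_ips:
        score += 2                    # unfamiliar IP address
    if ctx.amount > 5 * typical_amount:
        score += 2                    # large purchase relative to history
    if ctx.failed_pin_attempts >= 3:
        score += 3                    # multiple incorrect PIN attempts
    if score >= 4:
        return "deny"
    if score >= 2:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    # Constructed requests: same user from the office and from a remote address.
    office = Context("alice", {"finance", "staff"}, "10.1.2.3", True, "US")
    remote = Context("alice", {"finance", "staff"}, "198.51.100.7", True, "US")
    print(decide_access(office, "payroll"), decide_access(remote, "payroll"))   # allow step-up
    purchase = Context("alice", set(), "192.0.2.9", True, "US", amount=9000.0)
    print(transaction_risk(purchase, {"10.1.2.3"}, 100.0))                       # deny
```

The ordering of the checks matters: authorization (group membership) is evaluated first so that a step-up challenge is never offered to a user who would be denied anyway, and the riskiest conditions on sensitive applications return a hard deny rather than a challenge.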
    4. SSO
      1. Single Sign-On (SSO):
        1. An authentication method in which a user authenticates once to an authentication server, also called an SSO server.
        2. The SSO server provides proof of authentication, which can be used to access other systems within the organization without the need to authenticate again.
        3. Kerberos is a protocol used to implement SSO; it uses a ticket to carry the proof of authentication.
      2. Federated SSO:
        1. Extends the concept of SSO to multiple organizations.
        2. A user can authenticate with an SSO server within one organization, and the proof of authentication will be valid to authenticate on a system within a different organization.
        3. Security Assertion Markup Language (SAML) and OpenID Connect are standards used to implement federated SSO. OAuth 2.0 is an authorization (delegated access) framework rather than an authentication protocol; OpenID Connect adds the authentication layer on top of it.
      3. Federated Identity Management:
        1. An arrangement that can be made between multiple enterprises to let subscribers use the same identification data to obtain access to the networks of all the enterprises in the group.
        2. Shibboleth is an example of an SSO system that allows people to sign in with a single digital identity and connect to various systems run by federations of different organizations.
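Worked example for the SSO and federation material above: an identity provider (the SSO server) authenticates a user once and issues a signed, audience-scoped, time-limited assertion; service providers, including one in a different organization that has been given the IdP's key, verify the assertion instead of authenticating the user again. This is an added example, not code from the original notes and not a SAML, Kerberos, or OpenID Connect implementation: the token format (base64url JSON body plus HMAC-SHA256 signature), the shared signing key, the user store, and the issuer and audience names are constructed assumptions that stand in for the signed assertion or ticket those protocols use.

```python
import base64
import hashlib
import hmac
import json


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    """Canonical (sorted-key) JSON so issuer and verifier sign the same bytes."""
    return b64url(json.dumps(claims, sort_keys=True).encode())


class IdentityProvider:
    """The SSO server: authenticates the user once, then issues signed assertions."""

    def __init__(self, name: str, signing_key: bytes, users: dict):
        self.name, self.key, self.users = name, signing_key, users

    def login(self, username: str, password: str) -> bool:
        # Constructed user store; stands in for a real credential verifier.
        return self.users.get(username) == password

    def issue_assertion(self, username: str, audience: str, now: int, ttl: int = 300) -> str:
        claims = {"iss": self.name, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl}
        body = encode_claims(claims)
        sig = b64url(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ServiceProvider:
    """A relying application, possibly in another organization, that trusts the IdP's key."""

    def __init__(self, name: str, trusted_idps: dict):
        self.name, self.trusted_idps = name, trusted_idps   # issuer name -> shared key

    def verify(self, token: str, now: int):
        """Return (subject, 'ok') on success, else (None, reason)."""
        try:
            body, sig = token.split(".")
            claims = json.loads(b64url_decode(body))
            signature = b64url_decode(sig)
        except ValueError:                       # covers bad base64 and bad JSON
            return None, "malformed"
        if not isinstance(claims, dict):
            return None, "malformed"
        key = self.trusted_idps.get(claims.get("iss"))
        if key is None:
            return None, "untrusted issuer"      # federation only with configured IdPs
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None, "bad signature"         # tampered or forged assertion
        if claims.get("aud") != self.name:
            return None, "wrong audience"        # a token for app A must not unlock app B
        if now >= claims.get("exp", 0):
            return None, "expired"
        return claims["sub"], "ok"


if __name__ == "__main__":
    # Constructed demo: one IdP, one in-house app, one partner-organization app.
    key = b"0123456789abcdef0123456789abcdef"
    idp = IdentityProvider("idp.example.org", key, {"alice": "pw"})
    crm = ServiceProvider("crm.example.org", {"idp.example.org": key})
    partner = ServiceProvider("benefits.partner.example", {"idp.example.org": key})
    now = 1_700_000_000
    if idp.login("alice", "pw"):
        print(crm.verify(idp.issue_assertion("alice", "crm.example.org", now), now + 10))
        print(partner.verify(idp.issue_assertion("alice", "benefits.partner.example", now), now + 10))
```

The verifier checks signature, issuer, audience, and expiry in that order; the audience check is what stops a proof of authentication issued for one system from being replayed against another, which is the same role the service name in a Kerberos ticket or the Audience element in a SAML assertion plays.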
  3. Transitive Trust
    1. The Transitive Property:
      1. A mathematical or logical axiom which states:
        1. If A = B, and B = C, then A = C
    2. Applied to trust relationships: if A trusts B, and B trusts C, then A implicitly trusts C, even though A never evaluated C. Trust that chains this way is transitive (the default for trusts between domains within an Active Directory forest), and permissions that rely on it rather than on explicit grants create the following exposure.
      1. A server trusts a host (the target), and the target trusts the server in return. An attacker obtains an account that the same server trusts.
      2. If trust is transitive, the target now implicitly trusts the attacker through the server, enabling lateral movement and privilege escalation. To prevent this, make trusts non-transitive where possible and configure explicit, least-privilege user permissions instead of relying on inherited trust.
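Worked example for the transitive trust scenario above: a small trust graph in which an edge means "X trusts Y" (Y's authentication is accepted by X). Expanding the graph with and without transitivity shows which principals an attacker-controlled account can reach. This is an added example, not code from the original notes; the principals (partner, target, server, attacker) and their trust edges are constructed to mirror the host/server/attacker scenario.

```python
from collections import deque


def effective_trust(direct_trusts: dict, transitive: bool) -> dict:
    """Expand direct trust edges into the set of parties each principal ends up trusting.

    With transitive=False a principal trusts only the parties it explicitly lists;
    with transitive=True it also trusts everything those parties trust, and so on.
    """
    result = {}
    for start in direct_trusts:
        reached = set()
        queue = deque(direct_trusts[start])
        while queue:
            party = queue.popleft()
            if party == start or party in reached:
                continue                    # ignore cycles back to the origin
            reached.add(party)
            if transitive:
                queue.extend(direct_trusts.get(party, ()))
        result[start] = reached
    return result


def exposure(direct_trusts: dict, compromised: str, transitive: bool) -> set:
    """Principals whose resources a compromised party can reach by being trusted."""
    effective = effective_trust(direct_trusts, transitive)
    return {p for p, trusted in effective.items() if compromised in trusted}


# Constructed scenario: the server trusts both the target host and the attacker's
# account; the target trusts the server; a partner system trusts the target.
TRUSTS = {
    "partner": {"target"},
    "target": {"server"},
    "server": {"target", "attacker"},
    "attacker": set(),
}

if __name__ == "__main__":
    print("transitive    :", sorted(exposure(TRUSTS, "attacker", transitive=True)))
    print("non-transitive:", sorted(exposure(TRUSTS, "attacker", transitive=False)))
```

With transitive trust the attacker reaches the server, then the target through the server, then the partner through the target, three hops from the only relationship anyone actually granted; with explicit, non-transitive trusts the blast radius is the server alone.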