This is the second installment of a mini-series on Identity and Access Management (IAM). In the first installment, we introduced the basic elements comprising an IAM framework and provided some historical background. In this article, we'll explore the policies, procedures, and technological tools required to verify a user's identity as part of a comprehensive IAM policy.
IAM Policies
An Identity and Access Management policy describes the high-level considerations an organization has regarding who should have access to what information. The size and complexity of the organization, as well as the sensitivity of the data owned and managed by the organization, will drive the policies controlling access to that data. The policies will then drive the need to deploy specific technological tools and procedures.
User Authentication Tools
Authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be. There are many different technological tools that can be used to authenticate users within the framework of an IAM policy.
Password Protection
Password protection is the oldest technological tool used to electronically identify a user. To access a system, a user must enter a username and password. There are a number of potential problems with password protection:
- Easy-to-crack passwords. Some users choose very simple passwords, such as 123456 or the word "password," which can be cracked in minutes.
- Vulnerability to brute force attacks. As computing power increases, passwords need to be longer and more complex to be able to resist brute force attacks (i.e., simply trying every possible combination).
- Recycled passwords. Many users have trouble remembering or keeping track of all the passwords they have to deal with, so they reuse the same password for multiple services and websites. If the password is compromised on one site, the hackers may be able to gain access to other sites and services as well.
There are things that can be done to make password protection more secure, such as requiring long and complex passwords, requiring users to change their passwords periodically, and implementing Single Sign-On (SSO) technology where possible to minimize the number of passwords each user has to keep track of. But even with good password hygiene, many IT managers feel passwords alone are no longer good enough.
Biometric Identification
Biometric identification as we know it today first appeared in Hollywood movies. In the 1960s, Star Trek made use of retina scans, voice ID, and facial recognition. The 1971 James Bond movie Diamonds Are Forever showed Bond foiling a fingerprint scanner (with a scheme that wouldn't work on modern fingerprint scanners). No longer the stuff of science fiction, everyday people are now used to biometric identification as a means of unlocking their smartphones: both Touch ID (fingerprints) and facial recognition are supported by the iPhone. Biometric identification has many advantages over passwords, but it is not foolproof: at least some types of biometric identification can be defeated, though not easily.
Sometimes biometric identification can be used as an alternative to a password. For example, the Starbucks app will allow a user to recharge their card using the iPhone’s facial recognition, thereby bypassing the need to enter a password.
Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA)
Multi-factor authentication provides a substantial step up in security when it comes to identifying a person. MFA requires more than one means of validating a user’s identity. MFA is a more generic term than two-factor authentication, as it includes using more than two factors.
MFA is based on using a combination of factors to identify someone. These might include:
- Something the user knows – such as a PIN code or password. "Security questions" such as "what was your first pet's name" are another knowledge factor, but they are considered relatively weak.
- Something the user has – for example a cell phone. Proof that the user has it can come from sending a verification code by text message, or by requiring the user to log in to an authentication app.
- Something the user is – see Biometric Identification above.
MFA is becoming increasingly popular as a means of securing sensitive information. Common examples include:
- Getting cash using a debit card – it combines something you have (the card) with something you know (the PIN)
- Websites that send an authentication code by text message to your phone (something you have) AFTER you log in using a username and password (something you know)
- Corporate networks that require a user to log in with both a password (something you know) and a one-time code from a token generator (something you have)
- Many apps now rely on a combination of a password (something you know) with biometric validation (something you are) from a user’s phone.
The main drawback to MFA is that adding an extra step takes longer and is less convenient for the user than single-factor authentication. The security benefits, however, are substantial.
Conclusion
Tools that help identify a user, such as those described above, are only one part of an overall IAM policy. Within the overall IAM framework, contextual factors such as the device or IP address a user normally uses, or even the login time, might also come into play. By tracking such contextual factors, algorithms can determine whether a higher degree of scrutiny is called for, a practice commonly referred to as Risk-Based Authentication (RBA).
For example, you may have noticed that if you log on to some accounts from the home computer you typically use, all you have to provide is your password. However, if you log in to the same account from a new device, you may be presented with your security challenges, or be asked to respond with a code sent to your phone, as an additional level of security.
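To make the RBA behaviour just described concrete, here is an added example (not from the original article) of a small risk-scoring policy: it weighs the contextual signals the text names (known device, known network, usual login hours, plus recent failed attempts) and maps the score to "password only", "step-up to a second factor", or "deny". The weights, thresholds, user profile and IP ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class UserProfile:
    """What the IAM system has learned about a user's normal logins (constructed sample data)."""
    known_devices: set = field(default_factory=set)
    known_networks: list = field(default_factory=list)   # CIDR strings, e.g. home / office ranges
    usual_hours: range = range(7, 22)                     # local hours in which logins are normal

@dataclass
class LoginAttempt:
    device_id: str
    ip: str
    at: datetime
    recent_failures: int = 0

def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Sum weighted contextual signals. Weights are illustrative, not a standard."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += 40                                       # new device: strongest single signal here
    addr = ipaddress.ip_address(attempt.ip)
    if not any(addr in ipaddress.ip_network(n) for n in profile.known_networks):
        score += 30                                       # unfamiliar network
    if attempt.at.hour not in profile.usual_hours:
        score += 15                                       # unusual time of day
    if attempt.recent_failures >= 3:
        score += 25                                       # repeated failures before this attempt
    return score

def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Map the score to an authentication requirement: 'password', 'step-up' (MFA), or 'deny'."""
    score = risk_score(profile, attempt)
    if score < 30:
        return "password"
    if score < 70:
        return "step-up"
    return "deny"

if __name__ == "__main__":
    # Constructed profile: one known laptop, one known home network (documentation IP range).
    alice = UserProfile(known_devices={"laptop-home"}, known_networks=["203.0.113.0/24"])
    print(decide(alice, LoginAttempt("laptop-home", "203.0.113.7", datetime(2024, 5, 1, 12))))  # password
    print(decide(alice, LoginAttempt("phone-new", "203.0.113.7", datetime(2024, 5, 1, 12))))    # step-up
    print(decide(alice, LoginAttempt("phone-new", "198.51.100.9", datetime(2024, 5, 1, 3))))    # deny
```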
Our next article will focus on the “A” in IAM: Access. Specifically, this next installment will outline the policies, procedures, and tools used to control the what, when and how of managing user access to sensitive data.