
Chapter 19 of 27

Identity and Access Management: AAA, Multi-Factor Authentication, and Zero Trust Access

Control who gets in, what they can do, and how their actions are recorded by combining IAM concepts with strong authentication and granular authorization.


Big Picture: IAM, AAA, MFA, and Zero Trust

Where IAM Fits

Identity and Access Management (IAM) controls who can access what, when, and how, and records what they did. It is the preventive counterpart to vulnerability management and monitoring.

Key Building Blocks

You will connect AAA (Authentication, Authorization, Accounting) with IAM processes, multi-factor authentication (MFA), access control models, privileged access management (PAM), and zero trust.

Exam Connection

For SY0-701, expect scenarios like remote admins or SaaS logins. You must map each part of the story to AAA steps and controls like MFA and least privilege.

Guiding Questions

Keep asking: Who is this user? How do we know? What can they do? How do we prove it later? These four questions drive practical IAM design.

AAA Fundamentals: Authentication, Authorization, Accounting

Authentication

Authentication answers: Who are you, and can you prove it? Methods include passwords, MFA, smart cards, biometrics, SSH keys, and tokens from SAML or OpenID Connect.

Authorization

Authorization answers: What are you allowed to do? It is implemented through roles, permissions, policies, and ACLs, using models like RBAC and ABAC.

Accounting

Accounting (auditing) answers: What did you do, and when? It relies on logs such as sign-in logs, VPN logs, and database audit trails that feed into SIEM tools.

AAA in a VPN Login

In a VPN login, the user authenticates with a password plus an OTP, is authorized to reach certain networks based on group membership, and every action is logged for accounting and later review.

Mapping AAA to Real IAM Systems

Environment Overview

The company uses on-prem AD, Azure AD/Entra ID, a VPN, and a cloud HR SaaS app with SAML SSO. Alice is a remote HR analyst accessing payroll from home.

VPN Authentication

Alice authenticates to the VPN with AD username/password plus a push notification. This is authentication with two factors: password and phone-based app.

VPN Authorization

The VPN checks her AD group, then restricts her to a network segment that reaches only HR systems. That network assignment is authorization in action.

SSO and Authorization in SaaS

The HR app uses SAML SSO. The IdP sends a SAML assertion including Alice's HRAnalyst role, which the app uses to authorize payroll report access.

Accounting and Correlation

VPN, IdP, and HR app all log Alice's actions. A SIEM correlates these logs, providing the accounting trail needed for investigations and audits.
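As an added example (not part of the chapter), the correlation step above in code: a few constructed log lines per source are normalised into one timeline and each HR-app access is checked for a preceding VPN session and a recent IdP assertion, which is the shape of a SIEM accounting rule. The hostnames vpn01, idp and hr-saas, the log formats and the sample lines are assumptions.

```python
# Added example (not from the chapter): correlating VPN, IdP and HR-app log
# lines into one accounting trail, the way a SIEM rule would. The three log
# formats, hostnames and sample lines are constructed for illustration.
import re
from datetime import datetime, timedelta

# Constructed sample logs, one format per source
VPN_LOG = """\
2024-05-06T08:59:10Z vpn01 session-start user=alice src=203.0.113.7 mfa=push segment=HR
2024-05-06T09:02:41Z vpn01 session-start user=bob src=198.51.100.9 mfa=push segment=IT
"""
IDP_LOG = """\
2024-05-06T09:00:05Z idp SAMLResponse issued subject=alice app=hr-saas roles=HRAnalyst
"""
HR_APP_LOG = """\
2024-05-06T09:00:12Z hr-saas user=alice action=payroll_report result=allowed
2024-05-06T09:41:30Z hr-saas user=bob action=payroll_report result=allowed
"""
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S+)")

def parse(log: str) -> list:
    """Normalise any of the three formats into {ts, source, user, fields}."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        fields = dict(KV.findall(m["rest"]))
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "source": m["src"],
                       "user": fields.get("user") or fields.get("subject"),
                       "fields": fields})
    return events

def correlate(events: list, window: timedelta = timedelta(minutes=10)) -> dict:
    """Per HR-app access: which upstream AAA evidence (VPN session, recent IdP assertion) is missing."""
    findings = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["source"] != "hr-saas":
            continue
        prior = [p for p in events if p["user"] == e["user"] and p["ts"] <= e["ts"]]
        vpn_ok = any(p["source"] == "vpn01" for p in prior)
        idp_ok = any(p["source"] == "idp" and e["ts"] - p["ts"] <= window for p in prior)
        findings[f"{e['user']}@{e['ts']:%H:%M:%S}"] = [
            name for name, ok in (("vpn", vpn_ok), ("idp", idp_ok)) if not ok]
    return findings

if __name__ == "__main__":
    for key, missing in correlate(parse(VPN_LOG) + parse(IDP_LOG) + parse(HR_APP_LOG)).items():
        print(key, "complete trail" if not missing else f"missing {missing}")
```

Bob's payroll access has a VPN session but no IdP assertion behind it, which is exactly the gap an investigator would want the SIEM to surface.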

Multi-Factor Authentication: Factors, Implementations, and Pitfalls

What MFA Really Is

Multi-factor authentication requires two or more different factor types. It is not just two steps; it must mix categories like knowledge, possession, and inherence.

Factor Types

Something you know: passwords and PINs. Something you have: smart cards, tokens, phones. Something you are: biometrics. Some systems add where you are or something you do as extra signals.

Real Implementations

Common MFA today: authenticator apps, FIDO2/WebAuthn security keys, smart cards, and SMS codes (still used but weaker). These are core Security+ examples.

Common Exam Traps

Two passwords or a password plus PIN is one factor type. Two "have" factors without another type is not true MFA. Watch wording like two-step vs multi-factor.

Thought Exercise: Is This True MFA?

Scenario A: Password + Questions

Password plus security questions: both are something you know, so this is not MFA even though there are two steps.

Scenario B: Smart Card + PIN

Smart card is something you have; PIN is something you know. Two factor types means this scenario is true MFA.

Scenario C: Password + Push

Password plus phone push: knowledge plus possession. This is MFA and common for cloud admin or VPN access.

Scenario D: Fingerprint Only

Just a fingerprint is only something you are. Alone it is not MFA, even if the phone also has hidden device checks.
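The thought exercise as an added example (not code from the chapter): each method is mapped to the know/have/are category and a combination counts as MFA only when two or more different categories appear, which also catches the two-"have" exam trap. The method names and the mapping are assumptions chosen to match the scenarios above.

```python
# Added example (not from the chapter): classify authentication methods by
# factor type and decide whether a combination is true MFA. The method names
# and the mapping are assumptions chosen to match the chapter's scenarios.
from typing import Iterable

# The chapter's three categories: something you know / have / are.
FACTOR_TYPE = {
    "password": "know",
    "pin": "know",
    "security_questions": "know",
    "smart_card": "have",
    "hardware_token": "have",
    "fido2_key": "have",
    "authenticator_push": "have",   # phone-based app push
    "sms_code": "have",             # weaker, but still a possession factor
    "fingerprint": "are",
}


def factor_types(methods: Iterable[str]) -> set:
    """Return the distinct factor categories used by the given methods."""
    methods = list(methods)
    unknown = [m for m in methods if m not in FACTOR_TYPE]
    if unknown:
        raise ValueError(f"unknown authentication method(s): {unknown}")
    return {FACTOR_TYPE[m] for m in methods}


def is_true_mfa(methods: Iterable[str]) -> bool:
    """True MFA needs two or more *different* factor types, not merely two steps."""
    return len(factor_types(methods)) >= 2


def explain(methods: list) -> str:
    """Verdict in the style of the chapter's thought exercise."""
    types = factor_types(methods)
    verdict = "true MFA" if len(types) >= 2 else "NOT MFA"
    return f"{' + '.join(methods)} -> {sorted(types)} -> {verdict}"


if __name__ == "__main__":
    # Scenarios A-D from the thought exercise, plus the two-"have" exam trap
    for combo in (["password", "security_questions"],
                  ["smart_card", "pin"],
                  ["password", "authenticator_push"],
                  ["fingerprint"],
                  ["smart_card", "authenticator_push"]):
        print(explain(combo))
```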

Federation, SSO, and Identity Providers

What Is Federation?

Federation is a trust relationship where one system (IdP) authenticates users and another (SP) accepts that proof using standards like SAML or OpenID Connect.

IdP and SP Roles

The Identity Provider authenticates and issues tokens. Service Providers or relying parties consume those tokens and make authorization decisions.

SSO in Practice

With SSO, a user signs in once to the IdP and then accesses multiple apps without re-entering credentials, as long as their session and tokens remain valid.

Security and Exam Tips

Centralizing MFA and logging at the IdP improves security. Remember: SSO uses tokens, not shared passwords; that distinction appears in exam questions.

Access Control Models: RBAC vs ABAC (and Others)

DAC and MAC

DAC lets resource owners decide access, common on desktops. MAC uses central labels and clearances, common in military and high-security government systems.

Role-Based Access Control

RBAC assigns permissions to roles, then users to roles. Examples include HRAnalyst or DBAdmin roles, supporting least privilege and separation of duties.

Attribute-Based Access Control

ABAC bases decisions on attributes of user, resource, action, and environment, like role, department, time, and network location, using policy rules.

Choosing RBAC vs ABAC

Job titles and groups point to RBAC. Conditions like time-of-day, device health, or location point to ABAC, especially in zero trust designs.

Privileged Access Management and Just-In-Time Access

Why PAM Matters

Privileged accounts like domain admins and cloud owners are prime targets. PAM adds extra controls, monitoring, and auditing around these powerful identities.

Core Principles

PAM emphasizes least privilege, separation of duties, and tightly controlled break-glass accounts reserved for emergencies and heavily logged.

Typical PAM Controls

Password vaults, session recording, just-in-time elevation, and approval workflows reduce constant admin rights and create strong audit trails.

JIT Example

A cloud engineer requests temporary global admin. After manager approval, access is granted for two hours, fully logged, and then automatically revoked.

Zero Trust and How IAM, MFA, and ABAC Fit Together

Zero Trust Defined

Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.

From Perimeter to Continuous Checks

Instead of trusting everything inside a firewall, zero trust assumes attackers may be inside and uses many small, ongoing checks for every access.

IAM's Role in Zero Trust

MFA strengthens authentication, RBAC and ABAC enforce least privilege, and PAM adds extra controls on admins, all feeding detailed accounting logs.

Zero Trust Scenario

A contractor on an unmanaged device from a new country is forced through MFA and then blocked by ABAC policy, with an alert raised for investigation.
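The scenario above and the RBAC-versus-ABAC discussion earlier as one added example (not code from the chapter or any vendor's policy language): a request carries role, department, device compliance, network, country and time-of-day attributes; risk signals force an MFA step-up first, then the ABAC rules decide, and every decision is written to an accounting log with an alert flag for denied risky requests. Attribute names, rules, business hours, known countries and the sample requests are assumptions.

```python
# Added example (not from the chapter): a small ABAC policy engine for the
# finance application in Quiz 2 and the contractor scenario above. Attribute
# names, rules, thresholds and sample requests are assumptions for illustration.
from dataclasses import dataclass

BUSINESS_HOURS = range(8, 18)               # 08:00-17:59 (assumed)
KNOWN_COUNTRIES = {"US", "DE"}              # prior sign-in countries (assumed)
PERMITTED_ROLES = {"FinanceAnalyst", "Controller"}

@dataclass
class Request:
    user: str
    role: str                 # the RBAC attribute; ABAC adds the rest
    department: str
    device_compliant: bool    # managed and healthy device
    network: str              # "corporate" or "internet"
    country: str
    hour: int
    mfa_verified: bool

def risky(req: Request) -> bool:
    """Environment signals that force MFA step-up before policy evaluation."""
    return (not req.device_compliant) or req.country not in KNOWN_COUNTRIES

# (condition that must hold, reason recorded when it does not)
RULES = [
    (lambda r: r.department == "Finance", "department is not Finance"),
    (lambda r: r.role in PERMITTED_ROLES, "role not permitted"),
    (lambda r: r.device_compliant, "device not compliant"),
    (lambda r: r.network == "corporate", "not on corporate network"),
    (lambda r: r.hour in BUSINESS_HOURS, "outside business hours"),
]

def evaluate(req: Request, audit_log: list) -> dict:
    """Return the decision, append an accounting record, and flag risky denials for investigation."""
    if risky(req) and not req.mfa_verified:
        result = {"allow": False, "reasons": ["MFA step-up required"], "alert": False}
    else:
        reasons = [why for ok, why in RULES if not ok(req)]
        result = {"allow": not reasons, "reasons": reasons,
                  "alert": bool(reasons) and risky(req)}
    audit_log.append(f"user={req.user} allow={result['allow']} "
                     f"reasons={result['reasons']} alert={result['alert']}")
    return result

if __name__ == "__main__":
    log = []
    bob = Request("bob-contractor", "FinanceAnalyst", "Finance", False, "internet", "BR", 10, True)
    print(evaluate(bob, log), log)
```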

Key IAM and AAA Terms Review

Review these core IAM and AAA terms before you quiz yourself.

Authentication
The AAA function that verifies a user's identity and proves they are who they claim to be, typically using credentials such as passwords, tokens, or biometrics.
Authorization
The AAA function that determines what an authenticated user is allowed to do, implemented via permissions, roles, policies, and access control lists.
Accounting
The AAA function that tracks and records user activities, such as logins and resource access, providing an audit trail for investigations and compliance.
Multi-factor authentication (MFA)
An authentication method that requires two or more different factor types (for example, something you know and something you have) to verify a user's identity.
Identity Provider (IdP)
A system or service that authenticates users and issues tokens or assertions, which other applications rely on for access decisions.
Role-based access control (RBAC)
An access control model where permissions are assigned to roles, and users are assigned to those roles to receive the associated permissions.
Attribute-based access control (ABAC)
An access control model that makes decisions based on attributes of users, resources, actions, and environment, using policy rules.
Privileged Access Management (PAM)
A set of processes and tools that control, monitor, and audit the use of high-privilege accounts such as administrators and root accounts.
Federation
A trust relationship between separate identity domains that allows one organization or service to accept authentication performed by another.
Single sign-on (SSO)
A capability that lets a user authenticate once and then access multiple related systems or applications without re-entering credentials, typically using tokens.

Quiz 1: AAA, MFA, and SSO Basics

Test your understanding of core AAA and MFA concepts before we move to more complex scenarios.

A company uses an identity provider (IdP) for SAML-based SSO to multiple SaaS apps. Users authenticate to the IdP with a password and then receive access tokens for each app without logging in again. Which statement best describes what is happening?

  A. The IdP is providing authorization only, while each SaaS app handles authentication separately.
  B. The IdP is performing authentication once and issuing assertions that SaaS apps use for authorization decisions, enabling single sign-on.
  C. Each SaaS app is sharing the same password database, which is what enables single sign-on.
  D. The IdP is acting as a password vault, sending the user's password to each SaaS app at login time.

Answer: B) The IdP is performing authentication once and issuing assertions that SaaS apps use for authorization decisions, enabling single sign-on.

In SAML-based SSO, the identity provider authenticates the user once and issues SAML assertions (tokens). The service providers (SaaS apps) trust those assertions and use the contained attributes/claims for authorization. This enables single sign-on without sharing password databases or sending passwords to each app.

Quiz 2: Access Control Models and Zero Trust

Check your ability to choose appropriate access control models and relate them to zero trust.

A security architect is designing policies for a zero trust deployment. Access to a finance application should depend on the user's job role, department, device compliance status, and whether they are connecting from a corporate network during business hours. Which access control model best fits this requirement?

  A. Discretionary Access Control (DAC)
  B. Mandatory Access Control (MAC)
  C. Role-based Access Control (RBAC)
  D. Attribute-based Access Control (ABAC)

Answer: D) Attribute-based Access Control (ABAC)

The scenario includes many attributes: job role, department, device compliance, network location, and time of day. This points to Attribute-based Access Control (ABAC), which evaluates subject, object, action, and environment attributes. RBAC alone focuses on roles and is less expressive for conditions like time and device posture.

Key Terms

AAA
A conceptual framework consisting of Authentication, Authorization, and Accounting, used to control and track access to resources.
Accounting
The process of recording and tracking user activities, such as logins and resource usage, to provide an audit trail.
Federation
A trust relationship between separate identity domains that allows one domain to accept authentication performed by another.
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Authorization
The process of determining what an authenticated user is allowed to do, based on permissions, roles, and policies.
Authentication
The process of verifying a user's identity and proving they are who they claim to be.
Least privilege
A principle that users and systems should have only the minimum access rights necessary to perform their tasks.
Hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
Separation of duties
A principle that divides critical tasks among multiple people to reduce the risk of fraud or error.
Single sign-on (SSO)
A capability that allows a user to authenticate once and then access multiple systems or applications without re-entering credentials.
Service Provider (SP)
An application or service that relies on an identity provider's tokens or assertions to make authorization decisions.
Identity Provider (IdP)
A system or service that authenticates users and issues tokens or assertions that other applications rely on for access decisions.
Governance, risk, and compliance
Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
Role-based access control (RBAC)
An access control model where permissions are assigned to roles and users are assigned to those roles.
Multi-factor authentication (MFA)
An authentication method that requires two or more different factor types (for example, something you know and something you have) to verify a user's identity.
Privileged Access Management (PAM)
Processes and tools used to control, monitor, and audit the use of high-privilege accounts.
Attribute-based access control (ABAC)
An access control model that evaluates attributes of users, resources, actions, and environment to make access decisions.
