A few concepts I learned about Identity and Access Management
Identity and Access Management, or IAM for short, covers the processes of creating and managing digital user identities, authenticating users, and managing users' rights and permissions over protected resources. This post summarizes a few IAM concepts and terms I have learned recently after joining the WSO2 IAM team as an intern.
User provisioning includes the processes of creating, managing and deleting the digital identities of users in a domain and setting up the rights of those identities.
Centralized Access Management
In centralized access management, user accounts and the actions related to their authentication are managed in one central place instead of separately in each application. Centralized access management is carried out using a resident/local Identity Provider (IdP), which manages and authenticates the digital identities of the users in an organization. Using centralized access management is desirable for many reasons:
- It reduces development effort required
- It helps developers focus on the important and innovative aspects of development
- It reduces user information duplication
- It improves user experience because of consistency and because it allows single sign on
These are only a few of the many reasons that matter to developers and end users; listing every advantage of a centralized access management system is not practical here.
The main disadvantage of a centralized access management system is that it becomes a single point of failure; it therefore has to be configured to be resilient to ordinary outages and to Denial of Service attacks. A centralized access management system may also be unnecessary for a small-scale application with a small number of users that does not need the facilities such a system provides.
Multi Factor Authentication
Authentication is, at its core, ensuring that a user is the person they claim to be. Authentication can be performed using three kinds of factors:
- Using something you know
- Using something you have
- Using something you are
Something you know is a secret that only you know; examples used for authentication are passphrases and security questions. Examples of something you have are an ATM card or the TOTP (time-based one-time password) generated by an app installed on your phone. Examples of something you are include fingerprint scanning, iris scanning and facial recognition.
At least one of these factors is necessary for authentication; using more than one increases security. Any number of the different options available under each of the three categories can be combined for stronger authentication. This use of multiple factors to authenticate users is the idea behind multi-factor authentication. 2FA, or two-factor authentication, is the subset of multi-factor authentication where exactly two factors are used. 2FA is popular because it offers an attractive compromise between security and usability.
Although it is more secure, multi-factor authentication degrades the user experience and can even encourage users to choose weaker settings for some of the authentication steps. Adaptive authentication can therefore be used to strengthen security without burdening the user with unnecessary additional steps. In adaptive authentication, the number of challenges and/or the combination of challenges presented to a user is configured to depend on several factors, such as how much risk a compromise of that user's account poses, the user's behavior, and information about the user's authentication attempts.
Single Sign On
Single sign on allows users to access many different services by logging in only once. The advantage of single sign on is obviously the improved user experience. The disadvantage is that if an attacker obtains the user's login credentials, they gain access to all of those services as well.
In web applications, Single Sign On is implemented using the OpenID Connect (OIDC), Security Assertion Markup Language (SAML) and Web Services Federation (WS-Federation) standards. OIDC is a newer and more lightweight protocol than the other two. It is built on top of the OAuth 2.0 protocol.
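To make the OIDC part concrete, here is an added example (not from the post or from WSO2) of the relying-party side of an OIDC login: after the OAuth 2.0 exchange the client receives an ID token (a JWT), and the checks below are what it must perform before trusting the identity inside it. It assumes the token is HS256-signed with the client secret, which OIDC permits for confidential clients; the issuer, client id, nonce and claims are constructed sample values, and `make_id_token` exists only to build that sample.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_id_token(claims: dict, client_secret: str) -> str:
    """What the IdP does: mint an HS256-signed ID token. Used here only to build sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token: str, client_secret: str, expected_iss: str,
                      client_id: str, expected_nonce: str, now: int):
    """Relying-party checks; returns the claims on success, None on any failure.
    The algorithm is pinned and the signature verified before any claim is read,
    so a token claiming alg=none or another algorithm is rejected, not interpreted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(client_secret.encode(), f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != expected_iss:            # minted by the IdP we trust
        return None
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):  # minted for us
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:  # not expired
        return None
    if claims.get("nonce") != expected_nonce:         # bound to this login attempt
        return None
    return claims
```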
Identity federation is the act of authenticating a user with the help of a trusted external identity provider. Social login with Facebook, Google, etc., which many mobile and web apps use, is an example of identity federation.
Identity federation is great for both end users and developers. It's great for users because they don't need to remember multiple login credentials or go through multiple login processes. It's great for developers because they have less work to do.
While Single Sign On and Federated Identity seem like the same thing, they are not. Single Sign On provides access to the systems within one organization using a single credential. Identity federation facilitates access to applications belonging to different organizations.
These are summaries of some of the concepts I learned about the IAM domain.