6.2.1. RBAC, MAC, and DAC
💡 First Principle: Authentication factor categories are defined by the independence of the evidence — if compromise of one factor automatically compromises another, they don't provide genuine multi-factor protection. A second "factor" that's derived from the same source as the first (e.g., two different passwords for the same account) provides no additional security beyond single-factor.
The three factor categories:
| Category | Description | Examples | Primary Attack |
|---|---|---|---|
| Something you know | Knowledge factor | Password, PIN, security question, passphrase | Theft, guessing, phishing, database breach |
| Something you have | Possession factor | Hardware token, smart card, mobile authenticator app, SMS OTP, FIDO2 key | Theft of physical device, SIM swap (SMS), cloning |
| Something you are | Inherence factor | Fingerprint, retina scan, iris scan, facial recognition, voice recognition | Spoofing with fake biometric, template theft |
Additional factors sometimes cited:
- Somewhere you are (location): GPS coordinates, IP geolocation, network location. Supplementary control, not a primary factor.
- Something you do (behavior): Typing cadence, mouse movement patterns (continuous authentication). Emerging; not yet widely deployed as primary factor.
Biometric accuracy metrics:
| Metric | Definition | Tradeoff |
|---|---|---|
| FAR (False Acceptance Rate) | Rate at which unauthorized users are accepted | Lower FAR = fewer unauthorized acceptances |
| FRR (False Rejection Rate) | Rate at which authorized users are rejected | Lower FRR = fewer legitimate user frustrations |
| CER / EER (Crossover Error Rate / Equal Error Rate) | Point where FAR = FRR | Lower CER = better overall accuracy; the standard comparison metric |
FAR and FRR trade off against each other — adjusting the sensitivity threshold reduces one while increasing the other. CER is the balanced operating point and the standard metric for comparing biometric systems. A system with CER of 0.001% is more accurate than one with CER of 0.1%.
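The threshold sweep described above, carried out on constructed match scores (added example, not part of the original study guide; the genuine and impostor scores are made-up values, not output of any real matcher). The block computes FAR and FRR at a given acceptance threshold, then sweeps every observed score as a candidate threshold and reports the one where the two rates cross, which is the CER/EER.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Constructed sample match scores (higher = more similar). These are made-up
// values for illustration only, not the output of any real biometric matcher.
var genuineScores = []float64{0.92, 0.88, 0.85, 0.80, 0.76, 0.70, 0.64, 0.58, 0.51, 0.45}
var impostorScores = []float64{0.60, 0.52, 0.47, 0.40, 0.35, 0.30, 0.25, 0.20, 0.15, 0.10}

// Rates returns FAR and FRR for one acceptance threshold. A comparison is
// accepted when score >= threshold, so raising the threshold lowers FAR
// (fewer impostors pass) and raises FRR (more genuine users are rejected).
func Rates(genuine, impostor []float64, threshold float64) (far, frr float64) {
	falseAccepts := 0
	for _, s := range impostor {
		if s >= threshold {
			falseAccepts++
		}
	}
	falseRejects := 0
	for _, s := range genuine {
		if s < threshold {
			falseRejects++
		}
	}
	return float64(falseAccepts) / float64(len(impostor)),
		float64(falseRejects) / float64(len(genuine))
}

// CrossoverErrorRate sweeps every observed score as a candidate threshold and
// returns the threshold where |FAR - FRR| is smallest, plus the error rate at
// that point (the CER/EER used to compare systems).
func CrossoverErrorRate(genuine, impostor []float64) (threshold, cer float64) {
	candidates := append(append([]float64{}, genuine...), impostor...)
	sort.Float64s(candidates)
	bestGap := math.Inf(1)
	for _, t := range candidates {
		far, frr := Rates(genuine, impostor, t)
		if gap := math.Abs(far - frr); gap < bestGap {
			bestGap, threshold, cer = gap, t, (far+frr)/2
		}
	}
	return threshold, cer
}

func main() {
	for _, t := range []float64{0.30, 0.45, 0.52, 0.60, 0.80} {
		far, frr := Rates(genuineScores, impostorScores, t)
		fmt.Printf("threshold %.2f  FAR %.2f  FRR %.2f\n", t, far, frr)
	}
	t, cer := CrossoverErrorRate(genuineScores, impostorScores)
	fmt.Printf("crossover at threshold %.2f, CER = %.2f\n", t, cer)
}
```

On these constructed scores the rates cross at a threshold of 0.52, where FAR and FRR are both 0.20; a matcher whose genuine and impostor score distributions overlap less would cross at a lower rate, which is the sense in which a lower CER means a more accurate system.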
MFA strength spectrum:
| MFA Type | Phishing Resistant? | SIM Swap Resistant? | Offline Usable? | Recommendation |
|---|---|---|---|---|
| SMS OTP | ❌ No | ❌ No | No | ⚠️ Avoid for high-value accounts |
| Email OTP | ❌ No (email can be phished) | N/A | No | ⚠️ Better than SMS, still phishable |
| TOTP (Google Auth, Authy) | ❌ No (code can be phished in real-time) | ✅ Yes | Yes (offline) | ✅ Good baseline |
| Push notification | ❌ No (MFA fatigue) | ✅ Yes | No | ✅ Good; add number matching |
| FIDO2 / Passkey | ✅ Yes (domain-bound) | ✅ Yes | Yes | ✅ Best available |
| Smart card (PIV/CAC) | ✅ Yes | ✅ Yes | Yes | ✅ Enterprise/government standard |
MFA fatigue defense: Push notification MFA sends an approval request to the user's phone. Attackers send repeated requests hoping the user approves one to stop the notifications. Defense: require number matching (user must confirm a code displayed in the login screen matches the one in the push notification) — eliminates approval without awareness.
Passwordless authentication: FIDO2/WebAuthn uses asymmetric key pairs: the private key stays on the device (in a hardware security module or TPM), the public key is registered with the service. At authentication, the service sends a challenge; the device signs it with the private key. The signature proves possession of the registered key. No shared secret, no password to steal or phish.
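The challenge/response exchange above, and the domain binding that makes FIDO2 phishing resistant in the MFA table, as an added example (not code from the original guide or from any FIDO2 library). It models the authenticator and the relying party as two Go structs using P-256 ECDSA from the standard library; the signed data is a simplified stand-in for WebAuthn's authenticator data and client data (a hash of the relying-party ID followed by the challenge), and the domain names are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device (or its TPM / secure element).
// Each credential is scoped to the relying-party ID it was created for, and
// the private key never leaves this struct.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair bound to rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs the server's challenge, but only with the key bound to the rpID
// the browser reports. A lookalike domain has no credential, so the device
// refuses; this is the domain binding behind "phishing resistant".
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge))
}

// signedDigest is a simplified version of what WebAuthn signs: a hash over the
// rpID hash and the challenge, so both are fixed by the signature.
func signedDigest(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty stands in for the service. It stores public keys only, so a
// breach of its database yields nothing that can be replayed as a login.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte // single-use challenge per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// BeginLogin issues a fresh 32-byte random challenge.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	rp.pending[user] = challenge
	return challenge, nil
}

// FinishLogin verifies the signature against the enrolled public key using the
// server's own rpID and consumes the challenge, so a signature made for another
// domain, or replayed from an earlier login, is rejected.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) bool {
	challenge, ok := rp.pending[user]
	pub, havePub := rp.pubKeys[user]
	if !ok || !havePub {
		return false
	}
	delete(rp.pending, user) // one challenge, one attempt
	return ecdsa.VerifyASN1(pub, signedDigest(rp.ID, challenge), sig)
}

func main() {
	device := NewAuthenticator()
	rp := NewRelyingParty("login.example.test") // constructed domain
	pub, _ := device.Register(rp.ID)
	rp.Enroll("alice", pub)

	ch, _ := rp.BeginLogin("alice")
	sig, _ := device.Assert(rp.ID, ch)
	fmt.Println("genuine login:", rp.FinishLogin("alice", sig))
	fmt.Println("replayed signature:", rp.FinishLogin("alice", sig))

	ch, _ = rp.BeginLogin("alice")
	_, err := device.Assert("login.example-lookalike.test", ch) // constructed lookalike
	fmt.Println("lookalike domain:", err)
}
```

Two properties carry the security argument: the relying party never holds anything but a public key, and the rpID is part of the signed data, so a challenge relayed through a lookalike site cannot produce a signature that verifies at the genuine service even if the user is fooled.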
⚠️ Exam Trap: Biometric authentication is the ONLY factor that cannot be changed if compromised. You can change a password, revoke a smart card, and replace an authenticator app. If a biometric template (the stored fingerprint or iris scan) is stolen from a database, the affected users have permanent exposure — their finger hasn't changed. This is why biometric templates should be stored as encrypted, salted one-way transformations rather than raw templates, and why biometrics alone are rarely sufficient for high-security authentication.
Reflection Question: An organization is deploying MFA for 5,000 remote employees. The CISO wants to choose between SMS OTP, TOTP authenticator apps, and FIDO2 hardware keys. Compare the cost, usability, and security tradeoffs of each option, and recommend an approach for two tiers: general employees and the 200 privileged IT administrators.