Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.2. Authorization Models

💡 First Principle: Authentication answers "are you who you claim to be?" It verifies the claimed identity against evidence — something you know, something you have, or something you are. The strength of authentication is determined by the quality of that evidence and how many independent factors are required. Single-factor authentication can be compromised with a single credential theft; multi-factor authentication requires an attacker to simultaneously compromise independent evidence from different categories.

Authentication is the control most frequently targeted by attackers because it is the gateway to all other access. Credential theft, phishing, MFA fatigue attacks, and session hijacking are all attacks on the authentication layer. The CISSP tests both the mechanisms themselves and their failure modes.

Why this matters: Authentication scenario questions are common. "Which authentication mechanism best resists phishing?" (FIDO2/passkeys). "Which addresses the risk of shared knowledge factors?" (MFA). "Which protects against replay attacks?" (challenge-response, OTP, Kerberos timestamps). Know the threat model for each mechanism.

⚠️ Common Misconception: "MFA is unbreakable." MFA significantly raises the bar, but specific MFA implementations have specific weaknesses. SMS-based OTP is vulnerable to SIM swapping and SS7 attacks. Push notification MFA is vulnerable to MFA fatigue (attacker floods user with approval requests until they approve one). TOTP apps are vulnerable to phishing when combined with real-time proxy attacks. Hardware security keys (FIDO2) with domain binding are the most phishing-resistant MFA, but not zero-risk.

Written by Alvin Varughese
Founder, 15 professional certifications