Authentication, Authorization, Accountability, and Non-Repudiation
Key Takeaways
- Identification claims an identity, while authentication proves that identity with evidence such as a password, token, biometric, or certificate.
- Authorization determines what an authenticated subject is allowed to do.
- Accountability depends on unique accounts, logging, time synchronization, and reviewable records.
- Non-repudiation provides evidence that a party performed an action and cannot credibly deny it later.
- Shared accounts weaken accountability, and in beginner exam scenarios they usually mark the less secure answer.
Identity Concepts in Order
Security access decisions become much easier when you keep four ideas separate: identification, authentication, authorization, and accountability. They often happen together in a login flow, but they do different jobs.
Identification is the claim of identity. A username, employee ID, email address, badge number, or account name says who the subject claims to be. Identification alone does not prove anything. If someone types a username into a login page, they have identified an account; they have not proven they own it.
Authentication proves the identity claim. Common authentication factors are something you know, something you have, something you are, somewhere you are, and something you do. A password is something you know. A hardware token, smart card, or authenticator app is something you have. A fingerprint or face scan is something you are. Multifactor authentication is stronger because it combines different factor types. Two passwords are not true multifactor because they are both knowledge factors.
Authorization happens after identity is established. It answers, "What is this user, service, or device allowed to do?" A payroll clerk may authenticate successfully but still should not administer firewalls. A system administrator may manage servers but should not approve their own privileged access request. Authorization should follow least privilege, role-based access where appropriate, and periodic review.
Accountability means actions can be traced to the responsible subject. Unique user accounts, logging, accurate timestamps, protected logs, and review processes support accountability. Shared administrator accounts weaken accountability because investigators cannot easily determine who performed an action. On the CC exam, an answer that preserves individual accounts and audit trails is usually better than one that uses a shared password for convenience.
Non-repudiation provides evidence that an action or communication came from a particular party and has not been altered. Digital signatures are a common example. If a user signs a transaction with a private key and the signature validates with the corresponding public key, that evidence supports integrity and non-repudiation. Non-repudiation is not just "logging exists." Logs help accountability, but they must be protected, time-aligned, and tied to strong identity to be persuasive.
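The signature check described above, as an added example in Go that is not part of the original page. It uses the standard library's Ed25519: a constructed transaction is signed with the subject's private key, and verification fails if either the content or the key changes, which is what makes the signature evidence of who acted and that the record was not altered. The Transaction fields, account name, action and timestamp are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Transaction is a constructed record of an action a named subject performed.
// Signing it with the subject's private key is the non-repudiation evidence
// the text describes; the timestamp supports accountability.
type Transaction struct {
	Account string // identification: the claimed account name
	Action  string // what the subject did
	Time    string // RFC 3339 timestamp from a synchronized clock
}

// Encode produces the exact bytes that are signed. Changing any field
// changes these bytes, so a later edit invalidates the signature.
func (t Transaction) Encode() []byte {
	return []byte(t.Account + "|" + t.Action + "|" + t.Time)
}

// Sign returns the subject's signature over the transaction bytes.
func Sign(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.Encode())
}

// Verify checks the signature against the public key on record for the
// account. Success supports integrity (no alteration) and non-repudiation
// (only the holder of the matching private key could have produced it).
func Verify(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.Encode(), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tx := Transaction{"alice", "approve-payment:4200", "2024-05-01T09:30:00Z"}
	sig := Sign(priv, tx)
	fmt.Println("original verifies: ", Verify(pub, tx, sig))
	tampered := tx
	tampered.Action = "approve-payment:9900" // altered after signing
	fmt.Println("altered verifies:  ", Verify(pub, tampered, sig))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // a different subject's key
	fmt.Println("other key verifies:", Verify(otherPub, tx, sig))
	fmt.Println("audit record:", tx.Account, tx.Time, hex.EncodeToString(sig)[:16]+"...")
}
```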
Scenario: The Shared Admin Password
A small company has one administrator password written in a notebook. Everyone on the IT team uses it during outages. This may seem efficient, but it creates several problems.
| Problem | Security concept |
|---|---|
| Anyone with the notebook can use the account | Weak authentication handling |
| All administrators receive the same power | Poor authorization and least privilege |
| Changes cannot be tied to one person | Weak accountability |
| A user can deny making a change | Weak non-repudiation support |
The better beginner recommendation is to use named administrative accounts, grant only needed privileges, require MFA where appropriate, log privileged actions, and protect emergency access through a controlled break-glass process.
Access Decision Examples
| Request | Best beginner response |
|---|---|
| New hire needs access to a ticketing system | Verify approved role and provision least-privilege access |
| Contractor asks to borrow an employee login | Deny shared account use and follow contractor access process |
| Manager asks for direct database admin rights | Require formal approval and a business need |
| User lost MFA device | Verify identity through approved recovery before re-enrollment |
The CC exam often uses ordinary workplace requests to test whether you understand identity control. The fastest answer is not always the best answer. The best answer preserves proof of identity, limits permissions, and creates records that can be reviewed later.
Order these access concepts as they normally occur in a login and access flow.
Why are shared administrator accounts a poor security practice?
Which examples are authentication factors? Select all that apply.