Authentication, Authorization, Accountability, and Non-Repudiation
Key Takeaways
- Identification claims an identity; authentication proves it with evidence such as a password, token, biometric, or certificate.
- Authorization determines what an authenticated subject is allowed to do and should follow least privilege.
- Multifactor authentication combines DIFFERENT factor types; two passwords are still single-factor because both are something you know.
- Accountability depends on unique accounts, protected logs, synchronized time, and reviewable records.
- Non-repudiation provides evidence (such as a digital signature) that a party performed an action and cannot credibly deny it later.
Identity Concepts in Order
Access decisions get easier when you keep four ideas separate: identification, authentication, authorization, and accountability. They happen together in one login flow but do different jobs.
Identification is the claim of identity. A username, employee ID, email address, or badge number says who the subject claims to be. Identification proves nothing on its own.
Authentication proves that claim using one or more of five factor categories. Memorize them, because the CC exam tests them directly:
| Factor type | Examples |
|---|---|
| Something you know | Password, PIN, security question |
| Something you have | Hardware token, smart card, authenticator app code |
| Something you are | Fingerprint, face scan, iris pattern |
| Somewhere you are | GPS location, IP-based geofence |
| Something you do | Signature dynamics, typing rhythm |
Multifactor authentication (MFA) combines factors from DIFFERENT categories. A password plus an authenticator app code is true MFA. Two passwords, or a password plus a security question, are both "something you know" and therefore still single-factor. This is the most common MFA trap on the exam.
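As an added illustration (not code from the original guide), the check below encodes the table above and decides whether a set of presented credentials is true MFA by counting DISTINCT factor categories; the credential names and the map are this example's own assumptions.

```go
package main

import "fmt"

// Factor categories from the CC syllabus; the constant names are this example's own.
const (
	Know  = "something you know"
	Have  = "something you have"
	Are   = "something you are"
	Where = "somewhere you are"
	Do    = "something you do"
)

// factorCategory maps a credential type (names constructed for this example)
// to the category it belongs to.
var factorCategory = map[string]string{
	"password":          Know,
	"pin":               Know,
	"security_question": Know,
	"hardware_token":    Have,
	"totp_code":         Have,
	"fingerprint":       Are,
	"face_scan":         Are,
	"geofence":          Where,
	"typing_rhythm":     Do,
}

// DistinctCategories returns the set of categories covered by the presented
// credentials. Unknown credential types contribute nothing.
func DistinctCategories(presented []string) map[string]bool {
	cats := map[string]bool{}
	for _, p := range presented {
		if c, ok := factorCategory[p]; ok {
			cats[c] = true
		}
	}
	return cats
}

// IsMultifactor is true only when at least two DIFFERENT categories are present;
// a password plus a security question is still a single "something you know".
func IsMultifactor(presented []string) bool {
	return len(DistinctCategories(presented)) >= 2
}

func main() {
	for _, combo := range [][]string{{"password", "totp_code"}, {"password", "security_question"}, {"password", "password"}} {
		fmt.Printf("%v -> MFA: %v\n", combo, IsMultifactor(combo))
	}
}
```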
Authorization and Accountability
Authorization happens after identity is established. It answers "what is this user, service, or device allowed to do?" A payroll clerk may authenticate successfully yet still must not administer firewalls. Authorization should follow least privilege (grant only what the role needs), use role-based access control (RBAC) where appropriate, and be reviewed periodically. A key principle is separation of duties: a system administrator should not approve their own privileged-access request.
Accountability means actions can be traced to the responsible subject. It rests on four pillars: unique user accounts, comprehensive logging, accurate and synchronized timestamps, and a review process. Synchronized time matters because logs from different systems must line up during an investigation; the Network Time Protocol (NTP) keeps clocks aligned. Shared administrator accounts destroy accountability because no one can prove who acted.
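The following added example (not part of the original guide) ties the two paragraphs above together: an RBAC table that grants each role only what it needs, a separation-of-duties check that refuses self-approval, and an audit record keyed to a unique account with a UTC timestamp. The roles, actions and account names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// rolePermissions is a constructed least-privilege RBAC table: each role gets
// only the actions its job needs.
var rolePermissions = map[string]map[string]bool{
	"payroll_clerk":  {"payroll:read": true, "payroll:update": true},
	"firewall_admin": {"firewall:configure": true},
}

// AuditEntry is one accountability record: a unique (named) account, the
// action, the decision, and a UTC timestamp so logs from different systems
// can be correlated.
type AuditEntry struct {
	Account string
	Action  string
	Allowed bool
	At      time.Time
}

var auditLog []AuditEntry

// Authorize decides whether an already-authenticated account holding role may
// perform action, and always records the decision against that account.
func Authorize(account, role, action string, now time.Time) bool {
	allowed := rolePermissions[role][action]
	auditLog = append(auditLog, AuditEntry{Account: account, Action: action, Allowed: allowed, At: now.UTC()})
	return allowed
}

// ApprovePrivilegedRequest enforces separation of duties: the approver must be
// a different account than the requester.
func ApprovePrivilegedRequest(requester, approver string) error {
	if requester == approver {
		return errors.New("separation of duties: an account cannot approve its own request")
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC) // constructed timestamp
	fmt.Println(Authorize("a.lee", "payroll_clerk", "payroll:update", now))     // true
	fmt.Println(Authorize("a.lee", "payroll_clerk", "firewall:configure", now)) // false
	fmt.Println(ApprovePrivilegedRequest("sysadmin1", "sysadmin1"))               // error
	for _, e := range auditLog {
		fmt.Printf("%s %s %s allowed=%v\n", e.At.Format(time.RFC3339), e.Account, e.Action, e.Allowed)
	}
}
```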
Non-repudiation provides evidence that an action or message truly came from a specific party and was not altered, so the party cannot credibly deny it. A digital signature is the classic example: a user signs a transaction with their private key, and anyone can validate it with the matching public key. Note the exam distinction: logs support accountability, but non-repudiation needs cryptographic strength tied to a unique identity. "We have logs" is weaker than "we have a validated digital signature."
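To make the log-versus-signature distinction concrete, here is an added example (not from the original guide) using Go's standard Ed25519 implementation: the signer signs a transaction with a private key, anyone can verify it with the public key, and altering the payload after signing makes verification fail. The transaction text and the helper names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedTransaction carries the payload, the signature over it, and the
// signer's public key; the private key never leaves the signer.
type SignedTransaction struct {
	Payload   []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// Sign produces evidence that only the holder of priv could have created.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedTransaction {
	return SignedTransaction{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// Verify lets anyone holding the public key confirm both origin and integrity;
// a wrong key or a modified payload returns false.
func Verify(tx SignedTransaction) bool {
	return ed25519.Verify(tx.Signer, tx.Payload, tx.Signature)
}

// Demo signs a constructed transaction and reports whether the original and a
// tampered copy verify (expected: true, false).
func Demo() (original, tampered bool) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tx := Sign(priv, []byte("transfer 500 from acct-1 to acct-2")) // constructed sample
	original = Verify(tx)
	altered := tx // copy the struct, then change the payload after signing
	altered.Payload = []byte("transfer 5000 from acct-1 to acct-2")
	tampered = Verify(altered)
	return original, tampered
}

func main() {
	o, tm := Demo()
	fmt.Println("original verifies:", o, "tampered verifies:", tm)
}
```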
Scenario: The Shared Admin Password
A small company keeps one administrator password in a notebook, and the whole IT team uses it during outages. It feels efficient but breaks several principles at once.
| Problem | Concept it violates |
|---|---|
| Anyone holding the notebook can log in | Weak authentication handling |
| Every admin gets identical full power | Poor least privilege / authorization |
| Changes cannot be tied to one person | Weak accountability |
| A user can deny making a change | Weak non-repudiation |
The better recommendation: use named administrative accounts, grant only needed privileges, require MFA, log privileged actions, and protect emergency access through a controlled break-glass process (a sealed, monitored, single-use credential).
Access Decision Examples
| Request | Best beginner response |
|---|---|
| New hire needs the ticketing system | Verify approved role, provision least-privilege access |
| Contractor asks to borrow an employee login | Deny shared-account use; follow contractor onboarding |
| Manager wants direct database admin rights | Require formal approval and a documented business need |
| User lost their MFA device | Verify identity through approved recovery before re-enrollment |
The CC exam uses ordinary workplace requests to test identity control. The fastest answer is rarely the best. The best answer proves identity, limits permissions to need, and leaves a reviewable record. When two options both "work," pick the one that preserves unique accountability.
AAA, Provisioning, and Common Traps
The industry often bundles three of these ideas as AAA: Authentication, Authorization, and Accounting (accounting is the logging side of accountability). The CC exam expects you to keep the boundaries crisp.
| Term | Question it answers | Example evidence |
|---|---|---|
| Identification | Who do you claim to be? | Username, badge ID |
| Authentication | Can you prove it? | Password + token |
| Authorization | What may you do? | RBAC role, file permissions |
| Accountability | What did you do? | Time-synced audit log |
Provisioning identities follows a lifecycle the exam references: an account is provisioned on hire, modified when a role changes, and deprovisioned promptly on termination. A frequent trap is the forgotten entitlement: an employee transfers departments but keeps the old permissions, accumulating privilege creep that violates least privilege. Periodic access reviews catch this.
Two more distinctions are worth memorizing. First, authentication is not the same as encryption: a password proves identity but does not by itself protect data in transit. Second, biometrics are convenient but probabilistic; they have false acceptance and false rejection rates, so they are best used as one factor in MFA, not as the sole gate to high-risk systems. When a scenario offers "add a second, different factor" versus "make the password longer," the second-factor answer is stronger because it adds a new factor category rather than hardening a category that may already be compromised.
Review Questions
- Order these access concepts as they normally occur in a login and access flow.
- Why are shared administrator accounts a poor security practice?
- Which examples are authentication factors? Select all that apply.
- A login requires a password and the answer to a security question. Why is this NOT considered multifactor authentication?