Access Management
The topic on which I wanted to do a more in-depth analysis is identity and access management. This was covered during module 7 in the coursework with a chapter in the book, a corresponding PowerPoint presentation, a class we had October 6th with Dr. Cooper, a video on how secure biometric authentication is, a simulation on using a password cracker, a lab for implementing identity and access management, and a quiz. There were also additional simulations within Cengage that were not required, but because I chose to explore this topic further, I completed those as well. Those included using a web-based password manager and using a password manager application. I didn’t know that these free tools were available before taking this course, and they are an excellent option for people looking to have strong passwords for things that they cannot typically remember. It is 100% better than writing the passwords down somewhere.
The wealth of information throughout this module is great, but in order to go a step further and really dig into the topic I needed to do some research. When it comes to things that are a problem (in this case poor access management), I like seeing analysis of how bad something actually is and how each different solution to the problem fares. I like seeing the numbers. With this in mind, I focused most of my exploration of the topic on statistics of how often people are mishandling authentication credentials, as well as what solutions work best for having better access control. I will showcase that after summarizing the course topic itself.
Summary of the topic / what I learned:
The different authentication credentials are typically one of the following (the first three are the most commonly used):
Something you know: Passwords, lock combinations, etc.
Something you have: Tokens, security keys, smart cards
Something you are: retinal scanner, fingerprint scanner, a person’s gait / way they walk, a vein-scanning tablet, voice recognition, iris scanner, facial recognition
Somewhere you are: location tracking and the device recognizing that you’re in a particular location.
Someone you know: validated by someone else – “yes this is William he’s cleared to enter” etc.
Something you exhibit: hair color, or specialized attributes that may only be identified with medical equipment
Something you do: behavioral biometrics like someone’s typing rhythm, or a signature.
All of these have their own weaknesses. Passwords or combinations can be guessed or cracked, depending on how complex they are, and there is a human element as well if someone writes one down and leaves it unsecured. Security keys or smart cards can be left unattended. Say, for example, somebody has a Common Access Card plugged into their computer and, instead of pulling it when they get up to go to the bathroom, leaves it in the machine. Someone could walk by and do something nefarious in a matter of seconds. Biometrics can sometimes be faked, depending on how secure the device reading them is. For example, can a fingerprint reader tell the difference between a live finger and a mold of similar size with someone’s fingerprint impressed on it?
Some of the best practices for keeping these authentication credentials secure are never writing down passwords, using a password manager to store them, never using default passwords, not reusing them, utilizing password expiration, setting a minimum password age of at least one day (so a user cannot immediately cycle back to an old password after a forced change), and requiring that they contain a combination of letters, numbers, symbols, and upper/lowercase. Also, never walk away from your security keys or smart cards, and if you are in charge of an organization’s information security, invest in reliable, proven biometric systems. The strongest approach is to require credentials from more than one of the categories above (for example, something you know plus something you have), which is what multi-factor authentication means.
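The password-cracker simulation and the best practices above come together in how a system stores passwords. The following is an added example, not code from the course, the book, or Cengage: it runs the same dictionary attack against an unsalted fast hash and against a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the Python standard library). The word list and user passwords are constructed sample data, and the iteration count is an assumption to be tuned for your own hardware.

```python
"""Added example (not from the course or the book): a dictionary attack against
two password-storage schemes, showing why short, reused passwords fall even when
"complexity" rules are met, and what a salted, slow hash buys you.

Everything here is constructed sample data: the word list stands in for a
leaked-password dump and the passwords being attacked are invented."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed word list, standing in for a breach dump used by a cracker.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2024!",
            "dragon", "iloveyou", "admin", "welcome1", "P@ssw0rd"]

# --- Weak scheme: unsalted, fast hash. Identical passwords give identical
# digests, so one cracked hash (or a precomputed table) unlocks every account
# that reused the password, on this site or any other using the same scheme.
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def crack_weak(digest: str, wordlist=WORDLIST) -> Optional[str]:
    """Dictionary attack: one cheap SHA-256 per guess."""
    for guess in wordlist:
        if hmac.compare_digest(weak_hash(guess), digest):
            return guess
    return None

# --- Stronger scheme: random per-user salt plus a deliberately slow KDF.
# 600,000 iterations of PBKDF2-HMAC-SHA256 is the OWASP Password Storage
# Cheat Sheet figure at the time of writing (assumption: tune for your hardware).
DEFAULT_ITERATIONS = 600_000

def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the parameters can be raised later without
    # breaking existing users.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def crack_strong(stored: str, wordlist=WORDLIST) -> Optional[str]:
    """Same dictionary attack; each guess now costs `iterations` HMACs, and the
    salt means the work cannot be shared across users or precomputed."""
    for guess in wordlist:
        if verify_strong(guess, stored):
            return guess
    return None

if __name__ == "__main__":
    # A reused dictionary password is found under both schemes; the slow hash
    # only raises the price per guess. A long passphrase is not in the list.
    print(crack_weak(weak_hash("letmein")))                       # letmein
    print(crack_weak(weak_hash("correct horse battery staple")))  # None
    rec = strong_hash("welcome1", iterations=50_000)
    print(crack_strong(rec))                                      # welcome1
```

The point worth noticing is that the slow, salted hash does not rescue a password that is in the attacker's word list; it only makes each guess expensive and stops the work from being shared across users. Length and not reusing passwords are what keep a password out of the list in the first place, which is exactly what a password manager makes practical.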
The next part of the topic is access control. The different types of access control that a system or an organization could establish are as follows:
Attribute-based access control – uses policies that combine attributes to set permissions. It considers attributes of the subject, the object, the environment, etc., evaluated as ‘if / then’ rules.
Rule-based access control – roles are dynamically assigned to subjects based on a set of rules established by the custodian or system administrator. Usually used when multiple systems are involved.
Role-based access control – permissions are assigned to roles that correspond to job functions, and users are placed into those roles (groups).
Discretionary access control – least restrictive; poses risks because the owner of an object can set its permissions and grant access to others.
Mandatory access control – most restrictive; the user has no freedom to set permissions. The custodian assigns the labels and the system enforces them.
Access control lists are sets of permissions attached to the objects themselves rather than to the users who are accessing the system. This is not as efficient, though, as maintaining a list for every object is time consuming.
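To make the differences between these models concrete, here is an added example (not from the course or the book) that reduces each model to one decision function and exercises them on the same sample data. Subjects, objects, roles, labels and the ABAC rules are all constructed for illustration; the MAC rules use the Bell-LaPadula "no read up / no write down" formulation, which is the textbook mandatory model and is an assumption about which MAC policy is meant.

```python
"""Added example (not from the course or the book): RBAC, DAC with an ACL on the
object, MAC with custodian-set labels, and ABAC with if/then rules, side by side.
All users, objects, roles, labels and rules below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

@dataclass
class Subject:
    name: str
    roles: Set[str] = field(default_factory=set)   # RBAC
    clearance: int = 0                              # MAC label (0 = lowest)
    department: str = ""                            # ABAC attribute

@dataclass
class Obj:
    name: str
    owner: str                                      # DAC: the owner controls the ACL
    classification: int = 0                         # MAC label set by the custodian
    department: str = ""                            # ABAC attribute
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # {subject: {actions}}

# RBAC: permissions attach to roles, and users get them only through their roles.
ROLE_PERMS = {
    "analyst": {"read"},
    "engineer": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

def rbac_allows(subj: Subject, action: str) -> bool:
    return any(action in ROLE_PERMS.get(role, set()) for role in subj.roles)

# DAC: the owner may do anything to the object and decides who else may, by
# editing the access control list attached to the object. Least restrictive.
def dac_allows(subj: Subject, obj: Obj, action: str) -> bool:
    if subj.name == obj.owner:
        return True
    return action in obj.acl.get(subj.name, set())

def dac_grant(granter: Subject, obj: Obj, grantee: str, action: str) -> None:
    """Only the owner may change the ACL; anyone else is refused."""
    if granter.name != obj.owner:
        raise PermissionError(f"{granter.name} does not own {obj.name}")
    obj.acl.setdefault(grantee, set()).add(action)

# MAC: labels are fixed by the custodian and the subject cannot change them.
# Bell-LaPadula: no read up (clearance >= classification to read) and
# no write down (clearance <= classification to write).
def mac_allows(subj: Subject, obj: Obj, action: str) -> bool:
    if action == "read":
        return subj.clearance >= obj.classification
    if action == "write":
        return subj.clearance <= obj.classification
    return False

# ABAC: "if/then" rules over subject, object and environment attributes.
Rule = Callable[[Subject, Obj, str, dict], bool]
ABAC_RULES: List[Rule] = [
    # If reading a document of your own department during business hours, allow.
    lambda s, o, a, env: a == "read" and s.department == o.department
                         and 9 <= env["hour"] < 18,
    # If writing a document of your own department from the corporate network, allow.
    lambda s, o, a, env: a == "write" and s.department == o.department
                         and env["network"] == "corp",
]

def abac_allows(subj: Subject, obj: Obj, action: str, env: dict) -> bool:
    return any(rule(subj, obj, action, env) for rule in ABAC_RULES)

if __name__ == "__main__":
    alice = Subject("alice", roles={"analyst"}, clearance=1, department="finance")
    doc = Obj("q3-forecast", owner="alice", classification=2, department="finance")
    print("RBAC read:", rbac_allows(alice, "read"))           # True
    print("DAC delete (owner):", dac_allows(alice, doc, "delete"))  # True
    print("MAC read (no read up):", mac_allows(alice, doc, "read"))  # False
```

Run the same subject and object through all four functions and the trade-off in the list above shows up directly: under DAC the owner can delete her own document and hand out access at will, while under MAC the same user cannot even read it because her clearance is below the custodian's label, regardless of what she owns or which role she holds.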
I wanted to see what the prevalence is of passwords being compromised and found an article that highlighted a recent study by Cybernews, which found that there were over 19 billion newly exposed passwords, 94% of them reused (Naprys, 2025). This shows that a great many passwords are still being compromised even with stricter password requirements being implemented across many websites. The study also noted that 42% of the stolen passwords were 8 to 10 characters long, which certainly makes sense because most systems don’t even allow passwords shorter than 8. So people are doing the minimum that websites will allow. The article also pointed out something that I mentioned earlier in what I learned about password managers: they said that is one of the best ways to create strong passwords.
The other thing I really wanted to see was whether there is a certain type of biometric credential that is more accurate or works better than the others. From everything I could find, including from Aware Inc., iris scanning seems to be the most secure. “Iris recognition is often considered one of the most secure biometric methods due to the uniqueness and stability of iris patterns. It’s difficult to replicate or forge iris patterns, and the technology is resistant to many common spoofing attacks” (Aware, 2023).
It’s fairly obvious that any organization would benefit from not using just one access credential, but from using multi-factor authentication instead. From my experience, my banking apps will ask for a password and then, before letting you log in, will send a code via text message or email that you have to enter as well. Many other sites and systems are starting to do this. I even have to do it for my timesheet at work, to log in to ODU’s portal, and on other websites. When it comes to things at work and for the DoD in general, they utilize a Common Access Card that you need to log in to some sites as well as the computer itself. But when you put the CAC in the reader you still need to enter a PIN as well. I was pretty sure the number would be pretty high before I looked it up, and when I did I found that, according to a Microsoft report, if you use multifactor authentication, 99.9% of automated attacks will be stopped (Cimpanu, 2019).