| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 13.2 - The AAA Model (Part 2 of 3)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues the study of identity and access management from Domain 5, digging deeper into the specific factors and secrets you use to prove identity. It gets concrete about the tools of authentication and the strengths and weak spots that shape every real-world login choice.
What this episode covers
- Location as a security signal — somewhere you are ties a login to a place, and context-aware checks weigh location, time, and device together.
- Something you know — static passwords are the weakest factor, exposed by sniffing, cleartext storage, and brute-force or credential-stuffing attacks.
- Passphrases and PINs — a longer, personally meaningful string resists cracking, and personal identification numbers live in this same factor.
- Strong password policy — maximum age, complexity, length, minimum age, and history work together to keep memorized secrets sound.
- Standards guidance — the national standards institute favors flexible, hashed passwords, while the payment card standard is stricter.
- Something you have — smartcards and authenticator tokens produce one-time passwords, though text-message codes have lost favor.
- Something you are — biometrics measure physiological traits like fingerprints, faces, retinas, irises, palm veins, and voice.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How can location itself become a security signal?
Location adds attributes that back up the main factors. Somewhere you are ties a login to a specific place, an IP address, or a phone number from caller identification. If a user normally signs in from one region and a login suddenly appears from overseas, the system can block it even with the right password. It is not perfect, though, since an attacker can route through a virtual private network to fake the source.
What is the something you know factor, and why are passwords so weak?
The classic example is the password, a static string you memorize, and it is the weakest form of authentication. Easy ones are simple to guess, hard ones get written down, and users share or forget them. Attackers steal them by watching, sniffing networks, or dumping databases, especially when passwords travel in cleartext, and they fall to brute-force guessing, dictionaries, password spraying, and credential stuffing.
What makes a strong password policy?
Organizations write a password policy and enforce it with technical settings. Maximum age forces a periodic change, complexity sets how many character types are required, and length sets the minimum number of characters, where longer is always harder to crack. Minimum age blocks changing a password again too soon, and history remembers past passwords, so together minimum age and history stop someone from rotating straight back to the original.
What is the something you have factor?
This factor is a physical object you carry, and it shines when paired with another factor for multi-factor authentication. A smartcard is a badge-sized card with an embedded chip, often holding a microprocessor and certificates used for encryption or digital signatures. It is tamper-resistant, but because cards can be swapped or shared, you usually add a personal identification number or password alongside it.
How does the something you are factor use biometrics?
Biometrics measure physical traits and can serve as identification, authentication, or both, though they never provide authorization or accountability. Used for identification, the system searches your offered pattern against a whole database of enrolled users. Used for authentication, it does a one-to-one match against the single stored pattern for the identity you claim. So one mode asks who is this, and the other asks are you really who you say.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 13.2 - The AAA Model (Part 2 of 3).