🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 13.2 - The AAA Model (Part 3 of 3)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series completes the study of identity and access management from Domain 5, closing out the model with accuracy and reach. It measures biometric performance and extends authentication beyond people to the devices and services that also ask for access.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

How do you measure whether a biometric device is accurate?

You look at the errors it makes. A false rejection happens when the system turns away a valid user, a false negative, measured by the false rejection rate and labeled a Type one error. A false acceptance happens when the system lets in the wrong person, a false positive, measured by the false acceptance rate, a Type two error. Most devices have a sensitivity dial that trades one error for the other.

How do you compare one biometric device against another?

You use the crossover error rate, also called the equal error rate. As you slide the sensitivity, the rejection rate and the acceptance rate move in opposite directions, and the point where they meet is the crossover rate. A lower crossover rate means a more accurate device, so it is the standard yardstick for comparison, even though you rarely run a device at that crossover point in practice.

Why is multi-factor authentication so much stronger?

Because it forces an attacker to win several different fights at once. Multi-factor means using two or more different factors, and the key word is different. Two passwords are not multi-factor, and combining a password with a personal identification number fails the test because both are things you know. But pair a token, a password, and a fingerprint, and an attacker must pull off a physical theft, a password crack, and a biometric forgery all at the same time.

What is passwordless authentication?

It lets users log in without any memorized secret at all. Since static passwords are the weakest link and heavy policies push people toward risky workarounds, the industry is moving away from them. You already see it when a phone unlocks with your face or a tablet with your finger, and an open industry alliance has built standards centered on hardware passkeys you plug in or tap, with nothing to remember and nothing to phish.

What is mutual authentication, and when do you need it?

It is two-way proof, where both ends verify each other before trusting anything. Instead of only the server checking the client, the client also checks the server, usually by exchanging digital certificates. This stops a client from spilling information to an impostor server, so if traffic is steered to a rogue server and the check fails, the session simply never starts and no credentials are handed over.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 13.2 - The AAA Model (Part 3 of 3).