
Identity and Access Management (IAM) Explained for Security+

Stolen credentials are involved in the majority of data breaches. Identity and access management is the discipline that controls who can prove who they are, what they are allowed to do with that identity, and under what conditions. Security+ SY0-701 tests authentication factors and MFA, federation protocols like SAML and OAuth, access control models from DAC to ABAC, and privileged access management. The exam scenario questions describe a requirement and ask which technology satisfies it. Password plus PIN is one of the most common wrong answers because people assume two factors means MFA. It does not.


Authentication factors and MFA

Authentication proves identity using one or more factors. The three classic factor categories are something you know (password, PIN, security question), something you have (smart card, hardware token, authenticator app, one-time code), and something you are (biometric: fingerprint, facial recognition, retina scan). Two additional categories are sometimes tested: somewhere you are (geolocation, IP range restriction) and something you do (behavioral biometrics like typing rhythm).

Multi-factor authentication requires two or more factors from different categories. A password and a PIN are both something you know: two factors from the same category. This is not MFA. A password and a code from an authenticator app are something you know and something you have: two different categories. This is MFA. The distinction matters on exam questions that describe authentication and ask whether it is MFA.

Phishing-resistant MFA is specifically tested in Security+ SY0-701. Standard SMS codes and time-based OTPs can be intercepted or relayed in real-time phishing attacks, because the code itself carries no information about which site it was typed into. FIDO2/WebAuthn hardware security keys and passkeys are phishing-resistant because the signed response is cryptographically bound to the specific website origin (domain) the browser is actually connected to. Even if an attacker tricks you onto a lookalike site, the response your hardware key produces there is not valid for the real site, so it will not authenticate.

Federation, SSO, and protocols

Federation allows users to authenticate with their home identity provider (IdP) and then access resources at a separate service provider (SP) without creating a separate account. Your corporate identity provider authenticates you once, and federated service providers trust that authentication for their own access decisions.

SAML (Security Assertion Markup Language) is an XML-based federation protocol. After the user authenticates, the IdP sends a signed XML assertion to the SP, which trusts it because of the signature. SAML is the standard for enterprise web SSO with SaaS applications. OAuth 2.0 is an authorization framework, not an authentication protocol. It allows applications to request limited access to a resource on behalf of a user without sharing the user's credentials. OpenID Connect (OIDC) adds an authentication layer on top of OAuth 2.0: an ID token (a JWT) that carries identity claims about the authenticated user.

Single Sign-On lets users authenticate once and access multiple systems without re-authenticating for each one. This reduces password fatigue, decreases the number of credentials that can be stolen, and simplifies the authentication experience.

Access control models and PAM

Discretionary Access Control (DAC) lets resource owners decide who has access. The file owner sets permissions. This is how NTFS permissions work. Flexible but hard to manage at scale because access decisions are decentralized.

Mandatory Access Control (MAC) uses system-enforced labels and clearances. Users cannot override the policy regardless of their ownership or role. Military classification systems work this way: a user cleared for Confidential cannot access Secret documents even if they own the folder.

Role-Based Access Control (RBAC) assigns permissions to roles, then assigns users to roles. Changing what a role can access immediately changes what every user in that role can access. Scalable and auditable. The dominant model in enterprise environments.

Attribute-Based Access Control (ABAC) makes access decisions based on multiple attributes: the user's department, the device's compliance status, the time of day, the data classification, the request location. ABAC can implement the most granular and dynamic access policies and is the foundation of Zero Trust implementations.

Privileged Access Management (PAM) specifically controls high-privilege accounts. PAM provides just-in-time access (elevate privilege only when needed, not permanently), session recording (capture everything a privileged user does), credential vaulting (privileged and service-account passwords are stored in a vault and injected into sessions, so administrators never see them directly), and approval workflows.

How to choose the correct answer

MFA: two factors from different categories. Password + PIN = NOT MFA (both knowledge factors).

Protocol mapping: enterprise XML-based SSO = SAML. API access delegation = OAuth 2.0. Authentication on top of OAuth with ID token = OIDC.

Access control model: resource owner controls access = DAC. Clearance labels = MAC. Roles and permissions = RBAC. Multiple attributes including context = ABAC.

Just-in-time elevated access with session recording = PAM.

Access control models

Model        Who controls access?                  Use case
-----------  ------------------------------------  -----------------------------------------------
DAC          Resource owner                        Standard file systems (NTFS, Linux permissions)
MAC          System policy (clearance labels)      Military, government classified systems
RBAC         Administrator via roles               Enterprise environments (most common)
ABAC         Policy engine using attributes        Zero Trust, context-aware access
Rule-based   Administrator via conditional rules   Firewalls, ACLs, time-based access

Key exam facts — Security+ / CISSP

  • MFA: two or more factors from different categories. Two passwords = NOT MFA.
  • Authentication factors: know, have, are, where you are, what you do.
  • SAML: XML-based enterprise federation and SSO. OAuth: authorization delegation. OIDC: authentication on top of OAuth.
  • DAC: owner controls. MAC: label-based, system enforced. RBAC: roles. ABAC: attributes and context.
  • PAM: just-in-time privilege, session recording, credential vaulting.

Common exam traps

A password and a PIN together constitute multi-factor authentication.

Password and PIN are both knowledge factors (something you know). MFA requires factors from different categories. A password (something you know) combined with a hardware token (something you have) is MFA. Two items from the same category are single-factor authentication with two checks.

OAuth 2.0 is an authentication protocol.

OAuth 2.0 is an authorization framework. It grants applications limited access to resources on behalf of users without sharing credentials. OpenID Connect (OIDC) is the authentication layer built on top of OAuth 2.0. When someone uses 'Sign in with Google,' OIDC is handling authentication while OAuth handles the authorization grant.

RBAC and ABAC are interchangeable for modern environments.

RBAC grants access based on role membership, which is static and predefined. ABAC evaluates multiple dynamic attributes for every access decision: who is asking, from what device, at what time, from where, to what data. ABAC supports the context-aware, Zero Trust style access that RBAC cannot implement.
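An added example (written for this page, not taken from any product) of the difference drawn here and in the access control model section: the same request evaluated by a static role check and by an attribute policy. The policy rules, attribute names, business hours and the "US" approved-location constant are assumptions constructed for illustration.

```go
package main

import "time"

// Request carries the attributes the page lists as ABAC inputs (constructed example).
type Request struct {
	User            string
	Roles           []string // what RBAC looks at
	Department      string   // everything below is what ABAC additionally looks at
	DeviceCompliant bool
	Country         string
	At              time.Time
	DataClass       string // "public", "internal" or "confidential"
	DataOwnerDept   string
}

// rbacAllows answers a single static question: does the user hold the role?
func rbacAllows(r Request, requiredRole string) bool {
	for _, role := range r.Roles {
		if role == requiredRole {
			return true
		}
	}
	return false
}

// abacAllows evaluates every request against the current attributes. The policy
// below is illustrative; the point is that the same user with the same role can
// be allowed or denied depending on device, time, location and data class.
func abacAllows(r Request, requiredRole string) (bool, string) {
	if !rbacAllows(r, requiredRole) {
		return false, "role not held" // role is just one attribute among several
	}
	if !r.DeviceCompliant {
		return false, "device not compliant"
	}
	if r.DataClass == "confidential" && r.Department != r.DataOwnerDept {
		return false, "confidential data outside the owning department"
	}
	if h := r.At.Hour(); r.DataClass != "public" && (h < 7 || h >= 19) {
		return false, "outside business hours"
	}
	if r.DataClass == "confidential" && r.Country != "US" { // illustrative approved location
		return false, "confidential data from an unapproved location"
	}
	return true, "all attribute rules satisfied"
}
```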
