Read the book The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 127

IMPLEMENT AND MAINTAIN AUTHENTICATION METHODS


Authentication is the process of verifying that the factors or identity credentials presented by a subject actually match with what the identity management system has already established and approved. (Later sections in this chapter will address how these different functions—identity management, authentication, authorization, and accounting—can be hosted in different server architectures to meet the organization's needs in a cost-effective way.) When the identity management function provisions a newly created identity, it also creates or initializes the set of identity credentials, such as username and password, for that subject to use once the identity itself is provisioned across the systems that the subject has been granted use of.

Note that in common practice, the username is by definition the identity by which that subject is known within the system; the rest of the information created and provisioned by the identity management process, which is then used during access authentication and authorization, is known as the credentials. Some credentials, such as passwords, may also become factors and are presented as part of access authentication.

As with any process, authentication can be prone to errors. Type 1 errors, also called false negative errors, occur when an otherwise legitimate subject is denied access; this is an incorrect, or false, rejection of the subject. Type 2 errors, also called false positive errors, give the “green light” to a subject who should have been rejected, letting them proceed with their attempt to access the system or object in question. These false acceptances are the greater security worry, because they may be admitting an intruder into your systems. You'll look at these errors and how to manage their rate of occurrence several times in this chapter. Note that many IT professionals refer to these directly as false rejection or false acceptance errors, avoiding the possible confusion between error types, positive and negative.
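The following is an added worked example, not code from the book or from (ISC)2. It shows how the two error types above are counted in practice and how their rates depend on the decision threshold of a score-based authenticator (a biometric matcher is assumed here; the attempt records and scores are constructed sample data). It goes one step beyond the paragraph by also choosing a threshold security-first: cap the false acceptance rate (the greater worry) and only then minimize false rejections.

```python
"""Classify authentication outcomes as Type 1 / Type 2 errors and measure FRR / FAR.

Added example (not from the book).  Assumption: the authenticator produces a
similarity score in [0.0, 1.0] for each attempt and accepts when the score
meets a threshold.  Ground truth (was the subject genuine?) is known here
because the data is a constructed evaluation set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    subject: str
    genuine: bool   # ground truth: is this really the enrolled subject?
    score: float    # matcher similarity score (constructed sample value)


# Constructed sample attempts, not real measurements.
SAMPLE_ATTEMPTS = [
    Attempt("alice", True, 0.92),
    Attempt("alice", True, 0.81),
    Attempt("bob", True, 0.55),                 # legitimate user, poor sample
    Attempt("carol", True, 0.74),
    Attempt("mallory-as-alice", False, 0.63),   # impostor scoring fairly high
    Attempt("mallory-as-bob", False, 0.31),
    Attempt("trudy-as-carol", False, 0.48),
    Attempt("trudy-as-alice", False, 0.12),
]

# Candidate decision thresholds to evaluate (constructed).
THRESHOLDS = [0.3, 0.5, 0.6, 0.7, 0.8]


def classify(attempt, threshold):
    """Label one attempt: TP, TN, FR (Type 1 false rejection) or FA (Type 2 false acceptance)."""
    accepted = attempt.score >= threshold
    if attempt.genuine and accepted:
        return "TP"
    if attempt.genuine and not accepted:
        return "FR"   # Type 1: legitimate subject wrongly denied
    if not attempt.genuine and accepted:
        return "FA"   # Type 2: impostor wrongly admitted
    return "TN"


def error_rates(attempts, threshold):
    """Count both error types at a threshold and return FRR and FAR."""
    counts = {"TP": 0, "TN": 0, "FR": 0, "FA": 0}
    for attempt in attempts:
        counts[classify(attempt, threshold)] += 1
    genuine = counts["TP"] + counts["FR"]      # all genuine attempts
    impostor = counts["TN"] + counts["FA"]     # all impostor attempts
    return {
        "threshold": threshold,
        "false_rejections": counts["FR"],
        "false_acceptances": counts["FA"],
        "FRR": counts["FR"] / genuine if genuine else 0.0,
        "FAR": counts["FA"] / impostor if impostor else 0.0,
    }


def sweep(attempts, thresholds):
    """Evaluate every candidate threshold; raising it trades FAR down for FRR up."""
    return [error_rates(attempts, t) for t in thresholds]


def pick_threshold(attempts, thresholds, max_far):
    """Security-first selection: among thresholds whose FAR <= max_far, take the lowest FRR.

    Returns None when no threshold satisfies the FAR ceiling.
    """
    candidates = [r for r in sweep(attempts, thresholds) if r["FAR"] <= max_far]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (r["FRR"], r["threshold"]))
    return best["threshold"]


if __name__ == "__main__":
    for row in sweep(SAMPLE_ATTEMPTS, THRESHOLDS):
        print(f"threshold={row['threshold']:.2f}  Type1(FR)={row['false_rejections']}  "
              f"Type2(FA)={row['false_acceptances']}  FRR={row['FRR']:.2f}  FAR={row['FAR']:.2f}")
    print("threshold with FAR <= 0 and lowest FRR:", pick_threshold(SAMPLE_ATTEMPTS, THRESHOLDS, 0.0))
```

Running the sweep on the sample set shows the tradeoff the paragraph describes: at 0.3 nothing is falsely rejected but three of four impostors get in; at 0.8 every impostor is stopped but half the genuine attempts are rejected. The selection helper encodes the book's priority by treating false acceptances as the constraint and false rejections as the cost to minimize within it.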

