Requirement 8: Identify Users and Authenticate Access to System Components
Identifying and authenticating users rests on two fundamental principles: 1) establish the identity of an individual or process on a computer
system, and 2) prove or verify that the user associated with that identity is who the user claims to be.
Identification of an individual or process on a computer system is performed by associating an identity with a person or process through an
identifier, such as a user, system, or application ID. These IDs (also referred to as "accounts") establish the identity of an individual or
process by assigning a unique identifier to each person or process, so that one user or process can be distinguished from another. When each
user or process can be uniquely identified, there is accountability for the actions performed under that identity: actions taken can be traced
to known and authorized users and processes. A shared or generic ID breaks this chain, because an action logged under it cannot be attributed to
any one person or process.
The element used to prove or verify the identity is known as the authentication factor. Authentication factors are 1) something you know, such
as a password or passphrase, 2) something you have, such as a token device or smart card, or 3) something you are, such as a biometric
element.
The ID and the authentication factor together are considered the authentication credentials and are used to gain access to the rights and
privileges associated with a user, application, system, or service account.
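The following is an added example, not part of the PCI DSS text, showing the two principles above in working code: a unique ID identifies the account, a knowledge factor (salted password hash) and a possession factor (a TOTP code computed as in RFC 6238 over RFC 4226 HOTP truncation) verify it, and every attempt is logged against the ID so actions can be traced to it. The class and function names, the requirement that both factors be presented, and the sample account and secret (the RFC 4226 test secret, with a fixed timestamp) are all assumptions constructed for this example.

```python
"""Added example (not from the PCI DSS text): identification, authentication and
accountability in one small authenticator, using only the standard library."""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 100_000  # illustrative; raise for a production deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor ("something you know"): store a salted PBKDF2 hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Possession factor ("something you have"): RFC 6238 TOTP, HMAC-SHA1 with RFC 4226 truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Authenticator:
    """Maps each unique ID to its credential material and records every attempt against that ID."""

    def __init__(self) -> None:
        self.accounts = {}   # user ID -> credential record
        self.audit_log = []  # (user ID, outcome) tuples: the accountability trail

    def enroll(self, user_id: str, password: str, totp_secret: bytes) -> None:
        # An ID must be unique so that actions can be attributed to exactly one person or process.
        if user_id in self.accounts:
            raise ValueError(f"ID already assigned: {user_id}")
        salt = os.urandom(16)
        self.accounts[user_id] = {
            "salt": salt,
            "password_hash": hash_password(password, salt),
            "totp_secret": totp_secret,
        }

    def authenticate(self, user_id: str, password: str, code: str, unix_time: int) -> bool:
        """Identification (look up the ID), then verification of both factors.
        Returns a single pass/fail so a caller cannot learn which factor was wrong."""
        record = self.accounts.get(user_id)
        if record is None:
            # Still pay for one hash so an unknown ID costs the same time as a wrong password.
            hash_password(password, b"\x00" * 16)
            self.audit_log.append((user_id, "fail: unknown ID"))
            return False
        know_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["password_hash"])
        have_ok = hmac.compare_digest(totp(record["totp_secret"], unix_time), code)
        ok = know_ok and have_ok
        self.audit_log.append((user_id, "success" if ok else "fail: bad credential"))
        return ok


def demo() -> tuple:
    """Constructed sample data: the RFC 4226 test secret and a fixed timestamp (59 s -> counter 1)."""
    auth = Authenticator()
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test vector secret, not a real one
    auth.enroll("alice", "correct horse battery staple", secret)
    good = auth.authenticate("alice", "correct horse battery staple", totp(secret, 59), 59)
    wrong_pw = auth.authenticate("alice", "wrong", totp(secret, 59), 59)
    wrong_code = auth.authenticate("alice", "correct horse battery staple", "000000", 59)
    return good, wrong_pw, wrong_code


if __name__ == "__main__":
    print(demo())
```

Each audit entry carries the ID rather than a shared account name, which is what makes the log an accountability record; the two factors come from different categories (knowledge and possession), since two passwords would both be "something you know".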