Chapter 11: Identity & Access Management (IAM)


This is the chapter where we talk about the front door of every system: who you are, how we prove it, and what you're allowed to do once inside. As of January 2026, identity is the number one attack vector in almost every major breach. CERT-In advisories and global breach reports put credential theft, phishing and MFA bypass behind roughly 70–80% of successful attacks in India, with UPI-linked accounts, corporate Azure AD/Entra ID and Google Workspace tenants, banking apps and government portals as the favourite targets.

If attackers get your identity, they don’t need fancy exploits—they just walk in as you. That’s why modern IAM is no longer “just passwords”; it’s layered, contextual, and increasingly passwordless.

Let’s break it down step by step, with real Indian examples and practical 2026 realities.

1. Authentication Factors (Something You Know / Have / Are)

Authentication = proving you are who you claim to be. We use three classic factor categories (the “something” model):

  • Something you know (knowledge-based): password, PIN, security-question answer, pattern lock. Pros: easy to implement, no extra hardware. Cons: easy to steal (phishing, keyloggers, shoulder surfing), reused across sites, and weak ones fall to brute-force or dictionary attacks. 2026 reality: still the most common factor, but weak on its own; the DPDP Act pushes organisations to move beyond a single password.
  • Something you have (possession-based): physical token, smartphone (authenticator app, SMS OTP), hardware security key (YubiKey, Google Titan), smart card. Pros: harder to steal remotely, because the attacker needs the device (or, for SMS, control of the phone number). Cons: can be lost or stolen, and SMS is vulnerable to SIM swapping (very common in India). Example: Google Authenticator or Microsoft Authenticator generating a TOTP (Time-based One-Time Password) that changes every 30 seconds. Caveat: a TOTP code only proves possession; it can still be phished and relayed to the real site within its 30-second window, which is why section 2 treats it as weaker than FIDO2.
  • Something you are (inherent/biometric): fingerprint, face recognition, iris scan, voice, behavioural traits (keystroke dynamics, mouse movement). Pros: hard to forge (in theory), convenient. Cons: can be spoofed (a photo against a weak face unlock, a lifted fingerprint), privacy concerns, never 100% accurate (false accepts and false rejects), and unlike a password a biometric cannot be rotated once it leaks. 2026 India example: most Android phones offer fingerprint plus face unlock, laptops use Windows Hello Face, and Aadhaar-based e-KYC uses iris or fingerprint for high-assurance authentication.

Golden rule (still true in 2026): use at least two factors from different categories (2FA/MFA), never two from the same category. Password + PIN are both "know", so they count as one factor. Note also that a phone biometric usually just unlocks a key stored on that device, so "fingerprint on your phone" is really "have + are", and the strength of the login rests on the device's key storage.

2. Multi-Factor Authentication (MFA), Passwordless

  • MFA / 2FA — Require two or more factors. Common combos:

    • Password (know) + TOTP app (have)
    • Password + push notification to phone (have)
    • Password + biometric (are)

    2026 best practices:

    • Prefer TOTP / authenticator apps over SMS (SMS is vulnerable to SIM swap and number-porting fraud in India).
    • Use push-based MFA (Microsoft Authenticator, Google prompt, Okta Verify) with number matching turned on; a bare approve/deny prompt is exactly what the MFA-fatigue attacks in section 5 exploit.
    • Phishing-resistant MFA: FIDO2/WebAuthn authenticators, either hardware security keys (YubiKey, Titan Key) or platform passkeys (Apple, Google, Microsoft). These resist phishing because the private key never leaves the authenticator and every signature is bound to the site's origin (the relying-party ID), so a credential registered for your bank cannot be used to answer a challenge from a look-alike domain.
  • Passwordless Authentication — Eliminate passwords entirely (fastest-growing trend in 2026). Types:

    • FIDO2 / WebAuthn passkeys (synced across devices via iCloud Keychain, Google Password Manager or Microsoft's passkey store).
    • Biometric + device (Windows Hello, Face ID), where the biometric unlocks a private key held in the TPM or Secure Enclave.
    • Certificate-based (smart cards, device certificates).
    • Magic links / email OTP (weaker and still phishable, but better than a password alone).

    Example (very common in India 2026): you open your HDFC or SBI banking app, there is no password, and the phone prompts for Face ID or a fingerprint and approves the login. Behind the scenes this is a passkey or FIDO2 challenge-response: the app's server sends a random challenge, the authenticator signs it with a private key that the biometric unlocked, and the server checks the signature against the public key it stored at enrolment. Google, Microsoft and Apple all push passkeys hard; by 2026 many Indian fintechs (PhonePe, Paytm, Cred) support them.

Why passwordless matters: with no password to steal or reuse, credential stuffing and password phishing lose their target. The DPDP Act indirectly encourages it by requiring "strong authentication" for sensitive personal data.
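To make the TOTP factor from sections 1 and 2 concrete, here is an added example (not code from the original page or from any authenticator app) of RFC 6238 TOTP generation and server-side verification using only Python's standard library. The secret is the RFC 6238 test key; the one-step drift window and the replay guard are design choices, not something the RFC prescribes.

```python
# Added example, not from the original page: RFC 6238 TOTP (HMAC-SHA1,
# 30-second step) with a server-side verifier that tolerates one step of
# clock drift and refuses to accept the same step twice. Standard library only.
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
# RFC 6238 Appendix B test secret ("12345678901234567890"), base32-encoded.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, digits: int = DIGITS) -> str:
    """Code for the 30-second step containing unix_time (RFC 6238 over RFC 4226)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_code(secret_b32: str = DEMO_SECRET) -> str:
    """What an authenticator app would display right now."""
    return totp(secret_b32, int(time.time()))


class TotpVerifier:
    """Server side. Accepts the current step or one step either side (drift),
    compares in constant time, and records the highest accepted step so a
    code that has already been used is rejected (replay)."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_accepted_step = -1     # per-user state; persist it in production

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        now_step = unix_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue                 # already used: treat as replayed
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print("current code for the demo secret:", current_code())
```

The replay guard stops an attacker who phished a still-valid code from using it a second time, but it cannot stop the first relay inside the 30-second window; that gap is why TOTP is not called phishing-resistant and FIDO2 is.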

3. Single Sign-On (SSO), Federated Identity

  • Single Sign-On (SSO) — Log in once, then access multiple apps without re-authenticating. How it works: a central identity provider (IdP) authenticates you and issues a signed token or assertion; each application (the service provider or relying party) trusts it only after checking the signature, issuer, audience and expiry. Protocols: SAML 2.0 (enterprise) and OpenID Connect (OIDC), which runs on top of OAuth 2.0 (modern web and mobile).
  • Federated Identity — Use the identity from one provider (Google, Microsoft, Okta, GitHub) to log into other services ("Login with Google"). Benefits: fewer passwords, centralised management, easier MFA enforcement. Risks: if the IdP is compromised, every federated app is exposed (mitigated with strong IdP security and monitoring), and each app must check the token's audience, otherwise a token issued for one app can be replayed against another.

Real example (Airoli office worker): Company uses Microsoft Entra ID (Azure AD) as IdP → SSO for Office 365, Salesforce, Zoho, internal HR portal, and even canteen app. You log in once with Entra ID + MFA → seamless access everywhere. If you use “Login with Google” on a freelance site → federated via OpenID Connect.

2026 trend: Almost every Indian enterprise uses SSO (Okta, Entra ID, OneLogin, Google Cloud Identity). Government portals (DigiLocker, e-Office) increasingly support federated login via Aadhaar/e-Pramaan.
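The checks an application must run before trusting an IdP's assertion are the "signature, issuer, audience and expiry" step above, and the audience check is what closes the federation risk of a token issued for one app being replayed against another. The following is an added example, not code from the original page or from any IdP product: a demo IdP mints OIDC ID tokens and a relying party validates them. To stay within Python's standard library the demo signs with HS256 and a shared secret; real IdPs sign with RS256 or ES256 and the relying party verifies against the IdP's published JWKS, but the claim checks are identical. The issuer URL, client IDs, key and timestamps are constructed.

```python
# Added example, not from the original page: OIDC ID token validation on the
# relying-party side. HS256 with a shared secret stands in for the RS256/JWKS
# signature of a real IdP; everything after the signature check is the same.
import base64
import hashlib
import hmac
import json

IDP_ISSUER = "https://idp.example.com"              # constructed
IDP_KEY = b"constructed-shared-secret-do-not-reuse"  # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = IDP_KEY, alg: str = "HS256") -> str:
    """IdP side. alg='none' exists here only so the RP can be shown rejecting it."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    pass


def validate_id_token(token: str, client_id: str, expected_nonce: str, now: int,
                      key: bytes = IDP_KEY, issuer: str = IDP_ISSUER) -> dict:
    """Relying-party side: every check must pass before the claims are trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":                 # pin the algorithm; never honour alg=none
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:                        # minted for a different app: reject
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired")
    if claims.get("nonce") != expected_nonce:       # binds the token to this login attempt
        raise TokenError("nonce mismatch")
    return claims


def run_scenarios(now: int = 1_000_000_300) -> dict:
    """Verdict of the 'hr-portal' relying party on five tokens: 'ok' or the reason."""
    base = {"iss": IDP_ISSUER, "sub": "u-1001", "iat": now - 300, "exp": now + 300, "nonce": "n-abc"}
    tokens = {
        "genuine": mint_id_token({**base, "aud": "hr-portal"}),
        "for_other_app": mint_id_token({**base, "aud": "canteen-app"}),      # valid, wrong app
        "alg_none": mint_id_token({**base, "aud": "hr-portal"}, alg="none"),
        "expired": mint_id_token({**base, "aud": "hr-portal", "exp": now - 1}),
        "forged_issuer": mint_id_token({**base, "aud": "hr-portal", "iss": "https://evil.example"},
                                       key=b"attacker-key"),
    }
    verdicts = {}
    for name, tok in tokens.items():
        try:
            validate_id_token(tok, client_id="hr-portal", expected_nonce="n-abc", now=now)
            verdicts[name] = "ok"
        except TokenError as err:
            verdicts[name] = str(err)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:15s} -> {verdict}")
```

The order matters: the algorithm is pinned and the signature checked before any claim is read, so a forged issuer never reaches the issuer comparison, and the "for_other_app" case shows a perfectly genuine token from the same IdP being refused purely on audience.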

4. Privileged Access Management (PAM)

PAM = special controls for high-risk accounts (admins, service accounts, root, DBA, DevOps keys).

Why PAM is critical: one compromised admin account can mean full domain takeover. A Domain Admin can run DCSync to pull every password hash from a domain controller, including the krbtgt hash needed to forge a Golden Ticket that impersonates any user.

Core features (2026 standard tools: CyberArk, BeyondTrust, Delinea, Microsoft Privileged Identity Management):

  • Just-in-Time (JIT) / Just-Enough-Access — Elevate privileges only when needed, for limited time.
  • Credential vaulting — Store admin passwords/keys in encrypted vault, rotate automatically.
  • Session monitoring & recording — Record every admin session (screen recording plus keystrokes), so there is an audit trail to review after an incident.
  • MFA for privilege elevation.
  • Zero standing privileges — No permanent admin rights.

Example (Indian IT company in Navi Mumbai): DevOps engineer needs to access production AWS console → requests via PAM tool → gets temporary elevated role for 2 hours → session recorded → credentials auto-rotated after use. Prevents “standing admin” risk where one leaked credential gives permanent god-mode.
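The request, time-boxed grant, recorded session and rotation in this workflow can be sketched as a small broker. The following is an added example, not code from the original page or from any of the PAM products named above; the principal names, the role name, the 2-hour cap and the fixed clock are assumptions for illustration.

```python
# Added example, not from the original page: a minimal just-in-time (JIT)
# privilege broker illustrating zero standing privileges. Nobody holds a
# privileged role at rest; access is a time-boxed grant that requires MFA at
# request time, is capped, ends with credential rotation, and is fully audited.
# Names, roles, the 2-hour cap and NOW are assumptions for the demo.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_GRANT = timedelta(hours=2)
NOW = datetime(2026, 1, 15, 10, 11, tzinfo=timezone.utc)    # fixed clock for the demo


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


def minutes(n: float) -> timedelta:
    return timedelta(minutes=n)


@dataclass
class Grant:
    principal: str
    role: str
    justification: str
    granted_at: datetime
    expires_at: datetime
    ended: bool = False


class JitBroker:
    def __init__(self, eligibility: dict):
        # eligibility says who may *request* a role; it is not an entitlement
        self.eligibility = eligibility
        self.grants: list[Grant] = []
        self.audit: list[dict] = []

    def _log(self, principal: str, role: str, decision: str, detail: str = "") -> None:
        self.audit.append({"principal": principal, "role": role,
                           "decision": decision, "detail": detail})

    def request(self, principal: str, role: str, justification: str,
                duration: timedelta, mfa_verified: bool, now: datetime) -> Optional[Grant]:
        reason = None
        if role not in self.eligibility.get(principal, set()):
            reason = "not eligible for role"
        elif not mfa_verified:
            reason = "MFA required for elevation"
        elif not justification.strip():
            reason = "justification required"
        elif duration > MAX_GRANT:
            reason = f"duration exceeds cap of {MAX_GRANT}"
        if reason:
            self._log(principal, role, "denied", reason)
            return None
        grant = Grant(principal, role, justification, now, now + duration)
        self.grants.append(grant)
        self._log(principal, role, "granted", f"until {grant.expires_at.isoformat()}")
        return grant

    def is_authorized(self, principal: str, role: str, now: datetime) -> bool:
        # Authorization is derived from a live grant, never from static group membership.
        return any(g.principal == principal and g.role == role and not g.ended
                   and g.granted_at <= now < g.expires_at for g in self.grants)

    def end_session(self, grant: Grant, now: datetime) -> str:
        """Close the grant early and rotate the credential it exposed."""
        grant.ended = True
        new_secret = secrets.token_urlsafe(24)      # stands in for vault-driven rotation
        self._log(grant.principal, grant.role, "ended", f"credential rotated at {now.isoformat()}")
        return new_secret


if __name__ == "__main__":
    broker = JitBroker({"devops1": {"prod-admin"}})
    grant = broker.request("devops1", "prod-admin", "INC-42 rollback", hours(2), True, NOW)
    print("authorized after 1h:", broker.is_authorized("devops1", "prod-admin", NOW + hours(1)))
    print("authorized after 2h:", broker.is_authorized("devops1", "prod-admin", NOW + hours(2)))
    broker.end_session(grant, NOW + minutes(30))
    for entry in broker.audit:
        print(entry)
```

The key property is that is_authorized never consults a static "admins" group: take away every grant and nobody is an admin, which is the "standing admin" risk the paragraph above describes.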

5. Identity-based Attacks (Credential Stuffing, Password Spraying)

  • Credential Stuffing: use stolen username/password pairs from one breach and try them on many other sites with automated bots. Why it works: password reuse across accounts is still roughly 60–70%. 2026 India example: combo lists built from RockYou2021-style dumps plus recent Indian breaches (Zomato, Domino's and others) are fed to bots that try millions of email:password pairs against banking, UPI and corporate logins. Defence: enforce unique passwords (check new passwords against breach corpora), require MFA, and detect anomalous logins (impossible travel, unknown device, one source hitting many accounts).
  • Password Spraying: try a handful of common passwords (Welcome123, Password@2025, CompanyName@2026) across many accounts, one or two attempts each, so no single account trips the lockout threshold. Example: an attacker targets a corporate Entra ID tenant and tries "January2026" against thousands of user@company.in accounts. Defence: strong password policy with a banned-password list, account lockout plus smart lockout (Entra ID), MFA, and behavioural analytics that alert on one source failing against many distinct accounts.

Other identity attacks (2026 hot):

  • MFA fatigue bombing: the attacker already has the password and spams push prompts until the user approves one.
  • Adversary-in-the-Middle (AiTM) phishing (Evilginx-style): a reverse proxy relays the real login page, captures the password, the OTP and the resulting session cookie, and so defeats SMS, TOTP and push MFA; FIDO2/passkeys survive because the signature is bound to the genuine origin.
  • Token replay / session hijacking: stolen session cookies or refresh tokens are reused from the attacker's machine, bypassing authentication entirely.

Best defences right now: phishing-resistant MFA (FIDO2/passkeys), Conditional Access policies (location, device compliance, sign-in risk), short-lived tokens that are revoked when risk is detected, and identity threat detection (Microsoft Defender for Identity, Okta ThreatInsight).
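As an added example (not from the original page or from any detection product), the following Python runs three of these detections over constructed authentication events: one source failing against many distinct accounts (the login-side signature that password spraying and credential stuffing share, since the password itself never appears in the log), a run of unanswered push prompts followed by an approval (MFA fatigue), and two successful logins from different countries within an hour (impossible travel). Field names, IP addresses, user names and thresholds are assumptions.

```python
# Added example, not from the original page: identity-attack detections over
# constructed (not real) authentication events. Thresholds are assumptions;
# tune them against your own tenant's baseline before alerting on them.
from collections import defaultdict

USERS = ["asha", "ravi", "meera", "dev", "priya", "arjun"]


def ev(ts, user, ip, stage, result, country):
    """One authentication event. stage is 'password' or 'push'."""
    return {"ts": ts, "user": f"{user}@company.in", "ip": ip,
            "stage": stage, "result": result, "country": country}


# Constructed story: 203.0.113.9 sprays one password across six accounts and
# hits ravi, then push-bombs him; asha logs in normally after two typos;
# meera logs in from India and, 18 minutes later, from the US.
EVENTS = (
    [ev(100 + i, u, "203.0.113.9", "password", "fail", "RO") for i, u in enumerate(USERS)]
    + [ev(200, "asha", "198.51.100.4", "password", "fail", "IN"),
       ev(205, "asha", "198.51.100.4", "password", "fail", "IN"),
       ev(210, "asha", "198.51.100.4", "password", "success", "IN"),
       ev(290, "ravi", "203.0.113.9", "password", "success", "RO"),
       ev(300, "ravi", "203.0.113.9", "push", "denied", "RO"),
       ev(310, "ravi", "203.0.113.9", "push", "timeout", "RO"),
       ev(320, "ravi", "203.0.113.9", "push", "denied", "RO"),
       ev(330, "ravi", "203.0.113.9", "push", "approved", "RO"),
       ev(400, "meera", "198.51.100.20", "password", "success", "IN"),
       ev(401, "meera", "198.51.100.20", "push", "approved", "IN"),
       ev(1500, "meera", "203.0.113.77", "password", "success", "US")]
)


def spray_sources(events, min_accounts=5, max_attempts_per_account=2.0):
    """IPs that touch many distinct accounts with few attempts each: the
    low-and-slow shape of spraying (and of stuffing seen from the login side)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["stage"] == "password":
            by_ip[e["ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        if len(users) >= min_accounts and len(evs) / len(users) <= max_attempts_per_account:
            hits.append(ip)
    return sorted(hits)


def mfa_fatigue(events, threshold=3, window=600):
    """Users who approved a push after >= threshold unanswered prompts within window seconds."""
    pushes = defaultdict(list)
    for e in events:
        if e["stage"] == "push":
            pushes[e["user"]].append(e)
    hits = []
    for user, evs in pushes.items():
        evs.sort(key=lambda e: e["ts"])
        unanswered = []
        for e in evs:
            if e["result"] == "approved":
                recent = [p for p in unanswered if e["ts"] - p["ts"] <= window]
                if len(recent) >= threshold:
                    hits.append(user)
                    break
                unanswered = []
            else:
                unanswered.append(e)          # denied or timed-out prompt
    return sorted(hits)


def impossible_travel(events, window=3600):
    """(user, from, to) for consecutive successful logins from different
    countries closer together than window seconds."""
    logins = defaultdict(list)
    for e in events:
        if e["stage"] == "password" and e["result"] == "success":
            logins[e["user"]].append(e)
    hits = []
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= window:
                hits.append((user, a["country"], b["country"]))
    return sorted(hits)


if __name__ == "__main__":
    print("spray sources:     ", spray_sources(EVENTS))
    print("mfa fatigue:       ", mfa_fatigue(EVENTS))
    print("impossible travel: ", impossible_travel(EVENTS))
```

Note what each rule keys on: spraying is visible per source, not per account (each account fails only once, which is the whole point of the attack), MFA fatigue needs the sequence of prompts rather than a count, and impossible travel only makes sense over successful logins.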
