Vol. 01 · Story 10 · Domain 1

GARY'S FRONT DOOR.

Authentication & Identity

Gary's Coffee Shop front door · 3 min read

Three ways to prove who you are. Then one ticket that opens everything. Then trusting another shop's identity system — with a sealed letter, a plain wristband, and a wristband with a photo.


Gary upgrades his front door with a proper security system. Three ways to prove you're allowed in. Each one covers a different category of evidence.

First, a keypad: type a code to unlock. That's something you know: passwords, PINs, security questions. Weakest of the three. It can be shoulder-surfed while you type it, guessed, phished, or brute-forced, and it leaks wholesale when a database of them is breached.

Second, a key, a physical thing you carry. That's something you have: smart cards, TOTP phone apps, hardware tokens, SSH keys. Stronger, because an attacker needs the object itself (or a copy of the secret stored inside it). One caveat a practitioner should know: a six-digit TOTP code can still be relayed by a phishing page in real time, so only origin-bound factors such as FIDO2 security keys are phishing-resistant.

Third, a fingerprint scanner. That's something you are: biometrics, meaning fingerprints, Face ID, iris scans. Hardest to steal, but impossible to rotate: you cannot issue yourself a new fingerprint after a breach, and a scanner accepts a match above a threshold rather than an exact value, so every biometric has false-accept and false-reject rates.

Gary's wife makes him use two of them — the key AND the keypad. That's MFA — Multi-Factor Authentication. Two different types. Two passwords is NOT MFA — that's two things you know. A key plus a keypad IS MFA — something you have plus something you know.

Gary's getting tired of unlocking every room separately. He goes to the ticket booth (Door 88 — Kerberos). Proves who he is once, gets a golden ticket. Now every door in the building opens without asking again.

That's SSO, Single Sign-On. Kerberos (port 88) is the ticket system Active Directory uses. The ticket Gary carries is the TGT, the ticket-granting ticket: each time he wants a new door he shows the TGT to the booth and gets a service ticket for that door, without typing his password again, and the door checks that ticket with its own key rather than ever seeing the password. One caveat on the metaphor: practitioners also use "Golden Ticket" for a TGT forged with the krbtgt account's key, so keep the friendly ticket of this story and the attack apart.
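The ticket-booth flow above, as an added toy model that is not code from the page or from any Kerberos implementation. Real Kerberos encrypts the TGT under the krbtgt key and each service ticket under that service's key, and negotiates per-session keys; here an HMAC-SHA256 seal over a JSON payload stands in for that sealing so the block runs on the standard library alone. Every principal, key, password and lifetime below is constructed for the illustration.

```python
import hashlib
import hmac
import json
import time

TGT_LIFETIME = 10 * 3600       # assumption: 10-hour TGT, the Active Directory default
TICKET_LIFETIME = 10 * 3600    # assumption: service tickets live as long


def seal(key: bytes, payload: dict) -> str:
    """Bind a payload to a key. Stand-in for Kerberos ticket encryption."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def unseal(key: bytes, ticket: str, now: float) -> dict:
    """Refuse tickets not made under `key`, and tickets past their expiry."""
    body, _, tag = ticket.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("ticket was not issued under this key")
    payload = json.loads(body)
    if payload["exp"] <= now:
        raise PermissionError("ticket expired")
    return payload


class KDC:
    """The ticket booth on port 88: authentication server plus ticket-granting server."""

    def __init__(self) -> None:
        self.krbtgt_key = b"krbtgt-long-term-key"                 # constructed
        self.service_keys = {"espresso/bar": b"espresso-key",      # constructed
                             "cifs/files": b"files-key"}
        self.users = {"gary": hashlib.sha256(b"correct horse").hexdigest()}

    def authenticate(self, user: str, password: str, now: float) -> str:
        """AS exchange: Gary proves who he is exactly once and receives a TGT."""
        stored = self.users.get(user)
        offered = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, offered):
            raise PermissionError("bad credentials")
        return seal(self.krbtgt_key,
                    {"typ": "TGT", "principal": user, "exp": now + TGT_LIFETIME})

    def service_ticket(self, tgt: str, service: str, now: float) -> str:
        """TGS exchange: swap a valid TGT for a ticket to one door. No password involved."""
        claims = unseal(self.krbtgt_key, tgt, now)
        if claims["typ"] != "TGT":
            raise PermissionError("not a TGT")
        if service not in self.service_keys:
            raise KeyError(f"unknown service {service}")
        return seal(self.service_keys[service],
                    {"typ": "ST", "principal": claims["principal"],
                     "service": service, "exp": now + TICKET_LIFETIME})


class Door:
    """A service. It holds only its own key; it never sees the password or the krbtgt key."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name, self.key = name, key

    def admit(self, ticket: str, now: float) -> str:
        claims = unseal(self.key, ticket, now)
        if claims["typ"] != "ST" or claims["service"] != self.name:
            raise PermissionError("ticket is for a different door")
        return claims["principal"]


def sso_walkthrough(now: float = None) -> list:
    """Authenticate once, then open two doors without re-entering the password."""
    now = time.time() if now is None else now
    kdc = KDC()
    tgt = kdc.authenticate("gary", "correct horse", now)
    opened = []
    for name in ("espresso/bar", "cifs/files"):
        st = kdc.service_ticket(tgt, name, now)
        opened.append(Door(name, kdc.service_keys[name]).admit(st, now))
    return opened
```

Two properties carry over from real Kerberos: a service ticket for one door is refused at another, because it was sealed under a different key, and anyone holding `krbtgt_key` can mint a TGT the booth will honour, which is exactly why that key is the most sensitive secret in a domain.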

Gary's mate runs a shop on the next street. He trusts Gary's ticket booth, so he accepts Gary's golden ticket too — no need for a separate login.

That's federation — trusting another organisation's identity system.

Method 1: Gary's ticket booth writes a formal letter on thick paper, stamped with the official seal, and hands it to Gary. He walks to his mate's shop and presents it. The sealed letter is an XML assertion. That's SAML, Security Assertion Markup Language: the identity provider signs the assertion, and the service provider verifies the seal (the XML signature) before trusting anything written inside it. A service that skips that check will accept any letter anyone cares to write. Enterprise SSO lives here.

Method 2: Gary's mate doesn't need to know who Gary is. He just needs to know Gary is allowed to use the espresso machine. Gary's ticket booth gives him a plain wristband with "ESPRESSO: YES" printed on it. No name, no photo, just permission. That's OAuth: it grants authorisation (what you can access) without identity. The wristband is an access token, meant for the espresso machine (the resource server) to check scope, and treating it as proof of who someone is, rather than what they may do, is a common mistake. "Let this app access my Google Drive" is OAuth.

Method 3: Same wristband, but this time it has Gary's photo laminated on it and the text "GARY, MANAGER, ESPRESSO: YES." Now his mate knows who Gary is AND what he's allowed to do. That's OIDC, OpenID Connect: OAuth with an ID token bolted on. The ID token is a signed JWT carrying claims such as sub (who), iss (which booth issued it), aud (which shop it is for) and exp (when it stops being valid), and the shop must check all of those, not just the signature. "Sign in with Google" is OIDC.
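The plain wristband and the wristband with a photo from Methods 2 and 3, as an added example that is not code from the page, from Google, or from any OAuth/OIDC library. Both tokens are HS256 JWTs built on the standard library; real providers sign with RS256 or ES256 and publish their public keys at a JWKS URL. The issuer, client identifier, audience and scope strings, and the shared signing key are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://booth.garys.example"   # constructed: Gary's ticket booth (authorisation server / IdP)
MATES_SHOP = "mates-shop-app"            # constructed: client_id of the mate's shop (relying party)
ESPRESSO_API = "espresso-api"           # constructed: audience of the resource server
KEY = b"shared-signing-key"             # constructed: HS256 key known to booth, shop and API


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """header.payload.signature, signed with HMAC-SHA256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Signature first, then issuer, audience and expiry. Any failure rejects the token."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token pick 'none'
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token was not issued for this audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def issue_tokens(user: str, name: str, scopes: set, now: float = None) -> dict:
    """The booth hands out a plain wristband (access token) and, only when the
    'openid' scope was requested, a wristband with a photo (ID token)."""
    now = time.time() if now is None else now
    tokens = {
        "access_token": sign_jwt({
            "iss": ISSUER, "aud": ESPRESSO_API,
            "scope": " ".join(sorted(scopes - {"openid"})),   # permission only, no name
            "exp": now + 3600,
        }, KEY)
    }
    if "openid" in scopes:
        tokens["id_token"] = sign_jwt({
            "iss": ISSUER, "aud": MATES_SHOP,
            "sub": user, "name": name,                        # identity claims
            "exp": now + 3600,
        }, KEY)
    return tokens


def espresso_api(access_token: str, now: float) -> bool:
    """Resource server (OAuth): is the bearer allowed to use the machine?"""
    claims = verify_jwt(access_token, KEY, ISSUER, ESPRESSO_API, now)
    return "espresso" in claims["scope"].split()


def sign_in(id_token: str, now: float) -> str:
    """Relying party (OIDC): who is this? Only an ID token addressed to us answers that."""
    claims = verify_jwt(id_token, KEY, ISSUER, MATES_SHOP, now)
    return claims["sub"]
```

Note what happens if the shop tries to log someone in with the plain wristband: `sign_in` rejects the access token because its audience is the espresso machine, not the shop, and it carries no `sub` claim to name anyone in the first place. That audience check is what stops a token minted for one purpose being replayed for another.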

Password plus PIN is not MFA — that's two things you know. Password plus TOTP app is MFA — that's something you know plus something you have. Two factors, two different types. Always. — Story 10 · Authentication & Identity
// ON THE EXAM

OAuth is authorisation only — it answers "what can this app access?" not "who are you?" OIDC adds an identity token on top of OAuth to answer both questions. SAML uses XML and is the enterprise SSO standard. "Sign in with Google" uses OIDC. Enterprise directory federation uses SAML.

Check Yourself · Question 10

Gary's mate's shop accepts Gary's credentials. Gary is given a plain wristband that says "ESPRESSO: YES" but does not show his name. Which protocol is this?

Terminology · Story 10

Front Door Terms.

// Term · 01 / 05
Three Factors
// Definition
Know — PIN, password. Have — key, TOTP, smart card. Are — fingerprint, Face ID, iris. MFA requires two different types.
Domain 01
// Term · 02 / 05
MFA
// Definition
Multi-Factor Authentication — requires two different factor types. Password + PIN = NOT MFA (both are Know). Password + TOTP = MFA (Know + Have).
Domain 01
// Term · 03 / 05
SAML
// Definition
Security Assertion Markup Language — XML-based sealed letter for enterprise SSO federation. Identity provider signs an assertion. Service provider trusts it.
Domain 01
// Term · 04 / 05
OAuth vs OIDC
// Definition
OAuth — authorisation only (plain wristband). Answers: what can you access? OIDC — OAuth + identity token (wristband with photo). Answers: who are you AND what can you access?
Domain 01
// Term · 05 / 05
SSO & Kerberos
// Definition
SSO — Single Sign-On: authenticate once, access everything. Kerberos — the golden ticket protocol (Port 88). Used by Active Directory for internal SSO.
Domain 01