The Feynman Test for Identity Security: Do We Even Understand It?

We all know the Feynman Technique: "If you can’t explain something simply, you don’t understand it well enough."

Yet, in cybersecurity, we often do the opposite: overcomplicate things. And it starts with failing to define the basics correctly. One of the most glaring examples of this is the confused taxonomy of identity security.

Before you say, “Wait a minute, we already have definitions!”—I agree. NIST 800-63-3 lays out digital identity standards in great detail. But in practice, we blur the lines between what is an account and what is a credential. This leads to incorrect claims—like calling an OAuth token an identity (or account).

Getting the Basics Right: Accounts, Credentials, and Sessions

Let’s clear up this confusion:

  • An account is an entity entitled to use resources within a service. For example, your Entra ID account grants you access to Microsoft 365 services. What you can do depends on entitlements (licenses) and privileges (permissions).
  • A credential is what proves an account’s legitimacy. It could be a password, MFA factor, OAuth token, API key, RSA key, or biometric data.
  • A session is the state of authenticated access after a credential is verified. An account uses a credential to establish an active session with a service.

That’s it—three core concepts that, when mixed up, create real security blind spots.

What Enterprises Should Care About in Identity Security

If we agree on this taxonomy, the next logical step is: What should enterprises focus on? We believe there are three critical areas for any identity security program:

  1. Account Lifecycle Management & Governance
  2. Credential Lifecycle Management & Governance
  3. Activity Monitoring & Threat Detection

1. Account Lifecycle Management: Don’t Forget the Basics

Tracking accounts should be straightforward: creation, updates, deletion, and changes to attributes or privileges. Done right, this reduces risks like:

  • Dormant accounts (attackers love these)
  • Overprivileged accounts (excessive access leads to breaches)
  • Zombie accounts (partially deactivated accounts that linger)

While Zero Standing Privileges (ZSP) is trending, foundational hygiene matters just as much. A weak foundation means attackers win.

2. Credential Management: Not All Credentials Are Equal

Per NIST, credentials fall into three categories:

  • Knowledge-based: Something you know (passwords, security questions)
  • Possession-based: Something you have (authenticator apps, hardware keys)
  • Biometrics-based: Something you are (fingerprint, Face ID)

💡 MFA is simply using two or more of these types. Phishing resistance depends on whether at least one factor is high-assurance.

Figure 1: Accounts and credentials
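The three concepts above, and the MFA rule, are easy to state and just as easy to blur in code. The following is an added example (not from the original post, and not WideField's code) that models account, credential and session as separate things and shows two consequences of the taxonomy: two knowledge factors are not MFA, and revoking a token removes a proof of legitimacy without touching the account behind it. Every name, secret and entitlement in it is constructed.

```python
"""Added example (not from the original post): a minimal model of the
account / credential / session taxonomy, plus the MFA rule from the NIST
factor categories. All accounts, secrets and names are constructed."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """The three NIST authenticator categories."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    BIOMETRIC = "something you are"


@dataclass
class Credential:
    """Proves an account's legitimacy. A token is one of these, never the account."""
    kind: str            # e.g. "password", "totp", "oauth_token"
    factor: Factor
    secret: str
    revoked: bool = False


@dataclass
class Account:
    """The entity entitled to use resources; entitlements and privileges live here."""
    name: str
    entitlements: set[str] = field(default_factory=set)
    privileges: set[str] = field(default_factory=set)
    credentials: list[Credential] = field(default_factory=list)


@dataclass
class Session:
    """Authenticated state created once credentials have been verified."""
    account: Account
    session_id: str
    factors_used: frozenset[Factor]

    @property
    def is_mfa(self) -> bool:
        # MFA means two or more *distinct* categories: a password plus a
        # security question is still a single (knowledge) factor.
        return len(self.factors_used) >= 2


def authenticate(account: Account, presented: dict[str, str]) -> Session | None:
    """Check every presented secret against a live credential of the account
    and open a session on success; any mismatch or revoked credential fails."""
    used: list[Credential] = []
    for kind, secret in presented.items():
        found = next((c for c in account.credentials
                      if c.kind == kind and not c.revoked
                      and hmac.compare_digest(c.secret, secret)), None)
        if found is None:
            return None
        used.append(found)
    if not used:
        return None
    return Session(account, secrets.token_hex(16), frozenset(c.factor for c in used))


def revoke(account: Account, kind: str) -> None:
    """Revoking a credential (say, an OAuth token) leaves the account untouched."""
    for c in account.credentials:
        if c.kind == kind:
            c.revoked = True


def demo() -> dict[str, bool]:
    alice = Account("alice", entitlements={"m365_license"}, privileges={"mail.read"})
    alice.credentials += [
        Credential("password", Factor.KNOWLEDGE, "constructed-pw"),
        Credential("security_question", Factor.KNOWLEDGE, "constructed-answer"),
        Credential("totp", Factor.POSSESSION, "123456"),
        Credential("oauth_token", Factor.POSSESSION, "constructed-token"),
    ]
    pw_only = authenticate(alice, {"password": "constructed-pw"})
    pw_q = authenticate(alice, {"password": "constructed-pw",
                                "security_question": "constructed-answer"})
    pw_totp = authenticate(alice, {"password": "constructed-pw", "totp": "123456"})
    revoke(alice, "oauth_token")
    token_after = authenticate(alice, {"oauth_token": "constructed-token"})
    return {
        "password_only_is_mfa": pw_only.is_mfa,
        "password_plus_question_is_mfa": pw_q.is_mfa,
        "password_plus_totp_is_mfa": pw_totp.is_mfa,
        "revoked_token_still_works": token_after is not None,
        "account_survives_token_revocation": "m365_license" in alice.entitlements,
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The point of keeping `entitlements` and `privileges` on `Account` only is that a session or token can be revoked, rotated or expired without any change to who is entitled to what; the moment a token is treated as "the identity", those lifecycles get conflated.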

The key security risks in credential management include:

  • Incomplete inventory of credentials (attackers find the forgotten ones)
  • Poor storage hygiene (passwords belong in a vault, authenticator codes in managed apps)
  • Expiration & rotation gaps (stale credentials = easy targets)
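The account risks under pillar 1 and the credential risks just listed are all checks that can run over an inventory. The following is an added example (not from the original post, and not WideField's code) that audits a constructed account and credential inventory for dormant, overprivileged and zombie accounts, and for orphaned, badly stored, expired or rotation-overdue credentials. The dormancy threshold, rotation periods, role baselines and approved stores are assumptions chosen for the illustration.

```python
"""Added example (not from the original post): an identity-hygiene audit
over a constructed inventory. Thresholds, role baselines and approved
stores are assumptions, not values from the post."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)   # fixed clock for reproducible output
DORMANT_AFTER = timedelta(days=90)                 # assumption
ROTATE_AFTER = {"api_key": timedelta(days=90), "password": timedelta(days=365)}  # assumption

# Assumed least-privilege baseline per role; anything beyond it is flagged.
ROLE_BASELINE = {
    "helpdesk": {"user.read", "password.reset"},
    "developer": {"repo.read", "repo.write"},
}
# Assumed approved storage per credential kind.
APPROVED_STORE = {"password": "vault", "api_key": "vault", "totp": "managed_authenticator"}

# Constructed account inventory.
ACCOUNTS = [
    {"name": "alice", "role": "developer", "enabled": True,
     "last_login": NOW - timedelta(days=3), "privileges": {"repo.read", "repo.write"}},
    {"name": "bob", "role": "helpdesk", "enabled": True,
     "last_login": NOW - timedelta(days=200), "privileges": {"user.read", "password.reset"}},
    {"name": "carol", "role": "helpdesk", "enabled": True,
     "last_login": NOW - timedelta(days=1), "privileges": {"user.read", "password.reset", "global.admin"}},
    {"name": "dave", "role": "developer", "enabled": False,
     "last_login": NOW - timedelta(days=30), "privileges": {"repo.read"}},
]

# Constructed credential inventory; an owner may reference an account that no longer exists.
CREDENTIALS = [
    {"id": "c1", "owner": "alice", "kind": "password", "store": "vault",
     "created": NOW - timedelta(days=30), "expires": None},
    {"id": "c2", "owner": "dave", "kind": "api_key", "store": "vault",
     "created": NOW - timedelta(days=10), "expires": NOW + timedelta(days=80)},  # live key on a disabled account
    {"id": "c3", "owner": "erin", "kind": "api_key", "store": "vault",
     "created": NOW - timedelta(days=400), "expires": None},                     # owner was deleted
    {"id": "c4", "owner": "carol", "kind": "totp", "store": "spreadsheet",
     "created": NOW - timedelta(days=5), "expires": None},
    {"id": "c5", "owner": "bob", "kind": "password", "store": "vault",
     "created": NOW - timedelta(days=400), "expires": NOW - timedelta(days=35)},
]


def audit_accounts(accounts, credentials, now=NOW):
    """Flag dormant, overprivileged and zombie accounts (disabled, but still
    owning a live credential)."""
    findings = []
    live_owners = {c["owner"] for c in credentials
                   if c["expires"] is None or c["expires"] > now}
    for a in accounts:
        if a["enabled"] and now - a["last_login"] > DORMANT_AFTER:
            findings.append((a["name"], "dormant"))
        excess = a["privileges"] - ROLE_BASELINE.get(a["role"], set())
        if excess:
            findings.append((a["name"], "overprivileged:" + ",".join(sorted(excess))))
        if not a["enabled"] and a["name"] in live_owners:
            findings.append((a["name"], "zombie"))
    return findings


def audit_credentials(accounts, credentials, now=NOW):
    """Flag orphaned, badly stored, expired and rotation-overdue credentials."""
    findings = []
    known = {a["name"] for a in accounts}
    for c in credentials:
        if c["owner"] not in known:
            findings.append((c["id"], "orphaned"))
        if c["store"] != APPROVED_STORE.get(c["kind"]):
            findings.append((c["id"], "bad_store:" + c["store"]))
        if c["expires"] is not None and c["expires"] <= now:
            findings.append((c["id"], "expired"))
        limit = ROTATE_AFTER.get(c["kind"])
        if limit and now - c["created"] > limit:
            findings.append((c["id"], "rotation_overdue"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit_accounts(ACCOUNTS, CREDENTIALS) + audit_credentials(ACCOUNTS, CREDENTIALS):
        print(subject, issue)
```

The zombie check is the one that ties the two pillars together: `dave` is disabled, so an account-only review would pass him, but his API key is still valid, which is exactly the "partially deactivated account that lingers" described above.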

What’s Next? The Power of Monitoring & Threat Detection

In a future post, we’ll dive into the third pillar—how to detect threats by analyzing activity patterns across accounts, credentials, and sessions.

As the CTO of WideField Security, my job is to ensure our team not only understands these fundamentals but can explain them clearly and simply. I hope the broader industry can agree on a simple, effective taxonomy—because if we can’t even define identity properly, how can we expect to defend it?

What do you think? Comment below or follow us on LinkedIn for more insights.