RontheCrypto
Newcomer I

Please help me justify this question

What two important factors does accountability for access control rely on?

 

 


A. Identification and authorization

B. Authentication and authorization

C. Identification and authentication

D. Accountability and authentication


 

I think the answer should be B, as accountability is related to authorization.

 

The book says it is C.

3 Replies
singhmanmeet
Newcomer I

The book is correct and let me explain more about it.
Accountability for access control fundamentally relies on Identification and Authentication.
Here's the justification:

  1. Identification: This is the process of claiming an identity, typically by providing a username or ID. It’s the first step in ensuring that the correct individual is attempting to access a system or resource.

  2. Authentication: Once an identity is claimed, authentication is the process of verifying that the identity is valid. This is usually done through passwords, biometrics, or other verification methods.

For accountability in access control, it’s crucial to know who is accessing the system (Identification) and to ensure that the person is who they claim to be (Authentication). Without these two factors, you cannot effectively hold individuals accountable for their actions within the system because you wouldn't be able to accurately track or verify their identity.

  • Authorization, mentioned in other options, is the process of determining what resources an authenticated user is allowed to access, but it doesn't directly relate to accountability.

  • Accountability and authentication (option D) suggests a circular reference, where accountability relies on authentication, but this misses the importance of identification.

I hope it is clear now. Thanks!

Roszan
Viewer II

The correct answer is C; authorization is not the factor on which accountability relies.

It's just identification and authentication.

JoePete
Advocate I


@RontheCrypto wrote:

What two important factors does accountability for access control rely on?


A. Identification and authorization

B. Authentication and authorization

C. Identification and authentication

D. Accountability and authentication

 

I think the answer should be B, as accountability is related to authorization.

 

The book says it is C.


The oddity of C is that you can't have authentication without identification. I'm not really sure what they are trying to get at with this question, but it is incorrect to suggest an access control relies only on authentication. If all a system does is track who or what accessed a resource but doesn't log authorization, then you don't have enough to confirm an access control is meeting its security objective. If an ATM logs that someone with your card and PIN attempted to access your savings account, but doesn't record whether the individual is over their daily withdrawal limit, then how will either the user or the bank know why the transaction failed? Maybe there is some hair-splitting that I am missing here, but I like your answer.
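
The ATM scenario from the last reply, as an added example that is not part of the thread or written by any of its participants: each audit record keeps the claimed identity, the authentication result and the authorization decision, and `explain` shows what can be concluded from a record with and without the authorization field. The card number, PIN, limit and all function names are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

def _pin_hash(pin: str) -> bytes:
    # Demo stand-in for PIN verification; salt and iteration count are constructed.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"demo-salt", 1000)

# Constructed sample account: 450 of a 500 daily limit already withdrawn.
CARDS = {"card-1001": {"pin": _pin_hash("4921"), "limit": 500, "used": 450}}

@dataclass
class AuditRecord:
    claimed_id: str             # identification: who the caller claims to be
    authenticated: bool         # authentication: was that claim verified
    authorized: Optional[bool]  # authorization decision; None = never evaluated
    reason: str

def withdraw(card_id: str, pin: str, amount: int, log: list) -> bool:
    card = CARDS.get(card_id)
    if card is None:
        log.append(AuditRecord(card_id, False, None, "unknown card"))
        return False
    if not hmac.compare_digest(_pin_hash(pin), card["pin"]):
        log.append(AuditRecord(card_id, False, None, "PIN mismatch"))
        return False
    if card["used"] + amount > card["limit"]:
        log.append(AuditRecord(card_id, True, False, "daily limit exceeded"))
        return False
    card["used"] += amount
    log.append(AuditRecord(card_id, True, True, "within daily limit"))
    return True

def explain(rec: AuditRecord, authz_logged: bool = True) -> str:
    """What a reviewer can conclude from one record.
    authz_logged=False simulates a log that lacks the authorization field."""
    if not rec.authenticated:
        return f"{rec.claimed_id}: claim not verified ({rec.reason})"
    if not authz_logged:
        return f"{rec.claimed_id}: verified, outcome cannot be explained"
    verdict = "allowed" if rec.authorized else "denied"
    return f"{rec.claimed_id}: verified, {verdict} ({rec.reason})"

if __name__ == "__main__":
    log = []
    withdraw("card-1001", "4921", 100, log)
    print(explain(log[-1]))
    print(explain(log[-1], authz_logged=False))
```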