
Authentication & Authorization

1 Global Definition

Authentication is the process of verifying the identity of a user or system, ensuring that they are who they claim to be. Authorization, on the other hand, determines what actions, resources, or privileges an authenticated user is allowed to access. Together, they form the foundation of access control and security in digital systems.

1.1 Authentication Methods

Knowledge-Based (Something You Know)

  • Passwords
  • PINs
  • Security questions (low security, easily guessable)

Possession-Based (Something You Have)

  • Smart Cards
  • OTP Tokens
  • U2F Keys

Inherence-Based (Something You Are)

  • Biometrics
  • Voice recognition
  • Behavioral biometrics (typing speed, mouse movement)

Multi-Factor Authentication (MFA)

  • Combines two or more categories (e.g., password + OTP)
  • Reduces risk of account compromise
  • Mandatory in high-security systems

1.2 Authentication Protocols

Kerberos

A ticket-based system using a trusted Key Distribution Center.

LDAP

Lightweight Directory Access Protocol, commonly used to query Windows Active Directory.

OAuth 2.0 & OpenID Connect

Modern web standards enabling delegated access and single sign-on (SSO).

SAML

Security Assertion Markup Language, often used for enterprise SSO between applications.

1.3 Authorization Models

Discretionary Access Control (DAC)

Owners decide who can access their resources. Flexible, but weaker because any owner can grant access at will.

Mandatory Access Control (MAC)

Central authority assigns access based on security labels (used in military systems).

Role-Based Access Control (RBAC)

Permissions tied to organizational roles, not individuals.

Attribute-Based Access Control (ABAC)

Access based on attributes (user role, device type, location, time).

1.4 Access Management Enhancements

Single Sign-On (SSO)

One set of credentials grants access to multiple systems.

Federated Identity

Trust relationships across organizations for cross-domain access.

Zero Trust

"Never trust, always verify": continuous authentication and authorization based on context.

1.5 Benefits & Challenges

Benefits

  • Protects systems and data from unauthorized access
  • Improves user experience with SSO & MFA
  • Supports compliance requirements (HIPAA, GDPR, PCI DSS)

Challenges

  • Password fatigue and reuse
  • MFA adoption resistance
  • Complex identity federation and interoperability

1.6 Real-World Example

  • User logs into corporate VPN with password (authentication)
  • MFA prompt via mobile push notification (additional authentication factor)
  • Access granted to finance system but denied to HR system (authorization)
  • All actions logged and forwarded to SIEM for monitoring
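The VPN scenario above, as an added Python example that is not code from the original page: an RBAC role table layered with ABAC attribute checks (device type, time of day), an MFA precondition, and one JSON audit line per decision for the SIEM. The role table, user, device names and business-hours window are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed policy (not from the original page): RBAC role table plus ABAC attribute constraints.
ROLE_PERMISSIONS = {
    "finance_analyst": {"finance_system"},
    "hr_partner": {"hr_system"},
}
MANAGED_DEVICE_TYPES = {"managed_laptop"}
BUSINESS_HOURS_UTC = range(7, 20)

def sample_context(hour, device_type="managed_laptop"):
    """Constructed request context: device attribute plus a UTC timestamp on a fixed date."""
    return {"device_type": device_type, "time": datetime(2024, 3, 4, hour, tzinfo=timezone.utc)}

def authorize(subject, resource, context):
    """Return (allowed, reason): MFA must be complete, then the RBAC role check, then ABAC checks.
    Checks are ordered so the first failing condition becomes the recorded reason."""
    if not subject.get("mfa_verified"):
        return False, "mfa_required"
    if resource not in ROLE_PERMISSIONS.get(subject.get("role"), set()):
        return False, "role_not_permitted"
    if context["device_type"] not in MANAGED_DEVICE_TYPES:
        return False, "unmanaged_device"
    if context["time"].hour not in BUSINESS_HOURS_UTC:
        return False, "outside_business_hours"
    return True, "allowed"

def audit_line(subject, resource, context, allowed, reason):
    """One structured JSON log line per decision, the shape a SIEM ingests and alerts on."""
    return json.dumps({
        "ts": context["time"].isoformat(),
        "user": subject["user"],
        "role": subject.get("role"),
        "resource": resource,
        "device_type": context["device_type"],
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    }, sort_keys=True)

def evaluate(subject, resource, context):
    """Authorize and return (allowed, reason, audit_line) so every decision is logged."""
    allowed, reason = authorize(subject, resource, context)
    return allowed, reason, audit_line(subject, resource, context, allowed, reason)

if __name__ == "__main__":
    # The page's VPN scenario: password + MFA done, managed laptop, 10:00 UTC.
    alice = {"user": "alice", "role": "finance_analyst", "mfa_verified": True}
    for res in ("finance_system", "hr_system"):
        print(evaluate(alice, res, sample_context(10))[2])
```

Denials carry the first failed check as their reason, so a burst of "unmanaged_device" or "outside_business_hours" lines for one user is directly searchable in the SIEM.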

1.7 Why Authentication & Authorization Matter

Without strong authentication, attackers can impersonate users; without proper authorization, they can escalate privileges and cause damage. Together, authentication and authorization enforce the principle of least privilege, safeguard sensitive resources, and form the backbone of identity and access management.
