Security & Authentication Series

Authentication & Authorization

Authentication verifies "Who are you?" while Authorization controls "What can you do?"

Login

Username

Password

User Database

adminadmin2FA

Password: admin123

editoreditor

Password: editor123

viewerviewer

Password: viewer123

Visual Guide

AuthNAuthentication: Login, password, MFA validation
AuthZAuthorization: RBAC permissions, access control
✓Granted: Action is permitted for the role
✗Denied: Action is not permitted

How to use

Authentication Tab: Try logging in with existing users. Test failed attempts to see lockout. Use MFA code: 123456.

Authorization Tab: Select a role, resource, and action. Click "Check Access" to verify permissions in the RBAC matrix.

Key Concepts

Authentication (AuthN)

Verifies identity - "Who are you?" Validates credentials like passwords, MFA codes, or biometrics. Results in a session token or identity assertion.

Authorization (AuthZ)

Verifies permissions - "What can you do?" Controls access to resources based on roles, permissions, or policies. Common patterns: RBAC, ABAC, ACL.

Quick Guide: AuthN vs AuthZ

Understanding the basics in 30 seconds

How It Works

User provides credentials (password, biometric, MFA)
System verifies identity against stored data
Session token issued upon successful authentication
Each request checked against role/permission matrix
Access granted or denied based on authorization rules

Key Benefits

Separation of identity and access control
Granular permission management (CRUD per resource)
Audit trail for compliance
Defense in depth security model
Scalable across large organizations

Real-World Uses

Enterprise IAM systems (Okta, Azure AD)
API gateway access control
Multi-tenant SaaS applications
Healthcare HIPAA compliance
Financial systems (PCI-DSS)

Authentication vs Authorization Explained

Two sides of the security coin - verify identity, then grant access.

Authentication Methods

Password-based: Traditional username/password
Multi-factor (MFA): Something you know + have + are
Single Sign-On (SSO): One login for multiple apps
Passwordless: Magic links, WebAuthn, biometrics
API Keys: Machine-to-machine authentication

Authorization Models

RBAC: Role-Based Access Control
ABAC: Attribute-Based Access Control
ACL: Access Control Lists
ReBAC: Relationship-Based Access Control
Policy-Based: OPA, Casbin, Cedar

Security Best Practices

Always hash passwords (bcrypt, Argon2)
Implement account lockout after failed attempts
Use short-lived session tokens
Enforce MFA for sensitive operations

Follow principle of least privilege
Log all access attempts for auditing
Separate duties for sensitive resources
Regular permission reviews

Security Implementation Patterns

Authentication Strategies

Session-Based

Server stores session state
Session ID in cookie
Good for traditional web apps
Requires session storage (Redis)

Token-Based (JWT)

Stateless - no server storage
Token contains claims
Ideal for APIs & microservices
Horizontal scaling friendly

Authorization Models Compared

Model	Description	Use Case
RBAC	Permissions assigned to roles	Enterprise apps, CMS
ABAC	Attribute-based policies	Complex rules, dynamic access
ReBAC	Relationship-based (Google Zanzibar)	Social apps, shared resources
ACL	Access Control Lists per resource	File systems, simple apps