Authentication and Access Control

Every secure system must answer two critical questions before allowing anyone in: "Who are you?" and "What are you allowed to do?" Authentication answers the first question. Access control answers the second. Together, they form the gateway between a user and the resources they want to reach.

Authentication vs. Authorization

These two terms sound similar but they are distinct concepts that work in sequence.

AUTHENTICATION VS. AUTHORIZATION:

Step 1: AUTHENTICATION (Identity Check)
  "Prove you are who you claim to be."
  User provides credentials → System verifies them
  Result: User identity confirmed (or denied)

Step 2: AUTHORIZATION (Permission Check)
  "Now that we know who you are, what can you do?"
  System checks access rights for this verified user
  Result: User gets access only to allowed resources

ANALOGY:
Authentication = Showing your ID card at a company entrance
Authorization  = Your ID card only opens certain floors, not all floors

The Three Factors of Authentication

Authentication relies on one or more of three categories of evidence. Security professionals call these authentication factors.

Single-Factor Authentication (SFA)

Single-factor authentication uses only one factor — typically a password. It is the simplest and least secure method. If the password gets stolen through phishing, data breach, or guessing, the attacker has full access to the account.

SINGLE-FACTOR: Username + Password only
Weakness: Password stolen → Account compromised completely

Multi-Factor Authentication (MFA)

Multi-factor authentication requires two or more factors from different categories. Even if one factor (like a password) gets stolen, the attacker still cannot access the account without the second factor (like a phone OTP).

MFA LOGIN EXAMPLE (Banking App):

Step 1: Enter username + password  (Something you KNOW)
         ✔ Correct credentials
Step 2: System sends 6-digit OTP to registered mobile number
         User enters OTP within 30 seconds  (Something you HAVE)
         ✔ OTP matches
Access GRANTED

ATTACKER SCENARIO:
Attacker steals password via phishing
Attacker enters password → Passes Step 1
System sends OTP to victim's actual phone (attacker doesn't have it)
Attacker cannot complete Step 2
Access DENIED

Result: Stolen password alone is useless with MFA enabled.

Common MFA Methods

Biometric Authentication

Biometric authentication verifies identity using physical or behavioral characteristics unique to each person. It falls under the "something you are" factor.

BIOMETRIC AUTHENTICATION PROCESS:

Enrollment Phase:
  User's fingerprint scanned → Converted to a mathematical template
  Template stored securely in system

Verification Phase:
  User places finger on scanner
  New scan converted to template
  New template compared to stored template
  Match within tolerance → ACCESS GRANTED
  No match → ACCESS DENIED

Types of Biometrics:
  Physical:    Fingerprint, Face, Iris, Retina, Hand geometry
  Behavioral:  Typing rhythm, Voice pattern, Gait (walking style)

Biometrics are convenient but not perfect. Fingerprints can be copied from surfaces. Face recognition can sometimes be fooled by photos. Biometrics work best as one factor in a multi-factor system rather than as the sole method.

Access Control Models

Once authentication confirms identity, access control determines what that verified user can do. Several models govern how access rights are assigned and enforced.

Discretionary Access Control (DAC)

In DAC, the owner of a resource decides who can access it. The owner sets permissions for each file, folder, or resource individually. This is the model used in most home and office operating systems.

DAC EXAMPLE (Windows File System):

User: Alice (owner of the "Budget_2024" folder)
Alice sets permissions:
  Bob → Read only
  Carol → Read + Edit
  Everyone else → No access

Alice controls who gets what access to her files.

Mandatory Access Control (MAC)

In MAC, a central authority (not the data owner) assigns security labels to both users and resources. Access is only granted when the user's clearance level matches or exceeds the resource's classification level. This model is used in government and military environments.

MAC EXAMPLE (Government System):

Security Labels:
  TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED

User Rahul → Clearance: SECRET
File A → Classification: TOP SECRET → Rahul CANNOT access
File B → Classification: SECRET → Rahul CAN access
File C → Classification: CONFIDENTIAL → Rahul CAN access

Rahul cannot grant himself access to File A even if he wants to.
The system enforces it, not the file owner.

Role-Based Access Control (RBAC)

In RBAC, access is assigned to roles, not individual users. Users then receive roles based on their job function. This simplifies management in large organizations — when a new employee joins, they simply get the appropriate role and automatically inherit all the permissions for that role.

RBAC EXAMPLE (Hospital System):

ROLES AND THEIR PERMISSIONS:
┌─────────────┬──────────────────────────────────────────┐
│ Role        │ Access Permissions                       │
├─────────────┼──────────────────────────────────────────┤
│ Doctor      │ View + Edit patient records, prescribe   │
│ Nurse       │ View patient records, update notes       │
│ Billing     │ View billing info only, no medical data  │
│ IT Admin    │ System settings, no patient data         │
│ Receptionist│ View appointment schedule, no records   │
└─────────────┴──────────────────────────────────────────┘

New employee Dr. Priya → Assigned "Doctor" role
Dr. Priya automatically gets all doctor permissions
No need to set each permission individually

Attribute-Based Access Control (ABAC)

ABAC is the most flexible model. Access decisions use multiple attributes — user attributes, resource attributes, environmental attributes, and action attributes. Rules define what combination of attributes allows access.

ABAC RULE EXAMPLE:

Rule: "A user can access financial reports IF:
  - User's department = Finance
  - User's clearance = Manager or above
  - Time = Business hours (9 AM - 6 PM)
  - Location = Office network IP range"

Result: An off-hours remote access attempt from a Finance Manager
        would be DENIED because the time and location conditions fail.

The Principle of Least Privilege

The principle of least privilege states that every user, application, and system should have access only to the minimum resources required to perform their specific function — nothing more. This limits the damage an attacker can do if they compromise an account.

LEAST PRIVILEGE IN PRACTICE:

WRONG APPROACH:
New employee joins marketing team.
System admin gives "Administrator" access because it's faster to set up.
If this employee's account gets hacked → attacker has full system control.

RIGHT APPROACH:
New employee joins marketing team.
System admin gives access to: Marketing folder, Email, CRM tool only.
If this employee's account gets hacked → attacker only sees marketing files.

Single Sign-On (SSO)

Single Sign-On allows a user to authenticate once and gain access to multiple applications without logging in again for each one. This improves usability and reduces password fatigue. When a user logs into their company's SSO system, they can access email, project management tools, HR software, and other applications seamlessly.

SSO WORKFLOW:

Without SSO:
  Email login → separate password
  HR portal login → separate password
  CRM login → separate password
  (User manages 10+ passwords → often reuses weak ones)

With SSO:
  User logs in ONCE to SSO system
  SSO grants access token
  Email, HR Portal, CRM, all recognize the token → no re-login needed
  (One strong login protects everything)

Access Control Summary

Authentication proves identity and access control enforces what that identity can do. Both depend heavily on one critical element: the password. The next topic examines password security in depth — what makes a password strong, how passwords get compromised, and how to manage them safely.