Authentication & Authorization

Two words that are often confused but represent completely different questions. Authentication asks: "Who are you?" Authorization asks: "What are you allowed to do?" Together, they're the foundation of every access control system ever built.

Authentication vs. Authorization — The Core Difference

Authentication (AuthN)

"Who are you?"

Verifying that you are who you claim to be. This happens at login — entering a password, scanning a fingerprint, or using a hardware key.

Example: Showing your passport at the airport.

Authorization (AuthZ)

"What can you do?"

Determining what an authenticated user is permitted to access or perform. Checked after identity is verified.

Example: Your passport gets you through security, but not into the cockpit.

Key rule: Authentication always comes first. You can't authorize someone whose identity you haven't verified. But authentication alone isn't enough — you also need to enforce what each user can and can't do.

The Three Factors of Authentication

All authentication methods fall into one of three categories, called factors:

🧠

Something You Know

Passwords, PINs, security questions. The most common factor — and the weakest when used alone.

📱

Something You Have

A physical device: your phone (for SMS codes or authenticator apps), a hardware security key (YubiKey), or a smart card.

👆

Something You Are

Biometrics: fingerprint, face recognition, iris scan, voice print. Convenient but raises privacy concerns and can't be changed if compromised.

Multi-Factor Authentication (MFA) combines two or more factors. Even if an attacker steals your password (something you know), they still need your phone (something you have) to get in. MFA blocks over 99% of automated account attacks according to Microsoft.

Passwords: Why They're Still Terrible (And How to Make Them Less Terrible)

Passwords are everywhere despite being the weakest form of authentication. Here's why they fail:

  • Reuse: People use the same password across many sites. One breach exposes all accounts (credential stuffing).
  • Weak passwords: "password123" and "qwerty" are still among the most used passwords in the world.
  • Phishing: Users can be tricked into entering their password on a fake site.
  • Database breaches: If a site stores passwords insecurely (in plain text, or hashed with a fast unsalted algorithm), attackers who dump the database can crack millions of them offline.

How passwords should be stored (and how they often aren't)

Passwords should never be stored in plain text. They should be hashed with a slow, salted hashing algorithm like bcrypt, Argon2, or scrypt. The "salt" is a random value added before hashing — it means two users with the same password get different hashes, defeating precomputed "rainbow table" attacks.

Many companies still store passwords in MD5 or SHA-1 — fast hashing algorithms that are woefully inadequate for passwords and easily cracked with GPU power.

Modern Authentication: OAuth 2.0 and JWT

When you click "Sign in with Google" on a third-party app, you're using OAuth 2.0 — an authorization framework that lets you grant limited access to your data without sharing your password.

How OAuth works (simplified)

  1. You click "Sign in with Google" on App X
  2. App X redirects you to Google's login page
  3. You log in to Google and approve the permissions App X is requesting
  4. Google gives App X a token (not your password)
  5. App X uses the token to access your data on your behalf

You never share your Google password with App X. If you revoke access, App X's token stops working immediately.

JWT — JSON Web Tokens

A JWT is a compact, signed token used to prove identity between services. It has three parts (separated by dots): a header, a payload (user info), and a cryptographic signature. The signature is what makes it trustworthy: it's created with a private key (or, for HMAC-signed tokens, a shared secret), so anyone holding the corresponding public key (or the same secret) can verify the token is legitimate and hasn't been tampered with.

Authorization Models: Who Can Do What?

Once identity is verified, systems use authorization models to decide what's allowed:

  • RBAC (Role-Based Access Control): Permissions are assigned to roles ("Admin", "Editor", "Viewer"), and users are assigned roles. Simple and widely used.
  • ABAC (Attribute-Based Access Control): Permissions based on attributes — the user's department, the time of day, the resource's sensitivity level. Flexible but complex.
  • Principle of Least Privilege: Every user and process should have only the minimum permissions they need. A customer service rep shouldn't have access to the financial database.
  • Zero Trust: "Never trust, always verify." Treat every user and device as potentially compromised, even if they're inside the corporate network. Always authenticate and authorize, never assume.
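The RBAC and ABAC models above combined into one deny-by-default decision, as an added example (not code from the original page). The roles, permissions, department and business-hours rule are constructed for the demo; the least-privilege case is the page's own customer-service-rep scenario.

```python
from dataclasses import dataclass

# RBAC: permissions are attached to roles, users are attached to roles.
ROLE_PERMISSIONS = {
    "viewer": {"ticket:read"},
    "editor": {"ticket:read", "ticket:update"},
    "finance_admin": {"ticket:read", "finance:read", "finance:update"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    department: str


@dataclass(frozen=True)
class Resource:
    kind: str
    sensitivity: str          # "public" or "restricted"
    owner_department: str


def rbac_allows(user: User, action: str) -> bool:
    """Does any of the user's roles carry this permission? Unknown roles grant nothing."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def abac_allows(user: User, resource: Resource, hour: int) -> bool:
    """Attribute rule: restricted resources only for the owning department, 09:00-18:00."""
    if resource.sensitivity == "restricted":
        return user.department == resource.owner_department and 9 <= hour < 18
    return True


def authorize(user: User, action: str, resource: Resource, hour: int) -> bool:
    """Deny by default: the role check and the attribute check must both pass."""
    return rbac_allows(user, action) and abac_allows(user, resource, hour)
```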

Frequently Asked Questions

Why can't we just use passkeys instead of passwords?

We're trying to! Passkeys are the FIDO2/WebAuthn standard that replaces passwords with cryptographic key pairs. Your device holds a private key; the website holds the public key. You authenticate by proving you have the private key (often via biometric unlock). They're phishing-resistant (no password to steal) and can't be breached from server databases. Apple, Google, and Microsoft all support them. Adoption is growing fast.

Is SMS-based MFA safe?

It's much better than no MFA, but it has known weaknesses. SIM swapping attacks (convincing a carrier to transfer your number to the attacker's SIM) can defeat SMS MFA. For high-value accounts, use an authenticator app (TOTP) or a hardware security key instead. But enabling SMS MFA is far better than password-only access.

How does cryptography relate to authentication?

Deeply. Passwords get hashed using cryptographic hash functions. TLS uses asymmetric cryptography to authenticate servers during HTTPS connections. JWTs are signed with cryptographic signatures. Passkeys use public-key cryptography. Digital signatures authenticate software updates. Authentication and cryptography are inseparable — which is why post-quantum cryptography matters so much for authentication systems too.
