Software Security

Authentication

Authentication is the process of verifying an assertion about a user or thing. Most often, the assertion being verified is the identity of that user or thing. Authentication therefore follows identification, which is the process of claiming (indicating) the identity of a user or thing.

Human users can authenticate using three categories of factors:

  • Something you know (example: password)

  • Something you have (example: identity card)

  • Something you are (example: fingerprint)

When two or more different factors are combined during the authentication process, we call it multi-factor authentication.

Authentication versus authorization

Authentication is distinct from authorization. Authorization specifies the permissions of a user or a thing. In other words, authorization defines what an entity (user or thing) is allowed to do in an application. Thus, we have to distinguish between the following three processes:

  • Identification: indicate the identity of a user or thing

  • Authentication: verify the identity of that user or thing

  • Authorization: validate that the verified user or thing is allowed to execute a certain action
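The following is an added example, not code from the original page: it makes the three processes (identification, authentication, authorization) separate functions and combines two different factors, a password (something you know) and a time-based one-time code (something you have), for multi-factor authentication. The user record, role table, salt, shared secret and the `handle_request` helper are constructed for the demonstration and are assumptions, not part of the page.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo data (assumption: a real application keeps this in a database).
# Passwords are stored as salted PBKDF2 hashes, never in clear text.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "password_hash": hash_password("correct horse battery staple", _ALICE_SALT),
        # "Something you have": the secret shared with alice's authenticator app (constructed).
        "totp_secret": b"constructed-demo-secret-for-alice",
        "roles": {"reader"},
    },
}
# Dummy record so that an unknown username costs the same work as a real one
# (keeps the response time from revealing whether the account exists).
_DUMMY = {"salt": b"\x00" * 16, "password_hash": b"\x00" * 32,
          "totp_secret": b"dummy", "roles": set()}

# Authorization model: which role may perform which action.
ROLE_PERMISSIONS = {
    "reader": {"read_document"},
    "editor": {"read_document", "edit_document"},
}


def identify(username: str):
    """Identification: look up the claimed identity. Nothing is verified yet."""
    return USERS.get(username)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, as common authenticator apps use)."""
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def authenticate(username: str, password: str, code: str, now: int):
    """Authentication: verify the identity claim with two factors (know + have).
    Returns the user record on success, None otherwise."""
    user = identify(username)
    record = user if user is not None else _DUMMY
    # Factor 1, something you know: compare hashes in constant time.
    password_ok = hmac.compare_digest(
        hash_password(password, record["salt"]), record["password_hash"])
    # Factor 2, something you have: accept the current window and one step on
    # each side to tolerate clock drift between server and authenticator.
    code_ok = any(
        hmac.compare_digest(totp(record["totp_secret"], now + drift * 30).encode(), code.encode())
        for drift in (-1, 0, 1))
    # Both factors are always evaluated, so the decision does not leak which one failed.
    if user is None or not (password_ok and code_ok):
        return None
    return user


def authorize(user: dict, action: str) -> bool:
    """Authorization: may this verified user perform the action?"""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user["roles"])


def handle_request(username: str, password: str, code: str, action: str, now: int) -> str:
    user = authenticate(username, password, code, now)
    if user is None:
        # One generic answer for "no such user" and "wrong credentials",
        # so the response cannot be used to enumerate valid usernames.
        return "denied: authentication failed"
    if not authorize(user, action):
        # Authenticated but not authorized: being logged in is not a permission.
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)
    print(handle_request("alice", "correct horse battery staple", code, "read_document", now))
    print(handle_request("alice", "correct horse battery staple", code, "edit_document", now))
    print(handle_request("alice", "wrong password", code, "read_document", now))
```

The point of the structure is that each step answers a different question: `identify` only finds the claimed account, `authenticate` decides whether the claim is proven (here by two independent factors), and `authorize` decides what the proven identity may do. An authenticated alice is still refused `edit_document`, which is exactly the distinction the list above draws.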


Last updated 3 years ago
