4.1. Introduction

When building websites and applications, it is critical to restrict access to certain pages, data, and functionality.

On websites, these restrictions are created through:

  • Authentication – users must prove their identity.

  • Authorisation – users can only access the data they have permission to access.

Without proper authentication and authorisation, applications can be vulnerable to security threats such as:

  • Unauthorised access – attackers gaining control of user accounts.

  • Data breaches – exposing sensitive user information.

  • Privilege escalation – users performing actions they should not be allowed to do.

4.1.1. Authentication

Authentication is the process of a user proving their identity. Authentication must take place before the user can access any restricted data.

To prove their identity, a user provides a factor, which is a piece of evidence of the user’s identity. A factor must be something that only the user knows or has access to. A username or email address is not considered a factor, as these are considered public knowledge.

Some examples of authentication factors on websites are:

  • Password

  • OAuth and Single Sign-On (SSO), which allows users to log in using accounts from services like Google or Facebook.

  • Biometric authentication, such as fingerprints or facial recognition.

  • Security token, such as rolling or temporary access codes.

4.1.2. Multi-Factor Authentication

Multi-Factor Authentication (MFA) is when two or more factors are required for a user to authenticate themselves. Two-Factor Authentication (2FA) is the specific case where exactly two factors are required to prove the user’s identity.

MFA is most commonly implemented with the 2FA combination:

  1. Password

  2. Security token, i.e. a temporary access code

The security token is often sent to the user via email or SMS. However, because SMS is unencrypted and emails may not arrive quickly, it is becoming more common for these access codes to be generated by dedicated authentication software such as Google Authenticator or Okta.

4.1.3. Authorisation

Authorisation is the process of granting access or restricting access to data after authentication.

Authorisation can be divided into two categories:

  1. User-based access control

     • Permissions are assigned to individual users.

     • For example, when you log into a social media app, only you can see your direct messages with other users.

  2. Role-based access control

     • Users are assigned roles (e.g., admin, editor, user), and permissions are granted based on roles.

     • For example, on your school’s learning management system (Canvas, Moodle) you are assigned the student role, while your teacher is assigned the teacher role. As a student you can only view published resources, while the teacher can also edit the resources.
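As an added example (not code from the original page), the two categories above implemented in Python using the direct-message and learning-management-system scenarios just described. The users, roles, messages and resources are constructed for illustration, and an unauthenticated request (no user) is denied, since authentication must happen first.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    username: str
    role: str  # "student" or "teacher" in this constructed example

@dataclass
class Message:
    sender: str
    recipient: str
    text: str

@dataclass
class Resource:
    title: str
    published: bool

# Role-based access control: each role is granted a set of permissions.
# Any role not listed here (or no user at all) gets no permissions.
ROLE_PERMISSIONS = {
    "student": {"view_published"},
    "teacher": {"view_published", "view_unpublished", "edit"},
}

def can_read_message(user: Optional[User], msg: Message) -> bool:
    """User-based access control: only the two participants may read a DM."""
    if user is None:  # not authenticated, so nothing is authorised
        return False
    return user.username in (msg.sender, msg.recipient)

def _permissions(user: Optional[User]) -> set:
    if user is None:
        return set()
    return ROLE_PERMISSIONS.get(user.role, set())  # deny by default

def can_view_resource(user: Optional[User], res: Resource) -> bool:
    """Role-based: students see only published resources, teachers see all."""
    needed = "view_published" if res.published else "view_unpublished"
    return needed in _permissions(user)

def can_edit_resource(user: Optional[User]) -> bool:
    """Role-based: only roles holding the 'edit' permission may edit."""
    return "edit" in _permissions(user)

# Constructed sample data for the two scenarios.
alice, bob, ms_lee = User("alice", "student"), User("bob", "student"), User("ms_lee", "teacher")
dm = Message("alice", "bob", "see you at 3")
draft = Resource("Week 5 notes", published=False)
notes = Resource("Week 4 notes", published=True)
```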