Authentication vs Authorization in LLD - System Design

Two fundamental ideas in system design, particularly in low-level design (LLD), are authentication and authorization.

• Authentication confirms a person's identity.
• Authorization establishes what resources or actions a user is permitted to access.

Authentication Methods

• Password-based Authentication
  • Description: The most common form of authentication, in this users provide a unique password to verify their identity.
  • Considerations: Passwords should be complex, stored securely, and users should be encouraged to use unique passwords.
• Multi-Factor Authentication (MFA)
  • Description: Requires users to provide multiple forms of identification, such as a password and a temporary code is sent to their mobile device.
  • Advantages: Enhances security by adding an extra layer of verification, even if one factor is compromised.
• Biometric Authentication
  • Description: Involves using unique physical or behavioral characteristics for identification, like fingerprints, facial recognition, or voice recognition.
  • Considerations: Biometric data should be securely stored and processed to prevent unauthorized access.
• Token-based Authentication
  • Description: Users are given a physical or digital token (like a security key or smart card) for authentication.
  • Advantages: Provides an additional physical element that needs to be present for authentication.
• OAuth Connect
  • Description: Protocols used for authentication and authorization in the context of web applications and APIs.
  • Use Cases: Commonly used for delegated authorization, allowing third-party applications to access user data.

Authorization Models

Ensuring that only authorized individuals or entities have access to particular resources, functionality, or information is an essential component of security.

• Role-Based Access Control (RBAC):
  • Assigning roles to users or groups, letting them access only what their role requires.
  • Example: HR personnel can access HR data but not finance information.
• Security Assertion Markup Language (SAML):
  • Using an XML-based protocol for Single Sign-On, allowing admins to control resource access.
  • Example: Access permissions are communicated through digitally signed documents.
• OpenID Authorization:
  • Checking a user's identity through OpenID standards, ensuring consistency across systems.
  • Example: Standardised authorization based on authentication from an authorization server.
• OAuth Authorization:
  • It allows secure access within applications using permission tokens.
  • Example: Users grant access to their information to certain apps without sharing their password.
• Device Permissions:
  • Granting access based on the device trying to connect to a resource.
  • Example: Only approved devices can establish a connection.

Differences between Authentication and Authorization