4.1. Introduction#

When building websites and applications, it is critical to restrict access to certain pages, data, and functionality.

On websites, these restrictions are built from two mechanisms: authentication, which establishes who the user is, and authorisation, which decides what that user is allowed to do.

Without proper authentication and authorisation, applications can be vulnerable to security threats such as:

  • Unauthorised access - attackers gaining control of user accounts.

  • Data breaches - exposing sensitive user information.

  • Privilege escalation - users performing actions they should not be allowed to do.

4.1.1. Authentication#

Authentication is the process of a user proving their identity. Authentication must take place before the user can access any restricted data.

To prove their identity, a user provides a factor, which is evidence of the user’s identity. A factor must be something that only the user knows (such as a password), has (such as a phone or hardware token) or is (such as a fingerprint). A username or email address is not a factor, because it is public knowledge: it names the account but does not prove who is using it.

Some examples of authentication factors on websites are:

  • Password

  • Single Sign-On (SSO), usually built on OAuth or OpenID Connect, which lets users log in with an account from a provider such as Google or Facebook. SSO is not a factor in itself: it delegates the check to the provider, which verifies its own factors and then vouches for the user.

  • Biometric authentication, such as fingerprints or facial recognition.

  • Security token, such as a rolling (time-based) or temporary one-time access code from an authenticator app or a hardware key.
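The most common factor, a password, should never be stored as-is; the server keeps a salted, slow hash and re-computes it at login. As an added example (not code from the original page), the following checks a password that way. The scrypt parameters and the in-memory user table are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# scrypt work factors. These values are an assumption for the example; choose
# them for your own hardware following current password-storage guidance.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these are stored; the password itself never is."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    # compare_digest does not stop at the first differing byte, so the response
    # time does not reveal how much of the digest matched.
    return hmac.compare_digest(candidate, stored_digest)


# Constructed in-memory user table for the example: username -> (salt, digest)
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """True only if the username exists and the password matches its record."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user, so an attacker cannot
        # tell valid usernames from invalid ones by timing the response.
        hash_password(password)
        return False
    return verify_password(password, *record)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong password"))                # False
    print(login("mallory", "anything"))                    # False
```

Two users who pick the same password get different digests because each has its own salt, so a leaked table cannot be cracked with one precomputed list.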

4.1.2. Multi-Factor Authentication#

Multi-Factor Authentication (MFA) is when two or more factors are required for a user to authenticate. Two-Factor Authentication (2FA) is the specific case where exactly two factors are required. The factors should be of different types (for example something the user knows plus something the user has); two passwords are still a single type of evidence and do not count as MFA.

MFA is most commonly implemented with the 2FA combination:

  1. Password

  2. Security token i.e. temporary access code

The code is often sent to the user by email or SMS. However, SMS is unencrypted and a code can be diverted by SIM-swapping or intercepted in transit, and email may not arrive quickly, so it is becoming more common for codes to be generated on the user’s own device by an authenticator app such as Google Authenticator or Okta Verify. These apps compute a time-based one-time password (TOTP) from a secret shared with the server when the factor is enrolled, so no code ever needs to be transmitted to the user.

4.1.3. Authorisation#

Authorisation is the process of granting access or restricting access to data after authentication.

Authorisation can be divided into two categories:

  1. User-based access control

  • Permissions are assigned to individual users.

  • For example, when you log into a social media app only you can see your direct messages with other users.

  2. Role-based access control

  • Users are assigned roles (e.g., admin, editor, user), and permissions are granted based on roles.

  • For example, on your school’s learning management system (Canvas, Moodle) you are assigned a student role, while your teacher is assigned the teacher role. As a student you can only view published resources while the teacher can also edit the resources.
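Both categories can be implemented as server-side checks that run on every request, after authentication has established who the user is. The following is an added example (not code from the original page) covering both cases above: an RBAC check for the learning management system's student and teacher roles, and a UBAC check for direct messages, where identity rather than role decides. The roles, permissions and objects are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# RBAC: each role is a named bundle of permissions (constructed for the example).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "student": {"resource:view_published"},
    "teacher": {"resource:view_published", "resource:view_draft", "resource:edit"},
    "admin":   {"resource:view_published", "resource:view_draft", "resource:edit",
                "user:manage"},
}


@dataclass
class User:
    name: str                                    # identity established by authentication
    roles: Set[str] = field(default_factory=set)


@dataclass
class Resource:
    id: int
    published: bool


@dataclass
class Message:
    id: int
    sender: str
    recipient: str


class Forbidden(Exception):
    """Raised when an authenticated user is not authorised for an action."""


def has_permission(user: User, permission: str) -> bool:
    """RBAC check. Deny by default: a user with no roles, or an unknown role,
    is granted nothing."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def can_view_resource(user: User, resource: Resource) -> bool:
    needed = "resource:view_published" if resource.published else "resource:view_draft"
    return has_permission(user, needed)


def can_edit_resource(user: User, resource: Resource) -> bool:
    return has_permission(user, "resource:edit")


def can_read_message(user: User, message: Message) -> bool:
    """UBAC check: only the two participants may read a direct message.
    The decision is made on identity; the admin role is deliberately not consulted."""
    return user.name in (message.sender, message.recipient)


def read_message(user: User, message: Message) -> str:
    """Enforcement point. The server compares the *authenticated* user with the
    object it is about to return. Trusting a user id supplied by the client
    instead would let anyone read anyone's messages by editing the request."""
    if not can_read_message(user, message):
        raise Forbidden(f"{user.name} may not read message {message.id}")
    return f"message {message.id} from {message.sender} to {message.recipient}"


if __name__ == "__main__":
    alice = User("alice", {"student"})
    bob = User("bob", {"teacher"})
    draft = Resource(1, published=False)
    print(can_view_resource(alice, draft), can_view_resource(bob, draft))  # False True
    print(read_message(alice, Message(10, "alice", "carol")))
```

The two checks are kept separate on purpose: granting a role more permissions never widens who can read a private message, and a new role with no entry in the table gets nothing until someone adds it.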

4.1.4. Glossary#

User authentication#

The process where a user proves their identity before accessing restricted data.

User authorisation#

The process of granting or restricting access to data after a user has authenticated.

Factor#

Evidence of a user’s identity, based on something only that user knows or can access.

MFA#

Multi-Factor Authentication. Authentication that requires a user to provide two or more factors.

2FA#

Two-Factor Authentication. A form of MFA where the user provides exactly two factors.

UBAC#

User-Based Access Control. Access control where permissions are assigned to individual users.

RBAC#

Role-Based Access Control. Access control where users are assigned roles, and roles define what actions they can perform.

Permission#

A rule that grants a user or role access to a feature, action, page, or item of data.

Role#

A named group of permissions assigned to a user, such as admin, editor, or user.