
Difference between Authentication and Authorization in LLD
Introduction
In system design, authentication and authorization are two critical concepts that play a pivotal role in securing systems and controlling access to sensitive resources. Although they are closely related and often implemented together, they serve distinct purposes.
Authentication answers the question, "Who are you?"
Authorization answers the question, "What are you allowed to do?"
This article explores the differences, mechanisms, and best practices for implementing authentication and authorization in system design, highlighting their importance in modern distributed systems.
What is Authentication?
Definition
Authentication is the process of verifying the identity of a user, system, or entity attempting to access a resource. It ensures that only legitimate users are granted access.
Authentication is the act of proving a claim, such as the identity a user asserts on a computer system. Whereas identification is the act of stating an identity, authentication is the process of verifying it. Personal identification must be validated, a website's validity must be checked against its digital certificate, a relic must be carbon dated, and a product or document must be shown not to be counterfeit.
Authentication is the process of verifying the claimed identity of a user. It is the first stage of the security procedure. The authentication procedure is completed with factors such as −
- Passwords − Usernames and passwords are the most popular authentication factors. When the user provides the correct information, the system validates the ID and grants access.
- One-time PINs − Grant access for just one session or transaction.
- Authentication apps − Generate a security code, through an external party, that permits access.
- Biometrics − The user presents a fingerprint or eye scan to gain access to the system.
Before providing access, the system may need to validate several factors successfully. This multi-factor authentication (MFA) requirement provides additional protection beyond what passwords alone would give.
Types of Authentication
- Password-Based Authentication −
  - Users provide a username and password to verify their identity.
  - Examples − Login forms, SSH access.
- Biometric Authentication −
  - Uses biological traits like fingerprints, facial recognition, or retina scans.
  - Examples − Smartphone fingerprint unlock, airport biometric verification.
- Token-Based Authentication −
  - Involves generating a secure token (e.g., JWT) after successful login.
  - Tokens are sent with subsequent requests to verify identity.
- Multi-Factor Authentication (MFA) −
  - Combines two or more authentication factors (e.g., password + OTP).
- Certificate-Based Authentication −
  - Uses digital certificates to authenticate users or systems.
  - Common in enterprise systems and secure APIs.
What is Authorization?
Definition
Authorization is the process of determining what actions or resources a user is permitted to access after they have been authenticated. It enforces policies to control access.
Authorization is the function of assigning access privileges to a resource. It pertains to information security in general and to computer security, and access control in particular. In a more formal sense, "authorization" refers to the process of defining an access policy. In system security, authorization is the process of giving access to a specified resource or function. The term is frequently used interchangeably with access control and client permission.
Authorization can, for example, allow someone to download specific files from a server or give particular users administrative access to a program.
In a secure setting, authorization must always follow authentication. Users must first prove their identity before the organization's administrator gives them access to the requested resources.
Types of Authorization
- Role-Based Access Control (RBAC) −
  - Permissions are assigned based on user roles.
  - Example − An admin role has more privileges than a regular user.
- Attribute-Based Access Control (ABAC) −
  - Access is granted based on user attributes (e.g., department, location).
  - Example − Employees in "HR" can access payroll systems.
- Policy-Based Access Control (PBAC) −
  - Centralized policies define access rules, often using external policy engines.
- Discretionary Access Control (DAC) −
  - Resource owners control access.
  - Example − File permissions on a Linux server.
- Mandatory Access Control (MAC) −
  - Access is strictly controlled by the system, not by resource owners.
Authentication vs Authorization
Authentication and authorization are separate phases in the login process. To correctly implement an IAM solution, you must understand the difference between the two.
Consider a person approaching a locked door to care for a pet while the family is away on vacation. That person needs the following −
- Authentication in the form of a key − Just as a system grants access only to users with the proper credentials, the door lock grants access only to someone holding the correct key.
- Authorization in the form of permissions − Once inside, the person may enter the kitchen and open the cabinet containing the pet food. The person may not have permission to go into the bedroom for a quick nap.
Authentication and authorization work together in this example. The pet sitter is able to enter the house (authentication) and, once inside, has access to specific places (authorization).
Key Differences Between Authentication and Authorization
Sr.No. | Aspect | Authentication | Authorization |
---|---|---|---|
1 | Purpose | Verifies identity. | Determines access rights. |
2 | Question Answered | "Who are you?" | "What can you do?" |
3 | Process | First step in access control. | Second step after authentication. |
4 | Focus | User identity. | User permissions. |
5 | Examples | Password login, biometric scan. | Accessing admin dashboard, editing a file. |
6 | Dependencies | Independent of authorization. | Dependent on successful authentication. |
Importance of Authentication and Authorization in System Design
- Security −
  - Prevents unauthorized access to sensitive data.
  - Protects against attacks like credential stuffing or privilege escalation.
- Compliance −
  - Meets regulatory requirements (e.g., GDPR, HIPAA).
- Scalability −
  - Ensures secure access as systems scale to support more users.
- User Experience −
  - Properly implemented authentication and authorization provide seamless and secure user interactions.
Authentication Mechanisms in System Design
Password-Based Authentication
Users provide credentials, which the system checks against securely stored values (e.g., hashed with bcrypt).
Risks− Susceptible to brute-force attacks, weak passwords.
Token-Based Authentication
After login, a token (e.g., JSON Web Token) is issued to the user.
Tokens are sent with subsequent requests for verification.
- Benefits −
  - Stateless.
  - Ideal for distributed systems.
Examples − OAuth2, OpenID Connect.
Multi-Factor Authentication (MFA)
- Combines −
  - Knowledge (e.g., password).
  - Possession (e.g., phone for OTP).
  - Inherence (e.g., fingerprint).
Significantly enhances security.
Biometric Authentication
Uses unique physical traits.
Benefits− Difficult to forge.
Examples− Apple Face ID, fingerprint scanners.
Authorization Mechanisms in System Design
Role-Based Access Control (RBAC)
Assigns permissions based on roles.
- Example −
  - Admin − Full access.
  - Editor − Create and edit.
  - Viewer − Read-only.
Attribute-Based Access Control (ABAC)
Uses dynamic attributes to determine access.
Example− A manager in "Sales" can access sales reports for their region.
Policy-Based Access Control (PBAC)
Centralized access policies stored in external engines.
Example− AWS IAM policies.
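The RBAC role table and the ABAC "Sales manager" rule above can be combined into one deny-by-default decision function. This is an added example, not code from the original article; the attribute names (`department`, `title`, `region`), the `sales_report` resource type, and read access for editors are assumptions made for illustration.

```python
# Role table from the RBAC example above; "read" for editors is an assumption.
ROLE_PERMISSIONS = {
    "admin": {"create", "read", "edit", "delete"},
    "editor": {"create", "read", "edit"},
    "viewer": {"read"},
}

def sales_report_rule(user, resource):
    """ABAC rule from the text: a Sales manager sees reports for their own region."""
    return (
        user.get("department") == "Sales"
        and user.get("title") == "manager"
        and user.get("region") == resource.get("region")
    )

# Resource types that need an attribute check in addition to a role permission
# (hypothetical registry for this example).
ATTRIBUTE_RULES = {"sales_report": sales_report_rule}

def authorize(user, action, resource):
    """Decide whether an already-authenticated user may perform action on resource."""
    if user is None:                      # authentication failed or never happened
        return False
    granted = ROLE_PERMISSIONS.get(user.get("role"), set())  # unknown role: nothing
    if action not in granted:
        return False
    if user.get("role") == "admin":       # "Admin: full access" in the role table
        return True
    rule = ATTRIBUTE_RULES.get(resource.get("type"))
    return rule(user, resource) if rule else True

# Constructed principals, as an authentication layer would hand them over.
EMEA_MANAGER = {"id": "u1", "role": "viewer", "department": "Sales",
                "title": "manager", "region": "EMEA"}
HR_EDITOR = {"id": "u2", "role": "editor", "department": "HR", "title": "analyst"}
```

A role the table does not list, or a missing principal, falls through to a denial, which is the least-privilege default.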
Best Practices for Designing Authentication and Authorization
For Authentication
Use Secure Password Storage− Hash passwords using algorithms like bcrypt or Argon2.
Implement MFA− Add an additional layer of security.
Token Expiry− Set expiration times for session tokens.
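The password-storage and token-expiry practices above, sketched as an added example that is not part of the original article. It uses the standard library's scrypt as a stand-in for bcrypt or Argon2 so that it runs without third-party packages, and a minimal HMAC-signed token rather than a full JWT; the user record, the key handling and the 15-minute lifetime are assumptions.

```python
import base64, hashlib, hmac, json, os, time

SECRET = os.urandom(32)   # signing key; a real service loads this from a secret store
TOKEN_TTL = 900           # token lifetime in seconds (assumed value)

def hash_password(password):
    """Return salt + scrypt digest; only this value is stored, never the password."""
    salt = os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

USERS = {"alice": hash_password("correct horse battery staple")}  # constructed record
_DUMMY = hash_password("dummy")  # unknown usernames cost the same hashing work

def _sign(body):
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def login(username, password, now=None):
    """Check the credentials and, on success, issue a signed token with an expiry."""
    stored = USERS.get(username)
    ok = verify_password(password, stored or _DUMMY)
    if stored is None or not ok:
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)

def authenticate(token, now=None):
    """Return the verified username, or None for a forged, malformed or expired token."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body.encode())):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError, AttributeError):
        return None
    now = time.time() if now is None else now
    return claims["sub"] if now < claims["exp"] else None
```

`authenticate` establishes only who the caller is; what that caller may do is a separate authorization decision.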
For Authorization
Follow the Principle of Least Privilege− Grant only the necessary permissions.
Audit Permissions Regularly− Remove unused roles or excessive privileges.
Externalize Authorization Logic− Use dedicated policy engines for scalability.
Challenges in Implementing Authentication and Authorization
Scalability− Handling millions of authentication requests in distributed systems.
Security Risks− Protecting against attacks like session hijacking or privilege escalation.
User Experience− Balancing security with ease of use.
Integration Complexity− Integrating authentication and authorization mechanisms across services.
Conclusion
Authentication and authorization are foundational components of system security. While authentication ensures only legitimate users access the system, authorization determines their privileges. Together, they safeguard sensitive resources and ensure seamless operation.
Understanding the differences, mechanisms, and best practices for implementing these processes is crucial for designing secure, scalable, and user-friendly systems. As systems grow increasingly distributed and complex, robust authentication and authorization mechanisms become indispensable.