What is authentication and why it matters
Topic: Security basics
Summary
Authentication is verifying identity (who you are) before granting access. Learn the difference between authentication and authorization, and why strong auth (passwords, keys, MFA) is the first line of defense. Use this when designing access or explaining auth to others.
Intent: Decision
Quick answer
- Authentication answers who you are; authorization answers what you are allowed to do. Auth is proving identity with something you know (password), have (key, token), or are (biometric).
- Strong auth reduces risk of impersonation and takeover. Prefer keys or tokens over passwords where possible; add MFA for sensitive systems so one stolen factor is not enough.
- Use this when setting up login, API access, or SSH; choose the right method (password, key, OAuth, certificate) for the system and the user type (human vs machine).
Steps
- Define authentication vs authorization: Authentication verifies identity (login, SSH key, API token). Authorization decides what that identity can do (permissions, roles). Both are required: authenticate first, then check authorization.
- Understand factors: Something you know (password), something you have (key, hardware token, phone), something you are (fingerprint). Single-factor auth uses one of these categories; MFA combines two or more of them for higher assurance.
- Choose the right method: Passwords for human login where keys are impractical; keys or certificates for SSH and automation; tokens or OAuth for APIs and apps. Add MFA for admin and sensitive access.
- Apply to your systems: Document how each system authenticates users and services; ensure secrets (passwords, keys) are stored and transmitted securely; rotate and revoke them when people or machines leave.
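The four steps above as one small flow, added here as an example and not code from the original page: a salted slow password hash (something you know), a TOTP code per RFC 6238 (something you have), authorization by role only after authentication succeeds, and revocation that fails authentication even when the secrets are still valid. The user store, salts, MFA seed, role table and the names authenticate, authorize, access and revoke are all constructed for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed example. USERS, ROLE_PERMISSIONS, the salts and the MFA seed
# are illustrative values, not taken from any real system.

PBKDF2_ITERATIONS = 100_000  # deliberately slow: raises the cost of offline guessing
TOTP_STEP = 30               # seconds per TOTP time step (RFC 6238 default)


def hash_password(password: str, salt: bytes) -> bytes:
    """Something you know: store a salted, slow hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, now // step)


# Constructed user store. "mfa_secret" is the something-you-have factor: the seed
# held by an authenticator app or hardware token. None means no second factor enrolled.
USERS = {
    "alice": {
        "salt": b"alice-salt-0001!",
        "hash": hash_password("correct horse battery", b"alice-salt-0001!"),
        "mfa_secret": b"12345678901234567890",
        "role": "admin",
    },
    "bob": {
        "salt": b"bob-salt-00000002",
        "hash": hash_password("bob-password", b"bob-salt-00000002"),
        "mfa_secret": None,
        "role": "dev",
    },
}
REVOKED: set = set()  # step 4: revoked identities fail authentication outright

# Authorization data: which actions each role may perform.
ROLE_PERMISSIONS = {"admin": {"read", "write", "deploy"}, "dev": {"read", "write"}, "viewer": {"read"}}


def authenticate(username: str, password: str, otp=None, now=None):
    """Step 1 and 2: prove identity. Returns the principal name or None."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None or username in REVOKED:
        # Burn the same hashing cost for unknown users so response time does not reveal them.
        hash_password(password, b"dummy-salt-for-unknown-user")
        return None
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return None
    secret = user["mfa_secret"]
    if secret is not None:
        if otp is None:
            return None  # second factor enrolled but not presented: one factor is not enough
        # Accept the current step and one step either side to tolerate small clock drift.
        if not any(
            hmac.compare_digest(totp(secret, now + drift * TOTP_STEP).encode(), str(otp).encode())
            for drift in (-1, 0, 1)
        ):
            return None
    return username


def authorize(principal: str, action: str) -> bool:
    """Authorization: decided only for an already authenticated principal."""
    return action in ROLE_PERMISSIONS.get(USERS[principal]["role"], set())


def access(username: str, password: str, action: str, otp=None, now=None) -> str:
    """Auth first, then permission check; the order is the point of the two-step design."""
    principal = authenticate(username, password, otp=otp, now=now)
    if principal is None:
        return "denied: authentication failed"
    if not authorize(principal, action):
        return "denied: not authorized"
    return "allowed"


def revoke(username: str) -> None:
    """Step 4: revoke when a person or machine is no longer trusted."""
    REVOKED.add(username)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["mfa_secret"], now)
    print(access("alice", "correct horse battery", "deploy", otp=code, now=now))  # allowed
    print(access("bob", "bob-password", "deploy"))                               # denied: not authorized
```

Two details carry the security point: comparisons use hmac.compare_digest so that a wrong password or code is rejected in constant time, and a user with a second factor enrolled is refused when only the password is presented, which is what makes the stolen-password case fail.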
Summary
Authentication proves identity; authorization grants permissions. Use factors (know, have, are) and choose the right method (password, key, token, MFA) for each system. Use this when designing or explaining access control.
Prerequisites
None.
Steps
Step 1: Define authentication vs authorization
Authentication answers who you are; authorization answers what you can do. Auth comes first; then the system checks permissions.
Step 2: Understand factors
Something you know (password), have (key, token), or are (biometric). MFA uses at least two factors to reduce risk from a single stolen factor.
Step 3: Choose the right method
Use passwords for human login where keys are not practical; keys for SSH and automation; tokens or OAuth for APIs. Add MFA for sensitive and admin access.
Step 4: Apply to your systems
Document how each system authenticates; protect and rotate secrets; revoke access when users or machines are no longer trusted.
Verification
You can explain the difference between authentication and authorization and when to use each auth method.
Troubleshooting
Weak auth everywhere: Prioritize MFA and keys for admin and production; then improve password policy.
Machines using passwords: Replace with keys or tokens and rotate them.