Authentication

proof of identity
need to be sure a user is who they say they are before you can trust them
usually done via a unique identifier
- unique username
and a secret that is only known by the authorised user
- password
- biometrics
- 2fa code

MFA

many secrets
protects user/system in the case that a password is disclosed
additional secrets generated at the time of use.
- short lived
- if found - attackers have a small windoe to exploit
e.g.,
- sms message
- authenticator app

verifying that a user is allowed to access the operation that they are attempting to access
requires explicit check in the system for restricted operatons
- some code that check if the roles assigned to the authenticaed user intersect the roles required for the current operation
use is assigned a role that defines the operations they are allowed to perform
e.g.
- custoemer - can view products, and see retail prices
- sales rep - can view products and see retail and cost prices
- manager - can add/delete/modify products
- admin - can change system configuration. can assign roles to users

one is useless without the other
many security vulnerabilities are caused by inexperienced/incompetent programmer creating systems that only have one or the other
authenticaion without authorisation can lead to path traversal flaws
- changing the url path to find admin sites
authorisation without authenticaion is the equivalent of blindly trusting your users.