Whenever a user wants to access protected content or a protected service, he is faced with a validation process. This process can be broken down into three steps: identification, authentication and authorization. This lesson clarifies these steps.
The first step of user validation is identification. This step aims to find out who the user is, and it can be carried out by a person or by a machine. The user can state his name or present his ID, or he can be recognized through a camera.
The second step is authentication. In this step, the user must prove that he is who he claims to be. This can be done in different ways: for example, someone can compare his face with the photo in a passport, or the user is prompted to enter a PIN when paying with a bank card.
The final step of validation is authorization. This step aims to find out whether the user is allowed to carry out the action he intends to perform. Does he have enough money in his bank account? Does he have a hotel reservation? Does he have permission to access the protected web page?
The video below explains these steps.
Although there are some exceptions, we can say that, as a rule, validation consists of all three steps.
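The three steps as a small, self-contained Python program (an added example, not part of the original lesson). The user store, user names, password and permission names are constructed for the demonstration; each step is a separate function so it is clear where a request is stopped, and a failed identification and a failed authentication deliberately produce the same reply so the response does not reveal which user names exist.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    permissions: set = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked user store does not reveal passwords directly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(users: dict, name: str, password: str, permissions) -> None:
    # Constructed in-memory store: name -> User (a real system would use a database)
    salt = os.urandom(16)
    users[name] = User(name, salt, hash_password(password, salt), set(permissions))


def identify(users: dict, name: str):
    # Step 1, identification: who does the user claim to be? Nothing is verified yet.
    return users.get(name)


def authenticate(user: User, password: str) -> bool:
    # Step 2, authentication: does the presented secret match the claimed identity?
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def authorize(user: User, action: str) -> bool:
    # Step 3, authorization: is this verified user allowed to perform the action?
    return action in user.permissions


def validate(users: dict, name: str, password: str, action: str) -> str:
    user = identify(users, name)
    if user is None or not authenticate(user, password):
        # Same message for "unknown user" and "wrong password"
        return "denied: authentication failed"
    if not authorize(user, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    users = {}
    add_user(users, "alice", "correct horse", {"read_page"})
    print(validate(users, "alice", "correct horse", "read_page"))    # granted
    print(validate(users, "alice", "wrong", "read_page"))            # denied: authentication failed
    print(validate(users, "alice", "correct horse", "delete_page"))  # denied: not authorized
```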
The OWASP Foundation, in its "Top 10 Application Security Risks – 2017" project, placed "Broken Authentication" second and "Broken Access Control" fifth.