Foundations

Chapter 1
Foundations: AuthN vs AuthZ & the Threat Model
What identity, authentication, and authorization actually mean — and what attackers want

Across the HTTPS, CSRF, and XSS courses, one phrase kept recurring: "the session," "the credential," "riding the user's authority." This course is the foundation underneath all of them — how a system establishes who you are and keeps that fact secure over time. Chapter 1 sets the vocabulary precisely (the most-confused pair in security: authentication vs authorization) and frames the threat model the rest of the course defends against.

Authentication vs Authorization — The Core Distinction

These two are constantly conflated, abbreviated confusingly (AuthN and AuthZ), and even share the prefix "auth" — but they answer entirely different questions:

Authentication (AuthN)Authorization (AuthZ)
QuestionWho are you?What are you allowed to do?
Verifiesyour identity (you are who you claim)your permissions (you may access X)
Happensfirst — at loginafter — on each protected action
Exampleentering a correct password / passkeybeing allowed into the admin panel
Failure looks like"Login failed" (401 Unauthorized)"Access denied" (403 Forbidden)
The order is fixed — and the HTTP status codes are (confusingly) named backwards
Authentication always comes before authorization: you can't decide what someone may do until you know who they are. A useful mnemonic: AutheNtication = who (ideNtity); AuthoRization = Rights. One historical wrinkle to know: HTTP 401 "Unauthorized" actually means un-authenticated (you haven't proven who you are), while 403 "Forbidden" means authenticated-but-not-authorized. The 401 name is a 30-year-old misnomer baked into the spec — expect it.

This course focuses on authentication and the session that follows it — establishing identity and keeping that established identity secure. (Authorization — roles, permissions, access control — is a large topic in its own right; we touch it only where the two interact.)

The Three Factors of Authentication

Authentication works by checking one or more factors — categories of evidence that you are who you claim. There are three classic types:

Factor"Something you…"Examples
Knowledgeknowpassword, PIN, security question
Possessionhavephone (TOTP app), security key, passkey
Inherencearefingerprint, face, biometric

Multi-factor authentication (MFA) means combining factors from different categories — e.g. a password (know) plus a phone code (have). Two passwords aren't MFA; they're the same factor twice. The power of MFA is that an attacker must compromise independent channels — knowing your password is useless without also having your phone (Chapter 6 goes deep).

The Wider Picture: Identity, AuthN, AuthZ, Accountability

Authentication sits in a chain of four related concepts. Keeping them distinct clarifies a lot of security design:

  • Identification — claiming an identity ("I'm user philip"). Just a claim, unverified.
  • Authentication — proving that claim (the password/passkey checks out).
  • Authorization — granting access based on the proven identity ("philip may edit posts").
  • Accountability — logging what the identity did, so actions can be traced (audit logs).

The Threat Model: What Attackers Want

Auth security is best understood by what an attacker is trying to achieve. The overarching goal is account takeover — operating as a legitimate user — and there are several routes to it:

Attacker goalHowCourse chapter
Steal the credentialphishing, breach reuse, weak password storage2, 3
Guess the credentialbrute force, credential stuffing, spraying3
Steal the sessionsession hijacking, XSS, fixation4, 5
Bypass MFASMS interception, MFA fatigue, phishing proxies6
Abuse tokensJWT flaws, stolen refresh tokens, OAuth misconfig7, 8
Hijack recoveryweak password-reset / email-verification flows9

Where This Fits With the Other Three Courses

This course completes a quartet — each protects a different part of the same login-and-session lifecycle:

CourseProtectsAgainst
HTTPS / TLSthe credential/session in transiteavesdropping, tampering on the wire
Authentication (this)establishing & holding the identitycredential theft, session hijacking, weak MFA
CSRFagainst abuse of an active sessionforged requests riding the session
XSSthe page that holds the sessionscript stealing/riding the session
The courses interlock — a weakness in one undermines the others
These aren't independent. HTTPS without strong authentication protects a worthless credential; strong authentication over plain HTTP leaks the credential on the wire; perfect auth with an XSS hole lets a script steal the session anyway (XSS course: "fix XSS first"); and CSRF rides whatever session your authentication established. The recurring cookie-flag advice — HttpOnly, Secure, SameSite — that appeared in all three previous courses lives here, on the session cookie, and Chapter 5 finally ties it together. Account security is only as strong as the weakest link across all four.

Hands-On Exercises

Exercise 1

Classify each as Authentication or Authorization: (a) the site rejects your password; (b) you're logged in but can't open /admin; (c) a fingerprint unlocks your phone; (d) a regular user is blocked from deleting another user's post. For each, give the likely HTTP status (401 vs 403) and justify it.

📄 View solution
Exercise 2

For each combination, state whether it's true multi-factor authentication and why: (a) password + SMS code; (b) password + security question; (c) fingerprint + passkey on a hardware key; (d) PIN + password. Name the factor category of each element.

📄 View solution
Exercise 3

For each prior-course attack, state which authentication threat-model goal it serves and why fixing it matters to account security: (a) XSS stealing document.cookie; (b) a CSRF forged "change email"; (c) TLS stripping on a login page. Tie each to "account takeover."

📄 View solution

Chapter 1 Quick Reference

  • Authentication (AuthN) = "who are you?" (verify identity); Authorization (AuthZ) = "what may you do?" (verify rights)
  • AuthN always comes first; mnemonic: autheNtication = ideNtity, authoRization = Rights
  • HTTP 401 "Unauthorized" really means un-authenticated; 403 "Forbidden" means authenticated-but-not-authorized (spec misnomer)
  • Three factors: knowledge (know) · possession (have) · inherence (are); MFA = factors from different categories
  • Full chain: identification → authentication → authorization → accountability
  • Threat model: the goal is account takeover — via stolen/guessed credentials, stolen sessions, bypassed MFA, abused tokens, or hijacked recovery
  • This course completes the quartet (HTTPS / Auth / CSRF / XSS) — they interlock; the weakest link sets account security
  • Next chapter: password storage done right — hashing vs encryption, salts, and slow hashes (bcrypt/scrypt/Argon2)