100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Python

Authentication Basics

Learn how systems verify identity through authentication, how it differs from authorization, and the three factor categories used to prove who you are.

Authentication & Access ControlBeginner8 min readJul 8, 2026
Analogies

Introduction

Authentication is the process of verifying that someone is who they claim to be. Every time you type a password to unlock your phone, scan your face to open a banking app, or swipe a badge to enter an office, you are participating in an authentication process. It is one of the most fundamental building blocks of cybersecurity because nearly every other control — access control, logging, accountability — depends on the system first knowing, with confidence, who is making the request.

🏏

Cricket analogy: Before a player can walk out to bat for India, the umpire and scorer confirm his identity against the team sheet, just as a system must first verify who is requesting access before anything else happens.

Explanation

It is critical to distinguish authentication from authorization, since the two are often confused. Authentication answers the question 'who are you?' — it confirms identity. Authorization answers a different question — 'what are you allowed to do?' — it determines the permissions granted to an already-verified identity. A system always authenticates first and authorizes second: you must prove who you are before the system decides what you can access. For example, logging into an email account with a username and password is authentication; being allowed to read certain folders but not delete the whole mailbox is authorization.

🏏

Cricket analogy: Virat Kohli signing in at the team hotel confirms who he is, but whether he bats at number three or opens the innings is a separate decision made by the captain afterward.

Authentication methods are grouped into three classic factor categories. The first is something you know, such as a password, PIN, or answer to a security question — knowledge-based and easy to deploy, but vulnerable to guessing, phishing, or reuse. The second is something you have, such as a smartphone receiving a one-time code, a hardware security key, or a smart card — possession-based, harder to steal remotely but can be lost or stolen physically. The third is something you are, such as a fingerprint, face scan, or iris pattern — biometric and tied to a physical trait, convenient but raises privacy concerns and cannot be changed if compromised. A fourth, less formal category sometimes cited is somewhere you are (location) or something you do (behavioral patterns like typing rhythm), but the three core categories remain the foundation of authentication design.

🏏

Cricket analogy: A captain might recognize a teammate by sight (something they are), by a jersey number (something they have), or a pre-agreed dressing-room password (something they know) to confirm identity in the dugout.

Example

text
Login attempt at a bank website:
1. User enters username + password        -> AUTHENTICATION (something you know)
2. Bank server checks credentials against stored hash
3. Identity confirmed: user is 'jane.doe'
4. Bank system checks jane.doe's account permissions
5. jane.doe is allowed to view her own accounts,
   but NOT allowed to view other customers' accounts -> AUTHORIZATION

Authentication = proving identity
Authorization  = what that identity is permitted to do

Analysis

Weak authentication design is one of the leading root causes of breaches, because if identity verification can be bypassed or guessed, every downstream authorization control becomes meaningless — an attacker who successfully authenticates as a legitimate user simply inherits that user's authorized access. This is why organizations invest heavily in strengthening the 'something you know' factor with policies, layering in 'something you have' through multi-factor authentication, and increasingly adopting 'something you are' for high-assurance scenarios like unlocking devices. Understanding which factor category a control belongs to also helps security teams reason about its failure modes: passwords fail through guessing and reuse, hardware tokens fail through physical theft, and biometrics fail through spoofing or irrevocability once compromised.

🏏

Cricket analogy: If a scorer never checks credentials and lets anyone claim to be the official statistician, every downstream record of runs and wickets becomes meaningless, just as a weak login lets an attacker inherit a legitimate user's access.

Key Takeaways

  • Authentication verifies identity ('who are you?'); authorization grants permissions ('what can you do?') — authentication always happens first.
  • The three classic authentication factor categories are: something you know (password, PIN), something you have (token, phone, smart card), and something you are (biometrics).
  • Weak authentication undermines every downstream security control, since authorization decisions rely on a correctly verified identity.

Practice what you learned

Was this page helpful?

Topics covered

#Python#CyberSecurityFundamentalsStudyNotes#CyberSecurity#AuthenticationBasics#Authentication#Explanation#Example#Analysis#Security#StudyNotes#SkillVeris