Demystifying Authentication, Authorization, and Modern Security: From SSO to 2FA

What is the difference between authorization and authentication?

Authentication and authorization are two fundamental concepts in the world of cybersecurity, often used together but serving distinct purposes.

Authentication is the process of confirming that you are who you claim to be. For instance, when you log in using a username and password, you’re authenticating yourself. The underlying assumption is that no one else knows your password, so if the correct credentials are entered, the system recognizes you as the legitimate user. There are various methods of authentication. For example, when your phone rings and displays the caller as “Mom,” you expect that answering the call will connect you to your mother. This is a form of authentication based on the caller’s number. The final confirmation, however, comes when you hear her voice, which is a type of voice authentication.

In the past, unlocking your phone required entering a code, password, or drawing a pattern on the screen. These are traditional authentication methods that prove to the device that you are its rightful owner. With advancements in technology, we’ve moved towards biometric authentication, using fingerprint sensors or facial recognition to provide a more seamless and secure experience.

Authorization, on the other hand, determines what actions a user is permitted to take within a system after authentication has been completed. The system evaluates the authentication result and assigns access rights accordingly. For example, a guest login might only allow a user to view files in a specific folder, with no additional permissions. Regular users, authenticated with their credentials, may have broader access, such as the ability to view files across multiple folders, but they may still be restricted from making changes. Administrators, however, are typically granted full access, enabling them to perform any action on the server.

In summary, while authentication verifies your identity, authorization controls what you can do once your identity has been confirmed. Both processes are essential in ensuring secure access to systems and data.

How It Works and Why Two-Factor Authentication is Essential

Single-Factor Authentication

Single-factor authentication is the most straightforward and widely used method of verifying identity. Typically, you enter your username and password, which the system checks against its database. If they match, you’re granted access based on your credentials.

However, this approach has vulnerabilities. The system doesn’t verify who is entering the credentials; it only checks if they match. If someone else gains access to your login information—perhaps by observing you or through a data breach—they can impersonate you. While logging in is quick if you remember your credentials, it’s also risky. Many people use their email address as a username, which is often publicly available, and reuse the same password across multiple platforms. This makes it easier for attackers to exploit a single leaked password across various services. Unfortunately, passwords are often simplistic, such as a birthdate, which can be easily guessed.

Two-Factor Authentication

Two-factor authentication (2FA) adds an extra layer of security by requiring two distinct forms of verification. After entering your login and password, you must provide a second form of authentication—typically something only you have access to, such as a phone or email account. This additional step makes it significantly harder for attackers to gain unauthorized access, even if they know your password.

While 2FA may take a little longer, the added security is worth it. To log in, attackers would need to gain access to both your password and your secondary authentication method, such as your phone or email. This method is especially effective if you use the same password across different services, as the second layer of verification helps mitigate the risk.

Examples of Two-Factor Authentication

Common methods include SMS codes, where a code is sent to your phone, or email links, where you confirm your identity by clicking a one-time link. Some services offer app-based confirmation, where you approve the login attempt via an app on your phone, or use an authenticator app that generates time-based codes. More advanced methods include biometric verification, such as fingerprint or facial recognition, and physical devices like USB tokens or NFC cards.

Security Tips for Two-Factor Authentication

To maximize the benefits of 2FA, take care of your mobile phone and consider using two SIM cards—one for receiving authentication codes that you don’t share publicly. Additionally, maintain a separate, private email address for important services, and avoid using easily guessable information, like your birthdate, for PIN codes or passwords. Always download apps from official stores to prevent malicious software from intercepting your codes.

How User Auto-Registration Works on Websites

Traditionally, registering on a website involves entering an email, creating a password, and sometimes choosing a username. Often, it also requires confirming your email before you can fully access the site. However, there’s a more streamlined approach: auto-registration, where an account is created automatically as soon as a user clicks a link, allowing immediate access to the site.

The Purpose of Registration

In the early days of the internet, registration forms were often lengthy, requiring users to provide details like their full name, email, username, password, interests, and even how they found out about the site. For online stores, additional information like delivery address and payment details was needed.

The idea behind this was to better understand users’ preferences, enhancing their experience by offering personalized products or improving site performance. However, as developers soon realized, the more complicated the registration process, the fewer people would sign up. This led to reduced user engagement, lower sales, and decreased revenue.

Over time, registration forms were simplified to the basics—usually just an email or phone number and a password. But even this can be a hurdle, especially when confirmation codes or email verifications are required.

What is Auto-Registration?

Auto-registration eliminates these obstacles. When you visit a site, a personal account is automatically created, allowing you to use the site without any restrictions. The site generates a generic username, such as “User8099” or “Client_001901.” If you wish, you can later change this username, add an email, set a password, or customize your account in other ways. But none of this is required up front, making the process faster and more user-friendly.

Auto-registration is particularly beneficial for online games with in-game purchases or online stores where the priority is on ease of access and quick transactions.

How Does It Work?

When a user visits a site, the server checks cookies and local storage files to see if the person has visited before. If not, the site creates a personal account and generates a unique token. This token is stored in the browser’s memory or cookies. The next time the user visits the site from the same browser, the token allows automatic login under the generated username.

However, if the user accesses the site from a different browser, a new account is created because the token is stored in the browser, not on the device.

Is It Safe?

Auto-registration, which bypasses passwords, verification codes, and biometric authentication, prioritizes convenience over security. The goal is to make it as easy as possible for users to engage with the site without distractions.

While this approach is suitable for browsing or casual use, it’s safer to create a password, link an email, and verify your phone number if you plan to make purchases or regularly use the site.

How and Why Phone Number Authorization is Used in Public Wi-Fi

When you connect to public Wi-Fi, the process often involves an extra layer of security: authorization by phone number. Here’s how it works and why it’s necessary.

User Experience in Public Wi-Fi Authorization

1. Connecting to the Network: A user selects the desired Wi-Fi network from the list of available options on their device.
2. Captive Portal: The device is redirected to an authorization page in the browser. The user selects phone number authorization as the method.
3. Entering the Phone Number: The user enters their phone number or calls a toll-free number provided.
4. Receiving a Code or Call: The user either receives an SMS with a code or a call from an automated system. If they initiated the call themselves, access is granted without a code.
5. Completing Authorization: The user enters the code, or if they received a call, simply inputs the last four digits of the caller’s number.

What Happens Behind the Scenes

When a user connects to a public Wi-Fi network, their device receives an SSID (Service Set Identifier) from nearby access points, identifying available networks. After selecting a network, the user is granted limited internet access—typically only to certain sites pre-approved by the network owner, like a café menu or a public transit portal.

To check for internet availability, the device sends requests to specific sites like captive.apple.com for Apple devices or connectioncheck.gstatic.com for Android. Since full access isn’t granted yet, these sites can’t be reached, and the device is redirected to a Captive Portal page. This page, controlled by the Wi-Fi provider, prompts the user to authorize.

When the user enters their phone number or makes a call, this information is processed according to the Captive Portal’s settings. The number is sent to a cellular operator or an SMS aggregator, triggering the automated call or SMS with a verification code.

Once the user successfully authorizes, the Captive Portal sends this information back to the access point (router), which then communicates with a RADIUS (Remote Authentication Dial-In User Service) server. The RADIUS server checks the user’s credentials against a database and, if everything is in order, allows internet access.

Even if a user’s data is saved, they’ll need to go through this process each time they reconnect to the network, as the system follows the same protocol for every session.

Implementing Phone Number Authorization at Home

While typically seen in public networks, this type of authorization can be set up on a home router. However, it requires specialized equipment and services:

• A Wi-Fi controller or a router that supports phone or SMS-based authorization.
• A server for hosting the Captive Portal and a database for user information.
• A Captive Portal page tailored to your network.
• A service provider for SMS or call-based verification, often requiring a business account.

Linking these components creates a secure, albeit complex, authorization system for home use.

Can the Access Point Owner See My Activity?

Yes, the owner of any Wi-Fi access point, including public ones, can monitor certain aspects of your online activity. Depending on the router model and additional software, they can view:

• Your device’s MAC address and IP address.
• The websites you visit.
• Unencrypted HTTP traffic, potentially including logins and passwords.
• The time you spent on specific sites and the duration of your visits.
• Applications or programs you use.
• Data from VoIP and Wi-Fi calls.
• Messages from certain instant messaging apps.

The level of detail the owner can access depends on various factors, including the security of your connection, data packet handling, and the use of traffic analysis tools.

The key takeaway is that no public Wi-Fi network is entirely secure. Sensitive activities, like accessing important data, should never be conducted over public Wi-Fi.

Understanding Single Sign-On (SSO) and Its Impact on Security

Single Sign-On (SSO) allows users to log into various sites and applications using a single set of credentials, typically from a popular service like Google. Here’s how SSO works, its benefits, and its drawbacks.

How SSO Works

SSO involves three key players: the user, the SSO provider, and the service provider (the site or app the user wants to access).

The process is straightforward:

• User Initiates Access: The user visits a site and selects SSO as their login method, such as using a Google account.
• Cookie Check: The site checks for existing cookies. If none are found, it prompts the user to authenticate by entering their SSO credentials in a separate window.
• SSO Provider Verification: The SSO provider checks if the user is already logged in by examining its own cookies. If the user is logged in, the provider confirms this with the site, granting access without requiring additional input.
• Authentication: If the user isn’t logged in, they must enter their SSO credentials. Once verified, the SSO provider sends a confirmation to the site, allowing the user to gain access.

The Role of the SSO Token

After successful login, the SSO provider generates an encrypted token containing user information like name, email, and authentication status. This token is sent to the site, which verifies its authenticity. If the token is valid, the user is granted access; if it’s expired or tampered with, re-authentication is required.

Depending on the SSO setup, tokens may vary:

• OAuth Tokens: Typically a string of characters used when SSO is based on the OAuth protocol.
• SAML Tokens: An XML file used in SAML-based SSO, containing user data, authentication time, and other details.
• OpenID Connect Tokens: Often in JSON format, containing key-value pairs of user information.

Advantages of SSO

The main benefit of SSO is simplifying password management. Without SSO, users must either:

• Create and store a unique password for each service.
• Use a single, often complex, password across multiple services.
• Rely on a password manager.
• Limit themselves to services that don’t require login credentials.

With SSO, one account grants access to multiple supported sites and apps. For organizations, SSO streamlines account management. Employees only need one account to access corporate systems, and upon leaving, administrators can revoke all access at once.

Drawbacks of SSO

SSO, however, introduces a single point of vulnerability. If an attacker gains access to the SSO account, they can potentially access all connected services. Additionally:

• You cannot link SSO to an existing account on a site; you must create a new profile.
• Not all apps support SSO, making it less universally applicable than a password manager.

To mitigate risks, it’s crucial to enable two-factor authentication (2FA) wherever possible. This adds an extra layer of security, requiring not just SSO credentials but also a code sent to your phone, email, or an authentication app.

SSO vs. Password Managers

While both SSO and password managers simplify login processes, they operate differently:

• SSO acts like a universal key that works with specific services.
• Password Managers generate and store unique passwords for all services, like a keyring with multiple keys.

Both systems share a common vulnerability: if compromised, an attacker could access all associated accounts. Therefore, adding 2FA to your password manager is also advisable.

When to Use SSO

Choosing between SSO and traditional password methods is a personal decision. SSO offers convenience but requires diligent monitoring and 2FA setup. Password managers provide flexibility across all sites but still centralize your security in one place. Creating strong, unique passwords for each site is secure but can be cumbersome.

In the end, the choice depends on your needs and security preferences. What will you choose?