Authentication and Access Control

Imagine walking up to the door of a school computer room. Before you can use anything, two different questions have to be answered. First: who are you? Second: what are you allowed to do once we know that? These are two of the biggest ideas in keeping systems secure, and they have proper names.

Getting the first one right stops strangers pretending to be you. Getting the second right stops you — or an intruder using your account — from doing damage you were never meant to.

Authentication: the three factors

Every way of proving who you are falls into one of three groups, called authentication factors. A memory hook: something you know, something you have, and something you are.

Two-factor authentication (2FA)

A single factor on its own can fail. So the strong approach is to demand two different factors at once — this is two-factor authentication, or 2FA (sometimes called multi-factor authentication). The key word is different: two passwords is still only one factor, but a password plus a code from your phone is two.

The everyday example is a cash machine. To take money out you need your bank card (something you have) and your PIN (something you know). A pickpocket with just the card is stuck; a shoulder-surfer who saw your PIN but has no card is stuck too. They'd need both, which is far harder to pull off.

If your account is protected by a password and nothing else, then that one secret is a single point of failure: the moment it leaks — through a data breach, a phishing email, or malware — whoever has it is you, as far as the system can tell. There's nothing left to stop them.

2FA fixes exactly this. A stolen password is no longer enough on its own, because the attacker still can't produce the code on your phone or your fingerprint. And it's why reusing one password everywhere is so dangerous: when one website is breached, attackers try that same email-and-password pair on your email, your bank and your school account (this is called credential stuffing). One leak then unlocks everything. Use a long, unique password for each account — a password manager makes this painless — and turn on 2FA wherever it's offered.
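How a server can check "a password plus a code from your phone", as an added example that is not code from the original page. It assumes the phone code is a time-based one-time password (TOTP, RFC 6238); the account data, the salt and all function names are constructed for illustration.

```typescript
import { createHmac, scryptSync, timingSafeEqual } from "node:crypto";

// Constructed sample account. The secret is the RFC 6238 test key, standing in
// for the value shared with the phone's authenticator app at enrolment.
const salt = Buffer.from("constructed-salt");
const account = {
  passwordHash: scryptSync("correct horse battery staple", salt, 32),
  totpSecret: Buffer.from("12345678901234567890"),
};

// RFC 6238 TOTP: HMAC-SHA1 over the count of 30-second steps since 1970,
// then RFC 4226 dynamic truncation down to a 6-digit code.
function totp(secret: Buffer, unixSeconds: number): string {
  const counter = Math.floor(unixSeconds / 30);
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return ("000000" + (bin % 1000000)).slice(-6);
}

// Something you know: compare salted password hashes in constant time.
function passwordOk(password: string): boolean {
  return timingSafeEqual(scryptSync(password, salt, 32), account.passwordHash);
}

// Something you have: only the enrolled phone can compute the current code.
// Assumes server and phone clocks agree (no clock-skew window here).
function codeOk(code: string, now: number): boolean {
  const expected = Buffer.from(totp(account.totpSecret, now));
  const given = Buffer.from(code);
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Evaluate both factors every time, then require both, so a stolen password
// alone is rejected and the reply does not reveal which factor failed.
function login(password: string, code: string, now: number): boolean {
  const knows = passwordOk(password);
  const has = codeOk(code, now);
  return knows && has;
}
```

Because the code depends on the current 30-second window, a code read over someone's shoulder stops working once the window has passed.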

Why length beats cleverness

Attackers who steal a list of scrambled passwords often try to crack them by guessing every possible combination — a brute-force attack. The number of combinations depends on how many symbols you allow and how long the password is. If there are s possible symbols and the password is L characters long, the number of possibilities is

N = s^{L}.

That exponent is the whole story: every extra character multiplies the effort to crack it. Change the length in the program below and run it to see how fast the crack time explodes — even at a billion guesses per second.

```typescript
// A brute-force attacker tries every combination of symbols.
// Try changing `length` from 6 to 8 to 12 and watch the time explode.
const symbols: number = 95; // letters, digits and punctuation on a keyboard
const length: number = 8; // how many characters long the password is

const combinations: number = Math.pow(symbols, length);
const guessesPerSecond: number = 1_000_000_000; // a fast attacker: 1 billion per second
const seconds: number = combinations / guessesPerSecond;
const years: number = seconds / (60 * 60 * 24 * 365);

console.log("Symbols available: " + symbols);
console.log("Password length: " + length);
console.log("Combinations: " + combinations.toExponential(2));
console.log("Time to try them all: " + years.toExponential(2) + " years");
```

A short password falls in seconds; adding just a few characters pushes the crack time past a human lifetime. That's why security advice keeps saying: make it long.

Access control: what you're allowed to do

Authentication got you through the door. Access control now decides what you can touch inside. The most common tool is file permissions: for each file, the system records who may read it (open and view) and who may write to it (change or delete it).

Permissions are usually tied to the type of account you have. An ordinary user account can work with its own files but can't change how the whole computer is set up. An administrator (admin) account can install software, create accounts and edit system files — powerful, and therefore dangerous if it falls into the wrong hands.

Notice the pattern in the table: the student can only touch their own work, the teacher can mark everyone's, and only the admin can change the settings that keep the whole system running.

The principle of least privilege

A golden rule of access control is the principle of least privilege: give every account only the permissions it genuinely needs to do its job — and no more.

Why? Because every extra permission is an extra thing that can go wrong. If an attacker breaks into an ordinary user account, they can only reach that user's files. But if they break into an admin account, they own the whole machine. Running day to day as a limited user — and only becoming admin for the brief moment you actually need to — keeps the blast radius of any mistake or attack as small as possible. It's the same reason a shop doesn't give every employee a key to the safe.

That pop-up is least privilege in action. Even on your own machine you normally run as a limited user, so a rogue program you accidentally downloaded can't quietly install itself or change system files. When something genuinely needs admin power, the system stops and asks you to confirm — turning a silent action into a deliberate one you have to approve.
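The student, teacher and admin pattern and the least-privilege argument above, worked through as an added example (not code from the original page). The account names, file paths and the exact rule set are assumptions made for illustration, including the rule that anyone may read settings.

```typescript
type Role = "student" | "teacher" | "admin";
type Action = "read" | "write";
interface Account { name: string; role: Role }
interface Resource { path: string; owner: string; kind: "coursework" | "settings" }

// Constructed sample data: account names and paths are hypothetical.
const amy: Account = { name: "amy", role: "student" };
const mrLee: Account = { name: "mr_lee", role: "teacher" };
const root: Account = { name: "root", role: "admin" };
const resources: Resource[] = [
  { path: "/home/amy/essay.txt", owner: "amy", kind: "coursework" },
  { path: "/home/ben/essay.txt", owner: "ben", kind: "coursework" },
  { path: "/etc/network.conf", owner: "root", kind: "settings" },
];

// Deny by default: access is granted only by an explicit rule below.
// Assumed rules: students reach only their own coursework, teachers reach all
// coursework, anyone may read settings, and only the admin may change them.
function allowed(who: Account, action: Action, res: Resource): boolean {
  if (who.role === "admin") return true;
  if (res.kind === "coursework") {
    return who.role === "teacher" || who.name === res.owner;
  }
  if (res.kind === "settings") return action === "read";
  return false;
}

// Blast radius: everything an intruder could change after taking over `who`.
function blastRadius(who: Account): string[] {
  return resources.filter((r) => allowed(who, "write", r)).map((r) => r.path);
}

console.log("student:", blastRadius(amy));
console.log("teacher:", blastRadius(mrLee));
console.log("admin:  ", blastRadius(root));
```

The student account can change one file, the teacher account two and the admin account all three, which is the blast radius growing with privilege.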