Web Foundations & Databases · beginner · ~12 min

Authentication, authorization, and account flows

Separate authentication from authorization and spot weak points in account flows.

Overview

Authentication proves who you are; authorization decides what you may do — they're distinct, and missing authZ (broken access control) is the top web risk. Login, password-reset, email-verification, and MFA flows each have characteristic weaknesses.

Why it matters

Broken access control and account-flow flaws (reset-token leakage, MFA bypass, username enumeration) are among the highest-impact web findings. Keeping authN vs authZ straight is the lens for finding them.

Core concepts

  • AuthN vs authZ: identity vs permission.
  • Broken access control: missing per-action authZ, the #1 risk.
  • Reset tokens: unguessable, single-use, expiring.
  • Anti-enumeration: uniform errors, rate limits.
  • MFA bypass: skippable, reusable, or tamperable steps.

Lesson

Two words that sound alike and are constantly confused — getting them straight is essential.

AuthN vs AuthZ

  • Authentication (authN): who are you? Proving identity (password, MFA, token).
  • Authorization (authZ): what may you do? Checking permissions for each action. A user can be authenticated but not authorized for a given resource. Broken access control (missing authZ checks) is consistently the #1 web risk.

Account flows and their pitfalls

  • Login — must rate-limit and lock out to resist brute force; uniform error messages avoid username enumeration.
  • Password reset — the reset token must be unguessable, single-use, and expiring; leaking it (in a URL, to the wrong user, or via host-header poisoning) is account takeover.
  • Email verification — confirms ownership; weaknesses let attackers verify accounts they don't own.
  • MFA — a second factor; bypasses (skippable step, reusable codes, response tampering) are high-impact findings.
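As an added example (not code from the original lesson), the reset-token properties listed above together with the uniform reply that avoids username enumeration, in a small self-contained Python flow. The in-memory user and token stores, the mail outbox and the 15-minute lifetime are assumptions standing in for a real backend.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60

# Constructed in-memory stores standing in for server-side tables and the mailer (assumption).
USERS = {"alice@example.com": {"password_hash": None}}
RESET_TOKENS = {}   # sha256(token) -> {"email", "expires_at", "used"}
OUTBOX = []         # (recipient, raw token): only the mailbox owner ever sees the raw token


def _token_hash(token: str) -> str:
    # Persist only a hash: a leaked token table cannot be replayed against the app.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now=None) -> str:
    """Issue a reset token. The reply is identical whether or not the address exists."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)                 # unguessable: 256 bits from the CSPRNG
        RESET_TOKENS[_token_hash(token)] = {
            "email": email,
            "expires_at": now + RESET_TTL_SECONDS,        # expiring
            "used": False,
        }
        OUTBOX.append((email, token))                     # delivered out of band, never echoed
    return "If that address is registered, a reset link has been sent."


def consume_reset(token: str, new_password: str, now=None) -> bool:
    """Redeem a token once. Unknown, expired and already-used tokens are all rejected."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_token_hash(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return False
    record["used"] = True                                  # single-use: a replay now fails
    # Constructed stand-in; production stores a slow password hash (argon2/bcrypt).
    USERS[record["email"]]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```

The uniform message closes the enumeration channel in the response body only; rate limiting and consistent response timing still have to be applied alongside it.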

The recurring bug

Most account-flow vulnerabilities are missing or per-step-only authorization: the app checks who you are at login but not whether this request is allowed. Every sensitive action needs its own server-side authZ check.

Summary

Authentication and authorization are different questions; most account-flow and access-control bugs come from enforcing identity but not per-action permission. Reset, verification, and MFA flows each need careful, server-side checks.
