
Authentication and Authorization in System Design

Understand how authentication and authorization protect systems by ensuring secure user identity and controlled access.

Have you ever been tasked with building a new service and found that one of the first questions to come to mind is: who should be allowed to use this, and what should they be allowed to do?

This question goes beyond a simple feature. It is a fundamental security challenge that every engineer faces. Get it wrong, and you risk data breaches, unauthorized access, and a loss of user trust. Get it right, and you build a resilient, trustworthy system.

The core of this challenge involves two concepts that are often used interchangeably but are fundamentally different.

These are authentication and authorization. Understanding the distinction and how to implement them together is a necessity for modern System Design. This lesson will provide a step-by-step walkthrough of these two core security concepts.

Let’s explore authentication and how it works in distributed systems.

Authentication in distributed systems

Authentication is the mechanism by which a system verifies and validates the identity of a user, service, or device before granting access to any resources.

In a distributed system, this could be a user logging in with a username and password, or a service presenting an API key to communicate with another service. Its primary purpose is to establish a trusted identity before any interaction can proceed.

Strong authentication is the first and most critical defense against unauthorized access and impersonation.

Without it, an attacker could easily impersonate a legitimate user and gain a foothold in our system. However, designing authentication requires a delicate balance. If the process is too complex or cumbersome, we risk creating a poor user experience that drives users away.

This is the classic trade-off between security and usability.

To strike this balance, we rely on different authentication factors. These are typically categorized into three types.

  1. Something we know: This is the most common factor and includes secrets like passwords, PINs, or security questions.

  2. Something we have: This includes physical or digital items used for verification, such as a mobile phone (for one-time codes or authenticator apps), a hardware security key, or a smart card.

  3. Something we are: This factor relies on unique biological traits, known as biometrics. Examples include fingerprints, facial recognition, or iris scans.

The choice of factors depends entirely on our system’s security requirements and the level of convenience we want to offer our users. ...
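To make the first two factors concrete, here is an added example (not code from this lesson) that combines a password check with a time-based one-time code from an authenticator app. It assumes PBKDF2 for password hashing and RFC 6238 TOTP for the code; the record layout and the names `enroll` and `authenticate` are hypothetical.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per TOTP time step (the RFC 6238 default)

def hash_password(password: str, salt: bytes) -> bytes:
    # "Something we know": store a salted, deliberately slow hash, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    # "Something we have": RFC 6238 code derived from a secret held on the user's device.
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def enroll(password: str, totp_secret: bytes) -> dict:
    # Hypothetical in-memory user record; a real system persists this server-side.
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_step": -1}

def authenticate(record: dict, password: str, code: str, now: int) -> bool:
    # Check both factors every time so a failure does not reveal which one was wrong.
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    matched = None
    for drift in (-1, 0, 1):  # tolerate one step of clock skew either way
        t = now // STEP + drift
        if t >= 0 and hmac.compare_digest(totp(record["totp_secret"], t * STEP).encode(), code.encode()):
            matched = t
    # A code is single-use: reject any step at or before the last accepted one.
    fresh = matched is not None and matched > record["last_step"]
    if pw_ok and fresh:
        record["last_step"] = matched
        return True
    return False

if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample: the RFC 6238 test secret
    user = enroll("correct horse", secret)
    now = 1111111109
    print(authenticate(user, "correct horse", totp(secret, now), now))  # first use
    print(authenticate(user, "correct horse", totp(secret, now), now))  # replayed code
```

The second call fails even though the password and code are both correct, because the server remembers the last accepted time step and refuses to accept the same code twice.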