Authentication (AuthN) verifies "who you are" - confirming the identity of a user, system, or entity.
Authorization (AuthZ) determines "what you can do" - deciding what resources or actions an authenticated entity is permitted to access.

Key differences:

• Authentication happens first and establishes identity
• Authorization happens after authentication and grants permissions
• Authentication is binary (you are or aren't who you claim to be)
• Authorization is granular (different levels of access to different resources)

Real-world analogy: Think of entering a secure building:

• Authentication: Showing your ID badge at the entrance to prove your identity
• Authorization: The badge determines which floors, rooms, and systems you can access

Authentication factors are categorized into three types:

1. Something you know (Knowledge factors):
   • Passwords, PINs, security questions
   • Passphrases, secret keys
2. Something you have (Possession factors):
   • Smartphones with authenticator apps
   • Hardware tokens, smart cards
   • SMS tokens, email confirmations
3. Something you are (Inherence factors):
   • Fingerprints, facial recognition
   • Retina scans, voice patterns
   • Behavioral biometrics (typing patterns)
     Multi-Factor Authentication (MFA) combines two or more of these factors to enhance security. For example, using a password (knowledge) + SMS code (possession) provides stronger security than password alone.

The Principle of Least Privilege means granting users, systems, and processes only the minimum permissions necessary to perform their job functions.
Implementation strategies:

1. Start with zero access: Grant permissions only when needed
2. Regular access reviews: Periodically audit and remove unnecessary permissions
3. Time-bound access: Use temporary elevated privileges when possible
4. Segregation of duties: Divide critical functions among multiple people
5. Just-in-time access: Provide elevated access only when requested and approved
   Example implementation:

• Database admin needs read access to production during normal operation
• Write access granted only during approved maintenance windows
• Emergency access requires additional approval and is automatically logged
  Benefits:
• Reduces attack surface
• Limits blast radius of compromises
• Improves compliance posture
• Reduces insider threat risk