
Security the Basics

Lesson 14: Authentication - Overview

The entire point of logging into a system is to establish the identity of a user. This is usually achieved with the use of a username or email address. Identities in software are used to control access and to establish accountability. 

Identities, such as an email address, are not secret, so knowing one is not proof of being its owner; without a further check it is easy to impersonate someone to commit fraud. Authentication is when a user proves their identity. Authentication is achieved with a secret code or password; a key, such as a smart card, or a biometric property, such as a fingerprint, can also be used.

Application security is very difficult because there is always a trade-off between usability and security. There is never a single, perfect, one-size-fits-all solution for authentication. For example, a key card is secure enough for allowing entry into a shared office but is insufficient for gaining access to a vault or high-security lab.

If a developer does not want to do any authentication, they have the option of delegating it to other systems such as Active Directory, client certificates, or using OAuth2, which allows other applications to authenticate the user.