# The mechanisms of authorization

Access is as much about authorization as it is about authentication.

One of the most important functions of access controls is how they assign responsibility for certain systems and processes.

Next up in our exploration of access control systems are the mechanisms of authorization.

These protocols actually work closely together with authentication technologies. While one validates who the user is, the other determines what they're allowed to do.

Let's take a look at the next part of the authentication, authorization, and accounting framework that protects private information.

Earlier, we learned about the principle of least privilege.

Authorization is linked to the idea that access to information only lasts as long as needed.

Authorization systems are also heavily influenced by this idea in addition to another important security principle, the separation of duties.

Separation of duties is the principle that users should not be given levels of authorization that will allow them to misuse a system.

Separating duties reduces the risk of system failures and inappropriate behavior from users.

For example, a person responsible for providing customer service shouldn't also be authorized to rate their own performance. In this position, they could easily neglect their duties while continuing to give themselves high marks with no oversight.

Similarly, if one person was authorized to develop and test a security system, they are much more likely to be unaware of its weaknesses.

Both the principle of least privilege and the concept of separating duties apply to more than just people.

They apply to all systems including networks, databases, processes, and any other aspect of an organization.

Ultimately, authorization depends on a system or user's role.

When it comes to securing data over a network, there are a couple of frequently used access controls that you should be familiar with: HTTP basic auth and OAuth.

Have you ever wondered what the HTTP in web addresses stood for.

It stands for hypertext transfer protocol, which is how communications are established over network.

HTTP uses what is known as basic auth, the technology used to establish a user's request to access a server.

Basic auth works by sending an identifier every time a user communicates with a web page.

Some websites still use basic auth to tell whether or not someone is authorized to access information on that site.

However, their protocol is considered to be vulnerable to attacks because it transmits usernames and password openly over the network.

Most websites today use HTTPS instead, which stands for hypertext transfer protocol secure.

This protocol doesn't expose sensitive information, like access credentials, when communicating over the network.

Another secure authentication technology used today is OAuth.

OAuth is an open-standard authorization protocol that shares designated access between applications.

For example, you can tell Google that it's okay for another website to access your profile to create an account.

Instead of requesting and sending sensitive usernames and passwords over the network, OAuth uses API tokens to verify access between you and a service provider.

An API token is a small block of encrypted code that contains information about a user.

These tokens contain things like your identity, site permissions, and more.

OAuth sends and receives access requests using API tokens by passing them from a server to a user's device.

Let's explore what's going on behind the scenes.

When you authorize a site to create an account using your Google profile, all of Google's usual login protocols are still active.

If you have multi-factor authentication enabled on your account, and you should, you'll still have the security benefits that it provides.

API tokens minimize risks in a major way.

These API tokens serve as an additional layer of encryption that helps to keep your Google password safe in the event of a breach on another platform.

Basic auth and OAuth are just a couple of examples of authorization tools that are designed with the principles of least privilege and separation of duty in mind.

There are many other controls that help limit the risk of unauthorized access to information.

In addition to controlling access, it's also important to monitor it.

In our next video, we'll focus on the third and final part of the authentication, authorization, and accounting framework.