Foundations · Module 6
Identity and access
Identity is where most real world attacks start because stolen access is cheaper than breaking encryption.
Why this matters
This module is about calm, repeatable habits that reduce the damage when credentials leak.
What you will be able to do
1. Explain the difference between authentication and authorisation
2. Explain why password reuse and weak recovery paths cause real harm
3. Explain how MFA and least privilege reduce blast radius
Before you begin
- No previous technical background required
- Read the section explanation before using tools
Common ways people get this wrong
- Privilege creep. Permissions grow over time. Without review, the system quietly becomes unsafe.
- Weak session handling. If sessions are stolen or replayed, security collapses. Protect cookies and tokens properly.
Identity is now the security perimeter because work happens everywhere. Staff work from home. Phones are used for approvals. Vendors have access. Cloud services connect to other cloud services. The question is no longer only "is the network safe". The question is "who is this, and what should they be allowed to do".
Authentication vs authorisation. People mix these up all the time, and systems do too. A login screen is authentication. Permissions and roles are authorisation. Weak authentication makes it easy to pretend to be someone else. Weak authorisation makes it easy to abuse a real account: the login was genuine, but nobody checked what that account should be allowed to touch.
Passwords. Passwords are not evil; they are just easy to get wrong. Long passwords beat clever ones, and password reuse is the real disaster, because one leaked password opens every account that shares it.
MFA. It reduces the damage when a password leaks, because the password on its own no longer gets anyone in.
Least privilege. It is boring. It is also one of the best risk controls we have.
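As an added example (not code from the course), here is what "a password plus a second factor" looks like in working Python: a salted PBKDF2 password check, an RFC 6238 TOTP implementation of the kind an authenticator app runs, and a login that needs both and refuses a code that has already been used. The user record, passphrase, iteration count and 30-second step are assumptions for the demo; the TOTP secret is the RFC 6238 test-vector seed, so the codes in the comments can be checked against the RFC.

```python
import hashlib
import hmac
import os
import struct

# Assumptions for the demo: PBKDF2-HMAC-SHA256 at 600k iterations (tune to policy and hardware),
# 30-second TOTP step and 6-digit codes as in RFC 6238.
PBKDF2_ITERATIONS = 600_000
TOTP_STEP = 30
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash. Store the salt and this digest, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # compare_digest does not leak how many leading bytes matched through timing
    return hmac.compare_digest(hash_password(password, salt), stored)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step). This is what the phone app computes."""
    return hotp(secret, unix_time // TOTP_STEP)


def match_totp(secret: bytes, code: str, unix_time: int, window: int = 1):
    """Return the counter whose code matched, or None. +/- window steps tolerate clock drift."""
    base = unix_time // TOTP_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta), code):
            return base + delta
    return None


# Constructed user record. The secret is the RFC 6238 test-vector seed; "last_counter"
# remembers the newest code accepted so the same code cannot be replayed.
_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "pw": hash_password("correct horse battery staple", _ALICE_SALT),  # long beats clever
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,
    }
}


def login(username: str, password: str, code, unix_time: int):
    """Return (ok, reason). The reason is for your logs; show the user one generic failure message."""
    user = USERS.get(username)
    # production note: hash a dummy password for unknown users too, so timing does not reveal usernames
    if user is None or not verify_password(password, user["salt"], user["pw"]):
        return False, "password"
    if code is None:
        return False, "mfa required"          # a leaked password on its own stops here
    matched = match_totp(user["totp_secret"], code, unix_time)
    if matched is None or matched <= user["last_counter"]:
        return False, "mfa"                   # wrong code, or a code that was already spent (replay)
    user["last_counter"] = matched            # each code is accepted at most once
    return True, "ok"


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    print(totp(secret, 59))                                               # 287082 (RFC 6238 vector)
    print(login("alice", "correct horse battery staple", None, 59))       # (False, 'mfa required')
    print(login("alice", "correct horse battery staple", "287082", 59))   # (True, 'ok')
    print(login("alice", "correct horse battery staple", "287082", 59))   # (False, 'mfa'), replayed code
```

The replay check matters in practice: a code phished a few seconds ago is still inside the drift window, so "correct code" is not the same as "fresh code". Remembering the last accepted counter is the cheap fix.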
In real organisations, identity failures show up as shared accounts, stale accounts, "temporary" exceptions that become permanent, and approvals done on the wrong channel. This is where audit findings come from, but it is also where incidents come from.
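An added example, not from the course: a small access review in Python that turns the failures just listed into findings a team can act on. It flags permissions outside the role baseline with no exception on file (privilege creep), "temporary" exceptions that have passed their expiry, accounts with no login for a long time, and credentials held by more than one person. The accounts, role baselines, exception record and review date are all constructed; the 90-day stale threshold is an assumption.

```python
from datetime import date

# Constructed inputs. A role baseline is what the job needs; anything beyond it needs an exception.
ROLE_BASELINE = {
    "analyst": {"reports:read"},
    "engineer": {"reports:read", "deploy:staging"},
}
ACCOUNTS = [
    {"name": "a.smith", "role": "analyst", "perms": {"reports:read", "deploy:staging"},
     "last_login": date(2024, 5, 30), "owners": ["a.smith"]},
    {"name": "j.doe", "role": "engineer", "perms": {"reports:read", "deploy:staging", "deploy:prod"},
     "last_login": date(2024, 5, 29), "owners": ["j.doe"]},
    {"name": "svc-reporting", "role": "analyst", "perms": {"reports:read"},
     "last_login": date(2023, 11, 2), "owners": ["a.smith", "j.doe", "k.lee"]},
    {"name": "contractor-old", "role": "analyst", "perms": {"reports:read"},
     "last_login": date(2024, 1, 15), "owners": ["contractor-old"]},
]
# A "temporary" grant must carry an expiry and a reference, otherwise it is creep by another name.
EXCEPTIONS = [
    {"account": "j.doe", "perm": "deploy:prod", "expires": date(2024, 3, 1), "ref": "change ticket (constructed)"},
]
REVIEW_DATE = date(2024, 6, 1)


def review(accounts, exceptions, today, stale_after_days=90):
    """Return (account, finding, detail) triples. Each finding maps to a failure named in the text."""
    on_file = {(e["account"], e["perm"]): e for e in exceptions}
    findings = []
    for acct in accounts:
        # anything beyond the role baseline is either an approved exception or creep
        for perm in sorted(acct["perms"] - ROLE_BASELINE[acct["role"]]):
            exc = on_file.get((acct["name"], perm))
            if exc is None:
                findings.append((acct["name"], "privilege creep",
                                 f"{perm} is outside the {acct['role']} baseline and no exception is on file"))
            elif today > exc["expires"]:
                findings.append((acct["name"], "expired exception",
                                 f"{perm} granted under {exc['ref']} expired on {exc['expires']}"))
        idle = (today - acct["last_login"]).days
        if idle > stale_after_days:
            findings.append((acct["name"], "stale account", f"no login for {idle} days"))
        if len(acct["owners"]) > 1:
            findings.append((acct["name"], "shared account",
                             f"{len(acct['owners'])} people hold this credential"))
    return findings


def run_review():
    """Review the constructed directory as of the constructed review date."""
    return review(ACCOUNTS, EXCEPTIONS, REVIEW_DATE)


if __name__ == "__main__":
    for name, kind, detail in run_review():
        print(f"{name:16} {kind:18} {detail}")
```

Running this on a real directory export is the repeatable habit: the same script, on a schedule, with findings that someone has to close or re-approve with a new expiry.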
Everyday example. Handing someone your house keys is authorisation. Checking their ID at the door is authentication. If you give a spare key to a neighbour "just in case" and never take it back, you created a long lived trust decision without noticing.
Common mistake. Treating identity as a user experience detail instead of a safety system. Another common mistake is giving broad permissions because it is easier, then being surprised when something bad happens quickly.
Why it matters. When identity is strong and access is narrow, a compromised account does not automatically become a full breach. It buys time. It limits harm. It makes detection and recovery possible.
Mental model
Identity flow
Authentication answers who. Authorisation answers what. Sessions carry the decision over time.
1. User
2. Authenticate
3. Session
4. Authorise
5. Protected action
Assumptions to keep in mind
- Auth is not authz. A user can be real and still not be allowed. These are separate checks.
- Sessions expire. A session is not a permanent right. Expiry and rotation reduce blast radius.
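The five-step flow and both assumptions above, as an added Python example (not the course's own code): authenticate issues an opaque session with an expiry, every protected action re-checks the session and then the permission, and rotation kills an old token. It also includes the bug from the authentication versus authorisation paragraph, a write handler that only checks that someone is logged in. Users, roles, the document store, the 15-minute lifetime and the PBKDF2 cost are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets

SESSION_TTL = 15 * 60   # seconds; assumed session lifetime for the demo
SESSIONS = {}           # token -> {"user", "role", "expires"}; a server-side store in production


class AuthError(Exception):
    """Steps 2/3 failed: we do not know who this is (bad credentials, unknown or expired session)."""


class AuthzError(Exception):
    """Step 4 failed: we know who this is, and they are not allowed to do that."""


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)  # assumed cost


def _user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw": _pw_hash(password, salt), "role": role}


# Constructed directory. Roles are least-privilege sets: a viewer can only read.
USERS = {
    "alice": _user("alice has a long passphrase", "editor"),
    "bob": _user("bob also has a long passphrase", "viewer"),
}
ROLE_PERMISSIONS = {"viewer": {"doc:read"}, "editor": {"doc:read", "doc:write"}}
DOCS = {"d1": {"owner": "alice", "body": "quarterly numbers"}}


def authenticate(username: str, password: str, now: int) -> str:
    """Steps 1-3: prove who, then issue a session that carries that answer for a limited time."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw"]):
        raise AuthError("invalid credentials")    # one message for both cases: no username oracle
    return _issue_session(username, now)


def _issue_session(username: str, now: int) -> str:
    token = secrets.token_urlsafe(32)              # opaque and unguessable, never derived from the user id
    SESSIONS[token] = {"user": username, "role": USERS[username]["role"], "expires": now + SESSION_TTL}
    return token


def session_for(token: str, now: int) -> dict:
    """Step 3: a session is a dated statement of who, not a permanent right."""
    s = SESSIONS.get(token)
    if s is None or now >= s["expires"]:
        SESSIONS.pop(token, None)                  # drop expired tokens as they are seen
        raise AuthError("no valid session")
    return s


def rotate_session(token: str, now: int) -> str:
    """Re-issue after login or a privilege change, so a token stolen earlier stops working."""
    s = session_for(token, now)
    del SESSIONS[token]
    return _issue_session(s["user"], now)


def authorise(session: dict, permission: str, doc_id: str) -> None:
    """Step 4: a real user can still be refused. The role grants the verb; ownership scopes the object."""
    if permission not in ROLE_PERMISSIONS[session["role"]]:
        raise AuthzError(f"role {session['role']} lacks {permission}")
    if permission != "doc:read" and DOCS[doc_id]["owner"] != session["user"]:
        raise AuthzError(f"{session['user']} does not own {doc_id}")


# Step 5: protected actions. Each one re-checks the session, then the permission.
def read_doc(token: str, doc_id: str, now: int) -> str:
    authorise(session_for(token, now), "doc:read", doc_id)
    return DOCS[doc_id]["body"]


def write_doc(token: str, doc_id: str, body: str, now: int) -> str:
    authorise(session_for(token, now), "doc:write", doc_id)
    DOCS[doc_id]["body"] = body
    return body


def write_doc_authn_only(token: str, doc_id: str, body: str, now: int) -> str:
    """The bug from the text: checks that the caller is logged in, never what they may do."""
    session_for(token, now)
    DOCS[doc_id]["body"] = body
    return body


def attempt(action, *args) -> str:
    """Run a protected action and report 'ok', 'AuthError' or 'AuthzError'."""
    try:
        action(*args)
        return "ok"
    except (AuthError, AuthzError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    t = authenticate("alice", "alice has a long passphrase", now=1000)
    b = authenticate("bob", "bob also has a long passphrase", now=1000)
    print(read_doc(t, "d1", now=1001))                          # quarterly numbers
    print(attempt(write_doc, b, "d1", "vandalised", 1001))       # AuthzError: real user, not allowed
    print(attempt(read_doc, b, "d1", 1000 + SESSION_TTL))        # AuthError: session expired
```

Note where the two failures land: a stolen or expired token fails at step 3 and never reaches the permission check, while a genuine viewer who tries to write fails at step 4. The authn-only handler shows why "is logged in" cannot be the whole check.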
Key terms
- Authentication: proving who you are, for example by a password plus a second factor.
- Authorisation: deciding what you can do after you are authenticated, usually via roles and permissions.
- MFA: multi factor authentication adds a second proof, so a leaked password is not enough on its own.
- Least privilege: giving only the access needed for a job and no more, so mistakes and compromise have a smaller blast radius.
Check yourself
Quick check. Identity and access
What is authentication?
Proving who you are, for example with a password plus a second factor.
What is authorisation?
Deciding what you are allowed to do after you are authenticated.
Why does MFA help?
It reduces the damage if a password leaks, because a password alone is not enough.
What does least privilege mean?
Give only the access needed for a job so mistakes and compromise have a smaller blast radius.
Name one common identity failure.
Shared accounts, stale accounts, or broad permissions given for convenience.
Artefact and reflection
Artefact
A small account hardening checklist you can repeat
Reflection
Where in your work would explaining the difference between authentication and authorisation change a decision, and what evidence would make you trust that change?
Optional practice
Walk through a safe setup and see how long, unique passwords become easy when a password manager does the memory work.
Also in this module
MFA deep dive practice
Compare SMS, authenticator apps, passkeys, and hardware keys. Choose what you would use for one real account and why.