Authentication, Identity & Non-repudiation
The CIA triad tells you what to protect. This lesson is about the gate that decides who gets in and what they can prove later.
Authentication vs authorization
Two words people mix up constantly:
- Authentication answers "are you who you say you are?" It is the system verifying your identity.
- Authorization answers "now that I know who you are, what are you allowed to do?"
You authenticate at the front door (login). You are authorized for specific rooms (admin panel, billing, nothing at all). A bug that confuses the two, letting an authenticated-but-not-authorized user reach the admin panel, is one of the most common real-world findings.
The three factors of authentication
Every way of proving identity falls into one of three buckets:
| Factor | "Something you…" | Examples |
|---|---|---|
| Type 1 | know | password, PIN, security question |
| Type 2 | have | phone with an OTP app, hardware key, ID card |
| Type 3 | are | fingerprint, face, iris |
Multi-factor authentication (MFA) combines two or more different types. A password (know) plus a phone code (have) is real MFA. Two passwords are not: both are Type 1, so one leak breaks both. The whole point is that an attacker would have to defeat two unrelated things at once.
Non-repudiation
Non-repudiation is proof that someone did a thing, strong enough that they cannot credibly deny it later.
Think of a signature on a contract. Digitally, this comes from cryptographic signatures and good logs: if an action is signed with your private key, the system can prove it came from you. Authentication says "you got in." Non-repudiation says "and here is the receipt."
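The "receipt" described above, as an added example in Go (not code from the original lesson): an actor signs an audit-log entry with an Ed25519 private key, and the server, holding only the public key, verifies it and detects tampering. The type and function names (Action, Receipt, SignAction, VerifyReceipt) and the sample values are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Action is one audit-log entry; the field names are constructed for this example.
type Action struct {
	Actor     string `json:"actor"`
	Operation string `json:"operation"`
}

// Receipt is what the server stores: the exact bytes signed plus the signature over them.
type Receipt struct {
	Payload   []byte
	Signature []byte
}

// SignAction serialises the action and signs it with the actor's private key.
// Only the holder of that key can produce a valid signature over these bytes.
func SignAction(priv ed25519.PrivateKey, a Action) (Receipt, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return Receipt{}, err
	}
	return Receipt{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyReceipt checks a receipt using the actor's public key only. A pass proves the
// private-key holder signed exactly these bytes. An HMAC could not give that guarantee,
// because the server shares the HMAC secret and could have forged the record itself.
func VerifyReceipt(pub ed25519.PublicKey, r Receipt) bool {
	return ed25519.Verify(pub, r.Payload, r.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	r, _ := SignAction(priv, Action{Actor: "alice", Operation: "delete-invoice"})
	fmt.Println("genuine receipt verifies:", VerifyReceipt(pub, r)) // true
	// Flipping one bit of the stored action breaks the signature, so later edits to the log are detectable.
	tampered := Receipt{Payload: append([]byte(nil), r.Payload...), Signature: r.Signature}
	tampered.Payload[0] ^= 0x01
	fmt.Println("tampered receipt verifies:", VerifyReceipt(pub, tampered)) // false
}
```

The receipt only proves something if the private key never leaves the actor's control; a key the server can also read collapses non-repudiation back into plain authentication.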
Privacy
Privacy is about giving people control over their own data: what is collected, who sees it, and how long it is kept. It overlaps with confidentiality but adds a human and legal angle: even data you are allowed to hold should only be used in ways the person expects.
Takeaway
Authentication proves identity, authorization grants access, non-repudiation produces proof, and privacy respects the person behind the data. When you test a login system, ask all four questions, not just "did the password check work?"