Authentication (AuthN) is the process of verifying a user's identity - confirming that someone is who they claim to be. It answers the question "Who are you?"
Authorization (AuthZ) is the process of determining what an authenticated user is allowed to do - controlling access to resources and actions based on permissions, roles, or policies. It answers the question "What can you do?"
When you use a mobile banking app:
Authentication always happens first. You cannot authorize someone without first knowing who they are.
Financial regulations (PSD2, PCI DSS, SOC 2) mandate strict identity verification and access controls.
Strong authentication prevents unauthorized access while proper authorization limits damage from compromised accounts.
Ensures customers can only access their own financial data and authorized account holders can perform appropriate actions.
Prevents any single person from completing critical financial transactions alone, reducing insider fraud risk.
Proper security measures build confidence in your financial platform.
Context-aware authorization helps identify and block suspicious activities based on transaction patterns, amounts, and environmental factors.
βββββββββββββββββββββββββββββββββββββββββββ
β AUTHENTICATION FLOW β
βββββββββββββββββββββββββββββββββββββββββββ€
β β
β User Attempts Access β
β β β
β βΌ β
β Provides Credentials β
β (PIN, Password, Biometric) β
β β β
β βΌ β
β System Validates Credentials β
β β β
β βΌ β
β ββββββββββββββββ ββββββββββββββββ β
β β Valid? βββββΆβ Grant Entry β β
β β YES β β (AuthN β) β β
β ββββββββββββββββ ββββββββββββββββ β
β β β
β β NO β
β βΌ β
β ββββββββββββββββ β
β β Deny Access β β
β β (AuthN β) β β
β ββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββ
What happens:
βββββββββββββββββββββββββββββββββββββββββββ
β AUTHORIZATION FLOW β
βββββββββββββββββββββββββββββββββββββββββββ€
β β
β User Already Authenticated β β
β β β
β βΌ β
β Requests Specific Action β
β (Transfer $10K, View Reports) β
β β β
β βΌ β
β System Checks Permissions β
β (Role, Limits, Policies) β
β β β
β βΌ β
β ββββββββββββββββ ββββββββββββββββ β
β β Authorized? βββββΆβ Allow Action β β
β β YES β β (AuthZ β) β β
β ββββββββββββββββ ββββββββββββββββ β
β β β
β β NO β
β βΌ β
β ββββββββββββββββ β
β β Deny Action β β
β β (AuthZ β) β β
β ββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββ
What happens:
Traditional knowledge-based authentication.
User Input: PIN 4268
β
Hash: SHA-256
β
Compare with stored hash
β
Match? β Authentication Success
Use cases:
Required by regulations like PSD2 and PCI DSS.
Layer 1: Something You Know
ββ Password/PIN
β
Layer 2: Something You Have
ββ SMS Code, Auth App, Hardware Token
β
Layer 3: Something You Are (optional)
ββ Fingerprint, Face ID
β
All Layers Valid? β Grant Access
Use cases:
Using physical characteristics for identity verification.
Physical devices for high-security scenarios.
Examples:
For third-party integrations and open banking.
Step 1: User redirected to bank login
Step 2: User authenticates with bank
Step 3: Bank issues access token
Step 4: Third-party app uses token for API access
Use cases:
Permissions granted based on user roles.
ROLE HIERARCHY
βββββββββββββββ
Admin (Full Access)
β
ββββ Account Manager
β ββ View all customer accounts
β ββ Process transactions up to $50K
β ββ Generate reports
β
ββββ Compliance Officer
β ββ View audit logs
β ββ Review flagged transactions
β ββ Access regulatory reports
β
ββββ Customer Service Rep
ββ View customer profiles
ββ Reset passwords
ββ Process transactions up to $5K
Use cases:
Dynamic permissions based on multiple attributes.
PERMISSION DECISION TREE
ββββββββββββββββββββββββ
User Attributes:
- Role: Senior Trader
- Department: Equities
- Clearance: Level 3
- Location: New York Office
Resource Attributes:
- Type: Trading Account
- Region: US Markets
- Risk Level: High
Environmental Attributes:
- Time: Market Hours
- Network: Corporate VPN
- Device: Company-issued
β
All Conditions Met? β ALLOW
Any Condition Failed? β DENY
Use cases:
Permissions based on relationships between entities.
RELATIONSHIP MATRIX
βββββββββββββββββββ
Customer A
β
ββ Account Owner β Full Access
β
ββ Joint Account Holder β Limited Access
β ββ Can view, can transact up to limit
β
ββ Authorized Signer β Specific Access
β ββ Can approve wires, cannot close account
β
ββ Read-Only Viewer β Minimal Access
ββ Can view statements only
Use cases:
Specific permissions for individual users or groups.
Example:
Account #1234567890:
- john.doe@company.com: OWNER (all permissions)
- jane.smith@company.com: VIEWER (read-only)
- accounting@company.com: TRANSACTION (up to $10K)
Custom rules combining multiple factors.
Example Policy:
IF user.role = "trader"
AND transaction.amount > $100,000
AND time NOT IN market_hours
THEN require_additional_approval
Let's examine AuthN and AuthZ in a comprehensive banking scenario.
βββββββββββββββββββββββββββββββββββββββ
β USER: Sarah Chen β
β DEVICE: iPhone 14 (registered) β
β LOCATION: Shirakalu β
βββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββ
β AUTHENTICATION STEPS β
βββββββββββββββββββββββββββββββββββββββ€
β 1. Face ID Scan β
β ββ Biometric verified β β
β β
β 2. Device Fingerprint Check β
β ββ Registered device β β
β β
β 3. Session Token Generation β
β ββ Token: abc123xyz... β
β β
β 4. Risk Assessment β
β ββ Known location β β
β ββ Normal usage time β β
β β
β β AUTHENTICATION SUCCESSFUL β
βββββββββββββββββββββββββββββββββββββββ
Scenario A: Viewing Account Balance
Action: View Checking Account
β
Authorization Check:
ββ User Role: Account Owner β
ββ Account Relationship: Primary β
ββ Account Status: Active β
ββ Privacy Settings: Allowed β
β
Result: ALLOW β Display Balance
Scenario B: Transfer Exceeding Limit
Action: Transfer $15,000 to External Account
β
Authorization Checks:
ββ Daily Transfer Limit: $10,000 β
β ββ Transaction exceeds limit
β
ββ Result: DENY
ββ Error: "Transaction exceeds daily limit"
Scenario C: High-Value Transfer with Step-Up Authentication
Action: Transfer $50,000 (within account limits)
β
Authorization Check:
ββ Amount > $25,000 β High Risk
ββ Requires Step-Up Auth
β
β
Additional Authentication Required:
ββ SMS Code sent
ββ User enters code
ββ Code verified β
β
Authorization Re-check:
ββ Enhanced authentication β
ββ Transfer limit: $100,000 β
ββ Account balance sufficient β
ββ Anti-fraud checks passed β
β
Result: ALLOW β Execute Transfer
| User Role | View Balance | Domestic Transfer | International Transfer | Close Account | Download Tax Docs | Manage Users |
|---|---|---|---|---|---|---|
| Primary Account Holder | β | β (up to $100K/day) | β (with step-up auth) | β | β | β |
| Joint Account Holder | β | β (up to $100K/day) | β (with step-up auth) | β (requires primary) | β | β |
| Authorized User | β | β (up to $5K/day) | β | β | β | β |
| Read-Only Delegate | β | β | β | β | β | β |
| Minor (Under 18) | β | β (up to $500/day) | β | β | β | β |
ββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β LOAN APPROVAL AUTHORIZATION MATRIX β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Loan Amount: $250,000 β
β Type: Commercial Real Estate β
β Applicant Risk Score: Medium β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Level 1: Loan Officer β
β ββ Can review application β β
β ββ Can approve up to $100K β β
β ββ Must escalate to Level 2 β
β β
β Level 2: Senior Underwriter β
β ββ Can approve up to $500K β β
β ββ Reviews credit analysis β β
β ββ Checks compliance flags β
β β ββ AML screening β β
β β ββ Sanctions list β β
β β ββ Risk assessment β β
β ββ Requires co-approval for commercial β
β β
β Level 3: Compliance Officer (Co-Approval) β
β ββ Reviews regulatory compliance β β
β ββ Checks documentation completeness β β
β ββ Provides compliance sign-off β β
β β
β Final Decision: APPROVED β
β (Requires 2 of 3 signatures) β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββ
PRINCIPLE: No single person can complete critical transactions
Transaction: Wire Transfer $1M+
βββββββββββββββββββββββββββββββ
Step 1: Initiator (Trader)
ββ Creates transfer request
ββ Cannot approve own requests
Step 2: First Approver (Team Lead)
ββ Reviews and approves
ββ Cannot be same as initiator
Step 3: Second Approver (Risk Manager)
ββ Final authorization
ββ Cannot be initiator or first approver
Step 4: Execution (Operations)
ββ Processes approved transfer
ββ Cannot initiate, approve, or modify
All 4 roles required β Complete transaction
Financial systems use dynamic authorization based on multiple factors:
AUTHORIZATION DECISION FACTORS
ββββββββββββββββββββββββββββββ
User Context:
ββ Role: Premium Customer
ββ Account Age: 5 years
ββ Credit Score: 780
ββ Relationship Manager: Yes
Transaction Context:
ββ Amount: $75,000
ββ Type: Wire Transfer
ββ Destination: New Payee
ββ Frequency: First time
Environmental Context:
ββ Time: 2:00 AM (unusual)
ββ Location: Foreign IP address
ββ Device: Unrecognized
ββ Network: Public WiFi
Risk Score Calculation:
ββ User Trust: +20 points
ββ Transaction Risk: -30 points
ββ Environmental Risk: -40 points
ββ Total Score: -50 (HIGH RISK)
Decision: REQUIRE ADDITIONAL VERIFICATION
ββ Send push notification
ββ Require phone call verification
ββ Implement 24-hour hold
Real-world example: A customer with a 10-year account history transferring $5,000 from their home network during business hours might not trigger additional checks. The same customer transferring $50,000 at 3 AM from a foreign country would require step-up authentication.
How AuthN and AuthZ work together in API-driven financial services:
ββββββββββββββββββββββββββββββββββββββββββββββββββ
β OPEN BANKING: THIRD-PARTY APP ACCESS β
ββββββββββββββββββββββββββββββββββββββββββββββββββ
Step 1: User wants to use budgeting app (Mint)
ββ App needs read access to bank account
Step 2: AUTHENTICATION
βββββββββββββββββββββββββββββββ
β Redirect to Bank Login Page β
β ββ User: john@email.com β
β ββ Password: ******** β
β ββ 2FA Code: 123456 β
βββββββββββββββββββββββββββββββ
β
Bank authenticates user β
Step 3: AUTHORIZATION (Consent)
ββββββββββββββββββββββββββββββββββββ
β Mint App requests permission: β
β β
β β Read account balances β
β β Read transaction history β
β β Initiate payments β
β β
β [ Approve ] [ Deny ] β
ββββββββββββββββββββββββββββββββββββ
β
User approves β
Step 4: TOKEN GENERATION
ββββββββββββββββββββββββββββββββ
β Access Token: eyJhbGc... β
β Scope: read:accounts β
β Expires: 3600 seconds β
β Refresh Token: dGVzdC... β
ββββββββββββββββββββββββββββββββ
Step 5: API ACCESS
Mint uses token to:
ββ GET /accounts β ALLOWED β
ββ GET /transactions β ALLOWED β
ββ POST /payment β DENIED β (not authorized)
Key points:
| Aspect | Authentication (AuthN) | Authorization (AuthZ) |
|---|---|---|
| Purpose | Verify identity | Control access |
| Question | "Who are you?" | "What can you do?" |
| When | First (at login) | After authentication |
| Methods | Password, MFA, biometrics, OAuth | RBAC, ABAC, ReBAC, policies |
| Result | Logged in / Denied access | Action allowed / Action denied |
| Frequency | Once per session | Every action/resource request |
| Changes | Rarely (new auth methods) | Frequently (role/permission changes) |
| Failure Impact | Cannot access system at all | Cannot perform specific action |
| Stored As | Credentials, tokens | Roles, permissions, policies |
| Compliance | KYC, identity verification | Segregation of duties, least privilege |
Complex authorization based on multiple factors:
TRANSACTION AUTHORIZATION CALCULATION
βββββββββββββββββββββββββββββββββββββββ
Account Type | Standard | Premium | Business
Daily Limit | $5,000 | $25,000 | $100,000
+
User Verification | Basic | Enhanced | Full
Additional Limit | +$0 | +$10,000 | +$50,000
+
Transfer Type | Internal | Domestic | International
Risk Multiplier | 1.0x | 0.8x | 0.5x
+
Time of Day | Business Hours | After Hours
Additional Factor | 1.0x | 0.7x
EXAMPLE CALCULATION:
βββββββββββββββββββ
Premium Account: $25,000
Enhanced Verification: +$10,000
= $35,000 base limit
International Transfer: Γ0.5
= $17,500
After Hours (9 PM): Γ0.7
= $12,250 final limit
Problem:
// Authorization checks spread across codebase
// In controller
if (user.role !== 'admin') return 403;
// In service layer
if (amount > user.dailyLimit) throw Error();
// In middleware
if (!user.permissions.includes('transfer')) next(error);
// In database query
WHERE account.owner_id = current_user.id
// β Inconsistent, hard to maintain, easy to miss
Solution:
// Centralized authorization service
class AuthorizationService {
canTransfer(user, account, amount) {
return this.checkAll([
this.hasRole(user, ['customer', 'admin']),
this.ownsAccount(user, account),
this.withinLimit(user, amount),
this.passesRiskCheck(user, amount),
this.hasPermission(user, 'transfer')
]);
}
canApprove(user, transaction) {
return this.checkAll([
this.hasRole(user, ['manager', 'admin']),
this.notInitiator(user, transaction),
this.hasApprovalAuthority(user, transaction.amount)
]);
}
}
// β Single source of truth
// β Easy to audit
// β Consistent enforcement
Problem: Mixing session-based and token-based auth creates inconsistencies.
Solution:
SESSION-BASED (Traditional Web Apps):
ββ Server stores session
ββ Cookie sent with each request
ββ Good for: Web portals, admin dashboards
TOKEN-BASED (Modern APIs):
ββ Stateless JWT tokens
ββ Token sent in Authorization header
ββ Good for: Mobile apps, microservices, SPAs
HYBRID APPROACH:
ββ Use sessions for web interface
ββ Use tokens for API/mobile
ββ Separate auth flows, same authorization engine
Problem: Users accumulate permissions over time, violating least privilege.
Solution:
REGULAR ACCESS REVIEWS
ββββββββββββββββββββββ
Quarterly Review:
ββ List all user permissions
ββ Verify business justification
ββ Remove unnecessary access
ββ Document changes
Automated Checks:
ββ Flag permissions unused >90 days
ββ Alert on privilege escalation
ββ Require re-approval annually
ββ Revoke access on role change
SECURITY LAYERS
βββββββββββββββ
Layer 1: Network Security
ββ Firewall, DDoS protection, VPN
Layer 2: Authentication
ββ MFA, biometrics, device fingerprinting
Layer 3: Authorization
ββ RBAC, transaction limits, approval workflows
Layer 4: Data Encryption
ββ TLS, encryption at rest, tokenization
Layer 5: Monitoring
ββ Fraud detection, audit logs, alerts
Layer 6: Compliance
ββ PCI DSS, SOC 2, regulatory requirements
Grant only the minimum permissions necessary.
EXAMPLE: Customer Service Representative
βββββββββββββββββββββββββββββββββββββββββ
β Can view customer profiles
β Can reset passwords
β Can process refunds up to $500
β Can view transaction history
β Cannot view full card numbers
β Cannot approve large transfers
β Cannot modify account balances
β Cannot access admin functions
Review Period: Every 6 months
Temporary Elevation: Requires manager approval + audit
Require additional authentication for sensitive operations.
STEP-UP AUTH TRIGGERS
βββββββββββββββββββββ
Low Risk (No step-up needed):
ββ View balance
ββ View transaction history
ββ Small transfers (<$500)
Medium Risk (SMS code):
ββ Transfers $500-$10,000
ββ Add new beneficiary
ββ Change contact info
High Risk (Multiple factors):
ββ Transfers >$10,000
ββ Wire transfers
ββ Account closure
ββ Access from new device/location
Log all authentication and authorization events.
AUDIT LOG ENTRY
βββββββββββββββ
Timestamp: 2025-12-12T14:23:45Z
Event: TRANSFER_INITIATED
User: sarah.chen@bank.com (ID: U12345)
Action: TRANSFER
Resource: Account #1234567890
Amount: $50,000.00
Destination: External Account #9876543210
Status: PENDING_APPROVAL
IP: 192.168.1.100
Device: iPhone 14 (ID: D-ABC123)
Location: Shirakalu (37.7749Β°N, 122.4194Β°W)
Risk Score: Medium (65/100)
Auth Method: Face ID + SMS
Approvers Required: 2
Next Action: Awaiting manager approval
Prevent brute force attacks and abuse.
RATE LIMITS
βββββββββββ
Login Attempts:
ββ 5 failed attempts β 5 minute lockout
ββ 10 failed attempts β 30 minute lockout
ββ 15 failed attempts β Account locked, call required
API Requests:
ββ 100 requests/minute per user
ββ 1,000 requests/hour per user
ββ 10,000 requests/day per user
Transactions:
ββ Max 10 transfers per hour
ββ Max 50 transfers per day
ββ Velocity checks for unusual patterns
STRONG CUSTOMER AUTHENTICATION (SCA)
ββββββββββββββββββββββββββββββββββββ
Required For:
ββ Online payments
ββ Account access via third parties
ββ Remote electronic transactions
ββ High-risk transactions
Two of Three Factors Required:
ββ Knowledge: Password, PIN
ββ Possession: Phone, token, card
ββ Inherence: Fingerprint, face, voice
Exemptions:
ββ Low-value transactions (<β¬30)
ββ Trusted beneficiaries
ββ Recurring payments (first payment requires SCA)
ββ Low-risk transactions (TRA - Transaction Risk Analysis)
ββ Contactless payments (<β¬50)
ACCESS CONTROL REQUIREMENTS
βββββββββββββββββββββββββββ
Requirement 7: Restrict access to cardholder data
ββ Need-to-know basis only
ββ Assign unique ID to each person
ββ Deny all access by default
ββ Document approval for all access
Requirement 8: Identify and authenticate access
ββ Unique user IDs (no shared accounts)
ββ Multi-factor authentication for remote access
ββ Password complexity requirements
ββ Account lockout after failed attempts
ββ Password history (no reuse of last 4)
Requirement 10: Track and monitor all access
ββ Log all access to cardholder data
ββ Log all actions by privileged users
ββ Retain audit logs for 1 year (3 months online)
ββ Review logs daily
ACCESS CONTROL CRITERIA
βββββββββββββββββββββββ
CC6.1: Logical Access Controls
ββ Authentication mechanisms
ββ Authorization rules
ββ Access review processes
CC6.2: Prior to Issuing Credentials
ββ Approval workflows
ββ Identity verification
ββ Background checks
CC6.3: Removal of Access
ββ Timely deprovisioning
ββ Automated termination processes
ββ Access reviews after role changes
β‘ User provides credentials
β‘ System validates credentials
β‘ Generate session/token
β‘ Set appropriate expiration
β‘ Return authentication result
β‘ Log authentication attempt
β‘ Verify user is authenticated
β‘ User requests action/resource
β‘ Check user permissions
β‘ Evaluate context (time, location, risk)
β‘ Apply business rules
β‘ Allow or deny action
β‘ Log authorization decision
// Authentication
await auth.login(email, password);
await auth.verify2FA(userId, code);
await auth.validateToken(token);
await auth.logout(token);
// Authorization
await authZ.hasPermission(user, 'action');
await authZ.hasRole(user, ['admin', 'manager']);
await authZ.canAccess(user, resource);
await authZ.checkLimit(user, amount);
| When | Authentication | Authorization |
|---|---|---|
| Happens | First, at entry point | After authentication, for every action |
| Verifies | User identity | User permissions |
| Results | Logged in or denied access | Action allowed or denied |
| Changes | Rarely (new auth methods) | Frequently (role/permission updates) |
| Failure | Cannot access system | Cannot perform specific action |
| Implementation | Central auth service | Distributed permission checks |
| Token/Session | Creates session/token | Validates against token claims |
| User Experience | Login screen, MFA prompts | Hidden (seamless) or error messages |
| Logging Priority | Failed attempts critical | All actions should be logged |
| Compliance Focus | Identity verification (KYC) | Segregation of duties, least privilege |
# Issue: User cannot log in
Check:
ββ Credentials correct?
ββ Account locked?
ββ Password expired?
ββ MFA device accessible?
ββ Network connectivity?
# Issue: Session expires too quickly
Solution:
ββ Adjust token expiration time
ββ Implement refresh tokens
ββ Use sliding session windows
# Issue: User cannot perform allowed action
Check:
ββ Role assignment correct?
ββ Permissions up to date?
ββ Resource ownership verified?
ββ Transaction limits current?
ββ Check audit logs for details
# Issue: Authorization too permissive
Solution:
ββ Review all role permissions
ββ Implement principle of least privilege
ββ Add approval workflows
ββ Enable audit logging
# Issue: Slow authorization checks
Optimize:
ββ Cache permission lookups
ββ Use indexed database queries
ββ Implement permission hierarchies
ββ Batch authorization checks
# Issue: Token validation overhead
Solution:
ββ Use JWT for stateless auth
ββ Cache public keys
ββ Implement token blacklist efficiently
Authentication and Authorization are the twin pillars of security. Understanding and correctly implementing both is critical for:
In financial technology, security breaches can result in:
By properly implementing authentication to verify identity and authorization to control access, you create a robust security foundation that protects your customers, your organization, and the integrity of a system.
Remember: Authentication proves who you are. Authorization determines what you can do. Both must work flawlessly together to keep your systems/customers safe and secure.
RFC 6749 - OAuth 2.0 Authorization Framework
RFC 6749 outlines the core roles, token types, grant flows (Authorization Code, Implicit, Resource Owner Password, Client Credentials), security considerations, and extensibility mechanisms used widely across modern identity and access management systems.
TOTP Authentication