Security and Authentication in System Design

What is Security in System Design?

Security in system design refers to the practices and mechanisms used to protect a system from unauthorized access, data breaches, and malicious attacks. It ensures that only the right users can access the right data under the right conditions. At its core, system security focuses on: - **Confidentiality** – Only authorized parties can access data. - **Integrity** – Data remains accurate and unaltered. - **Availability** – Systems remain operational and accessible.

Why is Authentication Important?

Authentication is the process of verifying the identity of a user or system. It ensures that users are who they claim to be before granting them access.

Example 1: Username and Password Authentication

The most basic form of authentication is using a username and password. When you log into Gmail or Facebook, you provide credentials that are verified against stored records.

How does it work?

1. User enters username and password. 2. System hashes the password (using SHA-256, bcrypt, etc.). 3. Compares the hashed value with what’s stored in the database. 4. If they match, the user is authenticated.

Beginner Question:

Why don’t we store passwords directly? Answer: Storing plain-text passwords is risky. If the database is hacked, attackers would immediately get access to all user credentials. By hashing passwords, even if someone steals the database, the actual passwords are hidden.

Example 2: HTTPS and Data Encryption

Every time you browse a secure website (notice the lock icon in the URL bar), your browser uses HTTPS to encrypt the communication.

Why is HTTPS important?

Without HTTPS, sensitive data like passwords, payment details, or personal info is transmitted in plain text. An attacker on the same Wi-Fi could eavesdrop using a packet sniffer.

Beginner Question:

Is HTTP really that dangerous? Answer: Yes. If you're on public Wi-Fi and log in to a site using plain HTTP, anyone else on the same network could potentially capture your credentials. HTTPS uses SSL/TLS to encrypt the data, making it unreadable during transmission.

Token-Based Authentication: Sessions and JWT

Modern applications use token-based authentication for scalability and statelessness.

Session-Based:

- After login, server creates a session ID and stores it in memory. - Client receives this ID and sends it in future requests (usually via cookies). - Server checks if the session ID is valid for each request.

JWT (JSON Web Tokens):

- After login, server creates a JWT and gives it to the client. - JWT contains encoded user data and is signed using a secret key. - Client sends the JWT with every request. - Server verifies the signature to authenticate the user.

Example: Using JWT in an E-commerce App

Imagine a user logs into an e-commerce site: - The backend generates a JWT containing the user's ID and roles (e.g., admin or customer). - The frontend stores this token in local storage. - Every time the user adds a product or views their profile, the token is sent with the request for verification.

Beginner Question:

What if someone steals my JWT? Answer: That's a valid concern. JWTs should be stored securely, ideally in memory or secure HTTP-only cookies. Also, JWTs have an expiration time (e.g., 15 minutes) to minimize damage if stolen.

OAuth and Third-Party Logins

Many sites allow you to "Login with Google" or "Login with Facebook". This uses **OAuth**, a protocol for delegated authorization.

Example: Login with Google

1. User clicks "Login with Google". 2. App redirects user to Google’s consent screen. 3. After login and consent, Google sends back a token. 4. App uses this token to fetch user info from Google. 5. User is now authenticated in your app using Google’s identity.

Beginner Question:

Why use OAuth instead of asking for email/password directly? Answer: OAuth reduces the risk of password theft. Users trust Google or Facebook more than a random app. Also, OAuth helps users log in faster without needing a new password.

Common Security Vulnerabilities

It’s important to understand common threats to system security:

SQL Injection

Attackers inject malicious SQL code into input fields to access or manipulate data. **Prevention:** Always use parameterized queries and ORM frameworks.

Cross-Site Scripting (XSS)

Attackers inject JavaScript code into web pages that runs in other users' browsers. **Prevention:** Sanitize user input and escape outputs.

Cross-Site Request Forgery (CSRF)

Tricks users into submitting unwanted actions. **Prevention:** Use CSRF tokens and secure cookies.

Security Best Practices

- Use HTTPS for all traffic. - Store hashed and salted passwords. - Set secure headers (e.g., Content Security Policy). - Use secure tokens (JWT with expiry). - Validate and sanitize all user input. - Implement role-based access control (RBAC). - Monitor logs for suspicious activity.

Conclusion

Security and authentication are not optional—they are essential for system integrity. Whether you're building a small blog or a large-scale e-commerce platform, understanding how to verify users and protect their data is foundational. Mastering these concepts early gives you a solid base for all future system design interviews and real-world implementations.