Authentication (part 1)

In data security there is the term 'AAA' (or 'A3'), an abbreviation for three processes: 'Authentication' (the process by which a system proves the true, legitimate identity of its users), 'Authorization' (which determines what an authenticated user is permitted to do) and 'Accounting' (which determines what share of the system's resources and services is available to a user and whether the user pays a price for them). The first and most important part of the AAA operation is the authentication process itself, so this section focuses on authentication only.

Differences Between Authentication and Authorization


Some programmers confuse the two processes of Authentication and Authorization, but they are completely different. The Authentication process checks:
Is the user the one they claim to be, or not?
Is the user's information real or fake?
The Authorization process, on the other hand, determines what permissions the authenticated user has and which information they are allowed to access. In general, Authorization is the set of permissions granted to the user, and it happens only after the Authentication step, so a user who is not authenticated cannot be granted any permission. For example, in Spotify the user must first be authenticated before listening to music; a regular (free) user then has a limited authorization: advertisements are played between songs, selected songs can only be listened to in shuffle mode, favourite music cannot be downloaded, and the playback quality is normal.
But if a premium subscription is purchased, the user's authorization changes: the user is permitted to listen without ads, to play any song on demand, to download music, and to listen at the highest quality.

In this article, we explain what authentication means and then examine two of its methods.


Method 1:

In this method, the user is offered two options: Sign in and Sign up.


1- Sign in: If the user clicks on Sign in, the user is taken to the mobile-number entry page (Login) and enters their mobile number.
In this step the mobile number is checked. If the user's mobile number is not already registered (not present on the server), the message "This number has not been registered yet" is sent and the user is redirected to the Register page, where they enter the required information (2).
But if the user's mobile number is already registered and its information is on the server, a 4-digit code is sent to the mobile number the user entered, and the user must enter that code. In the next step the entered code is compared with the code stored on the server: if it matches, the user is given a token; if it does not, the message "The code entered is not correct" is sent and the user can click on the resend button.



2- Sign up: If the user clicks on the Sign-up button, the user is taken to the Register page and enters the information required by the app.
The next step is checking the entered mobile number. If the mobile number has already been registered, the message "This number is already registered" is sent and the user is redirected to the Login page, where the steps above (1) apply.
But if the user's mobile number is not already registered, a 4-digit code is sent to the mobile number the user entered, and the user must enter that code. In the next step the entered code is compared with the code stored on the server: if it matches, the user is given a token; if it does not, the message "The code entered is not correct" is sent and the user can click on the resend button.

Method 2:

In this method, the user must first enter their mobile number when opening the app.
A 4-digit code is then sent to the mobile number the user entered, and the user must enter that code. In the next step the entered code is compared with the code stored on the server: if it matches, the user is given a token; if it does not, the message "The code entered is not correct" is sent and the user can click on the resend button.
After the token has been issued, we check whether the user's information already exists on the server (i.e. the user was previously registered) or not.
If the user's information does not exist, the user is redirected to the Register page and enters their information according to the app's requirements.
But if the user's information already exists, the user is logged in directly.
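Both methods share the same core step: send a 4-digit code, compare the user's entry with the stored code, and issue a token only on a match. The following is an added example (not code from the original article) of a server-side implementation of that step, with the defensive details a 4-digit code needs: a short validity window, a cap on wrong guesses, a cooldown on the resend button, one-time use, and keyed hashing so the stored value is not the plaintext code. The `OtpService` class, the constants, the status strings and the key/clock parameters are all assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120        # assumed: how long a sent code stays valid
MAX_ATTEMPTS = 5              # assumed: wrong guesses allowed before the code is discarded
RESEND_COOLDOWN_SECONDS = 30  # assumed: minimum gap between two "resend" clicks

class OtpService:
    """One pending 4-digit code per mobile number; the 'SMS gateway' is a list."""
    def __init__(self, registered_numbers, key, clock=time.time):
        self.registered = set(registered_numbers)  # numbers already stored on the server
        self.key = key                             # server-side secret for keyed hashing
        self.clock = clock
        self.pending = {}                          # number -> {mac, expires, attempts, sent_at}
        self.sent_sms = []                         # (number, code) pairs handed to the gateway

    def _mac(self, number, code):
        # Keyed hash: a leaked database row alone cannot be brute-forced over 10,000 codes.
        return hmac.new(self.key, f"{number}:{code}".encode(), hashlib.sha256).digest()

    def send_code(self, number):
        now = self.clock()
        entry = self.pending.get(number)
        if entry and now - entry["sent_at"] < RESEND_COOLDOWN_SECONDS:
            return "cooldown"                      # throttle the resend button
        code = f"{secrets.randbelow(10_000):04d}"  # CSPRNG, uniform over 0000-9999
        self.pending[number] = {"mac": self._mac(number, code), "expires": now + CODE_TTL_SECONDS,
                                "attempts": 0, "sent_at": now}
        self.sent_sms.append((number, code))       # only the plaintext leaves via SMS
        return "sent"

    def verify_code(self, number, code):
        """Return (status, token); a token is issued only for a correct, fresh, unlocked code."""
        entry = self.pending.get(number)
        if entry is None or self.clock() > entry["expires"]:
            self.pending.pop(number, None)
            return "expired", None                 # user must press resend
        if entry["attempts"] >= MAX_ATTEMPTS:
            self.pending.pop(number, None)
            return "locked", None                  # discard the code instead of allowing more guesses
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["mac"], self._mac(number, code)):
            return "wrong_code", None              # "The code entered is not correct"
        del self.pending[number]                   # one-time use: a replayed code fails
        token = secrets.token_urlsafe(32)
        # Method 2's post-token branch: registered users log in, others go to Register.
        return ("login" if number in self.registered else "register"), token
```

The `sent_sms` list stands in for the SMS gateway, and the "locked"/"expired" statuses map to the article's resend path: the user gets a fresh code rather than further guesses at the old one.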