Learning Objectives
  • Explain how access levels protect data and system functions.
  • Describe authentication using usernames and passwords, biometrics and two-step verification.
  • Explain how privacy settings reduce unwanted information exposure.
  • Explain how user checking of communications and links supports security.
Key Terms
Access level
A set of permissions controlling which data and functions a user can access.
Authentication
Checking that a user is who they claim to be.
Username
An identifier used to state which account is requesting access.
Password
A secret value used as authentication evidence.
Biometric
A measurable physical or behavioural characteristic used for authentication.
Two-step verification
Authentication that requires two verification steps.
Privacy settings
Controls that limit who can view information or how information is shared.
Least privilege
Giving a user only the access needed for their role.
Summary diagram
Summary Of The Main Ideas In This Lesson
Access Levels

Access levels control what an authenticated user is allowed to view or do. A student account may read learning materials but may not change system settings. An administrator account can have wider permissions.

The purpose is to limit access to authorised resources and reduce the damage caused by error or account compromise. If every account had full access, one stolen password could expose or alter all data.

Access levels are about authorisation after identity has been checked. Authentication asks who the user is; access levels determine what that user is permitted to do.

Username And Password Authentication

A username identifies the account requesting access. A password provides secret evidence that the user is authorised to use that account.

Passwords should be difficult to predict or discover through brute force. Reusing one password across several services increases the damage if it is disclosed.

A username alone is not usually secret and is not sufficient authentication. The security depends on the secret credential remaining protected.

Biometric Authentication

Biometric authentication uses a physical or behavioural characteristic, such as a fingerprint or facial pattern. The system captures a sample and compares it with stored reference data.

Biometrics can be convenient because the user does not need to remember the characteristic. However, the system must capture and compare the sample accurately. A biometric is not identical to a password because it cannot simply be changed in the same way if compromised.

The syllabus requires understanding of biometrics as an authentication method, not detailed study of every biometric algorithm.

Two-Step Verification

Two-step verification requires a second verification step in addition to the first. A user may enter a password and then provide a one-time code or approve the login through another trusted method.

The benefit is that an attacker who discovers only the password may still be unable to authenticate. It therefore provides stronger protection against stolen or brute-forced passwords.

The two steps should be described as separate verification requirements, not simply typing the same password twice.

Privacy Settings

Privacy settings control the visibility and sharing of personal information. A user can limit which people can view posts, profile details or activity.

These settings reduce unnecessary exposure that could assist social engineering or unwanted tracking. The user should review them because default settings may share more information than expected.

Privacy settings do not prevent all attacks. They complement authentication, access levels and safe user behaviour.

User Awareness Checks

Users should check the spelling and tone of communications. An unexpected style, urgent demand or unusual request can indicate impersonation. The claimed sender should be verified through a separate trusted route.

Users should also check the URL attached to a link. The destination domain must be inspected before login details or personal information are entered. These checks reduce the success of phishing and other social engineering attacks.

Authentication And Authorisation
Control Main Question Example
Username and password Can the user prove access to the account? Account name plus secret password
Biometric Does the captured characteristic match the stored reference? Fingerprint comparison
Two-step verification Can the user complete a second verification requirement? Password plus one-time code
Access level What may the authenticated user access or change? Read-only student permission versus administrator permission
Privacy settings Who may see or receive shared information? Only approved contacts can view a profile item
Worked Examples
Authentication Versus Access Level

Question: A teacher and learner both log in successfully, but only the teacher can change marks. Explain the two controls involved.

  1. Both users prove their identities through authentication.
  2. The system reads the permission assigned to each account.
  3. The teacher access level allows mark changes; the learner level does not.

Answer: Authentication identifies each account, while access levels authorise different actions after login.

Benefit Of Two-Step Verification

Question: An attacker discovers a user’s password. Explain why two-step verification can still protect the account.

  1. The password completes only the first step.
  2. A separate second verification is still required.
  3. The attacker may not possess the second method.

Answer: The attacker cannot complete authentication with the password alone.

Examination Guidance
  • Distinguish authentication from access levels.
  • For two-step verification, describe two separate requirements.
  • Explain the security benefit of a biometric rather than only naming an example.
  • Include both spelling and tone when the question refers to checking communications.
Common Mistakes
  • Saying a username is always a secret password.
  • Describing access levels as different screen brightness settings.
  • Calling two entries of the same password two-step verification.
  • Claiming privacy settings replace the need for authentication.
Knowledge Check

1. What is authentication?

Answer: Checking that a user is who they claim to be.

2. What is the purpose of an access level?

Answer: To control which data and functions an authenticated user may access.

3. Give three authentication methods required by the syllabus.

Answer: Username and password, biometrics and two-step verification.

4. Why does two-step verification reduce the risk from a stolen password?

Answer: The password alone is not enough to complete the second verification step.

5. How do privacy settings help security?

Answer: They limit unnecessary exposure or sharing of personal information.