Learning Objectives
- Explain how access levels protect data and system functions.
- Describe authentication using usernames and passwords, biometrics and two-step verification.
- Explain how privacy settings reduce unwanted information exposure.
- Explain how user checking of communications and links supports security.
Key Terms
- Access level
- A set of permissions controlling which data and functions a user can access.
- Authentication
- Checking that a user is who they claim to be.
- Username
- An identifier used to state which account is requesting access.
- Password
- A secret value used as authentication evidence.
- Biometric
- A measurable physical or behavioural characteristic used for authentication.
- Two-step verification
- Authentication that requires two verification steps.
- Privacy settings
- Controls that limit who can view information or how information is shared.
- Least privilege
- Giving a user only the access needed for their role.

Access Levels
Access levels control what an authenticated user is allowed to view or do. A student account may read learning materials but may not change system settings. An administrator account can have wider permissions.
The purpose is to limit access to authorised resources and reduce the damage caused by error or account compromise. If every account had full access, one stolen password could expose or alter all data.
Access levels are about authorisation after identity has been checked. Authentication asks who the user is; access levels determine what that user is permitted to do.
Username And Password Authentication
A username identifies the account requesting access. A password provides secret evidence that the user is authorised to use that account.
Passwords should be difficult to predict or discover through brute force. Reusing one password across several services increases the damage if it is disclosed.
A username alone is not usually secret and is not sufficient authentication. The security depends on the secret credential remaining protected.
Biometric Authentication
Biometric authentication uses a physical or behavioural characteristic, such as a fingerprint or facial pattern. The system captures a sample and compares it with stored reference data.
Biometrics can be convenient because the user does not need to remember the characteristic. However, the system must capture and compare the sample accurately. A biometric is not identical to a password because it cannot simply be changed in the same way if compromised.
The syllabus requires understanding of biometrics as an authentication method, not detailed study of every biometric algorithm.
Two-Step Verification
Two-step verification requires a second verification step in addition to the first. A user may enter a password and then provide a one-time code or approve the login through another trusted method.
The benefit is that an attacker who discovers only the password may still be unable to authenticate. It therefore provides stronger protection against stolen or brute-forced passwords.
The two steps should be described as separate verification requirements, not simply typing the same password twice.
Privacy Settings
Privacy settings control the visibility and sharing of personal information. A user can limit which people can view posts, profile details or activity.
These settings reduce unnecessary exposure that could assist social engineering or unwanted tracking. The user should review them because default settings may share more information than expected.
Privacy settings do not prevent all attacks. They complement authentication, access levels and safe user behaviour.
User Awareness Checks
Users should check the spelling and tone of communications. An unexpected style, urgent demand or unusual request can indicate impersonation. The claimed sender should be verified through a separate trusted route.
Users should also check the URL attached to a link. The destination domain must be inspected before login details or personal information are entered. These checks reduce the success of phishing and other social engineering attacks.
Authentication And Authorisation
| Control | Main Question | Example |
|---|---|---|
| Username and password | Can the user prove access to the account? | Account name plus secret password |
| Biometric | Does the captured characteristic match the stored reference? | Fingerprint comparison |
| Two-step verification | Can the user complete a second verification requirement? | Password plus one-time code |
| Access level | What may the authenticated user access or change? | Read-only student permission versus administrator permission |
| Privacy settings | Who may see or receive shared information? | Only approved contacts can view a profile item |
Worked Examples
Authentication Versus Access Level
Question: A teacher and learner both log in successfully, but only the teacher can change marks. Explain the two controls involved.
- Both users prove their identities through authentication.
- The system reads the permission assigned to each account.
- The teacher access level allows mark changes; the learner level does not.
Answer: Authentication identifies each account, while access levels authorise different actions after login.
Benefit Of Two-Step Verification
Question: An attacker discovers a user’s password. Explain why two-step verification can still protect the account.
- The password completes only the first step.
- A separate second verification is still required.
- The attacker may not possess the second method.
Answer: The attacker cannot complete authentication with the password alone.
Examination Guidance
- Distinguish authentication from access levels.
- For two-step verification, describe two separate requirements.
- Explain the security benefit of a biometric rather than only naming an example.
- Include both spelling and tone when the question refers to checking communications.
Common Mistakes
- Saying a username is always a secret password.
- Describing access levels as different screen brightness settings.
- Calling two entries of the same password two-step verification.
- Claiming privacy settings replace the need for authentication.
Knowledge Check
1. What is authentication?
2. What is the purpose of an access level?
3. Give three authentication methods required by the syllabus.
4. Why does two-step verification reduce the risk from a stolen password?
5. How do privacy settings help security?