Designing a Relatively Secure Account System: Authentication, Authorization, and Auditing
Designing a relatively secure account system requires integrating strong multi-factor authentication, fine-grained authorization models like RBAC or ABAC, and continuous real-time and offline auditing to mitigate breaches, while recognizing that absolute security is impossible and ongoing vigilance is essential.
Account security is a critical issue; many recent incidents show that weak account systems lead to massive data leaks. This article reviews several real‑world cases and outlines how to build a more robust account security framework.
1. Is Your Account Secure?
Examples include the 2018 breach of 130 million hotel check‑in records from the Huazhu group and the 2017 exposure of 58.com resume data via poorly protected APIs. These incidents illustrate that a solid account system could have prevented or limited the damage.
2. Designing a Relatively Secure Account System
A secure account system should address three fundamental questions (the “3 A”):
Authentication – Who am I?
Authorization – What can I do?
Audit – What am I doing?
Only when these three aspects are properly handled can a system reliably protect user assets.
3. Authentication – Who Am I?
Authentication solves the identity problem. It has evolved through three stages:
3.1 What You Know
Static passwords, security questions, and other knowledge‑based factors. While familiar, they are vulnerable to credential theft, weak passwords, and reuse.
3.2 What You Have
Possession‑based factors such as SMS codes, email verification links, hardware or software tokens. Security depends on the user protecting the device or token.
3.3 Who You Are
Biometric methods (fingerprint, facial recognition, voice, iris, DNA). These do not require the user to remember secrets, but they are not 100 % reliable and often need to be combined with other factors.
4. Authorization – What Can I Do?
After identity is verified, the system must enforce what actions the user is allowed to perform. Common access‑control models include:
OBAC (Object‑Based Access Control) – the family that includes DAC (Discretionary Access Control) and MAC (Mandatory Access Control).
RBAC (Role‑Based Access Control) – permissions are assigned to roles, and users assume roles.
ABAC (Attribute‑Based Access Control) – decisions are based on subject, object, and environment attributes.
A good policy follows the principle of least privilege and separation of duties.
5. Auditing – What Am I Doing?
Auditing monitors the security controls while they operate and feeds what it finds back into improving them. It can be divided into:
5.1 Real‑time Online Auditing
Black‑list filtering (IP, device, phone number, etc.).
Aggregation analysis (account, IP, device, time‑window clustering).
Rate‑limit and anomaly detection.
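The three real‑time checks above (black‑list filtering, time‑window aggregation, rate limiting) applied to a stream of login events, as an added illustration that is not part of the original article; the thresholds, black‑list contents and event fields are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample data and thresholds; the list contents and limits are assumptions.
BLACKLISTED_IPS = {"203.0.113.9"}
BLACKLISTED_DEVICES = {"dev-blocked-1"}
WINDOW_SECONDS = 60
MAX_FAILED_PER_ACCOUNT = 5   # failed logins allowed per account within the window
MAX_ACCOUNTS_PER_IP = 3      # distinct accounts one IP may attempt within the window

@dataclass
class LoginEvent:
    ts: int          # event time, Unix seconds
    account: str
    ip: str
    device: str
    success: bool

class RealtimeAuditor:
    def __init__(self):
        self.failures = defaultdict(deque)        # account -> timestamps of failed logins
        self.accounts_by_ip = defaultdict(deque)  # ip -> (timestamp, account) pairs

    @staticmethod
    def _trim(window, now, key=lambda item: item):
        # Drop entries that have fallen out of the sliding time window.
        while window and now - key(window[0]) > WINDOW_SECONDS:
            window.popleft()

    def evaluate(self, ev):
        reasons = []
        # 1. Black-list filtering on IP and device.
        if ev.ip in BLACKLISTED_IPS:
            reasons.append("blacklisted_ip")
        if ev.device in BLACKLISTED_DEVICES:
            reasons.append("blacklisted_device")
        # 2. Rate limit: failed logins per account inside the sliding window.
        fails = self.failures[ev.account]
        self._trim(fails, ev.ts)
        if not ev.success:
            fails.append(ev.ts)
        if len(fails) >= MAX_FAILED_PER_ACCOUNT:
            reasons.append("account_failure_rate")
        # 3. Aggregation: how many distinct accounts one IP touched in the window.
        seen = self.accounts_by_ip[ev.ip]
        self._trim(seen, ev.ts, key=lambda item: item[0])
        seen.append((ev.ts, ev.account))
        if len({acct for _, acct in seen}) > MAX_ACCOUNTS_PER_IP:
            reasons.append("ip_account_spread")
        return reasons
```

Each call to evaluate returns the list of reasons an event was flagged (empty when it passes), so the same object can be fed a live event stream or replayed over stored logs.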
5.2 Offline Post‑Event Auditing
Building richer black‑lists from historical data.
Constructing user profiles for risk scoring.
Analyzing logs to improve system security.
6. Summary
Protecting user accounts requires a layered approach: strong authentication, fine‑grained authorization, and continuous auditing. The exact combination of techniques depends on the sensitivity of the assets and the operational context. Simpler systems may only need basic authentication, while high‑value services should adopt multi‑factor authentication, role‑based or attribute‑based access control, and robust audit mechanisms.
Ultimately, no system can be absolutely secure; ongoing vigilance and adaptation to emerging threats are essential.
Tencent Cloud Developer
Official Tencent Cloud community account that brings together developers, shares practical tech insights, and fosters an influential tech exchange community.