Growth & Marketing
December 14, 2022
January 30, 2023
Although these terms are sometimes used as synonyms and both are abbreviated as “auth”, the reality is that they are very different. While authentication is the process of verifying the credentials that a user provides, authorization is the process of verifying that you are allowed to access an area of an application.
To put this in practical terms: when you open a bank account, you need to provide your ID, passport number, etc. to authenticate yourself. Once provided, the bank needs to authorize the process to allow you to open the account.
Authentication and authorization are similar in that they are two parts of the underlying process that grants access, which is why they are often confused. They are also similar in that both rely on identity. Since you cannot authorize a user or service before identifying them, authentication always comes first.
Authentication refers to the process of validating a user’s identity. Usernames and passwords are the most basic and familiar form of authentication, but systems can use several mechanisms to authenticate a user. To verify identity, the process relies on one of these factors:
Passwords, security questions and digital codes fall under the “something you know” category. Because you are supposed to be the only one who knows the password or the answers to the security questions, the system assumes it can grant you access.
The second type, “something you have”, covers physical devices such as USB security tokens and mobile phones. For example, when you access a system and it sends you a one-time password (OTP) via SMS or an authenticator app, you can verify yourself because you possess that device.
The third type, “something you are”, relies on biometric authentication such as fingerprints, voice recognition or iris recognition. This option is very good for making sure that the person accessing the system is the right one. However, some users are privacy-conscious and opposed to anything that collects such sensitive data.
Most IAM (Identity and Access Management) solutions support multi-factor authentication (MFA) to protect against credential theft and user impersonation. With MFA, a user must present multiple forms of evidence to gain access to an application or system: for example, something you know (a password) together with something you have (a short-lived SMS code).
Authorization refers to the process of granting a user permission to access specific resources or capabilities once their identity has been verified. For example, access control lists (ACLs) determine which users or services can access a particular digital environment. An ACL consists of “allow” and “deny” rules applied according to the user’s authorization level; if the user tries to make changes that would compromise security, the ACL denies access.
Another type of authorization is access to data. In any enterprise environment, data has different levels of sensitivity, and your employees may or may not be allowed to access it. Some common methods:
JWT (JSON Web Token) allows transmitting information between parties in a secure way. It is common practice to add metadata with rules for access to specific resources, such as an API.
Session tokens: a session management solution that stores the token on the server side, along with user data. Session tokens are verified against the server’s database on every user request, and a single token can easily be revoked at any time. This results in higher latency than JWTs. However, when control over session revocation is critical, this solution is beneficial because it guarantees instant revocation when needed.
Depending on the employee’s profile, they may be granted one level of access or another.
SAML stands for Security Assertion Markup Language. It is an open standard that provides authorization credentials to service providers. These credentials are exchanged through digitally signed XML documents.
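To make the revocation trade-off between JWTs and server-side session tokens concrete, here is an added example (not code from the original post) that signs a minimal HS256-style token with Python's standard library and contrasts it with an in-memory session store; the signing key and user names are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"demo-signing-key"  # constructed for this example, not a real key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_jwt(user: str, ttl: int, now: float) -> str:
    """HS256-style token: the claims travel inside the token itself."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "exp": int(now) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, now: float):
    """Stateless check: signature and expiry only; no server record exists to revoke."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims["sub"] if claims["exp"] > now else None

class SessionStore:
    """Opaque token -> user record held on the server; one lookup per request."""
    def __init__(self):
        self._sessions = {}
    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token
    def verify(self, token: str):
        return self._sessions.get(token)
    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)

def demo():
    now = time.time()
    jwt = issue_jwt("alice", ttl=3600, now=now)
    store = SessionStore()
    sess = store.issue("alice")
    store.revoke(sess)  # instant: the very next request with this token is rejected
    # The JWT has no server-side record to remove, so it stays valid until exp.
    return {"jwt_still_valid": verify_jwt(jwt, now + 60) == "alice",
            "jwt_after_exp": verify_jwt(jwt, now + 3601),
            "session_after_revoke": store.verify(sess)}
```

Running `demo()` shows the session token rejected immediately after revocation while the JWT is still accepted until its `exp` passes, which is exactly why revocation-sensitive systems keep session state on the server.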
As described above, authentication verifies the user's identity, while authorization verifies the user's access and permissions. If a user cannot prove their identity, they cannot access the system. Both security methods are usually used together, and consequently they are equally important.