Software terminologies can be confusing. Many words may sound similar but are different aspects of computer security and networking, and sometimes, it’s hard to tell them apart.
With respect to security systems, the confusion between the terms “authentication” and “authorization” is a classic example.
They are often incorrectly used interchangeably.
While they might sound similar, they are two entirely distinct security concepts.
Developers integrate strong authentication and authorization processes to secure their application from malicious actors.
There are millions of web applications and services that require authentication to work properly, as most of their services/intents depend upon the action of their users: blogs, forums, shopping carts, collaborative tools, and subscription-based content/services.
However, it’s not the same as authorization.
Security Authentication vs. Authorization: What’s The Difference?
How, exactly, are security authentication and authorization different?
In this section, we will take a closer look at both security authentication and authorization.
What is Authentication?
Authentication is asserting and proving one’s identity. My identification is “joe_user” (userID) and I can prove I’m Joe because I know Joe’s password (that no one else knows).
Authentication is the process of validating a user’s identity to grant them access to a system or network. It determines the right of a user to access resources such as services, data servers, networks, databases, files, etc.
How does a web application provide authentication to users?
Most applications feature a login page where users have to enter their credentials to prove their identity. Those credentials may consist of their user ID, username, email, or phone number and the password associated with it.
If the credentials provided by the user match the data stored in the application’s database, the user is authenticated and granted access to the application.
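The credential check described above, as an added example that is not code from the original post: the store keeps only a per-user random salt and a PBKDF2 hash (never the password itself), the comparison is constant-time, and an unknown user name is checked against a dummy record so the response time does not reveal which accounts exist. The user name, password and iteration count are constructed for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; constructed value for this example.
PBKDF2_ITERATIONS = 200_000


def make_record(password: str) -> dict:
    """Build what the database stores for a user: a random salt and the derived hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed user store: "joe_user" knows his password; the record holds only its hash.
USERS = {"joe_user": make_record("correct horse battery staple")}

# Dummy record used when the user name is unknown, so the check costs the same
# whether or not the account exists (no user-name enumeration via timing).
_DUMMY = make_record(os.urandom(16).hex())


def authenticate(username: str, password: str) -> bool:
    """Return True only if the password derives to the stored hash for this user."""
    record = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    # compare_digest avoids leaking how many leading bytes matched.
    ok = hmac.compare_digest(candidate, record["hash"])
    return ok and username in USERS
```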
Which Are the Common Authentication Methods?
There are several ways to perform authentication, including one-time passwords, biometrics, authentication apps, hardware tokens, software tokens, and many others.
One of the most common authentication methods is the password: if a user enters the correct password, the system checks the credentials and grants access to the user.
However, passwords are often targeted by hackers and are vulnerable to cyberattacks, such as brute force attacks, data breaches, man-in-the-middle attacks, and password cracking.
For this reason, businesses often use other security methods such as two-factor or multi-factor authentication (2FA/MFA) to strengthen security beyond passwords.
In multi-factor authentication, the system may require the successful verification of more than one factor before granting access to the user.
What is Authorization?
Once a user is authenticated, the application knows who they are. Authorization then determines what that user can do within the application (vertical authorization, e.g., does the user have administrator rights, or are they a normal user?) and what data they have access to (horizontal authorization: Joe User should not be able to access Mary Smith’s data).
Authorization is the process of granting a user the privileges needed to access specific resources such as files, databases, locations, funds, information, almost anything within an application. In simple terms, authorization evaluates whether a user may access the system and to what extent.
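The vertical and horizontal checks described above, as an added example that is not code from the original post: the role table answers "may this kind of user perform this action at all?", and the ownership check plus a per-record ACL answer "on this particular record?". The users, roles and records are constructed for this example.

```python
from dataclasses import dataclass, field

# Vertical authorization: what each role may do at all (constructed for the example).
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete", "view_audit_log"},
    "user": {"read", "write"},
}


@dataclass
class Record:
    owner: str
    acl: dict = field(default_factory=dict)  # user_id -> set of actions explicitly granted


@dataclass
class User:
    user_id: str
    role: str


# Constructed data: Mary has shared read access to her statement with Joe.
RECORDS = {
    "joe_statement": Record(owner="joe_user"),
    "mary_statement": Record(owner="mary_smith", acl={"joe_user": {"read"}}),
}


def authorize(user: User, action: str, record_id: str) -> bool:
    """Deny by default; allow only when both the role and the record-level check pass."""
    record = RECORDS.get(record_id)
    if record is None:
        return False  # unknown resource: deny rather than reveal anything
    # Vertical: the user's role must permit this action at all.
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    # Administrators act on any record once the role check has passed.
    if user.role == "admin":
        return True
    # Horizontal: a normal user reaches only their own records or ones shared via ACL.
    if record.owner == user.user_id:
        return True
    return action in record.acl.get(user.user_id, set())
```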
According to the 2019 Global Data Risk Report, nearly 53% of companies found over 1,000 sensitive files open to every employee.
To maintain strong security, authorization must take place after authentication - where the system validates the user’s identity before it grants access according to their privileges.
For instance, you might want to allow administrators to view sensitive information but limit third-party suppliers from accessing this sensitive data. Authorization is often used interchangeably with user access control and user privilege.
Which Are the Different Approaches For Authorization?
When it comes to authorization, you can take different approaches to it. What’s best for you depends on your needs.
Different approaches to authorization include:
• Token-based: Users are granted a cryptographically signed token that stipulates what privileges they have and what data they have access to.
• Role-Based Access Control (RBAC): Users are identified as being in a role that stipulates what privileges they have. Additionally, their user ID would restrict what data they have access to.
• Access Control Lists (ACL): An ACL specifies which users have access to particular resources. For instance, if a user wants to access a specific file or folder, their username or details should be mentioned in the ACL in order to be able to access certain data.
Businesses often assign privileges and ACLs to users in batches: they might implement “groups” and “roles”, two features that categorize users and assign access controls and privileges to them based on their organizational standing and job functions.
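The token-based approach from the list above, as an added example that is not code from the original post: the server issues a token whose claims (user, role, privileges) are covered by an HMAC-SHA256 tag, and the claims are trusted only after the tag verifies, so a client that edits its own role without the server key is rejected. The server key, user and privileges are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; a real deployment loads it from a secret store
# and never sends it to the client.
SERVER_KEY = b"example-only-server-key-rotate-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, role: str, privileges: list) -> str:
    """Server side: serialize the claims and append an HMAC over them."""
    claims = json.dumps(
        {"sub": user_id, "role": role, "priv": sorted(privileges)}, sort_keys=True
    ).encode()
    tag = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(tag)


def verify_token(token: str):
    """Return the claims only if the tag matches; None for malformed or tampered tokens."""
    try:
        claims_part, tag_part = token.split(".")
        claims = _unb64(claims_part)
        tag = _unb64(tag_part)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # claims were altered or signed with another key
    return json.loads(claims)


def has_privilege(token: str, privilege: str) -> bool:
    """Authorization decision that reads privileges only from a verified token."""
    claims = verify_token(token)
    return claims is not None and privilege in claims["priv"]
```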
Usually, once an authenticated user has access to their account, they are permitted to perform all operations that they’re authorized to do.
For example, once you log in to your email account, you can view all of your emails, reply to them, delete them, categorize them, modify your personal information, and do other email-related tasks.
However, if a user wishes to perform a particularly sensitive operation, they might need to take additional steps to authorize the request.
For instance, if a user is trying to make a payment, they might have to re-enter their password, or repeat the authentication process, to validate their identity again.
In secure environments, some applications might require such additional authorization steps if they observe unusual user behavior, like an unfamiliar IP address, an unusual time of login, or an attempt to make a high-value transaction.
This is to ensure that only authorized users have access to their account and prove that their account hasn’t been hijacked or compromised by a malicious actor.
Authentication vs. Authorization: An Example
Still not clear about the differences between authentication and authorization?
A real-world example can help you understand the differences between authentication and authorization better.
Let’s say, for instance, you want to access your bank account online.
To log in to your banking application, you must have the credentials for your account. If you enter the correct username and password, you can gain access to your account. The application only grants access to a user who has the correct credentials.
This is authentication.
If you forgot your password, they may ask you some security questions that only you know, or they may email you a password reset token.
This is also authentication.
Once you have successfully logged in to your user account, you can access your profile, download your bank statement, make transactions, and do many other banking-related activities. All of these activities are authorized. You are granted the privilege to perform them.
Now, let’s suppose you want to access a premium service on your account. While you can gain access to your account (authentication) and use its services, you might not be allowed (authorized) to access premium services.
In such cases, the application will check your user privileges in the back-end database and only allow you to use them if you have the right to access those premium services.
Takeaways
Authentication and authorization are two strong pillars of cybersecurity that protect data from potential cyberattacks.
Authentication is the process of verifying if a user is who they claim to be by checking their credentials. Authorization is the method of checking the privileges of a user and granting access to only specific resources.
In a nutshell, both authentication and authorization are crucial but one is not a substitute for the other.
Think of authentication and authorization as complementary systems, and you need both.
Ideally, you should implement authentication and authorization in your security systems. That’s the best way to ensure that your systems and networks are properly secured.
This post was originally published at CypressDataDefense.com.
Top comments (4)
Well explained. In the simplest terms, authentication is about confirming who you are and authorization is about checking what you can do.
Security is unfortunately a word that usually gets to contain everything about what people don't understand. Pic, certificates, process access, authentication+authorizations as one and every error that directly or not seems to deny access.
Glad you like it!
Thank you for this clear explanation! 🙂
These days I believe we see less and less vertical authorization in software products. The administration features rather live in a separate product, usually an internal tool. At least that's what I observed in my experience. As a security specialist, can you confirm this trend?
Thanks.