Authentication v Authorisation


Authentication. Authorization. It’s all just logging in, right? Are they essentially the same thing? Although some may use the terms interchangeably, they are actually very different concepts, and understanding how they differ is important for anyone in the security space.

In the most simplistic terms, authentication is the process of ensuring the user is who they say they are, while authorization is the process of giving users access to the resources to which they are entitled.

Authentication and authorization are dependent on each other. A user can’t be authorized if they aren’t authenticated first, because how can you know what someone should be allowed to access if you don’t know who they are? The authentication process also provides the server with the identity it needs to decide what a particular user is allowed to see.

A non-technical example of this would be opening a bank account. The bank won’t let you open an account without proper identification. You show your driver’s license, providing authentication, and the bank allows you to open up an account, the authorization you’re seeking.

The process is seamless, which is likely why many think they are one and the same. In reality, authentication and authorization are part of a more extensive process of tracking, controlling, managing, and monitoring users and system resources, known as access management.

What is authentication?

Authentication is the process by which a user proves their identity. There are three main factors applications can use to authenticate:

  • What you know: This is the weakest authentication factor as other people can know what you know.
  • What you have: This provides stronger authentication because someone would have to steal the object you have in order to authenticate.
  • What you are: This is the most secure authentication factor and the most user-friendly.

Usernames and passwords are one way authentication occurs, but authentication of user identity is also possible through other methods, the most popular including:

  • Biometrics, such as facial or voice recognition, or fingerprints
  • Multi-factor, where the user must complete more than one authentication step to be authenticated
  • Passwordless, where a credential is provided to authenticate instead of the traditional alphanumeric username and password

The most secure authentication processes employ techniques that eliminate the need for alphanumeric usernames and passwords, which are inherently insecure. A passwordless authentication process provides a better user experience while also being more secure because there are no credentials to steal.

What is authorization?

Once the user is authenticated, the server then authorizes access to necessary resources. While traditionally, this meant different tiers of access, where each tier gains more and more access, that has proven insecure. Many organizations now follow a zero trust strategy. In that method, users only gain access to what they need to complete the task at hand.

Regardless of the strategy, the server is making these decisions behind the scenes. Some popular authorization strategies include:

  • Role-based access controls: a traditional method of authorizing a user based on group-based privileges. For example, the IT support representative needs access to system processes, but not the payroll system.
  • JSON web tokens: an open standard using a public/private key pair to authorize users.
  • SAML: used in single sign-on, it involves digitally signed XML documents containing authentication data.
  • OpenID: uses an authentication server as an intermediary to verify identity.
  • OAuth: uses an API for authentication.

So how do IT departments properly utilize authorization and authentication? Every staff member should be permitted to access company resources if they provide the correct credentials. Once these credentials are received, grant permission to department-specific resources, and preferably only the resources that are needed to complete the task at that given moment.
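The two-step flow described above (prove identity first, then grant only the resources the role needs) with the IT support versus payroll example from the role-based access controls bullet, as an added illustration that is not Beyond Identity's code. The user store, roles and passwords are constructed sample data; the `401`/`403` result strings are an assumption for readability.

```python
import hashlib
import hmac
import os
from typing import Optional

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: username -> (salt, password hash, role).
_S1, _S2 = os.urandom(16), os.urandom(16)
USERS = {
    "alice": (_S1, hash_password("correct horse", _S1), "it_support"),
    "bob":   (_S2, hash_password("battery staple", _S2), "payroll_clerk"),
}

# Role-based policy: each role lists only the resources it needs (least privilege).
ROLE_PERMISSIONS = {
    "it_support":    {"system_processes"},
    "payroll_clerk": {"payroll_system"},
}

def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: is the caller who they claim to be? Returns the identity or None."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return None
    salt, stored, _role = record
    return username if hmac.compare_digest(hash_password(password, salt), stored) else None

def authorize(identity: Optional[str], resource: str) -> bool:
    """Authorization: what may an already-authenticated identity access?
    An unauthenticated caller (None) is never authorized, whatever the resource."""
    if identity is None:
        return False
    role = USERS[identity][2]
    return resource in ROLE_PERMISSIONS.get(role, set())

def access(username: str, password: str, resource: str) -> str:
    """Authentication always runs first; authorization is only decided for a known identity."""
    identity = authenticate(username, password)
    if identity is None:
        return "401 authentication failed"   # we don't know who this is, so nothing else is decided
    if not authorize(identity, resource):
        return "403 authorization denied"    # identity is known, but the role doesn't cover this
    return f"200 {identity} may access {resource}"
```

Alice, the IT support representative, is authenticated successfully but still receives a 403 for the payroll system, which is exactly the distinction the post draws.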

Understanding how the two concepts work hand in hand in network security, as well as removing holes in your security infrastructure when it comes to either authentication or authorization, will go a long way in keeping your organization’s network secure.

Similarities

As we noted earlier, both authorization and authentication are part of a larger system of managing a network known as access management. They also always work hand in hand: the first thing the server does after authentication is the authorization of necessary resources.

Differences

There are far more differences between the two concepts, as you can see in the comparison below:

Authentication

  • Requires user credentials
  • Confirms user identity
  • Validates user credentials
  • Determines identity
  • Always comes first

Authorization

  • Determines access to resources
  • Verifies where access is allowed
  • Determines access
  • May require additional information
  • Always follows authentication

Authentication and authorization work hand in hand, and any network manager should first ensure these two processes are as secure as possible when looking to prevent or deter attacks. However, if your authentication process uses the alphanumeric username and password, no matter what you do, you’re putting your organization at serious risk.

At Beyond Identity, we believe in passwordless authentication. Our system replaces the password with secure credentials based on X.509 certificates and public-private key pairs. Beyond Identity relies only on what you have and what you are, eliminating any knowledge-based authentication that is popular for attackers to target. If your organization is chasing a zero trust strategy, you won’t get there as long as you base it all on a fundamentally insecure authentication method: the username and password.

Our platform integrates easily with most existing SSO solutions with only a few lines of extra code, helping organizations in their efforts to secure their resources. With Beyond Identity you can implement granular zero trust authorization policies that limit access to resources based on device security posture, location, and other factors.
