Authentication or Authorization?

Authentication or Authorization?Header Image

Authentication or Authorization? Many folks in their early career usually mix(up) these terms and use one for another OR often use the term auth to refer both authentication as well as authorization. Many a times I myself have been guilty of doing so😬. These two terms are somewhat related and have overlapping mechanisms in application security. But they aren't the same thing!, Lets first get this sorted today.

Authentication is a mechanism for verifying who a user or a process is and determining whether they are in-fact what they declare themselves to be or not. Authentication technology in an application provides a access control to that system. For example many systems use usernames and passwords (a piece of information that is known only to user) these together are known as knowledge authentication factor. Identity(username) and a verifying entity(password) is verified for the correctness against the one saved on the system records. There many other forms of authentication methods some of which are OAuth(which includes features as "sign in with Google"), SAML (Security Assertion Markup Language) which companies use to authenticate into multiple systems by one set of credentials, and other methods as passwordless authentication that completely eliminate whole lot of issues caused by passwords.

Authorization is a mechanism of controlling what users are allowed to do and what not. Authorization is often built upon authentication and overlap most closely, if authenticated user information becomes a part of input to a system that un-locks a door then determining what that user can and cannot do(what thing they are allowed to touch, access or maybe take) becomes responsibility of authorizing that user to perform some task within that system. It is as much critical as authentication that the authenticated user should have access to the right data. One good example could be a school administration -

  • students come to school to study, have fun, learn give a number of exams and leave. - while are not allowed to access exam papers, systems etc...

  • teachers teach, conduct exams construct proper time table for covering of syllabus and so on. -while they don't have access to finances of the school

  • school administrators control various departments like faculties, cultural department and establish school objectives and so on.

  • school councils and chair persons have control of these various administrators and ensure there is proper funding for the school.

All these are various authorization roles with different level of permission and access controls in a school system. Authentication becomes an important part to claim those permission.

Different methods/strategies of authorization are Attribute-based Access Control(ABAC) where a system determines one's access based on an attribute or a claim associated with that user, Role-based Access control(RBAC) where permissions are associated with the roles of that user and not directly on the credentials. for example going through examination department depends on the faculty type(role -RBAC) while accessing the systems depends on the credentials provided(ABAC).

Its important that development teams spend fairly good amount of time on structuring these Authorization systems.