Understanding the Difference: Authentication vs Authorization
Authentication and authorization are fundamentally different concepts.
Authentication is the process of verifying that a user is who they claim to be.
When we log into an account by entering a username and password, that is authentication: the entered credentials are checked against what is stored in the database.
Authorization, on the other hand, is about access, determining which users can access specific resources within a network.
Key Differences
Authentication
- Determines whether the user is who they claim to be.
- Requires users to verify their credentials using the established mechanism.
Authorization
- Based on predefined rules, determines whether users are allowed or denied access.
- Checks whether access is permitted according to policies and security rules.
Frequently Used Authentication Mechanisms
Single-factor Authentication (SFA) – a method where the application performs a single check of a username and password: the submitted password is matched against the one stored for that username.
Federated Identity Management (FIM) – an agreement that can be made between multiple companies allowing participants to use the same identification credentials to access all companies within the group. This approach is known as ‘federated authentication.’
Multi-factor Authentication (MFA) – requires users to provide multiple proofs to confirm their claimed identity. Users may complete the authentication process using a combination of any two or all of the following methods:
a) Authentication from their own device.
b) Biometric methods such as fingerprint or iris scanning.
c) User credentials, commonly referred to as ‘creds.’
Now, let’s talk about Authorization.
Authorization involves granting access to system resources based on a specific set of rules. At this stage, the user must already be identified and authenticated.
The authorization mechanism allows security system administrators to specify user access rights and privileges. Access rights determine what a user can access, usually depending on their role.
Roles are associated with a category or group of users performing the same set of business functions. One user may have multiple roles.
Let’s look at how an authorization error might occur. For example, we try to access our account, but the system denies access. Most likely we entered the wrong username or password: we failed authentication, and the authorization request was denied because the system did not recognize us.
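The two steps described above, as an added example that is not part of the original post: a constructed user store and role policy, a separate authentication check and authorization check, and a request handler that shows why a failed login is reported before any authorization decision, and why an authenticated user can still be denied. All usernames, passwords, roles and resources are made-up sample data.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: the store never holds the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_record(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)

# Constructed sample "database": username -> (salt, password hash).
USERS = {"alice": _make_record("correct horse"), "bob": _make_record("hunter2")}
# Constructed roles: one user may hold several roles, as the text notes.
ROLES = {"alice": {"admin", "analyst"}, "bob": {"analyst"}}
# Constructed policy: which roles may perform which action on which resource.
POLICY = {("reports", "read"): {"analyst", "admin"}, ("reports", "delete"): {"admin"}}
_DUMMY_SALT = os.urandom(16)

def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: does the presented credential match the stored one?
    Returns the verified identity, or None when the user is not recognized."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a wrong password.
        _hash_password(password, _DUMMY_SALT)
        return None
    salt, stored_hash = record
    if hmac.compare_digest(stored_hash, _hash_password(password, salt)):
        return username
    return None

def authorize(identity: str, resource: str, action: str) -> bool:
    """Authorization: is this already-authenticated identity allowed the action?
    Decided purely by the policy and the identity's roles, never by the password."""
    allowed_roles = POLICY.get((resource, action), set())
    return bool(ROLES.get(identity, set()) & allowed_roles)

def handle_request(username: str, password: str, resource: str, action: str) -> str:
    identity = authenticate(username, password)
    if identity is None:
        # The system does not know who we are, so no access decision is even made.
        return "denied: authentication failed"
    if not authorize(identity, resource, action):
        # Known user, but the policy says this role may not do this.
        return "denied: not authorized"
    return "allowed"
```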
While these concepts are different, they are interconnected. That’s all for today. What concepts do you struggle with or mix up? Share in the comments below!