Authentication vs Authorization
Authentication and authorization have important differences to consider when implementing security for your organization and network.
What is the Difference Between Authentication and Authorization?
The difference between authentication and authorization is:
- Authentication: proves a user is who they say they are
- Authorization: permits users to access certain tools, data, or areas on a network
What is Authentication?
In security terms, authentication is the set of technologies and processes that establish who a user is and verify that they are who they claim to be.
System security is predicated on trust. Users, especially external users, must pass checks that let your systems trust them, usually through an authentication scheme built on one or more forms of identification. When a user accesses a system, the system verifies the claimed identity by requiring credentials that prove it.
Some of this trust negotiation happens in the background through APIs and other technical safeguards. When it comes to user interfaces, however, the most basic, and common, form of authentication is the combination of a username and a password.
A username and password are, simply put, an identifying name assigned to a user combined with an associated private password. Ideally only the user knows the password; the system itself should store only a salted hash of it rather than the password, so that neither an administrator nor a database breach reveals it. When the user presents the correct password to log in, the system can assume they are who they claim to be.
The world isn't always ideal, however, and passwords can be compromised. That is why many systems require additional "proof" from a user. Authentication factors fall into one of three categories:
- Something you know (knowledge), like a password or PIN
- Something you are (inherence), like a fingerprint scan or facial scan
- Something you have (possession), like a phone that receives an SMS code, an authenticator app, or a hardware security key
Combining proofs from different categories produces Two-Factor or Multi-Factor authentication. Two proofs from the same category (a password plus a PIN, for example) do not count: an attacker who can phish one can usually phish the other.
- A Two-Factor Authentication (2FA) system combines two of the above-listed categories.
- A Multi-Factor Authentication (MFA) system uses two or more of the above-listed categories in some combination.
Technically, 2FA is a subset of MFA: it is MFA with exactly two factors.
With the increase in sophisticated security attacks and scams, many consumer IT services are leveraging at least 2FA in a variety of ways:
- One of the older forms of 2FA present in our daily lives appears when you take money from an ATM. This system requires a physical item (your card) and a secret piece of information (the PIN).
- More online services, like email providers or online banking portals, now use 2FA. Once the user enters their password (knowledge), they receive an SMS or email message containing a temporary one-time code (possession) to verify it is them. Codes delivered over SMS or email are the weakest form of possession factor, since they can be intercepted through SIM swapping or a compromised mailbox; an authenticator app or a hardware security key is stronger.
- Many laptops now offer several ways to unlock. A typical laptop accepts a PIN or password (knowledge) or a biometric such as a fingerprint scan (inherence). Offering either one as an alternative is still single-factor authentication; it only becomes 2FA when both are required together.
- Tablets and smartphones also support MFA with configurable authentication requirements, including PINs, fingerprint scans and facial recognition.
What is Authorization?
Authorization sounds similar to authentication, and it usually depends on it: a system has to know who you are before it can decide what you may do. But whereas authentication is focused on identifying who you are, authorization determines what resources and capabilities you can access within the system.
Obviously, this starts with users authenticating themselves. But once a user is in the system, additional controls need to restrict access to data or commands based on the user's designation, or type of user.
For example, your IT system may have different tiers of users, including base-level users, administrators and internal IT support. Each tier has a different level of access to resources based on its position. Base-level users, for example, get the basic resources that help them use a product or service. Internal IT may have access to audit logs and other data to help allocate resources or install software. Administrators might have total access to everything in the system, including the ability to change configuration files or add and delete records.
Some authorization techniques include:
- Role-Based Access Control (RBAC): Users are granted access to resources according to a role in the organization (administrator, user, etc.) rather than through individual per-user grants. Anyone holding a given role can access the resources assigned to that role.
- JSON Web Tokens (JWT): An open standard defined in Internet Engineering Task Force (IETF) RFC 7519. A JWT carries JSON claims (who the subject is, when the token expires, which roles or scopes it grants) that are digitally signed by the issuer, and optionally encrypted, so a receiving service can verify the user's authenticated identity and access privileges without calling back to the issuer.
- Security Assertion Markup Language (SAML): An open standard for exchanging authentication and authorization assertions between an identity provider and a service provider, expressed as digitally signed (and optionally encrypted) XML.
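The RBAC tiers described above and the signed-token mechanism behind JWTs fit together in a few dozen lines. The following is an added example, not code from this page or from 1Kosmos: it mints an HS256-signed JWT carrying the user's roles, verifies it (pinning the algorithm so an `alg: none` token is refused, comparing signatures in constant time, and checking expiry), and only then consults a deny-by-default role-to-permission table. The signing key, the role table and the permission names are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real service loads this from a secrets store, never from source.
SECRET_KEY = b"demo-signing-key-not-for-production"

# Constructed role -> permission table. Deny by default: anything not listed is refused.
ROLE_PERMISSIONS = {
    "user": {"read:own_data"},
    "it_support": {"read:own_data", "read:audit_logs", "install:software"},
    "admin": {"read:own_data", "read:audit_logs", "install:software",
              "write:config", "delete:records"},
}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    """Serialise a header or payload object as one JWT segment."""
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(subject: str, roles: list, ttl_seconds: int = 900, now=None) -> str:
    """Authentication succeeded: mint an HS256 JWT naming the subject and their roles."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "roles": roles, "iat": now, "exp": now + ttl_seconds}
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Check algorithm, signature and expiry; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: never let the token's own header choose the verifier,
    # otherwise an "alg": "none" token with an empty signature would pass.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(SECRET_KEY, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def is_authorized(payload: dict, permission: str) -> bool:
    """Authorization: does any role in the already-verified token grant this permission?"""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in payload.get("roles", []))


def check_request(token: str, permission: str, now=None) -> bool:
    """Full path for one request: authenticate the token first, then authorize the action."""
    try:
        payload = verify_token(token, now=now)
    except ValueError:
        return False
    return is_authorized(payload, permission)


if __name__ == "__main__":
    token = issue_token("alice", ["it_support"])
    print("read:audit_logs ->", check_request(token, "read:audit_logs"))
    print("delete:records  ->", check_request(token, "delete:records"))
```

The two questions are deliberately kept in separate functions: `verify_token` answers "is this really alice?" and `is_authorized` answers "may alice read audit logs?". A production service would use a maintained JWT library and a key from a secrets store, but the three checks it must make before trusting the roles claim are the same.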
What are the Major Differences Between Authentication and Authorization?
The differences here seem rather clear: Authentication is proving who a user is, and authorization is granting or limiting access to system functions and resources.
At the same time, these two aspects of system security function together and, often, are inseparable from one another. Accordingly, several solutions have been released (or that are emerging) to help simplify the interactions between authentication and authorization:
- Single Sign-On (SSO): SSO attempts to make access across a system more streamlined by providing access to many different systems from a single login. That means one set of credentials (ideally protected by MFA) gives access to whatever relevant resources the user should have access to.
- OAuth: OAuth is a specification for authorization rather than a system or platform for authentication. It defines how an authorization server interacts with the resource owner to obtain a scope-based authorization grant, and it issues the client "tokens" with "scopes" that quantify what the client may do on the user's behalf. An OAuth access token on its own does not prove who the user is; the "log in with Google or Facebook" buttons we have all used add OpenID Connect, an identity layer on top of OAuth 2.0 that returns a signed ID token alongside the access token. The sequence is: the identity provider verifies the user's identity first, then runs an authorization code grant flow that hands the third-party site a short-lived code it exchanges for tokens, so you can access different sites without ever sharing your password with them. The key is to first establish a scoped relationship between each of those sites and your identity provider, Google or Facebook. OAuth 2.0 is the authorization standard for doing that.
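The code-grant flow just described can be traced end to end with both parties simulated in one process. The following is an added example, not code from this page or from 1Kosmos: a `Client` (the third-party site) starts a login with a `state` value and a PKCE verifier, an `AuthorizationServer` (the identity provider) issues a single-use code after the user has authenticated, and the client redeems it for a scoped access token. The user's authentication itself is represented by the `authenticated_user` argument to `authorize`, and the client ID, redirect URI and endpoint URL are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed registration: the identity provider knows this client and its exact callback URL.
CLIENT_ID = "webapp-123"
REDIRECT_URI = "https://app.example/callback"
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"


def b64url(data: bytes) -> str:
    """base64url without padding, as OAuth state and PKCE values are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_query(url: str) -> dict:
    return dict(parse_qsl(urlsplit(url).query))


def pkce_challenge(verifier: str) -> str:
    """PKCE S256 method: challenge = base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


class Client:
    """The third-party site offering 'log in with your identity provider'."""

    def __init__(self):
        self.pending = {}  # state -> code_verifier, held server-side per login attempt

    def start_login(self, scope: str = "openid profile") -> str:
        """Step 1: build the authorization request the browser is redirected to."""
        state = b64url(secrets.token_bytes(16))     # binds the callback to this login attempt
        verifier = b64url(secrets.token_bytes(32))  # PKCE secret; never sent in the front channel
        self.pending[state] = verifier
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": scope, "state": state,
            "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256",
        })

    def handle_callback(self, callback_url: str, server: "AuthorizationServer") -> dict:
        """Step 3: the browser comes back with a code; redeem it over the back channel."""
        q = parse_query(callback_url)
        verifier = self.pending.pop(q.get("state", ""), None)  # unknown or replayed state: reject
        if verifier is None:
            raise ValueError("unknown or reused state")
        return server.token("authorization_code", q.get("code", ""), REDIRECT_URI, CLIENT_ID, verifier)


class AuthorizationServer:
    """The identity provider: authenticates the user, then issues a scoped grant."""

    def __init__(self):
        self.registered = {CLIENT_ID: REDIRECT_URI}
        self.codes = {}   # authorization code -> grant record
        self.tokens = {}  # access token -> what it authorizes

    def authorize(self, authorize_url: str, authenticated_user: str) -> str:
        """Step 2: runs after the user has authenticated and consented; returns the redirect."""
        q = parse_query(authorize_url)
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported request")
        if "code_challenge" not in q or "state" not in q:
            raise ValueError("missing code_challenge or state")
        if self.registered.get(q.get("client_id")) != q.get("redirect_uri"):
            raise ValueError("unregistered client or redirect_uri")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "user": authenticated_user, "scope": q.get("scope", ""),
                            "challenge": q["code_challenge"], "used": False}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, grant_type, code, redirect_uri, client_id, code_verifier) -> dict:
        """Token endpoint: exchange a single-use code plus PKCE verifier for an access token."""
        rec = self.codes.get(code)
        if grant_type != "authorization_code" or rec is None or rec["used"]:
            raise ValueError("invalid_grant")
        rec["used"] = True  # burn the code even if a check below fails
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if not hmac.compare_digest(pkce_challenge(code_verifier), rec["challenge"]):
            raise ValueError("invalid_grant: PKCE verifier does not match")
        access_token = b64url(secrets.token_bytes(24))
        self.tokens[access_token] = {"sub": rec["user"], "scope": rec["scope"], "client_id": client_id}
        return {"access_token": access_token, "token_type": "Bearer", "scope": rec["scope"]}

    def introspect(self, access_token: str) -> dict:
        """What a resource server asks: whom is this token for and which scopes does it carry?"""
        return self.tokens.get(access_token, {"active": False})
```

The password never reaches the `Client`: it only ever sees an opaque code and the access token, and the `state` and PKCE checks are what stop a stolen callback URL or an intercepted code from being redeemed by someone else. Real providers return the ID token from OpenID Connect in the same token response; that part is omitted here.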
The tradeoff you will see is when you weigh the security of your IT system against user interface and ease of access. You definitely want robust authentication procedures to ensure only the right people are accessing system resources. At the same time, you don't want those people constantly signing in to access different parts of the system.
In this context, many authorization configurations use tokens, generated during authentication, that tell the system both who you are and what you can do. As you move between different systems, whether different applications or different directories on a server, the token authorizes you every step of the way.
BlockID from 1Kosmos Reduces Risks Associated with Authorization and Authentication
With the complex way that these two access control methods work together to secure systems, it becomes quite a feat for engineers, IT specialists and compliance managers to ensure that their systems are not only protected, but operating with regulations as well.
Instead of mixing and matching authorization and authentication, 1Kosmos built BlockID from blockchain technology to simplify and strengthen security. It does so by:
- Removing the Need for Passwords: Passwords can be stolen and forgotten, and with BlockID your users can access systems without using passwords or sacrificing security.
- Leveraging Biometric Data: BlockID removes the need for physical media or authenticators. Instead, users can access resources through fingerprint, voice or facial recognition.
- Decentralization: Credentials are encrypted and stored in the blockchain, meaning that there is no central point of failure or theft and that security and compliance are maintained.
Authorization and authentication don't have to hold your business back. If you want to stay up to date with news from 1Kosmos, sign up for our newsletter, and read more about our Passwordless Authentication system, BlockID.