People often confuse the terms AuthZ (authorization) and AuthN (authentication). Some of that confusion stems from the fact that the short form of both words is the same, “auth”, so even a delegated authorization scheme like OAuth can easily be mistaken for something that has to do with authentication. But authentication and authorization are really two simple and complementary concepts that work in tandem to protect identities and control access to resources.
AuthZ vs. AuthN
Authentication or AuthN is the process of proving that users are who they claim to be. In other words, proving that the user behind the keyboard is the actual owner of the account associated with the username.
Authorizations or AuthZ specify what resources an authenticated user is permitted to access and which operations they are permitted to perform on the resource. For example:
- Can a user access the HR folder on the company file server?
- Which files in the folder can s/he access?
- Can they read and write to it or is their access “read-only”?
Based on the two definitions above, there is a natural order in which authentication and authorization are performed. Users are first authenticated to establish that they do in fact own the account. Once their identity is known, their permissions to resources, their authorizations, are looked up in the authorization system and enforced.
Authentication and authorization work in tandem to prevent unauthorized access to data and systems. In the most basic setup, users are authenticated once, typically when logging on to the company network, and their authorizations (access permissions) are determined by the role associated with their user account.
For example, a user is authenticated when logging on to their Windows desktop, and their authorizations are determined by the group to which their user account belongs, e.g. system administrators, finance employees, developers, etc. In more modern setups, users are authenticated more frequently, and authorizations are defined at a more granular level.
In some cases, authorizations are also contingent on various contextual parameters. For example, users are authenticated every time they request access to a resource, and authorization is granted for performing specific operations on that specific resource. Authorizations may be further limited by where the user is connecting from, the security posture of the device they are using, what they have accessed historically, and so on.
The concepts of authentication and authorization apply to human users and also to unattended software and systems interacting with one another without human intervention (e.g. one application requesting services from another via an API).
Recent Developments in AuthN
More recently, the idea of “continuous authorization” has become popular. It involves continually permitting access to resources based on the integrity of the device a user is connecting from, or on continuous authentication of the user’s identity. With this approach, users are evaluated not just at the start of a session with a resource but at periodic intervals. In this scenario AuthN is tightly coupled to AuthZ, since a failed identity check during continuous evaluation implies that an action must be taken immediately on the AuthZ side. In older network days, the user was perhaps placed on a specific VLAN with less privilege and access; in today’s network and application architecture, specific application workloads or services may be made off limits, or the user may be kicked off the application altogether.
Recent Developments in AuthZ
Unlike AuthN, the AuthZ side of the house has seen much more dynamism and change in the past 15 to 20 years. Let’s take a look at some of those changes, starting with the common ways to authenticate users:
- Passwords were the default way of authenticating users for ages. The user enters a username or user ID, which tells the system who the user claims to be, and a password, a shared secret that only the “real” user and the authenticating software should know. If the user can prove their identity by producing the right password, the authentication service assumes that the user is who the username says they are.
- Two-factor authentication (2FA). As passwords became increasingly vulnerable to theft and other attacks (primarily via phishing), multi-factor authentication (MFA) was added on top of the standard username-password combination. Requiring additional factors offers a stronger, higher-assurance form of authentication.
- The first authentication factor typically remains the password, but in addition to the password, the user needs to prove possession of a physical authenticator (something the user has), or produce a biometric or behavioral print (something the user is). A common second factor is proof of possession of a registered hardware authentication token (e.g. an OTP token or USB key) or device (e.g. a mobile phone). Proof of possession is generally done using one-time passcode (OTP) technology or public-key cryptography (PKI certificates).
- Biometric authentication has seen a dramatic increase in use, whether as part of an MFA scheme or as a standalone authentication method. Many biometric signatures are in use today, the most popular being fingerprint and facial signatures. A fingerprint can be obtained from the sensor embedded in most mobile devices and laptops, a face image can be taken with the device camera, and a voiceprint can be captured by its microphone. Behavioral biometrics are also used to uniquely identify a user: distinctive behaviors can be detected by measuring the way the user types (keystroke dynamics) or the unique patterns used to draw a signature.
- Passwordless authentication is likely the future approach to MFA since it proves more secure than passwords and provides a better user experience (UX) for the workforce. As its name suggests, the passwordless authentication process removes passwords as a means of proving identity and replaces them with one or more (typically two) alternative forms of authentication. Most commonly used is a registered mobile device in combination with a fingerprint taken from the device’s sensor. Other forms of passwordless authentication can be a registered mobile device in combination with a faceprint or voiceprint, a dedicated USB authentication token device, etc.
Authorization schemes historically defined user permissions based on the role assigned to the user’s identity. More modern authorization approaches are more granular: they look at the specific capability or data the user is trying to access, together with contextual information associated with the access request, e.g. where the user is accessing from, what the security posture of his device is, whether this is atypical behavior for the user, etc.
Under a role-based permissions scheme, each user account is assigned a role definition, and permissions are automatically associated with the role. For example, a user with an admin role has extensive permissions to read and write all resources, whereas a user with a contractor role may only have been granted read-only access to a small subset of applications and databases.
Passwordless Authentication and Zero Trust
More granular permissions schemes have become more mainstream in recent years. Zero Trust, with its “never trust, always verify” approach, grants permissions in a very particular way. For example, a user may have access to the salaries folder owned by the HR department, but only to the salaries of his direct subordinates, and only when logging in from a company-issued computer during work hours.
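As an added illustration (not code from the original article), here is a small Python model of the sequence the article describes: authenticate first, then look up role-based permissions and apply the contextual Zero Trust constraints from the salaries example (direct subordinates only, company-issued device, work hours). The account names, passwords, roles and the weekday 09:00-17:00 window are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime

def _hash_pw(salt: bytes, pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed sample account directory (one shared salt for brevity; a real
# store keeps a random per-user salt). "manager" = the account they report to.
_SALT = b"constructed-salt"
USERS = {
    "alice": {"hash": _hash_pw(_SALT, "alice-pw"), "role": "manager", "manager": None},
    "bob":   {"hash": _hash_pw(_SALT, "bob-pw"),   "role": "employee", "manager": "alice"},
    "carol": {"hash": _hash_pw(_SALT, "carol-pw"), "role": "contractor", "manager": "alice"},
}
# Role-based permissions: role -> resource -> allowed operations
ROLE_PERMS = {"manager": {"hr/salaries": {"read"}}, "employee": {}, "contractor": {}}

def authenticate(username: str, password: str):
    """AuthN: prove the caller owns the account. Returns the username or None."""
    rec = USERS.get(username)
    candidate = _hash_pw(_SALT, password)  # hash even for unknown users (same work)
    if rec is None or not hmac.compare_digest(rec["hash"], candidate):
        return None
    return username

def authorize(user: str, resource: str, op: str, subject: str,
              managed_device: bool, when: datetime) -> bool:
    """AuthZ: role lookup first, then the contextual (Zero Trust) constraints."""
    if op not in ROLE_PERMS[USERS[user]["role"]].get(resource, set()):
        return False
    if resource == "hr/salaries":
        # only the salaries of the requester's direct subordinates ...
        if USERS.get(subject, {}).get("manager") != user:
            return False
        # ... from a company-issued device, on a weekday, between 09:00 and 17:00
        if not managed_device or when.weekday() >= 5 or not 9 <= when.hour < 17:
            return False
    return True

def request_access(username, password, resource, op, subject, managed_device, when):
    """Authenticate first; only then look up and enforce the authorizations."""
    user = authenticate(username, password)
    if user is None:
        return "authentication failed"
    return "granted" if authorize(user, resource, op, subject, managed_device, when) else "denied"
```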
Passwordless authentication and Zero Trust Architectures are two strong trends in authentication and authorization policy that will likely continue to be a major investment area for companies in the coming years.
The adoption of passwordless authentication systems is driven by the realization that password vulnerabilities are at the heart of the great majority of network security breaches. Passwords in the hands of users are easily compromised via various flavors of phishing attacks, or simply guessed by sophisticated attackers. Passwordless authentication offers a superior alternative: better security, a better UX, and lower cost to own and operate.
Zero Trust acknowledges that authenticating users at the front gate, the network perimeter, and then authorizing them to roam free and access anything and everything once they’ve crossed it no longer works. Instead, Zero Trust requires users to authenticate more frequently and grants access to resources on an as-needed basis. It is a much more granular authentication and authorization scheme that seeks to positively vet the identity of every user asking for access to a resource, and to verify that the user has only the minimum permissions required to perform his job.