Read our 2020 take on authentication vs authorization here.
In order to protect sensitive data and operations from unwanted access by intruders and malicious actors, developers integrated authentication and authorization features into their applications. Whether you’re running a banking app, a social media website or a blogging platform, these are the two key functionalities that will seal your application against security incidents.
While the two terms are often used interchangeably, authentication and authorization represent fundamentally different functions and protect applications in complementary ways. Here’s everything you need to know.[sdo-table type=”column”]
|Who are you?
Verify the right person is accessing a network
|Are you allowed to do that?
|Implemented in the login stage||A form of access control|
|Check user credentials||In an organization authorization is enforced by:
|Uses authentication technology such as:
||Uses authorization software such as:
|Authentication determines the right of a user to access resources such as files, services, and data servers.||Authorization enforces user privileges to system resources such as files, services and data servers.|
|Authentication technology challenges the user to provide authentication challenges (passwords, answers to security questions, Hardware tokens, approval through an out of band device).||Authorization software determines the rights an authenitcated user has according to rules and policies.|
What is authentication?
Authentication is the process of validating the identity of a registered user who is accessing a service or application.
Traditionally, applications feature a login page where users enter their user ID (username/email/phone number) and an associated password. If the user ID and passwords match the records stored in the application’s database, the user is granted access. When users are successfully authenticated, they are usually assigned a session token. Session tokens enable authenticated users to continue accessing an application from the device they used to login until they log out or their session expires.
Passwords have grown increasingly cumbersome to manage and difficult to protect over time. They have distinct weaknesses which can make the authentication process of an application vulnerable to cyber attacks, such as password theft, brute-force attacks, man-in-the-middle attacks and data breaches.
For this reason, application developers often strengthen passwords with two-factor or multifactor authentication (2FA/MFA), which requires the user to prove ownership of an additional token (mobile device, physical dongle, email address…) when logging into a service.
An alternative to passwords is passwordless authentication, such as biometric scans and authenticator apps. Passwordless technologies such as Secret Double Octopus provide frictionless authentication that is highly resilient to security breaches and cyberattacks. Users don’t have to remember passwords, applications don’t have to store them, and everyone is safer because it makes many password-based attacks invalid.
Get our free Whitepaper about password vulnerability.
What is authorization?
Authorization is the process of making sure an authenticated user has the necessary privileges to access a specific resource or operation within an application. For instance, if you’re running a document management platform, you might want to assign files and folders to specific users.
Authorization is usually implemented through the following elements:
- Privileges: Privileges grant access to specific operations. For instance, administrators have the privilege to create or disable other user accounts, while normal users will only be granted the privilege to change their own password and profile information.
- Access Control Lists (ACL): ACLs specify which users have access to certain resources. For instance, a user must be included in the ACL of a specific file or folder in order to be able to access or modify it.
In order to assign privileges and ACLs to users in batches, applications might implement “roles” and “groups,” two features that enable the categorization of users and assign privileges and access controls to them based on their responsibilities or organizational standing.
Under normal circumstances, an authenticated user is allowed to perform all of the operations they’re authorized to do. For instance, after logging into your email account, you can view your inbox, send emails…
However, when a user wishes to access a specifically sensitive resource or operation, additional steps must be taken to authorize the request. For instance, when users want to perform a payment, they will be asked to re-enter their credentials, or basically, repeat the authentication process. Some applications might take precautionary authorization methods when they see the unusual behavior, such as access to an account from a new IP address, or an attempt to make a high-value transaction.
This is to make sure that the user’s session (explained above) has not been compromised or hijacked by a malicious actor. If the application in question uses a secure frictionless authentication process, it can make sure that users are protected without annoying them with complicated authorization confirmations and extra password entries.
The NIST guidelines and what they mean for the future of SMS authentication