What's the difference between authentication and authorization?
Jan 27, 2021
Authentication confirms that users are who they say they are, while authorization determines which resources and services they are allowed to use. When you hear a knock on your door, you look through the peephole to see if you know the person. And, if that person is a plumber you’ve summoned, you expect them to fix your kitchen sink rather than roam through your house. In computing security, looking through the peephole is authentication, and deciding what that person may do once inside is authorization.
What is authentication?
Authentication is the process of verifying the identity of the user. It takes place at the start of a session, when you are asked to enter your credentials. If you can’t successfully authenticate yourself, you are not allowed to use the services or resources.
Here are a few examples of authentication we are all familiar with:
- logging in to your email account;
- logging in to smartphone apps;
- starting your computer;
- accessing your company’s network;
- accessing your accounts on different websites.
Authentication checks the credentials you present against the ones the service has stored for your account. If they match, you’re granted access.
Types of authentication
We all have dozens of accounts protected by passwords — it’s the most popular method of authentication. The stronger your password, the better. Many people use the same password for all their accounts, which is a big mistake: if an attacker steals that one password, they can get into many different services with no extra effort.
We recommend using a unique password for every account. Of course, it would be impossible to remember them all, but a password manager could do that job for you.
Two-factor authentication adds an extra step to the login process, giving users more protection. After typing your username and password, you also need to prove your identity a second way, using an authenticator app, a fingerprint, or a token.
Since passwords can be stolen, two-factor authentication is your safe harbor: a stolen password alone is not enough to log in.
As the name suggests, biometric authentication relies on the distinctive characteristics of your body: your voice, face, fingerprint, or eye. With biometric authentication, you don’t need to remember any PINs or patterns — that’s why it’s so popular among smartphone users.
Token authentication is typically used as a second step after typing your credentials. A token (a hardware device or an authenticator app) generates a unique code that is valid only for a short time. After the code expires, the token provides you with a new one.
What is authorization?
Authorization defines the rights you have in the services you use. Namely, it’s what you can access and what is restricted. When you connect to your company’s network, you are granted access to certain resources necessary for your daily work. If you’re working in a marketing department, you probably won’t be able to access files from the financial unit.
Users can also grant rights themselves, for example by sharing files with co-workers and thereby authorizing them. Let’s take NordLocker as an example. It’s an easy-to-use app that allows users to encrypt data and store it on the computer or in NordLocker’s cloud. You can share your files with other users and authorize them to access those files. But they still need to create their own master password to authenticate themselves in the app.
Types of authorization
- Role-based access control is used by medium-sized and large enterprises for assigning roles and privileges to employees.
- OAuth is an open-standard authorization protocol that lets one service access a user’s resources held by another service without being given the user’s password. When you go to a website and it offers to log in using other websites or services, this process is enabled by OAuth.
- Security Assertion Markup Language (SAML) lets a single identity provider handle authentication and authorization decisions on behalf of many separate applications.
- JSON Web Token (JWT) authorization issues a signed token for a specific user, which the user then presents to gain access to certain resources and services.
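To make the distinction concrete, here is an added example (not NordLocker’s code) that runs the two steps from the sections above in order: first authentication against stored password hashes, then a role-based authorization check using the marketing/finance scenario. The user names, passwords, roles and permission table are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Passwords are stored as salted PBKDF2 hashes, never in clear text.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}

# Constructed user directory: alice works in marketing, bob in finance.
USERS = {
    "alice": make_user("correct horse battery staple", {"marketing"}),
    "bob": make_user("a-different-long-passphrase", {"finance"}),
}

# Constructed role-based policy: (action, resource) pairs each role may perform.
PERMISSIONS = {
    "marketing": {("read", "campaign_plan"), ("write", "campaign_plan")},
    "finance": {("read", "campaign_plan"), ("read", "ledger"), ("write", "ledger")},
}

def authenticate(username: str, password: str) -> Optional[str]:
    """Step 1 (authentication): who is this? Returns the username or None."""
    user = USERS.get(username)
    # Hash against a dummy salt for unknown users so timing does not reveal
    # whether the account exists; compare_digest avoids timing leaks on the hash.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = _hash_password(password, salt)
    if user is not None and hmac.compare_digest(candidate, user["hash"]):
        return username
    return None

def authorize(username: str, action: str, resource: str) -> bool:
    """Step 2 (authorization): may this already-authenticated user do this?"""
    roles = USERS[username]["roles"]
    return any((action, resource) in PERMISSIONS.get(r, set()) for r in roles)

def access(username: str, password: str, action: str, resource: str) -> str:
    """Authenticate first; only then consult the authorization policy."""
    who = authenticate(username, password)
    if who is None:
        return "denied: authentication failed"
    if not authorize(who, action, resource):
        return "denied: not authorized"
    return "granted"
```

Note that alice, once correctly authenticated, is still refused the finance ledger: passing authentication says nothing about what you are permitted to do.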
John believes that the best things in life are simple. He uses the same approach when he’s writing about online security. John says that his #1 pet peeve is phishing scams. Ironically, his favorite non-work related activity is fishing.