Both authentication and authorization have different meanings. But, it is normal to think that these are synonyms. In fact, they are security processes that have different purposes. In essence, authentication verifies the identity of the user who wants to access a resource. On the other hand, the authorization validates whether the user does indeed have permission to access it or perform any function . Today in this article we are going to explain in detail the differences between authentication and authorization, so that these two concepts so important in computer security are clear to you.
Authentication and authorization: clarifying concepts
It is important to start with the essential, that is, define what each thing means. Authentication is the process of identifying users and ensuring that they are who they say they are.
What could be a proof of authentication? The most used is the password. If the user knows his pair of credentials (username and password), the system will understand that the identity of that user is valid. Consequently, you will be able to access the desired resource or set of resources.
There is a visible trend towards additional authentication methods, to avoid only the use of passwords. One of these additional authentication methods are OTP (OTP – One Time Passcodes) which are alphanumeric series that arrive by text message (SMS), email or we generate it with an authenticating application such as Google Authenticator, Authy or Latch. OTP is used for MFA authentication, that is, multi-factor. It is an extra step that gives us greater security when authenticating a user.
Another more modern authentication application is SSO or Single Sign-On where a user can access all the system resources he needs. This, without the need to enter your pair of credentials every time you want to enter this or that thing.
So what does the authorization consist of?
Authorization is what defines which system resources the authenticated user will be able to access . Just because you have successfully passed the authentication instance, it does not mean that you will be able to use the system entirely as a super administrator. According to a series of rules, rules and regulations specific to each internal network, it is determined that user A will have access to resources X and Y. However, user B will only be able to access resource Z.
If you were an administrator user, you would have access to resources X, Y, and Z as well as resources 1, 2, and 3, which are unique to those with administrator permissions and privileges.
Both concepts can be synthesized in the following way:
- Authentication: verify identities, by different methods (something we know, something we have, something we are).
- Authorization : check the permissions that correspond to each identity.
Most used authentication methods
We have already reviewed one of the most used methods: MFA or Multifactor authentication. Let’s go on to cite other popular methods:
- No password or Passwordless. This is one of the most practical modern methods. An example of application is the use of a magic link . It is that, every time you want to log in to a resource or service, a link will be sent to your email that will allow you to access without the need for a password. This is a recommended method, since access to email is required and, therefore, there are more guarantees to ensure that it is the user who is accessing it.
- On social networks. Without a doubt, you will have already used this method. Several applications and services give you the option to log in directly with a social account . The main advantage is that it is not necessary to create a separate account manually, directly the data of that social account does that step when starting the session. The most used social platforms are Facebook, Twitter and the Google account.
- API authentication. This is the process of certifying the identity of a user who wants to access resources and / or services on the server. To take into account, some of the most popular authentication APIs are: basic HTTP authentication, Core API and OAuth.
- Biometric Authentication. It uses fingerprints to validate the identity of the user. The most popular use case is in workplaces, where both to register the entry and exit, the finger is placed to validate the fingerprint. This fingerprint is validated by prior registration of the fingerprint that is stored in the database.
Commonly used authorization methods
What we will discuss below, is especially useful information for all developer applications and web services in general. Remember that a fundamental part of a great user experience is that they can access with confidence and security all the necessary resources at all times that they need to have them.
- HTTP authorization. As well as authentication, there is HTTP type authorization. What does it consist of? The person enters their username and password to authenticate themselves. It is good to keep in mind that this method does not involve cookies, session IDs or login pages.
- API authorization. As well as authentication, there is API type authorization. When the user tries to gain access to system resources during registration, an API key is generated. That same key is paired with a token (an identifier token) that is hidden. So, that combination of API key and hidden token is the one that is constantly used every time the user authenticates and enters their environment of resources and services that they can use.
- OAuth 2.0. This method allows the API to authenticate and access the system resources it needs. OAuth version 2.0 is one of the most secure methods of both authentication and authorization.
- JWT authorization. It is an open standard that is used for the secure transmission of data between different parties. It has support for both authentication and authorization. JWT is commonly used for authorization, and uses a public-private key pair. That is, that pair contains a private and a public key.
It is extremely important to implement and use both authentication and authorization. Both security processes provide additional layers of protection for systems and resources. This extra protection allows numerous cyberattacks to be prevented that are particularly damaging to users. Remember that these users put their personal data in the hands of the applications and services.
In many cases, highly sensitive data such as banking, financial and commercial data is included. Data breach events are one of the biggest risks that systems face. That an organization and its application or offered service is affected by a data breach, implies a great violation to the security and privacy of the users, which results in damages of incalculable value for the same.