Authentication vs Authorization
Today, we’ll be looking at authentication and authorization. As you may or may not know, authentication and authorization are both processes necessary to protect data and ensure there’s no breach or unauthorized access.
Both terms are usually used when discussing security, particularly when it concerns gaining access to a system. It’s quite easy to mistake one for the other, and that’s the key reason behind today’s topic.
Let’s take a look into how these two are different.
Authentication
Imagine you have to get into a party which is strictly by invitation. You may have people showing up just for the food. So you get to the entrance, and you probably tell the security personnel who you are. Your IV (invitation card) is requested. It’s expected that if you’re on the guest list, you should have the IV, just like the other guests. Having an IV grants you access to the party; otherwise you are escorted out. That’s a simple description of what authentication is.
Authentication requires you to state who you are, and then verifies and confirms that you are who you say you are.
In web apps where users can create accounts, you typically need to be authenticated before you can access your account. This is done so that an impostor can’t break into your account.
Common Authentication Factors
There are a couple of authentication factors that a system could use to verify a user’s identity before granting access.
Single-factor authentication: Here, a user is required to provide a password along with a user ID or username.
Two-factor authentication (2FA): Here, users are required to provide an extra piece of information that is known only to them, in addition to the username and password. This makes it harder for attackers to break into their accounts. Platforms like GitHub and some other social media platforms now require users to have 2FA or offer the option of enabling it.
Multi-factor authentication: This is the most advanced. It typically uses two or more levels of security to grant users access, and it is commonly required by financial applications. With several enterprises going passwordless, we find modern authentication techniques like one-time passwords (OTP), delivered via SMS or email. We also have single sign-on (SSO), where users can use one set of credentials to log in to multiple applications so that they don’t have to enter their username and password repeatedly. For example, you can use your Facebook or Google account to log in to several applications.
Authorization
Once authentication is done, authorization determines which resources the user is permitted to access.
Remember how you were only able to get into that party with an IV? Now imagine that some rooms in the venue have a sign reading “Only authorized personnel allowed beyond this point”. Even though you are allowed into the hall to eat, dance, take selfies, etc., there are some places within the hall that you don’t have permission to be in, and this is what authorization is about.
Now that authentication has established who you are, you are given access only to the resources that your role permits. In a web application, you might be allowed to view some content or visit some pages, but based on your role, you might not be allowed to view other content because you haven’t been granted permission. That explains why you might visit some sites and come across a 403 page, which basically means: “Hey, I’m sorry. I know who you are, and I believe you are who you say you are; however, you don’t have permission to access this resource.”
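The two checks described above, as an added example that is not part of the original post: a small Python request handler first authenticates a username and password against a constructed in-memory user store (salted PBKDF2 hashes), then authorizes the verified role against a constructed permission table. It returns 401 when authentication fails (no valid IV) and the 403 described above when the user is known but not permitted into that "room"; the users, passwords, roles and resource paths are all made up for the example.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; never store the plain password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user store (hypothetical accounts, not real credentials).
USERS = {
    "alice": make_user("correct horse battery", "admin"),
    "bob": make_user("hunter2", "guest"),
}

# Constructed policy: which roles may reach which resource.
PERMISSIONS = {
    "/dashboard": {"admin", "guest"},
    "/admin/users": {"admin"},
}


def authenticate(username: str, password: str):
    """Step 1: who are you, and can you prove it? Returns the role or None."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so response time does not reveal whether the name exists.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):  # constant-time compare
        return None
    return user["role"]


def authorize(role: str, resource: str) -> bool:
    """Step 2: given a verified identity, may its role reach this resource?"""
    return role in PERMISSIONS.get(resource, set())


def handle_request(username: str, password: str, resource: str) -> int:
    """Map the two checks to HTTP status codes: 401, 403 or 200."""
    role = authenticate(username, password)
    if role is None:
        return 401  # no valid invitation: not let in at all
    if not authorize(role, resource):
        return 403  # inside the hall, but this room is "authorized personnel only"
    return 200
```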
And this, friends, is the difference between authentication and authorization. I hope you learnt something today about these concepts.