Auth?
Authentication or Authorization?
Authentication or Authorization? Many folks usually mix(up) these terms and use one for another OR often use the term auth to refer both authentication as well as authorization. Many a times I myself have been guilty of doing so😬. These two terms are somewhat related and have overlapping mechanisms in application security. But they aren’t the same thing!, Lets get this first sorted today.
Authentication is a mechanism for verifying who a user or a process is and determining whether they are in-fact what they declare themselves to be. Authentication technology in an application provides a access control to that system. For example many systems use usernames and passwords (a piece of information that is known only to user) that together known as knowledge authentication factor make up an identity(username) and a verifying entity(password) that is verified against the correctness with that saved on the system records. There many other forms of authentication methods some of which are OAuth(which includes features as “sign in with Google”), SAML (Security Assertion Markup Language) which companies use to authenticate into multiple systems by one set of credentials, and other methods as passwordless authentication that completely eliminate whole lot of issues caused by passwords.
Authorization is a mechanism of controlling what users are allowed to do and what not. Authorization is often built upon authentication and overlap most closely, as authenticated user information becomes a part of input to a system that un-locks a door then determining what that user can and cannot do(what thing they are allowed to touch, access or maybe take) becomes responsibility of authorizing that user to perform some task within that system. It is as much critical as authentication that the authenticated user should have access to the right data. One good example could be a school administration -
student come to school study, have fun, learn give a number of exams and leave. - while are not allowed access to exam papers, systems etc…
teachers teach, conduct exams construct proper time table for covering of syllabus and so on. -while don’t have access to finances of the school
school administrators control various departments like faculties, cultural department and establish school objectives and so on.
school councils and chair persons have control of these various administrators and ensure there is proper funding for the school.
All these are various authorization roles with different level of permission and access controls in a school system. Authentication becomes an important part to claim those permission.
Different methods/strategies of authorization are Attribute-based Access Control(ABAC) where a system determines one access based on an attribute or a claim associated with that user, Role-based Access control(RBAC) where permissions are associated with the roles of that user and not directly on the credentials. for example going through examination department depends on the faculty type(role -RBAC) while accessing the systems depends on the credentials provided(ABAC).
Its important that development teams spend fairly good amount of time on structuring these Authorization systems.