Authentication and Authorization, also known as AuthN and AuthZ, are two essential terms in access control, and more specifically in Identity and Access Management (IAM). Understanding the difference between the two is crucial. The IAM space can be confusing, and the fact that the two words sound similar doesn't help. Together, authentication and authorization form the foundation of your application's access control: you can't build a secure application unless both are implemented correctly.
What are Authentication and Authorization?
The easiest way to distinguish between authentication and authorization is as follows:
Authentication establishes who is making a request; authorization decides what that established identity is allowed to do within the system.
Specifically, authentication verifies who someone is, while authorization verifies what specific applications, files, and data they can access.
In a simple real-world analogy, authentication checks the ID of whoever is at the door; authorization decides which rooms they may enter and what they may do inside the house.
What Is Authentication?
Authentication is the first step in access control. It verifies the identity of a user, device, or other entity, usually as a prerequisite to granting access to resources in the system. Common authentication factors include passwords, one-time passwords (OTPs), biometrics, and smart cards; multi-factor authentication (MFA) combines two or more independent factors.
For instance, consider token-based authentication, a popular method in modern web applications. After the credentials have been verified once, the server issues a token, usually a cryptographically signed piece of data, and the client presents that token on each subsequent request instead of the username and password. The server accepts the token only after checking its signature and validity period, so a tampered or expired token is rejected.
Leading authentication services include:
What Is Authorization?
After authentication, the system must determine what the authenticated user is allowed to do. This is where authorization comes in: the process of evaluating a user's permissions to decide which operations they may perform on which resources.
Permission models for authorization vary widely. Role-Based Access Control (RBAC) is a common model in which access rights are grouped into roles, and users are assigned roles based on their responsibilities. This simplifies managing permissions, especially in large organizations where many users have overlapping access needs. Roles should grant only the permissions they need (least privilege), and any action not explicitly permitted should be denied by default.
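The following is an added example of the RBAC model just described, not code from the original page or from any of the vendors it lists. The role names, permission strings, and user assignments are constructed assumptions modelled on a banking application; the point is the default-deny check in is_authorized, which allows an operation only when one of the user's roles explicitly grants it.

```python
"""Minimal role-based access control (RBAC) check with default deny.

Added illustration, not code from the original page or from any vendor it
mentions. Role names, permissions and the sample users are constructed
assumptions chosen to mirror the document's banking example.
"""
from __future__ import annotations

# Permissions are "action:resource" strings. Roles map to permission sets and
# users map to roles; a user's effective permissions are the union of the
# permissions of every role they hold.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"read:account"}),
    "customer": frozenset({"read:account", "create:transfer"}),
    "support": frozenset({"read:account", "update:settings"}),
    "admin": frozenset({"read:account", "create:transfer",
                        "update:settings", "delete:account"}),
}

# Constructed sample assignments (assumption: the authenticated user id is the key).
USER_ROLES: dict[str, frozenset[str]] = {
    "alice": frozenset({"customer"}),
    "bob": frozenset({"viewer"}),
    "carol": frozenset({"support", "viewer"}),
    "dave": frozenset({"admin"}),
}


def effective_permissions(user: str) -> frozenset[str]:
    """Union of the permissions granted by all of the user's roles.

    Unknown users and unknown roles contribute nothing, so they end up with
    an empty permission set rather than an error or an accidental grant.
    """
    perms: set[str] = set()
    for role in USER_ROLES.get(user, frozenset()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_authorized(user: str, action: str, resource: str) -> bool:
    """Default-deny check: allowed only when some role explicitly grants action:resource."""
    return f"{action}:{resource}" in effective_permissions(user)


def authorize(user: str, action: str, resource: str) -> None:
    """Enforcement wrapper: raise instead of returning False so callers cannot
    forget to check the result before performing the operation."""
    if not is_authorized(user, action, resource):
        raise PermissionError(f"{user} may not {action} {resource}")


if __name__ == "__main__":
    for user, action, resource in [
        ("alice", "create", "transfer"),
        ("bob", "create", "transfer"),
        ("carol", "update", "settings"),
        ("mallory", "read", "account"),  # never assigned a role: denied
    ]:
        verdict = "allow" if is_authorized(user, action, resource) else "deny"
        print(f"{user:8} {action}:{resource:10} -> {verdict}")
```

Note that the decision is made purely from the identity established by authentication (the user id) plus policy data the system controls; the client never supplies its own roles. That separation is what the rest of this article refers to as authorization depending on authentication.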
Leading authorization services include:
Permit.io, AuthZed, Ory Keto, Styra DAS
Authentication vs. Authorization
Aspect | Authentication | Authorization
--- | --- | ---
What it does | Verifies the identity of a user or system; ensures the user is who they claim to be. | Determines what a user or system can do; controls access to specific resources within a system.
Core question | Establishing identity: "Who you are." | Establishing permissions and access levels: "What you can do."
Methods | Passwords, biometrics, security tokens, multi-factor authentication, smart cards. | Role-based access control (RBAC), attribute-based access control (ABAC), relationship-based access control (ReBAC), and policy-based access control (PBAC).
Inputs | Credentials provided by the user. | Policies and rules defined by the system.
Where it lives | Identity providers and authentication protocols such as OpenID Connect (an identity layer built on OAuth 2.0; OAuth 2.0 by itself is a delegated-authorization protocol, not an authentication protocol). | Application logic, access control frameworks, and policy engines.
Example | Logging in with a username and password. | Granting read or write access to a file or a system resource.
Visibility to the user | Direct, as users must provide credentials. | Indirect, as it operates behind the scenes after authentication.
Frequency | Typically occurs once at the beginning of a session, with re-authentication (step-up) for sensitive actions. | Performed on every access attempt, whenever a user requests a resource.
Dependency | Independent; does not rely on authorization. | Dependent on authentication; decisions are made about an authenticated (or explicitly anonymous) identity.
Audit and compliance | Logging and monitoring of login attempts and credential usage. | Monitoring and recording of access attempts to resources and data.
Trends | Advancing with technologies such as biometric authentication and AI-based anomaly detection. | Evolving with complex organizational structures and expanding cloud environments.
Goal | To establish trust and confirm the identity of users, systems, or devices. | To ensure appropriate and authorized access to and usage of resources, data, or functionality.
Authentication and Authorization Lifecycle
Understanding the lifecycle of authentication and authorization is critical in implementing effective security measures. Authentication generally precedes authorization; a user first proves their identity and then is granted access to resources based on their permissions.
Authentication is typically a one-time process per session, whereas authorization occurs on every request during the session. For example, in a banking application a user is authenticated at login but is authorized separately for each transaction, each change to account settings, and each view of sensitive account information. Many banks also require the user to re-authenticate (step-up authentication) before a high-value transfer, so "once per session" is a default rather than a rule: the authorization policy for a sensitive operation can demand a recent credential check.
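The lifecycle described above, as an added example that is not part of the original page: the password is verified once at login to create a session, every operation is then authorized individually, and sensitive operations demand a recent re-authentication (step-up). The credential store, the operations table with its freshness limits, and the sample user are constructed assumptions modelled on the banking example.

```python
"""Authenticate once per session, authorize on every request, step up for
sensitive operations.

Added illustration, not code from the original page. The password store,
the MAX_AUTH_AGE policy table and the sample user are constructed
assumptions modelled on the banking example above.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Constructed credential store: username -> (salt, PBKDF2-SHA256 hash).
_PASSWORD_DB: dict[str, tuple[bytes, bytes]] = {}
_DUMMY = (bytes(16), bytes(32))  # hashed against for unknown users so timing is uniform
_ITERATIONS = 100_000


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    _PASSWORD_DB[username] = (salt, digest)


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison of the derived hash against the stored one."""
    record = _PASSWORD_DB.get(username)
    salt, expected = record if record is not None else _DUMMY
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return record is not None and hmac.compare_digest(actual, expected)


@dataclass
class Session:
    user: str
    authenticated_at: float  # time the credential was last verified


_SESSIONS: dict[str, Session] = {}  # session id (handed to the client) -> state

# Authorization policy: the maximum age, in seconds, of the last credential
# check that each operation accepts. Operations not listed are denied.
MAX_AUTH_AGE: dict[str, float] = {
    "view_balance": 8 * 3600,   # an ordinary session is enough
    "change_settings": 15 * 60,
    "transfer_funds": 5 * 60,   # needs a recent re-authentication (step-up)
}


def login(username: str, password: str, now: float) -> str | None:
    """Authentication: happens once and creates the session. Returns the session id."""
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable session identifier
    _SESSIONS[sid] = Session(username, now)
    return sid


def step_up(sid: str, password: str, now: float) -> bool:
    """Re-authentication within an existing session refreshes its freshness."""
    session = _SESSIONS.get(sid)
    if session is None or not verify_password(session.user, password):
        return False
    session.authenticated_at = now
    return True


def authorize(sid: str, operation: str, now: float) -> str:
    """Authorization: evaluated on every request.

    Returns "allow", "step_up" (valid session, but the last credential check
    is too old for this operation) or "deny" (no session or unknown operation).
    """
    session = _SESSIONS.get(sid)
    if session is None or operation not in MAX_AUTH_AGE:
        return "deny"
    if now - session.authenticated_at > MAX_AUTH_AGE[operation]:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    sid = login("alice", "correct horse battery staple", now=1000.0)
    assert sid is not None
    print("view_balance after 10 min:", authorize(sid, "view_balance", 1600.0))
    print("transfer_funds after 10 min:", authorize(sid, "transfer_funds", 1600.0))
    step_up(sid, "correct horse battery staple", 1600.0)
    print("transfer_funds after step-up:", authorize(sid, "transfer_funds", 1600.0))
```

The "step_up" verdict is the piece most applications get wrong: the session is valid and the user is who they say they are, yet the authorization policy for that particular operation still refuses to act on an old proof of identity.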
Modern authentication solutions gather the relevant claims about the user into a passport-like document, a JSON Web Token (JWT). The claims inside the JWT are cryptographically signed, so later recipients (mainly the authorization layer and the application itself) can make decisions based on the user's identity without re-authenticating, provided they verify the signature with a pinned algorithm and check the issuer, the intended audience, and the expiry time before trusting any claim.
Authentication and authorization are pervasive in the digital landscape, forming the backbone of application security. These processes are integral to maintaining data integrity and user privacy, from logging into social media to accessing bank accounts.
Want to learn more about Auth? Join our Slack community, where there are hundreds of devs building and discussing AuthN and AuthZ.