Skip to main content

Authentication vs Authorization

Authentication vs Authorization

- Authentication and authorization are the two words used in the security world. They might sound similar but are completely different from each other. Authentication is used to authenticate someone's identity, whereas authorization is a way to provide permission to someone to access a particular resource. These are the two basic security terms and hence need to be understood thoroughly. In this topic, we will discuss what authentication and authorization are and how they are differentiated from each other.


What is Authentication?
  • Authentication is the process of identifying someone's identity by assuring that the person is the same as what he is claiming for.
  • It is used by both server and client. The server uses authentication when someone wants to access the information, and the server needs to know who is accessing the information. The client uses it when he wants to know that it is the same server that it claims to be.
  • The authentication by the server is done mostly by using the username and password. Other ways of authentication by the server can also be done using cards, retina scans, voice recognition, and fingerprints.
  • Authentication does not ensure what tasks under a process one person can do, what files he can view, read, or update. It mostly identifies who the person or system is actually.

Authentication Factors
As per the security levels and the type of application, there are different types of Authentication factors:
  • Single-Factor Authentication - Single-factor authentication is the simplest way of authentication. It just needs a username and password to allows a user to access a system.
  • Two-factor Authentication - As per the name, it is two-level security; hence it needs two-step verification to authenticate a user. It does not require only a username and password but also needs the unique information that only the particular user knows, such as first school name, a favorite destination. Apart from this, it can also verify the user by sending the OTP or a unique link on the user's registered number or email address.
  • Multi-factor Authentication - This is the most secure and advanced level of authorization. It requires two or more than two levels of security from different and independent categories. This type of authentication is usually used in financial organizations, banks, and law enforcement agencies. This ensures to eliminate any data exposer from the third party or hackers.

Famous Authentication techniques

1. Password-based authentication - It is the simplest way of authentication. It requires the password for the particular username. If the password matches with the username and both details match the system's database, the user will be successfully authenticated.

2. Passwordless authentication - In this technique, the user doesn't need any password; instead, he gets an OTP (One-time password) or link on his registered mobile number or phone number. It can also be said OTP-based authentication.

3. 2FA/MFA - 2FA/MFA or 2 - factor authentication/Multi-factor authentication is the higher level of authentication. It requires additional PIN or security questions so that it can authenticate the user.

4. Single Sign-on - Single Sign-on or SSO is a way to enable access to multiple applications with a single set of credentials. It allows the user to sign-in once, and it will automatically be signed in to all other web apps from the same centralized directory.

5. Social Authentication - Social authentication does not require additional security; instead, it verifies the user with the existing credentials for the available social network.

What is Authorization?

- Authorization is the process of granting someone to do something. It means it a way to check if the user has permission to use a resource or not.
It defines that what data and information one user can access. It is also said as AuthZ.
The authorization usually works with authentication so that the system could know who is accessing the information.
Authorization is not always necessary to access information available over the internet. Some data available over the internet can be accessed without any authorization, such as you can read about any technology from here.


Authorization Techniques
  • Role-based access control - RBAC or Role-based access control technique is given to users as per their role or profile in the organization. It can be implemented for system-system or user-to-system.
  • JSON web token - JSON web token or JWT is an open standard used to securely transmit the data between the parties in the form of the JSON object. The users are verified and authorized using the private/public key pair.
  • SAML - SAML stands for Security Assertion Markup Language. It is an open standard that provides authorization credentials to service providers. These credentials are exchanged through digitally signed XML documents.
  • OpenID authorization - It helps the clients to verify the identity of end-users on the basis of authentication.
  • OAuth - OAuth is an authorization protocol, which enables the API to authenticate and access the requested resources.
Authentication
  • Authentication is the process of identifying a user to provide access to a system.
  • In this, the user or client and server are verified.
  • It is usually performed before the authorization.
  • It requires the login details of the user, such as user name & password, etc.
  • Data is provided through the Token Ids.
  • Example: Entering Login details is necessary for the employees to authenticate themselves to access the organizational emails or software.
  • Authentication credentials can be partially changed by the user as per the requirement.

Authorization
  • Authorization is the process of giving permission to access the resources.
  • In this, it is verified that if the user is allowed through the defined policies and rules.
  • It is usually done once the user is successfully authenticated.
  • It requires the user's privilege or security level.
  • Data is provided through the access tokens.
  • Example: After employees successfully authenticate themselves, they can access and work on certain functions only as per their roles and profiles.
  • Authorization permissions cannot be changed by the user. The permissions are given to a user by the owner/manager of the system, and he can only change it.

Conclusion - As per the above discussion, we can say Authentication verifies the user's identity, and Authorization verifies the user's access and permissions. If the user can't prove their identity, they cannot access the system. And if you are authenticated by proving the correct identity, but you are not authorized to perform a specific function, you won't be able to access that. However, both security methods are often used together.

Comments

Popular posts from this blog

Object Oriented and Relational Database

Object Relational and Object-Oriented Database What Is Object Relational Database? An object-relational database (ORD) is a database management system (DBMS) that’s composed of both a relational database (RDBMS) and an object-oriented database (OODBMS). An object-relational database acts as an interface between relational and object-oriented databases because it contains aspects and characteristics from both models. Object-oriented database (ORD) serves two main purposes: It connects the divide between relational databases and the object-oriented modeling techniques that are usually used in programming languages like C#, Java and C++. It bridges the gap between conceptual data modeling techniques for relational and object-oriented databases like entry-relationship diagram (ERD) and object-relational mapping (ORM). What Is Object Oriented Database? An object-oriented database is organized around objects rather than actions and data rather than logic. Therefore, an object database is a d...

What is the monitor? How many types and what is it? Details about CRT, LCD and LED monitors.

मॉनिटर क्या है? कितने प्रकार का होता है और क्या होता है? सीआरटी, एलसीडी और एलईडी मॉनिटर के बारे में विवरण। मॉनिटर क्या है? = मॉनिटर वह पार्ट्स है जो कंप्यूटर सिस्टम के साथ टीवी जैसा दिखता है। मॉनिटर कंप्यूटर सिस्टम का एक बहुत ही महत्वपूर्ण आउटपुट डिवाइस है। इसे डिस्प्ले डिवाइस के नाम से भी जाना जाता है। कंप्यूटर पर हम जो भी कार्य करते हैं उन्हें इस मॉनिटर के माध्यम से देखा जा सकता है, इसलिए मॉनिटर को विजुअल डिस्प्ले यूनिट कहा जाता है। मॉनिटर अलग-अलग साइज में आते हैं जैसे- 14 इंच, 15 इंच, 17 इंच, 19 इंच आदि। (Image by - Google Images) मॉनिटर कितने प्रकार के होते हैं? = रंग प्रदर्शन के आधार पर मॉनिटर्स को दो श्रेणियों में विभाजित किया जा सकता है। 1) मोनोक्रोम मॉनिटर (Monochrome Monitor), 2) कलर मॉनिटर (Color Monitor) । *  वर्तमान में मोनोक्रोम मॉनिटर का उपयोग शायद ही ध्यान देने योग्य है। अब हर जगह कलर मॉनिटर का इस्तेमाल किया जाता है। 1) मोनोक्रोम मॉनिटर (Monochrome Monitor) = इस प्रकार का मॉनिटर केवल सादा-काला चित्र प्रदर्शित करता है। वर्तमान में मोनोक्रोम मॉनिटर बहुत कम उपयोग होता ...

Normalization Types in DBMS

Normalization Types in DBMS First Normal Form (1NF) A relation will be 1NF if it contains an atomic value.  It states that an attribute of a table cannot hold multiple values. It must hold only single-valued attribute. First normal form disallows the multi-valued attribute, composite attribute, and their combinations. Example: Relation EMPLOYEE is not in 1NF because of multi-valued attribute EMP_PHONE. EMPLOYEE table: EMP_ID EMP_NAME EMP_PHONE EMP_STATE 14 John 7272826385, 9064738238 UP 20 Harry 8574783832 Bihar 12 Sam 7390372389, 8589830302 Punjab The decomposition of the EMPLOYEE table into 1NF has been shown below: EMP_ID EMP_NAME EMP_PHONE EMP_STATE 14 John 7272826385 UP 14 John 9064738238 UP 20 Harry 8574783832 Bihar 12 Sam 7390372389 Punjab 12 Sam 8589830302 Punjab Second Normal Form (2NF) In the 2NF, relational must be in 1NF.  In the second normal form, all non-key attributes are fully functional dependent on the primary key  Example: Let's assume, a school can ...