Authentication vs. Authorization
A Product Manager's View
These two terms have very different meanings, but you rarely hear about one without the other when it comes to identity, security, or access control. Authentication means confirming your own identity, whereas authorization means being allowed access to the system. In even simpler terms, authentication is the process of verifying who you are, while authorization is the process of verifying what you have access to.
Authentication
Authentication is about validating your credentials such as Username/Password, UserId/PIN or BadgeId to verify your identity. The system then checks whether you are what you say you are using your credentials. Whether on public or private networks, the system authenticates the user's identity through login passwords at the Identity Provider (IdP). Usually authentication is done with a username and password, although there are various other ways to be authenticated, which are discussed below.
Authentication factors determine how many different elements the system uses to verify one’s identity before granting the individual access to anything. Based on the security level, authentication factors can vary from one of the following:
· Single-Factor Authentication: This is the simplest authentication method; it requires only a password to grant a user access to a particular system such as a website or a network. The person requests access to the system using just one credential to verify their identity. For example, requiring only a password against a username is a way to verify a login credential using single-factor authentication.
· Two-Factor Authentication: This requires a two-step verification process that asks not only for a username and password, but also for a piece of information only the user knows. Using a username and password along with confidential information makes it that much harder for hackers to steal valuable and personal data.
· Multi-Factor Authentication: This is the most advanced method of authentication; it requires two or more levels of security from independent categories of authentication to grant a user access to the system. This form of authentication uses factors that are independent of each other in order to eliminate any data exposure. It is common for financial organizations, banks, and law enforcement agencies to use multi-factor authentication.
Authorization
Authorization occurs after your identity has been successfully authenticated by the system; on its own, that authentication would give you full access to resources such as information, files, databases, funds, etc. Authorization, however, verifies your rights and grants you access to a resource such as a specific application on the network only after determining whether you may access the system and to what extent. In other words, authorization is the process of determining whether the authenticated user has access to a particular resource. A good example: once an employee's ID and password have been verified and confirmed through authentication, the next step is determining which employee has access to which floor, and that is done through authorization.
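The two steps described above, written out as an added example (this is not code from the original post): authentication verifies two factors from independent categories, a salted PBKDF2 password hash (something you know) and a time-based one-time code (something you have, RFC 6238), and only an authenticated principal is then passed to a separate authorization check that decides which floor that person may enter. The user store, salt, roles and floor policy are constructed for the example; the TOTP secret for alice is the RFC 6238 test-vector key, so its code at time 59 is the published value 287082.

```python
"""Added example: authentication (two independent factors) followed by a
separate authorization decision. All users, roles and the floor policy are
constructed for this example; the TOTP key is the RFC 6238 test-vector key."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# --- Authentication: who are you? -----------------------------------------

def hash_password(password: str, salt: bytes) -> bytes:
    """Factor 1 (something you know): only a salted PBKDF2 hash is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Factor 2 (something you have): time-based code (RFC 6238), 30 s steps."""
    return hotp(secret, int(at_time) // step, digits)


SALT = b"constructed-salt"          # constructed; use a random per-user salt in practice
USERS = {                           # constructed user store
    "alice": {"pw_hash": hash_password("correct horse", SALT),
              "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector key
              "role": "engineer"},
    "bob":   {"pw_hash": hash_password("battery staple", SALT),
              "totp_secret": b"constructed-secret-bob",
              "role": "visitor"},
}
DUMMY_HASH = hash_password("", SALT)


@dataclass(frozen=True)
class Principal:
    """What authentication produces: a verified identity and its attributes."""
    username: str
    role: str


def authenticate(username: str, password: str, code: str, now: int) -> Optional[Principal]:
    """Return a Principal only if BOTH factors verify; otherwise None."""
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which usernames exist.
    expected = user["pw_hash"] if user else DUMMY_HASH
    pw_ok = hmac.compare_digest(hash_password(password, SALT), expected)
    if user is None:
        return None
    # Accept the current 30 s step and one step either side to absorb clock drift.
    otp_ok = any(hmac.compare_digest(totp(user["totp_secret"], now + d * 30), code)
                 for d in (-1, 0, 1))
    if pw_ok and otp_ok:
        return Principal(username, user["role"])
    return None


# --- Authorization: what may you access? ----------------------------------

FLOOR_POLICY = {                    # constructed: which roles may enter which floor
    "lobby": {"engineer", "visitor"},
    "lab": {"engineer"},
    "server_room": set(),           # nobody in this store, even when authenticated
}


def authorize(principal: Optional[Principal], floor: str) -> bool:
    """Decide access for an already-authenticated principal; default deny."""
    if principal is None:
        return False
    return principal.role in FLOOR_POLICY.get(floor, set())


if __name__ == "__main__":
    now = 59                        # RFC 6238 test time; alice's code is 287082
    alice = authenticate("alice", "correct horse", totp(USERS["alice"]["totp_secret"], now), now)
    print(alice, authorize(alice, "lab"), authorize(alice, "server_room"))
```

Note that `authorize` never looks at credentials: it trusts the `Principal` that `authenticate` produced and consults the policy, so a badge that authenticates perfectly still yields `False` for the server room. Keeping the two decisions in separate functions is what makes the distinction the article draws visible in the code.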
Access to a system is protected by both authentication and authorization, and they are frequently used in conjunction with each other. Although the concepts behind them differ, both are critical to the web service infrastructure, especially when it comes to being granted access to a system. Understanding each term is very important and a key aspect of security.
Jazz Musician; Intuit Alum; Product Leader
3 years
I would prefer to describe Authentication differently than the graphic and description illustrate. Authentication is about proving that the owner of the account has the credentials to get in. In the blog, you say "Authentication is about validating your credentials such as Username/Password, UserId/PIN or BadgeId to verify your identity. The system then checks whether you are what you say you are using your credentials." That said, I would not frame Authentication as a "system that checks whether you are who you say you are...". That is the job of another identity capability referred to as ID Proofing or Verification. Those systems attempt to solve the problem that "it's actually Ken D. behind the keyboard, and not someone else, pretending to be Ken". Such capabilities are provided by vendors like Prove (formerly Payfone), Mitek and Confirm.io (using Gov't ID), and even Experian using the less desirable KBA (Knowledge Based Answers). It's important, especially when communicating with leadership, that the distinction between all three (Verification, Authentication and Authorization) capabilities is clear.