In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.
More about Authentication
Authentication is the process of identifying users and validating that they are who they claim to be. One of the most common and obvious factors used to authenticate an identity is a password. If the password supplied for a user name matches the stored credential, the identity is considered valid and the system grants access to the user.
Interestingly, with enterprises going password-less, many now use modern authentication techniques such as one-time passcodes (OTP) delivered via SMS or email, single sign-on (SSO), multi-factor authentication (MFA) and biometrics to authenticate users and provide security beyond what passwords alone offer.
Popular authentication techniques
- Password-based authentication is a simple method of authentication that requires a password to verify the user’s identity.
- Password-less authentication is where a user is verified through OTP or a magic link delivered to the registered email or phone number.
- 2FA/MFA requires more than one verification step, such as an additional PIN or security question on top of the password, to identify a user and grant access to a system.
- Single sign-on (SSO) allows users to access multiple applications with a single set of credentials.
- Social authentication verifies and authenticates users with existing credentials from social networking platforms.
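The following is an added example, not code from the original article, showing the two factors most often combined in the techniques above: a password check against a salted PBKDF2 hash, and a one-time passcode computed with HOTP (RFC 4226), the algorithm behind most OTP generators. The user store, the user "alice", her password and her OTP secret are all constructed for the example; the OTP secret is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, derived_key) for storing a newly set password.

    Only the random salt and the PBKDF2-HMAC-SHA256 output are stored,
    never the clear-text password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored_dk: bytes) -> bool:
    """Recompute the hash and compare in constant time (no timing leak)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_dk)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password as specified in RFC 4226."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user store (in practice a database). Salt and hash are
# generated at import time; the OTP secret is the RFC 4226 test key.
_salt, _dk = hash_password("correct horse battery staple")
USERS: Dict[str, dict] = {
    "alice": {
        "salt": _salt,
        "pw_hash": _dk,
        "otp_secret": b"12345678901234567890",
        "otp_counter": 0,          # next counter value the server expects
    },
}


def authenticate(username: str, password: str, otp: str) -> Optional[str]:
    """Return the authenticated principal name, or None if either factor fails.

    Authentication only answers "who is this?"; what the principal may then
    do is a separate authorization decision."""
    record = USERS.get(username)
    if record is None:
        # Burn an equivalent hash so unknown user names take as long as
        # known ones (user-enumeration defence), then fail.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"dummy-salt", PBKDF2_ITERATIONS)
        return None
    if not verify_password(password, record["salt"], record["pw_hash"]):
        return None
    expected = hotp(record["otp_secret"], record["otp_counter"])
    if not hmac.compare_digest(expected, otp):
        return None
    # Advance the counter only on success so a captured code cannot be replayed.
    record["otp_counter"] += 1
    return username


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple", hotp(b"12345678901234567890", 0)))
```

Note that the counter advances only after a successful login, so re-submitting the same passcode is rejected; a password failure leaves the counter untouched so an attacker cannot desynchronise a user's token by guessing passwords.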
More about Authorization
Authorization happens after a user’s identity has been successfully authenticated. It is about granting full or partial access rights to resources such as databases, funds and other critical information so that the user can get the job done.
In an organization, for example, after an employee is verified and confirmed via ID and password authentication, the next step would be defining what resources the employee would have access to.
Popular authorization techniques
- Role-based access controls (RBAC) can be implemented for system-to-system and user-to-system privilege management.
- JSON Web Token (JWT) is an open standard for securely transmitting claims between parties; the token is signed, for example with a public/private key pair, so the receiving party can verify the claims it uses to authorize the user.
- SAML is a standard single sign-on (SSO) format in which authentication information is exchanged as digitally signed XML documents.
- OpenID verifies user identity based on authentication performed by an authorization server.
- OAuth allows a client application to be authorized to access the requested system or resource through its API. It is not a mechanism for authorizing users directly but one for authorizing clients against resource servers.
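As an added example (not code from the original article), the role-based access control listed first above, wired into the authenticate-then-authorize sequence the text describes. The roles, the "resource:action" permission names, the audit log and the principals "alice", "bob" and "eve" are all constructed for the example; the principal is assumed to arrive already authenticated, for instance from a verified password/OTP login or a validated JWT.

```python
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Set, Tuple


class Principal(NamedTuple):
    """An authenticated identity together with the roles assigned to it."""
    name: str
    roles: FrozenSet[str]


# Constructed role -> permission table. Permissions are "resource:action".
# "editor" shows partial access: it can write reports but not delete them.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "report:delete", "user:manage"},
}

# Every decision is recorded so denials can be reviewed later.
AUDIT_LOG: List[Tuple[str, str, str, bool]] = []


def effective_permissions(principal: Principal) -> Set[str]:
    """Union of the permissions of all roles held by the principal.

    A role that is not in the table grants nothing, so a bogus role name
    in a token or session cannot widen access."""
    perms: Set[str] = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(principal: Principal, resource: str, action: str) -> bool:
    """Deny-by-default RBAC check: allowed only if an explicit grant exists."""
    allowed = f"{resource}:{action}" in effective_permissions(principal)
    AUDIT_LOG.append((principal.name, resource, action, allowed))
    return allowed


def handle_request(principal: Optional[Principal], resource: str, action: str) -> int:
    """Return the HTTP-style status an API would give for this request.

    401: nobody is authenticated (identity unknown).
    403: identity is known but not permitted to perform the action.
    200: authenticated and authorized."""
    if principal is None:
        return 401
    if not authorize(principal, resource, action):
        return 403
    return 200


if __name__ == "__main__":
    bob = Principal("bob", frozenset({"viewer"}))
    print(handle_request(bob, "report", "read"))    # 200
    print(handle_request(bob, "report", "delete"))  # 403
    print(AUDIT_LOG)
```

The distinction between the 401 and 403 outcomes is the article's point in code: a failed login and a forbidden action are different failures, answered by different layers, and collapsing them (for example by returning 403 for both) loses the signal a defender needs when reading the audit log.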
Author – Champika Mendis