In the world of identity and access management, you may have heard the terms “authentication” and “authorization.” You may have often heard them mentioned as if they were a single process — “authentication and authorization.” But are they the same thing? What’s the difference between authentication and authorization, if any?
What Is Authentication?
Authentication is the act of confirming that someone is who they claim to be, so that the system knows which account any further action should be attributed to. The most common credential is a password. When you enter a password, the system compares it against what it has on record for that account (properly, a salted hash of the password rather than the password itself, so that a stolen credential database cannot simply be read out). If the comparison succeeds, the system treats you as that user.
Because a password is relatively easy to guess, phish, or steal, many systems add multi-factor authentication, requiring something besides the password to prove that someone is who they claim to be. The extra factor may be something the person has, such as a one-time code generated by an authenticator app or texted to a phone only they should possess, or something the person is, such as a fingerprint or iris scan. Codes sent by text message are better than a password alone but weaker than app-generated codes, because a phone number can be hijacked by an attacker who convinces the carrier to move it to a new SIM.
What Is Authorization?
Authorization is something that occurs once authentication is verified. If authentication cannot be verified, the user never reaches the authorization stage. Once they are verified, the question becomes which areas the authenticated individual can access. In a physical environment, this factor could take the form of access cards with different security clearances attached. A new employee’s card may open doors only on the first level, while a manager’s card could grant them full access to the facility.
Authorization of authenticated users is typically based on the user's profile (role, department), the time of day, network information such as the source address, physical location, or other attributes. For instance, you can set policies so that employees can access only data relevant to their department, or so that they can access information only during working hours. Other authorization policies can be created as needed. Whatever the rules, they must be enforced by the system on every request, using the identity established at authentication rather than anything the client supplies, and anything no rule explicitly allows should be denied.
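A policy of the kind just described, as an added example rather than code from the original article or from any product: an authenticated principal asks for a resource, and a default-deny check applies department, role, working-hours and network rules. The attribute names, the specific rules and the sample users and resources are this example's own assumptions.

```python
"""Added example: attribute-based authorization after authentication. Not the article's code."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress


@dataclass(frozen=True)
class Principal:
    """Who the caller is. Comes from the session created at authentication,
    never from request parameters the client can edit."""
    username: str
    role: str          # assumed values: "employee" or "manager"
    department: str


@dataclass(frozen=True)
class Resource:
    name: str
    department: str
    sensitivity: str   # assumed values: "internal" or "restricted"


@dataclass(frozen=True)
class Context:
    when: datetime     # local time of the request
    source_ip: str


# Assumed policy parameters.
WORK_START, WORK_END = time(8, 0), time(18, 0)
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]


def during_working_hours(when: datetime) -> bool:
    return when.weekday() < 5 and WORK_START <= when.time() < WORK_END


def on_corporate_network(source_ip: str) -> bool:
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in CORPORATE_NETWORKS)


def authorize(p: Principal, r: Resource, ctx: Context) -> tuple[bool, str]:
    """Return (allowed, reason). The reason is meant for the audit log.

    Rules, in order:
      1. employees see only their own department; managers see every department
      2. employees may act only during working hours; managers at any time
      3. restricted data is served only to the corporate network, for everyone
    Anything not explicitly allowed falls through to a denial.
    """
    if p.role != "manager":
        if r.department != p.department:
            return False, f"{p.username} ({p.department}) may not read {r.department} data"
        if not during_working_hours(ctx.when):
            return False, "employees may access data only during working hours"
    if r.sensitivity == "restricted" and not on_corporate_network(ctx.source_ip):
        return False, "restricted data is only available from the corporate network"
    if r.sensitivity in ("internal", "restricted"):
        return True, "allowed"
    return False, f"no rule covers sensitivity {r.sensitivity!r}"


if __name__ == "__main__":
    # Constructed sample data.
    alice = Principal("alice", "employee", "finance")
    bob = Principal("bob", "manager", "hr")
    ledger = Resource("q3-ledger", "finance", "restricted")
    tuesday_10am = Context(datetime(2024, 3, 5, 10, 0), "10.1.2.3")
    tuesday_10pm = Context(datetime(2024, 3, 5, 22, 0), "10.1.2.3")
    home = Context(datetime(2024, 3, 5, 22, 0), "203.0.113.5")
    for who, ctx in [(alice, tuesday_10am), (alice, tuesday_10pm), (bob, home), (bob, tuesday_10pm)]:
        print(who.username, ctx.when.strftime("%a %H:%M"), ctx.source_ip, "->", authorize(who, ledger, ctx))
```

Returning the reason along with the decision costs nothing and makes access denials investigable later, which is the half of access control that usually goes missing.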
Authentication vs. Authorization
In summary, authentication is the process wherein a system establishes that a person is who they say they are. Authorization describes rules that say what each person is allowed to do in the system. An easy thing to remember is that authentication checks credentials while authorization checks permissions.
When it comes to your computer network, identity and access management works well only when authentication and authorization function seamlessly together. If your authentication process is weak, an attacker who guesses or steals a credential inherits that user's permissions and never has to defeat your authorization rules at all. If your authorization process is not well-defined, or a check is simply missing on some path, data breaches can occur when sensitive data falls into the hands of users who should never have been able to reach it, or who handle it carelessly. Both your authentication and your authorization process must be airtight to fully protect your system.
Optimal IdM is a global leader in enterprise authentication and authorization solutions. Contact us now to request a free demo of our Identity and Access Management software.