Two methods necessary for securing access and what you would have heard frequently confused are authentication and authorization. Authentication and authorization are key to administering user access to a location, network or within a particular system. These concepts help an administrator decide the users who have access, along with their number and their properties. It also helps the administrator decide on the resources that will be made accessible to them. Let us now look at the definition for authentication.
Authentication: What does it mean?
Authentication is the process of verifying the user’s identity through an established method that uses a particular standard or protocol. The kind of authentication ranges from a social sign on to a simple username password combination to biometric authentication. There can be authentication methods that are a combination of one or more different types of authentication. An example of such an authentication is one that requires you to use a fingerprint or OTP (one-time password) in addition to the username and password to identify yourself.
Authorization: What does it mean?
Authorization is the process of granting access to a particular file, resource, or location based on some input from the user. To cite an example, there may be certain files or directories on a system or in a network which only the administrator can view. And there may be others where many have the right to view but not the right to rename, modify, or delete. Authorization ensures that there is a hierarchy and a certain set of rules that govern the access permissions set throughout the user domain. Such authorization is the difference between a site that is vulnerable to hacking and one that is not.
Authentication vs. Authorization
The two words authentication and authorization are very often confused and many assume they mean the same thing and are interchangeable. This is not true. Authentication helps a server or client in understanding the person who is accessing the information better, what is the IP and location with time, what is the real name, and so forth. Generally, in authentication, the most familiar one, a username and password is used to verify the user.
Then you might ask: If that is what is authentication, then what exactly is authorization? While authentication is about identifying the user, authorization is about identifying user access level. In short, authorization answers what resources or files are made available to the user.
Authorization always requires some kind of authentication, as it is impossible to determine user access level without identifying the user first. So, in short, authentication is about the “who” and authorization is about the “what”. And authorization always follows authentication.
What are the Types of Authentication Methods?
In password-based authentication, the user inputs both the username as well as the correct key/password to access the platform. It is a test of recall (how well the customer has memorized the key, pin or password). At times, another type of authentication is added on to this acting as an additional layer of security. This could be something like a fingerprint or a one-time password.
Biometric authentication uses your biological makeup to identify you. Iris scan, face scan, and fingerprint are examples of such authentication. Biometric is a very strong method of authentication and benefits from being unique for every user. However, it is not hacker-proof, at least not entirely. A forged image can be used to breach security. 2D static and dynamic attacks which use images and moving video to dupe the scanner are commonplace today. In fingerprint scans, the temperature of the subject can be captured at the same point to ensure that the subject is live. When it comes to face recognition, active and passive liveness check can add an additional layer of security.
Certificate-based authentication involves using a publicly available key to authenticate a computer on a particular network. These certificates are issued by a certificate authority.
Digital certificates are components of the PKI (public key infrastructure) and are unique to each computer on the network.
Hackers generally flood a sign up or login process on a website or app with a number of tries and retries, causing the server to crash. To combat this an image or audio is presented as a challenge which cannot be easily identified by the AI which does the login. The images involve inconsistent capitalization, a mix of alphabets, numbers and symbols, and skewed or blurred letters or numbers, or having lines and other markings around numbers or letters.
There are other types of authentication too such as transaction authentication, which involves verifying the location and other credentials of the user accessing the website. This is used in several websites. If the user location or transaction seems suspicious, then an alarm can be raised for this. Further verification using username or password may be used.
Types of Authorization Methods
API keys are added in the resource URL or headers when requests are placed to access an API. An API key allows the API to recognize that the request placed for information is from a genuine and authorized source. There are two keys generally, a private key and a public key, that help with the communication.
In Basic Auth, a username and password is inserted into the header that is sent to the server. It uses Base64, an encoding technique which converts the login and password into a set of 64 characters. An advanced version of the basic form of authentication in HTTP is the HTTPS, which adds cookies and session identifiers as well.
Ever seen a password-less access being granted to websites which allows social logins. OAuth is a type of authorization that is used to onboard new customers on other websites which are allowed access by social websites such as Google, Facebook etc to your information instead.
Easy Table Authentication vs Authorization
|Access is generally system wide||Access for a specific resource|
|Decides who is granted access||Decides what level of access is granted|
|Common types are username/password, PIN or OTP based, biometric etc.||Common types are API key, OAuth etc.|
|Authentication almost always require some form of identification||Authorization at times defaults to allowing all users at a certain level in the hierarchy right to access without further verification.|
|Authentication is a user-dependent process||Authorization generally happens between computers on a network|
Authorization and Authentication used together
Authentication generally precedes any kind of authorization and such a combination of both of these is most commonly used on the Internet to allow access to websites.
One example of authentication and authorization used together is when you have to type a username and password to access a part of the website, which then allows you to connect to an API through an API key. Consider another example where you login to a platform using a username and password but then use OAuth coupled with a biometric such as face recognition to access a more advanced feature.
Authentication and authorization are two birds of the same feather, and unlike one excluding the other, one actually supports and reinforces the other. But as clearly demarcated in this blog, they are not the same. When a user is authenticated, he is then authorized to access certain resources or perform certain actions on them. In turn, these actions will determine how secure the system or the network remains over time. Without the concepts of Authentication, authorization and accounting network security would never reach the level of confidence it has attained today.
What is an authenticator app?
An authenticator app adds two-factor(2FA) authentication for logins to any account you want to protect with an additional layer of security.
Can an authenticator app use face recognition?
Yes, an authenticator can use any kind of security to serve as an additional layer of checks including OTP and face ID.
What is the authorization method list?
The authorization method list specifies how the user is authorized to access certain resources, for instance through a local database or a network server.
What is HMAC?
HMAC is hash-based message authentication code. It is used to encrypt text in a secure manner and is used in SSL (secure socket layer) certificates to ensure data security and is considered mandatory for IP (internet protocol).