Authentication and authorization are both processes that fall under the category of identity and access management (IAM), but they serve different purposes. Understanding the role each plays in keeping data safe allows your organization to make better security decisions.
Authentication is used to prove users are who they claim to be. A study by the Digital Shadows Photon Research Team in 2020 found that 15 billion stolen credentials allowing account takeover were available on the dark web, including username and password pairs for online banking, social media accounts, and music streaming services.
Most of us are used to authenticating our identity in everyday life. People are asked for a driver’s license or other form of identification to cash a check, buy alcohol or enter a restricted area. The ID is checked to make sure the person looks like the photo and the ID itself isn’t a fake. If the ID appears to be stolen or fake, the person can be turned away, reported to law enforcement and/or the ID may be confiscated.
There are many ways to confirm a user’s identity online, and these fall into three types of authentication factors: something you know (such as a password or PIN), something you have (such as a smartphone or hardware token) and something you are (a biometric such as a fingerprint or face).
Multi-factor authentication (MFA) refers to the use of two or more of these factors in verifying a user’s identity. For example, you might be asked for a password (something you know) and a one-time passcode generated by or sent to your smartphone (something you have). If either factor is not correctly completed, access is denied. The factors should be independent: a code entered into the same phishing page as the password adds little, which is why phishing-resistant second factors such as FIDO2 security keys are the strongest choice.
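The following is an added example, not code from the original article, showing what a two-factor login check looks like when the "something you know" is a salted password hash and the "something you have" is a time-based one-time passcode (TOTP, RFC 6238, built on HOTP, RFC 4226). The user record, password and shared secret are constructed for the demo; the one-time-code verification accepts a one-step clock-skew window and refuses to accept the same code twice.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (current OWASP guidance is 600,000 iterations).
PBKDF2_ROUNDS = 600_000
TOTP_STEP = 30  # seconds per time step, the RFC 6238 default


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); only these are stored, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class User:
    """Constructed demo user record (hypothetical; a real store would be a database)."""

    def __init__(self, name: str, password: str, totp_secret: bytes):
        self.name = name
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_otp_counter = -1  # replay guard: each time-step code is accepted once


def login(user: User, password: str, otp: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Two-factor check: the password (something you know) and a TOTP code (something you have)."""
    now = int(time.time()) if now is None else now
    # Evaluate the password factor unconditionally so a failure does not reveal which factor was wrong.
    pw_ok = verify_password(password, user.salt, user.pw_hash)

    # Accept the current time step and +-window neighbours to tolerate clock skew,
    # but never a step at or below the last one already used (replay protection).
    counter = now // TOTP_STEP
    matched = None
    for c in range(counter - window, counter + window + 1):
        if c > user.last_otp_counter and hmac.compare_digest(hotp(user.totp_secret, c), otp):
            matched = c
            break

    if pw_ok and matched is not None:
        user.last_otp_counter = matched
        return True
    return False


if __name__ == "__main__":
    # Constructed secret; the same bytes are the RFC 4226/6238 test-vector seed.
    demo = User("alice", "correct horse battery staple", b"12345678901234567890")
    code = totp(demo.totp_secret, 59)
    print("first login:", login(demo, "correct horse battery staple", code, now=59))
    print("replayed code:", login(demo, "correct horse battery staple", code, now=59))
```

Both factors are checked every time, and the comparisons use hmac.compare_digest so response timing does not leak which factor failed. The replay guard is what stops a code captured from one login from being reused within the skew window.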
Enterprises use authorization to grant access to resources using predetermined or customized permissions based on the user’s role, identity attributes or even certain risk factors. Once a user is authenticated, authorization dictates what data, apps and resources a verified user has permission to access, and it keeps unauthorized users from accessing things they shouldn’t, including on-premises apps and those in the cloud.
By limiting permissions to only the resources a user needs, organizations keep sensitive information protected. For example, authorization policies may allow HR employees to access apps that store sensitive employee information, but deny access to marketing teams. Similarly, accounting teams may be able to access financial apps that other departments do not have permission to view.
Authorization can also be applied to customer use cases. For example, two customers may both be logged in to a retail website, but only one of them is a member of the VIP rewards program. An authorization policy would allow the VIP customer access to the rewards application, but not the other.
Certain authorization systems can even approve or deny access to data based on what customers have consented to sharing. This makes it easier to comply with privacy regulations and build customer trust.
There are similarities and differences between authentication and authorization.
Authentication and authorization go hand-in-hand when it comes to identity and data security. They are both processes that determine whether a user should gain access to an application or system. Both authentication and authorization are designed to protect a system by ensuring that only the right users get access to the right things.
When we talk about identity and access management (IAM), authentication is the identity verification process while authorization is the access management process. Authentication occurs first in the online experience, requiring users to provide credentials that prove they are who they say they are. Then comes authorization, which applies policies to evaluate what resources are appropriate for them to access.
As an example, think about an e-commerce site where you have a customer account.
Authentication: To access your account, you have to verify yourself using one or more authentication factors.
Authorization: The enterprise grants you certain permissions as a customer after you are authenticated. You can access your account, review product descriptions, use shopping cart features, and so on. You are not authorized to use employee-only resources or features that require a certain level of security clearance or special permissions.
There are numerous authentication methods that fall under the three authentication factors (something you know, something you have and something you are). Even the most popular methods have pros and cons.
Passwords are the most commonly used authentication method, but also the least secure. Protecting account information becomes more difficult as phishing attempts and other cyberattacks increase in sophistication. Attackers also use tools to guess passwords, either by brute-forcing combinations or by replaying username and password pairs leaked from other sites (credential stuffing), and guessing against a stolen database is fast unless passwords are stored with a slow, salted hash.
Password fatigue is common. Depending on the enterprise, password requirements may be stringent, forcing users to select a combination of letters, numbers and special characters. It’s difficult to remember multiple passwords and come up with unique passwords for every account. Since passwords can be stolen or guessed, using the same password across accounts leads to high vulnerability for account holders and system administrators. The 2021 Verizon Data Breach Investigations Report found that 61% of breaches in 2020 involved the use of unauthorized credentials.
Biometrics are unique physical characteristics, such as fingerprints, facial features, retinal or iris patterns and voice. Biometrics are much harder to steal, share or guess than a password, which makes them appealing as an authentication method, but there are disadvantages. Presentation attacks (a lifted fingerprint, a photo or a replayed recording) are possible against weaker sensors. Not everyone has access to the necessary equipment or can afford to purchase it, such as smartphones. Privacy concerns are another issue. Biometric databases can be hacked, and unlike a password a compromised fingerprint or face cannot be changed; facial recognition systems can also be inaccurate or misused.
Like authentication methods, there are pros and cons to popular authorization methods.
Role-based access control (RBAC) is a traditional approach that relies on the role of the user to make access decisions and delegates those decisions to the application being accessed. For example, members of the HR team can get access to the payroll application and members of the finance team can access financial reporting tools. RBAC made sense when access was limited to internal users inside a network perimeter, but is too limiting for many of today’s use cases.
Attribute-based access control (ABAC) solves some of the limitations associated with RBAC by using additional attributes that can be considered for authorization decisions. ABAC provides greater flexibility and security by evaluating additional information, such as other user attributes (e.g. age, security clearance), resource attributes (e.g. creation date, type of resource) and the context (e.g. access location, time of day) to make authorization decisions.
Recognizing that attributes alone may not be sufficient, dynamic authorization takes ABAC a step further by enabling the use of fine-grained access control, which allows you to control access beyond the application level and resource level to require that certain conditions are met. Dynamic authorization also centralizes access controls instead of incorporating them at the individual application level.
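The following is an added example, not code from the original article, that works through the authorization scenarios above (HR and payroll, VIP customers and rewards, consent-based data access) as a small RBAC table beside an ABAC policy set. Subjects, resources, roles, the consent register and the policies are all constructed for the demo; the point is that the HR rule "only from the corporate network during business hours" can be expressed in ABAC but has no place in a static role table.

```python
from dataclasses import dataclass, field

# Constructed example data (hypothetical; not from any real system).


@dataclass
class Subject:
    name: str
    roles: frozenset
    attrs: dict = field(default_factory=dict)   # user attributes, e.g. clearance


@dataclass
class Resource:
    name: str
    attrs: dict = field(default_factory=dict)   # resource attributes, e.g. classification, owner


@dataclass
class Context:
    hour: int       # hour of day (0-23) when the request arrives
    network: str    # "corp" or "internet"


# --- RBAC: a static role -> {(resource, action)} table. The decision ignores context. ---
ROLE_PERMISSIONS = {
    "hr":       {("payroll", "read"), ("payroll", "write")},
    "finance":  {("financial-reports", "read")},
    "customer": {("account", "read"), ("cart", "write")},
    "vip":      {("rewards", "read")},
}


def rbac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    return any((resource.name, action) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)


# --- ABAC: each policy is a predicate over subject, resource, action and context.
#     Access is granted if any policy matches; otherwise the default is deny. ---
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}

# Constructed consent register: which categories of their data each customer agreed to share.
CONSENTS = {"alice": {"order_history"}, "bob": {"order_history", "marketing_profile"}}


def payroll_policy(s: Subject, r: Resource, a: str, ctx: Context) -> bool:
    # HR may read payroll, but only from the corporate network during business hours.
    return ("hr" in s.roles and r.name == "payroll" and a == "read"
            and ctx.network == "corp" and 8 <= ctx.hour < 18)


def clearance_policy(s: Subject, r: Resource, a: str, ctx: Context) -> bool:
    # Classified documents may be read only with clearance at or above the classification.
    return (a == "read" and "classification" in r.attrs
            and CLEARANCE[s.attrs.get("clearance", "public")] >= CLEARANCE[r.attrs["classification"]])


def consent_policy(s: Subject, r: Resource, a: str, ctx: Context) -> bool:
    # A customer's data may be read only in categories that customer consented to share.
    owner, category = r.attrs.get("owner"), r.attrs.get("category")
    return a == "read" and owner is not None and category in CONSENTS.get(owner, set())


POLICIES = [payroll_policy, clearance_policy, consent_policy]


def abac_allows(subject: Subject, resource: Resource, action: str, ctx: Context,
                policies=POLICIES) -> bool:
    return any(policy(subject, resource, action, ctx) for policy in policies)


if __name__ == "__main__":
    hr = Subject("dana", frozenset({"hr"}), {"clearance": "internal"})
    payroll = Resource("payroll")
    print("RBAC, HR reads payroll:", rbac_allows(hr, payroll, "read"))
    print("ABAC, in office:", abac_allows(hr, payroll, "read", Context(10, "corp")))
    print("ABAC, late from home:", abac_allows(hr, payroll, "read", Context(22, "internet")))
```

Both evaluators deny by default: a request is allowed only when some role grants it (RBAC) or some policy explicitly matches (ABAC). Centralizing the policy list in one place, rather than in each application, is the step the dynamic-authorization approach above describes.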
To learn how a modern access security solution, which includes both authentication and authorization, will give you the peace of mind you want and the access your users need, read the Security Leader’s Guide to Access Security.