What is authentication? What is an authorization? Are they the same thing? What makes them different? That's what we will see in this article!
Authentication and authorization are two very distinct words, but the line between their usefulness may seem blurred. However, in IT, these two terms are often used when talking about secure access to a resource, data or any other object requiring controlled or secure access. Authorization gives a user access to a resource, while authentication verifies that a user is who they claim to be. To what extent should one or the other be used?
To authenticate or to authorize? That is the question.
In IT, this term refers to the fact of granting or not an access to a file, a function or any part of a computer system to a user. Very often, this happens after an authentication.
Authentications are intended to guarantee the identity of a person. It is used to validate that the user is the person they claim to be. As it was said before, this step often comes before the authorization step, it is in most cases the first step to guarantee data and access security.
Authentications are most of the time made with a pair of login/password specific to each user of the system. But they can also be completed by a second factor. This is called Two-Factor Authentication (2 FA). In this case, the user will have to present two proofs of identity to the authentication system. For example, their login/password pair and a one-time passcode (OTP) that they will receive on their cell phone. In rarer cases, multi-factor authentication is also possible, based on the same principle as dual authentication, but with even more factors.
According to Microsoft, the implementation of dual authentication reduces risks by 99.9%. They are therefore effective and reliable solutions to secure your systems.
The concepts of authentication and authorization are quite easily intertwined. Indeed, when you access a website via your login and password, you feel like you are authorized to access what is behind it. In reality, your authentication has only proved your identity. It is the authorization that allows you to access the content. But these two processes are related, you have authorization to access a resource because you have proven your identity. Authentication is a visible process while authorization is not visible. This can cause these confusions.
To illustrate this, let's take the example of a sporting, musical or other large-scale event. In order to enter, you must present your identity card. This will be used to prove that you are the person you claim to be. The organizers will then be able to verify that you have been invited. Your ticket will be used to determine where you should sit (seat number, pit, VIP area...).
In this example we have an authentication, through your identity card. This authentication allows you to access the event. Then an authorization to access some services through your ticket. This authorization allows you to access certain services if your privileges allow it.
The use of RBAC (Role-Based Access Control) is a solution of choice to control and provide authorizations to your employees. RBAC accesses are managed based on the roles to which the users belong. In 2004, a study by the National Institute of Standards and Technology (NIST) showed that the RBAC model meets the majority of needs for businesses and organizations. As a result, RBAC was transcribed into the NIST model to become a standard. This standardization was pursued by the InterNational Committee for Information Technology Standards (INCITS), which is a standards development organization accredited by the American National Standards Institute (ANSI). This resulted in the ANSI/INCITS 359 standard in 2004. This document was republished as INCITS 359-2012, which has since been reaffirmed (INCITS 359-2012 (R2017)).
This model is therefore approved and still widely used. It allows access to be provided to those who need it and then withdrawn from those who do not. It allows for fast, efficient and more secure management, as it is only necessary to apply roles to employees rather than permissions one by one.
Example of use: Employees with the "Human Resources" role have access to employee pay slips, employees without this role will not have access.
This model supports Boolean logic, in which rules contain "IF, THEN" statements indicating who makes the request, the resource and the action.
Example of uses: IF the requester is a manager, THEN allow read/write access to sensitive data.
IF it's daytime, THEN allow modification (in case no one is supposed to work at night)
This model is a perfect complement to RBAC, as it guarantees even greater access security.
There are different standards and protocols that allow to set up authentications or authorizations. The most well-known are the following:
OAuth is a so-called "authorization delegation" protocol. It can be used to manage authorizations. It is very practical, because it allows for example users to give authorizations on the resources they own to websites or applications. These applications and websites will then be able to access the user's resources without the user having to provide their password. Many web giants use this mechanism like Google, Facebook, Twitter, Amazon...
OpenID Connect is an identification layer based on OAuth 2.0. It is used by many actors as a means of authentication for users. By combining OpenID Connect with OAuth, it becomes possible to perform authorization and authentication in a single request.
SAML is a standard used for authentication. It allows for unique authentications. Also called Single Sign-On (SSO) in English. Single sign-on allows users to authenticate on several platforms by identifying themselves only once. This offers greater security. If you want to know more about single sign-on (SSO), please read our article about it!
A good security strategy requires protecting resources with a combination of both authentication and authorization. With a well thought-out authentication and authorization strategy, organizations can effectively verify the identity of each user on their system and what they have access to. This prevents unauthorized or even malicious activity and drastically reduces risk. By requiring users to identify themselves and maintain good digital hygiene, authentication will be strong. In addition, by ensuring that your employees only access the resources they need, companies can maximize their productivity, while strengthening their security. This is especially important in a context of increasing digitalization where cyber risks are growing by the day.
As we have seen in this article, understanding the concepts of authentication and authorization is very important for your security policy. Understanding the differences between these two processes is even more important as it will help you keep your data safe. Having strong security is not only good for you, but it is also good for your company and the image it sends out into the world. Having a company that reflects a safe and secure image for its customers' data around the world is increasingly important in a world where personal data has become a major issue. Just like yellow gold and black gold, the white gold that represents each user's personal information and data is a precious resource that must be protected. This is why good authentication and authorization rules have become essential and even indispensable. As part of your development, having a secure environment will not only appeal to your users, but also to companies that want to work with you. This is especially true when setting up a SSO (Single Sign-On). Indeed, being SSO compliant could be a real asset for your development. Moreover, it is really part of a simplified authentication framework, but also more secure.
So, ready to learn more about authentication and authorization processes? Interested in single sign-on? We tell you more at Cryptr.