What is the difference between Authentication and Authorisation?

If you have been working as a member of the tech community (System Administrator, Software Engineer, etc.), you have probably heard the terms Authentication and Authorisation. Even though they are often mentioned together when the security of a computer system or application is discussed, they are two distinct security processes.

What is Authentication?

Authentication in the security context refers to the act or process that validates whether a user of a piece of software, a computer or a system is who they claim to be. The most common way to do this is with a password: if the user enters the correct password, the system assumes the claimed identity is valid and grants access.

Relying on a password alone is an example of single-factor authentication: the identity is established from one kind of evidence only.

However, relying on a password alone is no longer sufficient to validate a user's identity. Improvements in computer performance have reduced the time needed to brute-force a password (in layman's terms, trying every combination of letters, numbers and symbols) and gain access to a system. Furthermore, it is human nature to choose something short and/or familiar, such as a birthday, social security number, national identity number or name, as a password, which shrinks the space an attacker has to search.

To raise the level of security of a system, multi-factor authentication is becoming the norm and is highly recommended for systems that process sensitive information.

Two-factor authentication is one of the more common multi-factor authentication schemes, employed by companies such as Apple, Google and Microsoft. Under this scheme, the following two factors are commonly combined:

  1. Something that you know (e.g. password)
  2. Something you own (e.g. smart card, smart phone)

This is based on the premise that even if a malicious actor manages to get hold of a user's password, they remain unable to log in because they do not possess the registered device (smart card, security token or smart phone) needed to further prove they are the legitimate user. The second factor only adds protection if it is genuinely independent of the first: a one-time code delivered to the same compromised machine that the password is typed on gives an attacker both factors at once.
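As an added illustration (example code written for this article, not taken from any of the companies named above), here is a minimal two-factor check in Python that combines both factors: a salted PBKDF2 password hash for "something you know" and an RFC 6238 time-based one-time password (TOTP), the kind a phone authenticator app generates, for "something you have". The account record, the salt and the password are constructed for the demo; the TOTP secret is the published RFC 6238 test-vector key, so the codes it produces can be checked against the RFC.

```python
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 600_000  # slows each offline guess; raise as hardware improves
TOTP_STEP = 30               # seconds per RFC 6238 time step


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the salt defeats precomputed tables and the
    # iteration count makes every brute-force guess cost real CPU time.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    # compare_digest is constant-time, so response timing does not reveal
    # how many leading bytes of the hash matched.
    return hmac.compare_digest(hash_password(password, salt), expected)


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    # RFC 6238 TOTP: HOTP (RFC 4226) over counter = floor(time / step).
    counter = struct.pack(">Q", timestamp // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def match_totp(secret: bytes, code: str, timestamp: int, window: int = 1):
    # Accept the current step plus/minus `window` neighbours to tolerate
    # clock drift; return the step counter that matched (or None) so the
    # caller can record it and refuse a replay of the same code.
    if not (code.isascii() and code.isdigit()):
        return None
    for skew in range(-window, window + 1):
        t = timestamp + skew * TOTP_STEP
        if hmac.compare_digest(totp(secret, t), code):
            return t // TOTP_STEP
    return None


# Constructed demo account. A real system would store these at registration
# and provision the TOTP secret to the user's phone app; the secret here is
# the well-known RFC 6238 test-vector key, not anyone's real credential.
SALT = bytes.fromhex("8f3e5c1a9b2d4e6f7a8b9c0d1e2f3a4b")
DEMO_USER = {
    "name": "alice",
    "salt": SALT,
    "password_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",
    "last_totp_counter": -1,
}


def authenticate(user: dict, password: str, code: str, now: int) -> bool:
    # Evaluate both factors before answering and return the same generic
    # result either way, so an attacker cannot learn which factor was wrong.
    password_ok = verify_password(password, user["salt"], user["password_hash"])
    counter = match_totp(user["totp_secret"], code, now)
    # Each code is single-use: replaying one captured seconds ago must fail
    # even though it is still inside the drift window.
    totp_ok = counter is not None and counter > user["last_totp_counter"]
    if password_ok and totp_ok:
        user["last_totp_counter"] = counter
        return True
    return False


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test time; the valid 6-digit SHA-1 code is 081804
    print(authenticate(DEMO_USER, "password123", "081804", now))                  # False: wrong password
    print(authenticate(DEMO_USER, "correct horse battery staple", "081804", now))  # True
    print(authenticate(DEMO_USER, "correct horse battery staple", "081804", now))  # False: replayed code
```

Two details matter beyond the happy path: both factors are evaluated before a generic failure is returned, so the response does not reveal which one was wrong, and each accepted TOTP counter is recorded so that a code captured by an attacker cannot be replayed while it is still inside the clock-drift window.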

What is Authorisation?

Authorisation takes place after the user's identity has been verified. It refers to the act or process that determines whether the authenticated user has the rights or permissions to access or use a particular resource. In this context, a resource can be a file, a folder, or, in physical access control, a particular room or area within a building.

The most common implementation of authorisation is role-based access control (RBAC). It is based on the premise that different users play different roles in an organisation, and each role is granted a fixed set of permissions. A user's roles therefore determine what information they can access and how much responsibility they carry.

However, RBAC may not be fine-grained enough to control access to specific resources: a role comes with a fixed set of permissions, so everyone holding the role gets the same access regardless of which resource is involved or the circumstances of the request. This is where attribute-based access control (ABAC) comes into the picture. In addition to the roles and groups a user belongs to, an ABAC policy evaluates further attributes, such as the user's citizenship or clearance, the sensitivity of the resource, the action being performed, or the time at which access is requested, before deciding whether to allow it.
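To make the difference concrete, the following Python example (added here; not code from the original article) implements the same decision twice: a plain RBAC lookup in which a role is a fixed bundle of permissions, and an ABAC policy that uses the RBAC result as its first rule and then consults attributes of the subject (citizenship, clearance), the resource (classification, owner), the action, and the environment (time of day). All roles, attributes, policy thresholds and sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# ---- RBAC: a role is a fixed bundle of permissions (constructed role table) --
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "manager": {"report:read", "report:approve"},
    "admin": {"report:read", "report:approve", "report:delete"},
}


def rbac_allows(roles, permission: str) -> bool:
    # Pure RBAC: the answer depends only on the roles held, never on which
    # resource is involved or the circumstances of the request.
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# ---- ABAC: attributes of the subject, resource, action and environment ------
@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    citizenship: str
    clearance: int  # constructed scale: 0 (none) to 3 (highest)


@dataclass(frozen=True)
class Resource:
    kind: str
    classification: str              # "internal" or "restricted"
    allowed_citizenships: frozenset  # empty = no nationality restriction
    owner: str


@dataclass(frozen=True)
class Request:
    subject: Subject
    resource: Resource
    action: str
    time: datetime  # timezone-aware


def abac_allows(req: Request):
    """Deny by default; return (decision, reason) so every denial is auditable."""
    # Rule 1: RBAC as the base. The role must grant the action at all.
    if not rbac_allows(req.subject.roles, f"{req.resource.kind}:{req.action}"):
        return False, "role does not grant this action"
    # Rule 2: subject attribute against resource attribute (citizenship).
    allowed = req.resource.allowed_citizenships
    if allowed and req.subject.citizenship not in allowed:
        return False, "citizenship not permitted for this resource"
    # Rule 3: subject clearance against resource classification.
    if req.resource.classification == "restricted" and req.subject.clearance < 3:
        return False, "insufficient clearance for a restricted resource"
    # Rule 4: separation of duties on the action being performed.
    if req.action == "approve" and req.resource.owner == req.subject.name:
        return False, "cannot approve your own report"
    # Rule 5: environment attribute. Irreversible actions only in business
    # hours (09:00-18:00 UTC here, a constructed policy value).
    if req.action in {"approve", "delete"} and not 9 <= req.time.hour < 18:
        return False, "approve/delete only permitted during business hours"
    return True, "allowed"


# Constructed sample subjects, resources and request times.
MANAGER = Subject("bob", frozenset({"manager"}), "SG", clearance=2)
ADMIN = Subject("carol", frozenset({"admin"}), "SG", clearance=3)
ANALYST = Subject("dave", frozenset({"analyst"}), "MY", clearance=1)
QUARTERLY = Resource("report", "internal", frozenset(), owner="dave")
EXPORT_CONTROLLED = Resource("report", "restricted", frozenset({"SG"}), owner="bob")
CAROLS_REPORT = Resource("report", "internal", frozenset(), owner="carol")
NOON = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)
MIDNIGHT = datetime(2024, 3, 4, 0, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    cases = [
        ("manager approves analyst's report at noon", Request(MANAGER, QUARTERLY, "approve", NOON)),
        ("manager approves at midnight", Request(MANAGER, QUARTERLY, "approve", MIDNIGHT)),
        ("manager reads restricted report", Request(MANAGER, EXPORT_CONTROLLED, "read", NOON)),
        ("admin reads restricted report", Request(ADMIN, EXPORT_CONTROLLED, "read", NOON)),
        ("foreign analyst reads restricted report", Request(ANALYST, EXPORT_CONTROLLED, "read", NOON)),
        ("admin approves own report", Request(ADMIN, CAROLS_REPORT, "approve", NOON)),
    ]
    for label, req in cases:
        rbac = rbac_allows(req.subject.roles, f"{req.resource.kind}:{req.action}")
        print(f"{label:45} RBAC={rbac!s:5} ABAC={abac_allows(req)}")
```

Running it prints one line per request with the RBAC and ABAC decisions side by side; the cases where RBAC says yes and ABAC says no are exactly the fine-grained distinctions described above. The policy denies by default and returns a reason with each decision, which is what you want feeding an audit log.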

Conclusion

Both authentication and authorisation are fundamental to system and information security. Without them, or when they are implemented poorly, malicious actors can easily gain access to a system and extract sensitive information such as personal data and company secrets, which they can then use to mount further attacks, including identity fraud or giving a business's competitors an edge. Nor do attacks only come from outside the organisation: employees can accidentally or intentionally access or change information they are not permitted to.