The authentication and authorization are used in respect of information security which enables the security on an automated information system. The terminologies are interchangeably used but are distinct. The identity of a person is assured by authentication. On the other hand, authorization checks the access list that the authenticated person has. In other words, the authorization includes the permissions that a person has given.
Content: Authentication Vs Authorization
|Basis for comparison||Authentication||Authorization|
|Basic||Checks the person's identity to grant access to the system.||Checks the person's privileges or permissions to access the resources.|
|Includes process of||Verifying user credentials.||Validating the user permissions.|
|Order of the process||Authentication is performed at the very first step.||Authorization is usually performed after authentication.|
|Examples||In the online banking applications, the identity of the person is first determined with the help of the user ID and password.||In a multi-user system, the administrator decides what privileges or access rights do each user have.|
Definition of Authentication
Authentication mechanism determines the user’s identity before revealing the sensitive information. It is very crucial for the system or interfaces where the user’s priority is to protect the confidential information. In the process, the user makes a provable claim about individual identity (his or her) or an entity’s identity.
The credentials or claim could be a username, password, fingerprint etc. The authentication and non-repudiation, kind of issues are handled in the application layer. The inefficient authentication mechanism could significantly affect the availability of the service.
For example, there is a sender A sending an electronic document to the receiver B over the internet. How does the system will identify that the sender A has sent a message dedicated to the receiver B. An intruder C may intercept, modify and replay the document in order trick or steal the information this type of attack is called fabrication.
In the given situation authentication mechanism ensures two things; first, it ensures that the sender and receiver are righteous people and it’s known as data-origin authentication. Secondly, it ensures the security of the established connection between sender and receiver with the help of secret session key so that it could not be inferred and it is known as peer entity authentication.
Definition of Authorization
Authorization technique is used to determine the permissions that are granted to an authenticated user. In simple words, it checks whether the user is permitted to access the particular resources or not. Authorization occurs after authentication, where the user’s identity is assured prior then the access list for the user is determined by looking up the entries stored in the tables and databases.
For example, a user X wants to access a particular file from the server. The user will send a request to the server. The server will verify the user identity. Then, it finds the corresponding privileges the authenticated user have or whether he/she is allowed to access that particular file or not. In the following case, the access rights could include viewing, modifying or deleting the file if the user has authority to perform the following operations.
Key Differences Between Authentication and Authorization
- The Authentication is used to verify the user’s identity in order to permit access to the system. On the other hand, the authorization determines, who should be able to access what.
- In the authentication process, the user credentials are verified, whereas in authorization process the authenticated user’s access list is validated.
- The former process is authentication, then authorization occurs.
- Let’s take the example of online banking services. When a user wants to access the service, the user’s identity is determined to ensure that the person is the righteous person who he/she claim to be. Once the user is identified the authentication enables the authorization which determines what the user is allowed to do. Here the user is authorized to access the his/her account online after the authentication.
The authentication and authorization are the security measures taken in order to protect the data in the information system. Authentication is the process of verifying the person’s identity approaching the system. On the other hand, Authorization is the process of checking the privileges or access list for which the person is authorized.