Cyber Security:
Authentication and Authorisation
Authentication and authorisation are two vital information security processes that administrators use to protect systems and information. Both of them are important to CIA Confidentiality
Authentication verifies the identity of a user or service, and authorization determines their access rights.
Authentication
Authentication is the process of determining that someone is who they claim to be by verifying their identity.
For example, if you want access to your online bank account you are required to fill out your details, these are then checked against a specific database following your input.
After this step, if the submitted data matches, you are granted system access.
Another example of authentication would be when two devices are set in different locations - like when you work at home and your laptop logs in to the work server. Through authentication, these basically can establish a trust level and you can connect to the server.
Authorisation
Authorisation is the process of granting someone permission to do something, or access a certain resource. For this to happen the authentication stepmust have been completed. The 'level of access' is then ascertained from data files and the user then has access to files at that level of trust.
This access permission can be granted by a person or an automated system.
Authorization is usually done with the goal of preventing unauthorized access to resources.
For example, you may be authorised to use standard apps at your job, but you might not be authorised to use some applications reserved only for admins. To get access to restricted areas you have to be authorised through a privileged access management system for example, that assigns you limited privileged permissions.
Authentication vs. authorization
| Authentication verifies the user's identity |
Authorization validates the user's access |
| Checks the identity of a user |
Level of access to apps, files or data permitted |
| Uses passwords or biometric data to validate the identity of the user |
Follows some settings established and managed by the company |
| A process that is visible and accesible to the user |
The user has no power in terms of modifying or altering the set of settings already established within the company |
| data is transmitted via ID tokens |
data is transmitted via access tokens |
See here for two-factor authentication
