Authentication vs Authorization

What are authentication and authorization? Why is it important to understand where and how to use them? They are easy to confuse: the two terms come up together in discussions and are often bound to key parts of a system. In reality they are two different concepts that can live completely decoupled. Authentication is the process by which an individual confirms their identity. Authorization is the process that defines the access policy to a resource for an identity.

Authentication

Authentication verifies who you are. For example, in real life, if you buy a ticket to a concert and present it at the entrance you are authenticating that you are the person who bought that ticket. In computer science you can authenticate to a Unix server using ssh.

Authorization

Authorization verifies what you can do. Let's say you are stopped by a police car when driving home from work. The officer will eventually ask for your driver's licence, which lets them check whether you are authorized to drive that car. Getting back to our Unix server example, you are allowed to log in to the system via an ssh client, but you are not authorized to create a folder in another user's home directory if you haven't been granted access for that.
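To make the decoupling concrete, here is an added Python example (not code from the original post) that models the Unix-server scenario above: authentication checks a salted password hash, authorization checks a home-directory policy, and neither function knows anything about the other. The user store, the passwords and the path policy are constructed for the example.

```python
import hashlib
import hmac
import os
import posixpath
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the store never holds the plaintext password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Constructed user store for the example: username -> (salt, password hash).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("bob-example-password"),
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: does the caller prove they are `username`? Returns the identity or None."""
    record = USERS.get(username)
    if record is None:
        hash_password(password)  # same work for unknown users, so timing does not reveal valid names
        return None
    salt, expected = record
    _, candidate = hash_password(password, salt)
    return username if hmac.compare_digest(candidate, expected) else None


def authorize_mkdir(identity: str, path: str) -> bool:
    """Authorization: may this identity create a directory at `path`?

    The policy (constructed here) mirrors the Unix home-directory rule in the text:
    a user may create folders only under their own /home/<user>. It never sees a
    password; it only reasons about an already-established identity and a resource.
    """
    # Normalise first so "/home/alice/../bob/x" is judged as "/home/bob/x".
    normalised = posixpath.normpath(path if path.startswith("/") else "/" + path)
    parts = normalised.strip("/").split("/")
    return len(parts) >= 2 and parts[0] == "home" and parts[1] == identity


def mkdir_request(username: str, password: str, path: str) -> str:
    """Handle a request: authenticate first, then authorize the specific action."""
    identity = authenticate(username, password)
    if identity is None:
        return "401 unauthenticated"  # we do not know who this is
    if not authorize_mkdir(identity, path):
        return "403 forbidden"  # we know who it is; they may not do this
    return "201 created"


if __name__ == "__main__":
    print(mkdir_request("alice", "correct horse battery staple", "/home/alice/projects"))
    print(mkdir_request("alice", "correct horse battery staple", "/home/bob/projects"))
```

Note the two distinct failure answers: a failed authentication yields 401 (the server has no identity to reason about), whereas a failed authorization yields 403 (the identity is known, the action is simply not permitted). Keeping `authorize_mkdir` ignorant of passwords is what lets the same policy be reused whichever way the identity was established.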

Authentication factors

From a security point of view, an authentication can be categorized in three ways: based on something the person knows, something the person has, and finally something the person is. The three categories are:

Knowledge factors

The user has to know something in order to be authenticated, e.g. a password, a passphrase or the answer to a security question. In your day-to-day routine you will frequently enter your email and password in some kind of form. Or, if you are familiar with Git, when you set up your ssh key it will ask you for an optional passphrase.

Ownership factors

The user possesses something that can be validated. If you have ever worked in a corporate environment you had an ID card whose purpose is to confirm your identity. In a web service the analogue is a security token: say you want to use the API of your favourite product; in many cases you authenticate yourself using a security token, either attached to the requested URL or added to a request header (this differs from provider to provider).
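An added Python example, not part of the original post, showing how a web service might validate an ownership factor sent in a request header. The `<id>.<secret>` token format, the `Authorization: Bearer` check, the `api_key` query-parameter name and the in-memory store are assumptions for illustration. The server stores only a hash of each token's secret, so a leaked store does not yield usable tokens, and tokens placed in the query string are refused because URLs end up in access logs, proxy logs and browser history.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory token store: token id -> (SHA-256 of the secret part, identity).
# Only the hash is kept, so a copy of this table cannot be replayed as a credential.
TOKENS: Dict[str, Tuple[bytes, str]] = {}


def issue_token(identity: str) -> str:
    """Mint a bearer token of the form '<id>.<secret>' for an identity (hypothetical format)."""
    token_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    TOKENS[token_id] = (hashlib.sha256(secret.encode()).digest(), identity)
    return f"{token_id}.{secret}"


def identity_from_token(token: str) -> Optional[str]:
    """Resolve a presented token to an identity, or None if it is unknown or tampered with."""
    token_id, _, secret = token.partition(".")
    record = TOKENS.get(token_id)
    if record is None or not secret:
        return None
    stored_hash, identity = record
    presented_hash = hashlib.sha256(secret.encode()).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return identity if hmac.compare_digest(presented_hash, stored_hash) else None


def token_in_query(url: str) -> bool:
    """True if the request carried a credential in the query string (parameter name assumed)."""
    return "api_key" in parse_qs(urlsplit(url).query)


def authenticate_request(headers: Dict[str, str], url: str) -> Optional[str]:
    """Accept the ownership factor only from the Authorization header.

    A token in the URL is rejected outright: query strings are written to server and
    proxy access logs and to browser history, so a credential placed there is exposed.
    """
    if token_in_query(url):
        return None
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return identity_from_token(value.strip())


# Constructed demo identity and token so the functions can be exercised offline.
DEMO_TOKEN = issue_token("alice")

if __name__ == "__main__":
    print(authenticate_request({"Authorization": "Bearer " + DEMO_TOKEN}, "/v1/items"))
    print(authenticate_request({}, "/v1/items?api_key=" + DEMO_TOKEN))
```

The token is the ownership factor: whoever presents it is treated as its holder, which is exactly why it must travel in a header over TLS and never in a place that gets logged.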

Inherence factors

In general, inherence refers to a biometric identifier, such as a fingerprint or a signature. This factor can serve as one of the factors in multi-factor authentication. You can read more about inherence here.

Combining the factors. Two-factor authentication.

In order to achieve multi-factor authentication, one must use two or more of the three independent authentication factors described above. For the authentication to count as successful, each factor must be validated by the other party. In many cases, when you want to log in to your home banking account you need to provide a password (knowledge factor) and a security token from your digipass (ownership factor). Two-factor authentication is not standardized; there are many processes to choose from in order to achieve it.
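An added worked example in Python (not the author's code) of combining a knowledge factor with an ownership factor: a password-hash check plus a time-based one-time code (TOTP, RFC 6238, the scheme behind most authenticator apps and many bank tokens). The user record, salt and password are constructed for the example; the TOTP secret is the RFC 6238 test-vector key so the generated codes can be checked against the RFC's appendix. Both factors are evaluated before answering, so the response does not reveal which one failed, and a code that has already been accepted is refused on replay.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of 30-second steps since the epoch."""
    return hotp(key, int(now) // step, digits)


def verify_totp(key: bytes, code: str, now: float, step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    `window` tolerates one step of clock drift either way; the matched counter is
    returned so the caller can refuse a second use of the same code.
    """
    if not (code.isascii() and code.isdigit()):
        return None
    counter = int(now) // step
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, candidate, len(code)), code):
            return candidate
    return None


# Constructed user record. The TOTP key is the RFC 6238 test secret; a real
# deployment generates a random key per user at enrolment.
SALT = b"constructed-salt-for-example"
USERS: Dict[str, dict] = {
    "alice": {
        "salt": SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"pass-phrase-for-example", SALT, 100_000),
        "totp_key": b"12345678901234567890",
    }
}
LAST_USED: Dict[str, int] = {}  # username -> highest counter already accepted


def login(username: str, password: str, code: str, now: float) -> str:
    """Grant only when the knowledge factor AND the ownership factor both verify."""
    user = USERS.get(username)
    if user is None:
        return "denied"
    presented = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    pw_ok = hmac.compare_digest(presented, user["pw_hash"])
    matched = verify_totp(user["totp_key"], code, now)
    # A code is single-use: anything at or before the last accepted counter is a replay.
    otp_ok = matched is not None and matched > LAST_USED.get(username, -1)
    if pw_ok and otp_ok:
        LAST_USED[username] = matched
        return "granted"
    return "denied"


if __name__ == "__main__":
    key = USERS["alice"]["totp_key"]
    print(totp(key, 59, digits=8))  # RFC 6238 Appendix B lists 94287082 for T=59
    print(login("alice", "pass-phrase-for-example", totp(key, 1111111109), 1111111109))
```

The one-time code is only evidence of possession of the shared secret, so it proves nothing unless the password check also passes; the function deliberately computes both before deciding. The replay guard matters because a 30-second window is long enough for a code observed over someone's shoulder to be reused.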

Thanks for reading, until the next time.
