Authentication and authorization are both common terms in the world of identity and access management (IAM). While often used interchangeably, authentication and authorization represent fundamentally different functions and both are distinct security processes. Understanding the difference between the two is key to successfully implementing an IAM solution.
In simple terms authentication is the process of verifying who a requester is while authorization is the process of verifying what they capable or access to.
What is Authentication?
Authentication is validation process of the requester. The system checks whether requester is who its claimed or not. Generally authentication is done by a username and password, although there are other various ways and steps to be authenticated like Single-Sign-On, One-Time Pins, Authentication Apps, SSL Certificates and even bio-metrics like fingerprint or retina scanner.
In some instances, systems require the successful verification of more than one factor before granting access. This multi-factor authentication (MFA) requirement is often deployed to increase security beyond what passwords alone can provide.
What is Authorization?
Authorization is the verifying process of the requester capabilities. After successfully authenticated by the system, it verifies access for various resources. Read-Only Access might be the best option for 3rd parties’ users for reading purposes and Full Access for internal users in different capabilities as well. However authorization does not grants access instead only verifies it.
- Determines whether users are who they claim to be
- Usually done before authorization
- Challenges the user to validate credentials
- Determines what users can and cannot access
- Usually done after successful authentication
- Verifies whether access is allowed through policies and rules
In short, access to a resource is protected by both authentication and authorization. If you can’t prove your identity, you won’t be allowed into a resource. And even if you can prove your identity, if you are not authorized for that resource, you will still be denied access.