Authentication vs. Authorization

What is Access Control?

Access control refers to a set of policies put in place by an organization to restrict access to: 

  1. Information, such as personal details, software, a company's files, or intellectual property
  2. Hardware, such as devices or equipment
  3. Physical locations, such as an office or building

Access control is usually split between physical access control and information access control. While the two might seem different, they both have the same goal and are often dependent on one another. For example, physical access to an office requires that the name of an employee or visitor be entered into a database, which itself must be secure and accessed by authorized staff members only.

 

What is Physical Access Control?

Physical access control is a set of policies that seek to control and monitor who is granted access to a physical location. Some real-world examples of physical access control include:

  1. A physical key to a house
  2. A gate to the entrance of a condominium community or subdivision
  3. A bouncer standing outside a club or bar
  4. A subway turnstile

In all of these examples, a person or device follows a set of policies to decide who gets access to a restricted physical location. 

What is Information Access Control?

Information access control restricts access to data, files, and software. It is generally considered the core of an organization's network security, as unsecured or even weak access can mean a data breach that can cost the company millions of dollars in losses. According to Statista, "the number of data breaches in the United States in 2019 amounted to 1,473 with over 164.68 million sensitive records exposed."

Some examples of information access control include a user:

  1. Entering a password to join a Zoom meeting
  2. Using a fingerprint to unlock a smartphone
  3. Entering a network name and password to join a Wi-Fi network
  4. Accessing an employer’s corporate network using a virtual private network (VPN)

In all of these cases, software is used to authenticate, or confirm the identity of, the individual seeking access, which then grants authorization to that individual. 

Put another way, authentication confirms the identity of a user, that they are indeed who they say they are. Authorization, on the other hand, is the set of steps that gives the authenticated user permission to access an asset, whether physical or information-based.

Both authentication and authorization are important elements of information access control.

 

What is Authentication?

Authentication is the process of confirming the identity of a user. This is usually the initial step in the security process. To confirm the user's identity, the user must present physical or nonphysical evidence (information) to the authentication platform. These can be divided broadly among the following:

  1. What they have: The possession of a physical object, such as a key, keycard, key fob, or swipe card.
  2. What they know: Information that only the user would know, including a password, passcode, personal identification number (PIN), date of birth, Social Security number, or other personally identifiable information (PII).
  3. Who they are: Biometrics, or the use of an index finger, thumb, hand, voice, retina, face, or another unique physical identifier to gain access to a resource. The physical attribute must match what was used at the time of the user's enrollment in the system.

Passwords are generally the most common—and oldest—authentication factor. If the password matches exactly the password created by either the user or the system, the system assumes validity and grants access. 

Other information-based authentication processes are also gaining in popularity. One is the one-time PIN or temporary password generated by the system. It allows a user access to a single or temporary session that expires after a set amount of time. Mobile banking users typically encounter this procedure for money transfer transactions, specifically when a new recipient, at first unrecognized by the system, is added. 

Another way to confirm user identity is through an authentication application, usually on the user's mobile device, that generates temporary security codes that grant access to another website or service.

Two-factor authentication (2FA) and multi-factor authentication (MFA) are also increasingly being employed to increase security beyond the level provided by passwords alone. These processes require the successful verification of one or more modalities before granting access to a system. For example, MFA could ask a user to provide both a password and the temporary PIN sent to the user's mobile device.
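The password-plus-temporary-code check described above can be sketched as follows. This is an added example, not code from the original page or from any Fortinet product; it assumes the temporary code is an RFC 6238 time-based code of the kind authenticator apps generate, and the record layout, names, and sample secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (assumed, the common default)

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """Time-based one-time code per RFC 6238 (HMAC-SHA1)."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted, deliberately slow hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def make_user(password: str, salt: bytes, totp_secret: bytes) -> dict:
    # Constructed enrollment record; a real system keeps this in a database.
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_step": -1}

def verify_mfa(user: dict, password: str, code: str, now: float) -> bool:
    """Grant access only if both the password and the one-time code check out."""
    knows = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    current = int(now) // STEP
    matched = None
    # Allow one step of clock drift either way, but never a step already used.
    for step in (current - 1, current, current + 1):
        if step <= user["last_step"]:
            continue
        expected = totp(user["totp_secret"], step * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = step
    if knows and matched is not None:
        user["last_step"] = matched  # a one-time code is not accepted twice
        return True
    return False

if __name__ == "__main__":
    alice = make_user("correct horse", b"constructed-salt", b"12345678901234567890")
    code = totp(alice["totp_secret"], 59)
    print(verify_mfa(alice, "correct horse", code, now=59))  # first use
    print(verify_mfa(alice, "correct horse", code, now=59))  # replay of same code
```

Recording the last accepted time step is what makes the code one-time: a captured code fails on a second attempt even while its 30-second window is still open.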

 

What is Authorization?

Authorization is the process of giving a user permission to access a physical location or information-based resource (e.g., a document, database, application, or website). 

Authorization is unfortunately used synonymously with authentication, but this is an error. Authentication occurs first, followed by authorization. Users need to prove their identities before a system can grant them permission to enter. 

However, permission is a broad term. A user may pass authentication procedures and be granted access to a system, but that does not mean they can access all the components of an application or online service because specific permissions can be defined by the organization that allowed them access. 

Permissions are what a user is able to see or do on a website or inside an application. Without these specific permissions, every user would have access to the same information or features. 

As such, permissions and restrictions, and their proper administration, are critical to an organization's security for several reasons. They:

Prevent a User from Accessing Another Customer's Account

This is perhaps the most important reason why permissions are necessary. For example, a customer can log in to their bank account via the bank's website or mobile application. Although the bank has allowed the user to enter the system, the bank also needs to authorize the user's permissions. Otherwise, the user would have access not only to their own account but also to every other account in the system. Permissions ensure users can access only the information they need to.

 

Block Free Accounts from Receiving the Benefits of Premium Features

Permission levels restrict free users of a Software-as-a-Service (SaaS) site, such as a newspaper with gated content or an online collaboration platform, from gaining access to premium features. Permissions need to be implemented so that users only have access to the features they paid for. Without restrictions in place, there would be revenue loss for the organization.

 

Ensure Zero Crossover Between External Client Accounts and Internal Accounts

Permissions also separate internal from external users. While both employees and customers can be allowed to use a company's website, employees should have access to data and systems that customers should not have. In the same vein, certain employees should not have access to important client information. As such, the organization must create different levels of authorizations for each employee. 

Setting the right permission levels is just as important as selecting the right combination of authentication factors. In fact, proper authorization can reduce the negative effects of a data breach. For example, if a hacker successfully gains access to an employee's account, and if that employee is not authorized to access customers' banking or credit card information, then the ill effects of the breach could be lessened. 

Further, authorizations make employees more productive. If they have the correct level of access to the files and programs they need to carry out their work, they do not have to constantly ask their managers or IT for access. They will also not be distracted or overwhelmed by files and programs they do not need.
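The three reasons above translate into checks that run after login, on every request. The following is an added example, not code from the original page; the user model, role name, feature names, and account data are all constructed for illustration. It places a handler that relies on authentication alone beside one that also authorizes the request.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: str
    kind: str                      # "customer" (external) or "employee" (internal)
    plan: str = "free"             # "free" or "premium"
    roles: frozenset = frozenset()

# Constructed sample data, not from any real system.
ACCOUNTS = {"acct-1": {"owner": "alice", "balance": 120},
            "acct-2": {"owner": "bob", "balance": 980}}
PREMIUM_FEATURES = {"export_reports"}
INTERNAL_FEATURES = {"admin_console"}

class Forbidden(Exception):
    pass

def get_account_unchecked(user: User, account_id: str) -> dict:
    # Authentication only: any logged-in user can read any account.
    return ACCOUNTS[account_id]

def get_account(user: User, account_id: str) -> dict:
    account = ACCOUNTS.get(account_id)
    # Customers see only their own account; employees need an explicit role.
    allowed = account is not None and (
        (user.kind == "customer" and account["owner"] == user.user_id)
        or (user.kind == "employee" and "account_support" in user.roles))
    if not allowed:
        raise Forbidden(account_id)  # same error for "missing" and "not yours"
    return account

def can_use(user: User, feature: str) -> bool:
    if feature in INTERNAL_FEATURES:
        return user.kind == "employee"   # no crossover from external accounts
    if feature in PREMIUM_FEATURES:
        return user.plan == "premium"    # paid features stay behind the plan
    return True

def is_forbidden(user: User, account_id: str) -> bool:
    # Helper for callers that want a boolean instead of an exception.
    try:
        get_account(user, account_id)
        return False
    except Forbidden:
        return True
```

An employee without the `account_support` role is refused customer accounts as well, which is the containment effect described above when a single employee account is compromised.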

 

Authentication vs. Authorization

To reiterate, authentication and authorization are separate steps in the user access provision process. We can use an analogy to demonstrate the differences.

Consider a pet sitter who needs to enter the home of a family that is away on vacation. The pet sitter needs:

  1. Authentication, such as a key, keycard, or security code to enter the home. If the pet sitter has the correct piece of hardware to unlock the door, the pet sitter can enter the home. 
  2. Authorization, such as the permissions and restrictions set by the family. The pet sitter has been authorized to access the living room (where the pet's leash is kept) and the kitchen (where the pet's food is stored). Once inside, the pet sitter can enter these rooms but not any other room. 

In this example, authentication and authorization work together. A pet sitter has the right to enter the house (authentication), and once there, she has access only to certain areas (authorization).

                              Authentication                         Authorization
What does it do?              Verifies identity with credentials     Grants (or denies) permission to access
How does it work?             Mostly via passwords and biometrics    Via settings by security staff at an organization
Is it visible to the user?    Yes                                    No
Can the user change it?       Possibly                               No
How does data move?           Via ID tokens                          Via access tokens

Access Management with Fortinet

Your organization can simplify authorization management by securely connecting every identity to your resources. With the Fortinet identity and access management (IAM) tool, you can lessen the administrative burden while still providing the appropriate levels of access for all stakeholders, both inside and outside your organization.